A 38-year-old man from the US state of Wisconsin has been sentenced to two years of federal probation and will pay a $183,000 fine for taking part in a distributed denial of service (DDoS) attack organized under the Anonymous hacktivist brand.
Eric J. Rosol, of Black Creek, Wisconsin, pleaded guilty to one misdemeanor count of accessing a protected computer, the Department of Justice said in a statement.
US Attorney Barr Grissom said on 2 December that Rosol admitted to downloading a program called Low Orbit Ion Cannon (LOIC) – a tool that Anonymous has encouraged people to download so as to flood a targeted website with enough traffic to knock it senseless.
The target in this particular operation was Kochind.com, a web page of Koch Industries, which wound up going offline for 15 minutes because of the attack.
Koch Industries is an enormous, multinational corporation based in Wichita, Kansas, that has its fingers in all sorts of pies: manufacturing, refining and distribution of petroleum, chemicals, energy, fiber, intermediates and polymers, minerals, fertilizers, pulp and paper, chemical technology equipment, ranching, finance, and commodities trading.
For their part, the billionaire brothers Charles and David Koch – principals in Koch Industries – are the US’s sugar daddies when it comes to certain political causes.
The brothers have dispensed tens of millions of dollars to groups whose mission it is to end reproductive rights, and they were a key funding source for those who attempted to kill collective bargaining rights for public sector unions in Wisconsin in 2011.
It was the union-busting that got Anonymous to fire up the anti-Koch operation.
On 27 February 2011, Anonymous asked its followers to use the LOIC to attack a Koch Industries site, quiltednorthern.com.
The next day, Anonymous asked its followers to attack Kochind.com with the LOIC.
According to IT World, Rosol and the government agreed that the losses directly resulting from the 28 February attack on Kochind.com amounted to less than $5,000.
Koch Industries, however, argued that it had hired a consulting group to protect its websites at a cost of approximately $183,000, and therein lies the price explosion for 15 minutes of downtime.
Rosol could have been facing a maximum penalty of five years in federal prison and a fine up to $250,000 on each of the two original charges: one count of conspiracy to damage a protected computer and one count of damaging a protected computer.
While he’s off the hook for prison time and will instead only be on probation for two years, Rosol’s fine is being added to a growing list of what’s considered by many to be extraordinarily harsh penalties for computer crimes.
The most recent was the conviction of Jeremy Hammond, a US hacker and political activist who was sentenced in November 2013 to 10 years in US Federal Prison for the theft of 60,000 credit card numbers and the personal information of 860,000 customers of Stratfor through the whistle-blowing website Wikileaks.
Some efforts have been made to curb the charges used in such crimes, including Representative Zoe Lofgren’s proposal of the so-called “Aaron’s Law”.
Aaron’s Law was proposed as a means of changing the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute – laws that formed the basis of 13 felony counts of hacking and wire fraud brought against internet activist Aaron Swartz, who apparently took his own life in the midst of federal prosecution.
The Electronic Frontier Foundation, for its part, considers Aaron’s Law to be a good starting point, but it continues to seek a more fundamental overhaul of the CFAA, including clarification of fuzzy language such as “unauthorized” access, as well as penalties that are more proportionate to offenses.
The charges against Swartz carried the possibility of decades in prison and devastating fines, just as Rosol faced the potential of years in prison and now must pay a crippling fine for his brief participation in the DDoS attack.
Rosol’s $183,000 fine amounts to $3,050 per second of the time that he reportedly spent on the attack. Broken down another way, it translates to $12,200 per minute the targeted site was down.
Was the fine excessive? I can imagine that most hackers might find it so.
Or do those who inflict mayhem deserve such stiff penalties? Perhaps many businesses that struggle to fight off attacks including DDoSes might say that cybercriminals deserve fines similar to that which Rosol is facing.
Please share your own thoughts in the comments section below.