Anonymous have published a letter to the UK Government condemning the recent arrest of 5 teenagers in relation to the DDoS attacks against Mastercard, Visa and Paypal. The letter is well worth reading if you have a moment.
The arrests have occurred as a result of the Anonymous collective using the Low Orbit Ion Cannon (LOIC) tool. Whilst very effective, it makes no attempt to hide the originating IP address, so Mastercard's server logs will contain the IP address of more or less everyone who participated in that DDoS (apart from those who joined after the server was knocked offline).
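The point above, seen from the defender's side, as an added example that is not part of the original post: when every participant connects directly, a short pass over the access log is enough to list the flooding sources. The log format (Apache-style common log), the window and threshold values, and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: Apache-style common log, "ip - - [timestamp] ...".
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (source_ip, timestamp) for one log line, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return m.group(1), datetime.strptime(m.group(2), TS_FORMAT)
    except ValueError:
        return None

def flood_sources(lines, window_s=10, threshold=20):
    """Peak requests per source in any window_s-second span, if >= threshold.

    Expects lines in time order, as a server writes them."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed sample: two flooding sources and one ordinary visitor,
    using RFC 5737 documentation addresses (not data from any real incident)."""
    start = datetime.strptime("01/Jan/2011:12:00:00 +0000", TS_FORMAT)
    per_second = {"203.0.113.10": 5, "203.0.113.11": 3}
    events = [(start + timedelta(seconds=s), ip)
              for s in range(12) for ip, n in per_second.items() for _ in range(n)]
    events += [(start + timedelta(seconds=s), "198.51.100.5") for s in (0, 4, 8)]
    events.sort()
    return [f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET / HTTP/1.1" 200 512'
            for ts, ip in events]

if __name__ == "__main__":
    for ip, n in sorted(flood_sources(sample_log()).items()):
        print(f"{ip}: peak {n} requests in 10 s")
```

Only requests the server actually logged appear in the result, which matches the caveat above about sources that joined after the server had stopped responding.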
Although some have expressed malcontent at the arrests, DDoS is illegal in the UK. Is anyone really surprised that arrests have been made? If you break the law then you can fully expect that you may have your collar felt at some point.
In their letter, Anonymous compare the DDoS to a 'real world' protest such as blocking a street (through a march or similar) and state that whether the protest is in the real or cyber world is irrelevant to them. The problem is, it's not irrelevant to the law. As Anonymous themselves admit, the Computer Misuse Act considers it an offence to impair the operation of a computer (without authority). A DDoS is designed to do exactly this, either by absorbing all available bandwidth or by forcing the server to commit all its resources to serving the requests it is receiving.
Bang to rights, wouldn't you say?
Anonymous then go on to clarify the difference between DDoS and Hacking. Whilst I agree with this, the media will continue to confuse the two just as they always have.
Is DDoS right?
Reading between the lines, Anonymous seem to be suggesting that DDoS shouldn't be a crime. The problem is there's quite a range of scenarios where DDoS can be used for 'evil' rather than protest. Is it possible that the law could be changed to allow 'protest' whilst still barring the 'evil' uses? Possibly. The only thing that's certain is that's not a debate that the LOIC will be any use in.
DDoS didn't change the stance of any of those targeted. About the only 'success' was when a certain member of ACS:Law decided to play down the effect on their website. Even then, the release of e-mails that followed was down to internal stupidity rather than a result of the DDoS.
So, even if the law could be changed to allow DDoS, what's the point? It doesn't change anything, and never will. Especially whilst you can only target non-essential services such as a corporate blog.
In their letter, Anonymous play down the harm done to a website by DDoS. Whilst (most) DDoS attacks don't do direct harm, smaller businesses can and do crumble as a result of the lost business. DDoS is therefore a very powerful weapon to wield, and it won't always be aimed at the larger corporations. So a minor offence? Not really. That said, I do agree with Anonymous' comments on sentencing. The maximum available sentence means that these teenagers could (potentially) serve longer sentences than someone who's committed a really serious wrong (rape for example).
What I don't agree with is the complaining about these punishments after committing the act. Only the densest of participants could have been unaware that what they were doing was illegal, and a quick search on Google would soon tell them the potential consequences. Yes, we need to look at the severity of the punishments, but you can't complain if you committed the acts knowing the repercussions.
In their closing paragraph Anonymous note that thousands participated in the attacks. Given the population of the UK alone, this isn't nearly as impressive as they seem to think it is. Those who participated took a stupid risk as soon as they ran the LOIC, and now some are paying the price.
Alternative forms of protest
There's often comparison of DDoS with other types of 'real world' protest, especially by Anonymous supporters. The problem is that DDoS doesn't really line up to any of those.
So what other forms of protest are available (and legal)?
- Boycott - Only works in an idealistic world. You'll never get enough customers to refuse to do business with a company on nothing more than principle.
- Physical Protest - About the only real option. Has its own complications and isn't always effective. Can also turn violent and/or attract trouble makers.
The advantage that DDoS has is that it's low risk: the user can set it going and go to bed. Sensible attackers would also hide their identities, but through use of the LOIC this doesn't seem to have happened. Ironic, really, that the attack tool used by Anonymous is the thing that ensured participants could be found!
I also find the ages of those arrested conform with my expectations of the typical Anonymous 'hacktivist': a teenager who thinks s/he knows everything and will happily participate in this kind of thing just for a laugh. Indeed, I wouldn't be surprised to learn that the older members of the collective had the foresight to hide their IP before running the LOIC (how hard is it to connect to a VPN or Tor?).