Slashdot Mirror
PayPal Hands Over 1,000 IP Addresses To the FBI
tekgoblin writes "PayPal was attacked by Anonymous last year when they had blocked the Wikileaks accounts transactions. Now PayPal has finally come up with enough evidence to strike back at Anonymous with the help of the FBI. PayPal has come up with a list of over 1,000 IP Addresses left behind when they were attacked by Anonymous."
If I recall correctly, there was a wave of encouraging sympathetic bystanders to install LOIC. This is unlikely to get the organizers of the protest, just the idealistic or foolish people who essentially just showed up and lent their voice.
I neither like Paypal nor the credit card companies much. But participating willingly in a DDOS attack is a criminal act in my book.
On the other hands, they probably have only the ip addresses of cat's paws. So punishing them hard would not be clever. Setting an example always works both ways....
TFA doesn't have any more info than the summary. PayPal hasn't apparently done any investigation themselves so why couldn't they have handed these over 11 months ago? Did they fear that it would cause a retribution and wanted to harden their systems first? Did they actually hand these over 11 months ago and simply announce it now? Did they just spend a year thinking whether to press charges or not (couldn't they have allowed FBI to start the investigation immediately, even if that was the case?)?
If you want a crime solved, it seems very odd to wait a year before handing the relevant data over to FBI... I refuse to believe that it took them a year to determine what traffic was actually part of the DDoS and what wasn't (it can even contain false positives if it's just the starting point for FBI)!
Actually, no.
There mightve been help from botnets but a large number of people were using LOIC, a gui ddos tool for scriptkiddies which doesn't spoof packets.
It's hilarious to me that it's the main tool for Anonymous members and clearly shows how the majority doesn't really know what they're doing but just following lead.
Actually they probably are real, since this attack was done with LOIC, a "voluntary botnet".
why shouldn't PayPal just leave that up to the FBI to check? After all, they're the ones that are supposed to have the public's interest at heart, not PayPal, the corporation that got attacked here.
Man who leaps off cliff jumps to conclusion.
The FBI might not have direct jurisdiction, but they've certainly got agreements with the major law enforcement agencies around the world, and you can bet that hacking across international lines is a sensational enough crime that they're going to assist the FBI in any way they can. See also the recent cases of "Anonymous members" getting picked up in the UK.
Man who leaps off cliff jumps to conclusion.
Haven't you heard? The US Government has jurisdiction wherever the hell it wants.
Technoli
An answer to this might be the old rule that one should never assume malice where stupidity or ignorance are more likely to be the case. It is quite possible that PayPal doesn't have the resources (i.e. the smarts) to follow the trail themselves, so after some fruitless dithering, they have simply passed the bag on to someone else. Not that the FBI will necessarily process the information any more intelligently, but it isn't PayPal's problem any more.
Doubtful.
1. Most people in a voluntary botnet attack don't know tor.
2. Of those who do, some percentage both know how to use it, and understand why multiple people deciding to do thios would quickly become a DOS of the tor network, and we would hope decide not too. (as someone who keeps a lazy eye on the tor mailing lists, I never saw any threads about how LOIC attacks were bringing it to its knees, nor do I remember noticing it being slower than normal then)
3. I expect the set of people who would participate, know about tor, and would decide to use it for this is a vanishingly small group. (though, probably non-zero)
"I opened my eyes, and everything went dark again"
DDoS over Tor would probably cripple the Tor network. Tor is for anonymizing your connection, but it's not a robust, high-speed link. It would slow the attack on the target, and more effectively DDoS Tor than anything.
I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
I'm willing to bet that the vast majority of those 1000 IPs belong to underaged kids, not the masterminds behind the attacks or even older individuals with the sense to cover their tracks. Should we look forward to the arrests of hundreds of 13-year-olds? Well, I guess the backlash will be fun to watch...
Well that's awfully well timed to coincide with the bill to retain IP addresses for 18 months.
The problem with this theory is that it's no different, conceptually, from a civil protest of any other sort. The net effect is the same as, say, a venue's ticket sales website going down because too many people are trying to buy the tickets that "just went on sale" for some crazy-popular act (say, if Gaga or *shudder* Bieber were starting a new tour).
If anything, call it a virtual sit-in. Remember the "Virtual Marches on Washington" a few years back, where people were encouraged to slam emails at their congressmen and tie up the congressional phone banks? SAME THING.
Voluntary people. Doing voluntary things as a form of protest. 1000 people, in an organized sit-in, could easily shut down business in 10 consumer banks. Those same 1000 people, "virtually", were part of an organized "virtual sit-in" that caused trouble for Paypal because Paypal had done something worth protesting.
Civil protests are protected free speech under the 1st Amendment to US Constitution.
Denial Of Service attacks are not protected speech and are a violation of Federal law.
What next, are you going to suggest that you can have people fire guns up into the air and call that a a civil protest?
Correct me if I'm wrong, but I do believe that sit-ins and pickets cannot legally prevent or impede normal operations of the business - you cannot block customers or employees.
Picket lines and sit-ins are meant to educate people about an issue; make them think twice about it, make them realize there may be more to something that hadn't considered before. Attempt to dissuade people from working or doing business with the company or institution you don't like.
DDoS is nothing like that. It directly impedes business, it directly impedes customers. It has no message, other than an error when a customer tries to load the page; there's no persuasion there. They might read about it later - might - but then, the DDoSers no longer control the message - most people are going to read about it from a news outlet. They'll probably see it as some "hackers" preventing them from getting on with their lives. Frustrating people and not letting them handle their affairs is not a good way to get them on your side.
DDoS isn't a sit-in, isn't a protest. It's sabotage. It's revenge. It's sneaking into UPS at night and letting the air out of all the tires of all the trucks. No permanent physical damage done, but disrupts business, delays packages.
I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
FYI it's open source... http://sourceforge.net/projects/loic/
Free speech = picketing in front of a business. Totally protected.
DoS attacks = blocking a business' entrance and preventing customers from entering. Not protected and very definitely illegal.
Correct me if I'm wrong, but I do believe that sit-ins and pickets cannot legally prevent or impede normal operations of the business - you cannot block customers or employees.
Picket lines and sit-ins are meant to educate people about an issue; make them think twice about it, make them realize there may be more to something that hadn't considered before. Attempt to dissuade people from working or doing business with the company or institution you don't like.
DDoS is nothing like that. It directly impedes business, it directly impedes customers. It has no message, other than an error when a customer tries to load the page; there's no persuasion there. They might read about it later - might - but then, the DDoSers no longer control the message - most people are going to read about it from a news outlet. They'll probably see it as some "hackers" preventing them from getting on with their lives. Frustrating people and not letting them handle their affairs is not a good way to get them on your side.
DDoS isn't a sit-in, isn't a protest. It's sabotage. It's revenge. It's sneaking into UPS at night and letting the air out of all the tires of all the trucks. No permanent physical damage done, but disrupts business, delays packages.
I am not sure, on the sit-ins and pickets. I would not think a sit-in can disrupt operations, since it's on private property, and it's not like they're discriminating against you based on your race or gender. A picket line might be different--if someone touches you to move you out of the way, that's a tort and a crime. But it may also be a tort and/or crime for you to physically bar their entry. (And disobeying a lawfully given police order is also a crime usually, but I'm not sure how the first amendment interacts with that in orders to disperse, etc...)
A DDoS is not sabotage--sabotage implied some kind of surreptitious damage to a machine, to equipment, etc... and a DDoS attack damages the bottom line, but not equipment. The UPS metaphor is close, although again, you're not sneaking in--you come in through the front door, the way everyone else does, you just behave differently. It's kind of like a flash-mob that doesn't steal anything, but is filling the store and and nobody else can get in.
The only real difference--and it is a big one--is that for a DDoS, there is no real way to tell someone to leave.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
In fact in the EU I think the ISPs are required to keep that information for two years, under the Data Retention Directive.
Dilbert RSS feed
By that logic, citizens who protested against Gitmo were "providing material support" to the supposed terrorists held there.
This is where the law has become completely goddamn stupid. A protest is a protest. If it becomes violent, and that means PHYSICALLY VIOLENT, then it's a problem. Shy of that, it's just a protest and protected under the Constitutional right to peaceably assemble.
Temporarily taking a website offline sucks for the affected company. So does a protest that blocks the street in front of a store being protested, or even the neighboring stores in the strip mall. But unless there is permanent damage done (the equivalent of someone not just peacefully protesting, but actively spray-painting graffiti as one conceptual example) then it's just a protest and shouldn't be considered criminal.
Correct me if I'm wrong, but I do believe that sit-ins and pickets cannot legally prevent or impede normal operations of the business - you cannot block customers or employees.
Depends on your location. Any such laws are local, not federal, in nature and probably won't stand up to constitutional scrutiny, especially since such laws were uniformly used to harass civil rights protesters in the 1950s and 1960s.
Picket lines and sit-ins are meant to educate people about an issue; make them think twice about it, make them realize there may be more to something that hadn't considered before. Attempt to dissuade people from working or doing business with the company or institution you don't like.
No, the purpose of any such protest is to disrupt the business conditions of the business/person you are protesting. As you said yourself: "Attempt to dissuade people from working or doing business with." If they physically can't get to the store because there are too many people present already, that's that.
Lunch counter sit-ins, for example, filled the restaurant with people that the racist restaurant owners refused to serve, leaving no seats for the "desired customers."
DDoS is nothing like that. It directly impedes business, it directly impedes customers. ... DDoS isn't a sit-in, isn't a protest. It's sabotage. It's revenge.
Given that your entire premise has just been proven false, the rest of your rant is meaningless. There were a lot of angry Southerner KKK members who were angry about the fact that a group of protesters were "directly impeding customers" at the lunch counter sit-ins, too. A lot of people who were "frustrated" and not "let handle their affairs" in other sit-ins throughout the years, including recently when the Republicans were raping the public sector and protesters staged sit-ins at several state capitals.
No permanent physical damage done, but disrupts business...
That's the exact purpose of a peaceful protest. To not do permanent physical damage, but cause enough disruption that your demands are acceded to.
Temporarily taking a website offline sucks for the affected company. So does a protest that blocks the street in front of a store being protested, or even the neighboring stores in the strip mall. But unless there is permanent damage done (the equivalent of someone not just peacefully protesting, but actively spray-painting graffiti as one conceptual example) then it's just a protest and shouldn't be considered criminal.
It's a question of scale, though. One of the reasons sitting on the street in front of a store is a legal way of protesting is that you only have your own one body to work with. You can protest, but you can't single-handedly block access completely unless others (who're making their own decisions) work together with you.
In denial-of-service terms, this would be more akin to repeatedly hitting F5 in your browser to reload the page. If you do that by hand, you should be golden: it's pretty much the same as sitting on the street in front of a store.
Using an automated tool to use your entire available bandwidth (which may be significant these days) to bring down a website is more akin to building a wall or another sort of barrier in front of a store. If you try that in real life, you will soon find that despite not being physically violent, it is not actually a valid and/or legal way of protesting.
If the CiC structure allows anonymous to control the machine, then voluntarily installing their botnet means one is providing them with resources, not merely protesting. (Or at least, that is the argument.)
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
I'd say a DDOS is much more analogous to the sit-in than a picket outside, as the disruption happens within the target's property, i.e. their computers. Even if it happens at their ISP's routers, that's still private property that they are effectively leasing the right to use, which they are being prevented from doing.
That said, the obvious extrapolation should be made: a sit-in is not a criminal offence, it is trespass. Therefore a DDOS should be relegated to the status of trespass-to-chattels. Which would mean you cannot be imprisoned for taking part in one, but you could be held liable for losses incurred by the target because of it (trespass gives rise to a chose in tort, if I understand such matters correctly, which as I am not a lawyer I may not...).
No, it's the difference between blocking 5 stores and blocking corporate HQ.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
http://en.wikipedia.org/wiki/Trespass_to_chattels
Sometimes you think you know the law. And then you find out, you didn't really know that much about the law. That's why lawyers exist.
They wouldn't have to scrounge like this if they would implement IPV6.
-Dave
They already have one set of suspects from a single IP address :
These were the IP addresses that sent the largest number of packets. Packets coming from Anonymous contained strings like "wikileaks," "goof," and "goodnight". The affidavit was offered in support of a search warrant for the home of an Arlington, Texas couple and their son. They have not been charged yet, but the house was the source of 3,678 packets in about two-and-a-half hours.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
So does a protest that blocks the street in front of a store being protested, or even the neighboring stores in the strip mall.
You can't legally block access to a store or a street with a protest. You have to let people through.
That's not really true. One person using their maximum bandwidth is unable to take down a web site, you cannot single-handedly block access completely unless others (who're making their own decisions) work together with you. In fact I think you've actually successfully proven yourself wrong.
Phillip.
Property for sale in Nice, France
Google won't let you create an Adwords ad with a trademarked term in it without the permission of the trademark holder. That tanks #2 in one easy step, unfortunately.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".