SoylentNews is people
SoylentNews
Submitted via IRC for SoyCow1984
Courts Hand Down Hard Jail Time for DDoS — Krebs on Security
Seldom do people responsible for launching crippling cyberattacks face justice, but increasingly courts around the world are making examples of the few who do get busted for such crimes. On Friday, a 34-year-old Connecticut man received a whopping 10-year prison sentence for carrying out distributed denial-of-service (DDoS) attacks against a number of hospitals in 2014. Also last week, a 30-year-old in the United Kingdom was sentenced to 32 months in jail for using an army of hacked devices to crash large portions of Liberia’s Internet access in 2016.
Daniel Kaye, an Israel-U.K. dual citizen, admitted attacking an African phone company in 2016, and to inadvertently knocking out Internet access for much of the country in the process. Kaye launched the attack using a botnet powered by Mirai, a malware strain that enslaves hacked Internet of Things (IoT) devices like poorly-secured Internet routers and Web-based cameras for use in large-scale cyberattacks.
According to court testimony, Kaye was hired in 2015 to attack Lonestar, Liberia's top mobile phone and Internet provider. Kaye pocketed $10,000 for the attack, which was alleged to have been paid for by an individual working for Cellcom, Lonestar's competitor in the region. As reported by Israeli news outlet Haaretz, Kaye testified that the attack was ordered by the CEO of Cellcom Liberia.
In February 2017, authorities in the United Kingdom arrested Kaye and extradited him to Germany to face charges of knocking more than 900,000 Germans offline in a Mirai attack in November 2016. Prosecutors withheld Kaye's full name throughout the trial in Germany, but in July 2017 KrebsOnSecurity published findings that named Kaye as the likely culprit. Kaye ultimately received a suspended sentence for the attack in Germany, and was sent back to the U.K. to face charges there.
The July 2017 KrebsOnSecurity investigation also linked Kaye to the development and sale of a sophisticated piece of spyware named GovRAT, which is documented to have been used in numerous cyber espionage campaigns against governments, financial institutions, defense contractors and more than 100 corporations.
The U.K's National Crime Agency called Kaye perhaps the most significant cyber criminal yet caught in Britain. A report on the trial from the BBC says Kaye wept as he was taken away to jail.
(Score: 2) by bob_super on Tuesday February 05 2019, @10:15PM (9 children)
IF you follow proper practices, a DDoS is a temporary, if costly at the time, inconvenience.
I would not equate that to physical intrusion and damage.
It is not worth 10 years in jail. A reasonable sentence, and a significant fine and restitution, are enough to make sure someone will not be tempted by this path, and use their computing skills in a more productive way.
US sentencing is completely out of whack.
(Score: 3, Interesting) by zocalo on Tuesday February 05 2019, @10:44PM (2 children)
They are, but they can also be much more than that depending on what you are using the network for, and that can absolutely cross the line into physical harm. A hospital - as in the US case - might use it for ordering essential medical supplies, people run telemetry over various forms of VPNs across the Internet the data from which might be used for things like river water levels that generate flood warnings to give one IRL example I'm aware of, and so on. Yeah, you can argue that's a bad idea (and it is), but that doesn't mean people don't do it and fail to have adequate contingency plans, even when they know the risks. Kaye managed to bring down a national ISP; depending on their setup if they were sharing routers for private MPLS networks and Internet (again, a bad idea but far from uncommon, especially for smaller players) that has the potential for even greater harm.
Someone launching a DDoS like these examples, as opposed to knocking a rival gamer offline say, has no real way of knowing exactly what unforseen effects they might have, which makes it rather a reckless thing to do, especially given the potential for life safety issues with the targets. "Reckless" is often used in sentencing to justify a harsher sentence for other crimes, and there's no reason why it can't do so here, especially if there's any actual evidence of potential or actual knock-on effects.
UNIX? They're not even circumcised! Savages!
(Score: 4, Insightful) by bob_super on Tuesday February 05 2019, @11:01PM (1 child)
True, but if I bump into something when improperly parking my car, triggering a chain of events where the improperly parked gas truck plows into a crowd, blows up, and kill hundreds... Oh wait, bad example, US prosecutors will also bypass the chain of actual responsibilities and load it all on the trigger, unless he's rich enough to defend himself.
Point remains, that if someone is running (literally) vital stuff on a non-redundant unreliable system like a public internet connection, it shouldn't get dumped on the moron who triggers a DDoS and deserves a nice visit to a place he won't even want to go again, but not 10 years on my taxes.
(Score: -1, Troll) by Anonymous Coward on Wednesday February 06 2019, @03:02AM
" if someone is running (literally) vital stuff on a non-redundant unreliable system like a public internet connection, it shouldn't get dumped on the moron who triggers a DDoS"
-
What utter bullshit.
Only an idiot would accept your "reasoning". What you wrote is similar to blaming a person who didn't have high security door locks for his house being burglarized.
Seriously, you're a dumb shit. Do not breed, the world does not want or need children from idiots like you.
(Score: 2) by RandomFactor on Tuesday February 05 2019, @11:11PM
Significant computing skills and knowledge are not a prerequisite for participating in a DDoS attack. Every schlub that can download LOIC [wikipedia.org] has been participating for years. Many are not even sufficiently versed to hide what they are doing in the most basic manner (my last place of employment prosecuted a number of attackers that didn't know enough to go through seven proxies [knowyourmeme.com] when participating in a DDoS.)
В «Правде» нет известий, в «Известиях» нет правды
(Score: 2) by Runaway1956 on Wednesday February 06 2019, @02:19AM
I haven't read the case, but targeting hospitals makes it worth a decade in prison. Otherwise, I agree with you. The real problem with network security is, no one takes security seriously. Hospital business shouldn't be on the internet, at all - it should be a separate network, inaccessible to those of us outside of healthcare. The results of DDOS'ing a hospital should only mean that patients, visitors, and staff can't get on the internet with their personal devices. Hospital business shouldn't be affected at all.
(Score: -1, Troll) by Anonymous Coward on Wednesday February 06 2019, @03:08AM
"I would not equate that to physical intrusion and damage.
It is not worth 10 years in jail."
-
A DDOS against a HOSPITAL is a serious crime.
Most people are perceptive enough to recognize this is the case.
You ? You're just a stupid waste of skin spewing your idiotic poorly reasoned opinion on the internet.
Crawl back in the hole where you live and shut the fuck up.
(Score: 1, Insightful) by Anonymous Coward on Wednesday February 06 2019, @10:31AM (2 children)
Internet is like roads. Blocking roads is "inconvenient" too.. until the ambulance that is transporting a heart attack patient can't get there in time, a baby dies because house is on fire and you are blocking the fire trucks or an innocent victim is dead because someone high on drugs is on a rampage.
Blocking roads doesn't do much damage either, until you think of all the shit that happens around. DDoS can result in same problems, including inability of emergency staff to communicate. Your idea is as stupid as arguing, "WTF? Can't they use a helicopter to get there? Can't they take out the rampaging guy from orbit?"
That's why people that protest on roads, they don't go out of their way to block access to a fucking hospital! And this guy blocked hospitals. If he was protesting some porn site, you think the judge would give him 10 years too?
Think dude. Think before you speak. Society is more fragile than you think and things like *COST* of doing stuff matters. That's why a DDoS should be treated no different as someone piling up shit across half a city intersections. 10 years for such crap against hospital network??
The guy got off easy.
(Score: 2) by bob_super on Wednesday February 06 2019, @05:38PM
If a hospital gets into a critical life-threatening situation because they lost their main access to the internet, they really need to rethink the way they are doing things.
Internet access is never guaranteed. The US reserves the right to shut it down any time. Many countries have done that many times when protests had to be squelched. ISPs have fucked up configurations, and backhoes have cut fibers, many many times...
Yes, the guy is an asshole. No, he's not responsible for your silly idea that the hospital is lacking a basic contingency plan for an obvious failure point.
Don't be so dramatic.
(Score: 0) by Anonymous Coward on Wednesday February 06 2019, @07:23PM
not society, but scum. bankster scum, medical industry scum, government scum, news media scum. they should just be glad they are not being dragged down the street by hooks.