On 7/28/16 11:04 AM, Paras Jha wrote:
Nothing is going to happen. Cloudflare will continue to turn a blind eye
towards abusive customers, and even downright allow customers to HTTP scan
from their network without batting an eyelash. The mere act of scanning
isn't illegal, but it shows the kind of mindset that they have.
Let's see:
Vbooter (on their home page) claims:
"#1 FREE WEBBASED SERVER STRESSER"
"Using vBooter you can take down home internet connections, websites and
game servers such us Minecraft, XBOX Live, PSN and many more."
"You don't have to pay anything in order to use this stresser! In
addition there are NO limits if you are a free user."
So they're advertising a free service that explicitly offers DDoS
capabilities.
Now - with the caveat that I'm not a lawyer, and I'm talking from a US
perspective only - as a sometimes hosting provider who pays attention to
our legal liabilities, and who's had one of our boxes compromised and
used to vector a DDoS against a gaming site....
1. DDoS is clearly illegal under multiple statutes - most notably the
Computer Fraud and Abuse Act - see
https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf
- for a Justice Dept. memo on "Prosecuting Computer Crimes." When
coupled with threats, requests for payoffs, etc. - it expands into lots
of other crimes (e.g., extortion). And that's before one starts
attacking Government-owned computer systems.
2. One might infer that, while "stress testing" is a legitimate and
useful service - under specific circumstances, vBooter's tools might
also fall under laws regarding being an accomplice to a criminal act,
aiding & abetting, "burglar's tools," etc., and more generally "creating
a public nuisance."
3. There are also various (mostly state) laws against the sale of
burglar's tools (e.g., sale of a lockpick to someone who's not a
professional locksmith). I expect some of those laws might apply.
4. All of those certainly could be applied to vBooter.org. Whether
Cloudflare is liable for anything would seem to depend on whether
Cloudflare is complicit in the use of vBooter's use for criminal
purposes, or promoting it's use therefore. Hosting would certainly fall
into that category - and while, I have no direct knowledge that
Cloudflare hosts vBooter, they do provide nameservice, and their web
server's IP address is in a network block registered to Cloudflare -
that would seem to establish complicity. Now if Cloudflare were to
actively suggest that folks use vBooter to test systems, as a way to
boost sales for Cloudflare - that would certainly be an interesting test
case for RICO (akin to McAfee encouraging folks to write and release
viruses).
As to whether "Nothing is going to happen" - I expect something WILL
happen, when somebody big, with a good legal department, gets hit by a
really damaging DDoS attack, and starts looking for some deep pockets to
sue. Or, if somebody attacks the wrong Government computer and the FBI,
or DoD, or DHS get ticked off.
It will make for very good theater - at least for anyone not directly in
the cross-hairs.
Miles Fidelman
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra