Miles is right.  Their thinly veiled "stress tester" thing is not going to be 
much of a defense.  They must not have very good legal counsel.  Here is the 
issue.  Stress testing is perfectly legal as long as I am:

        a) Stress testing my own stuff
        b) Stress testing your stuff WITH YOUR CONSENT

Selling a product or service that is unsafe can lead to serious civil 
consequences.  For example, I sell you roach killer and don't warn you that it 
will also kill every other living thing in your home, I am going to get sued 
and lose badly.

Let's say I am running a demolition company that offers to knock down any house 
for a price.  Don't you think I have a responsibility to verify that you own 
the house you just asked me to knock down?   (by the way, this has happened in 
the real world -wrong address on paperwork- and the demolition company was held 
liable) Obviously I have that responsibility and obviously the same rules would 
apply to any service that can potentially damage someone's property.

Steven Naslund
Chicago IL

>Let's see:
>
>Vbooter (on their home page) claims:
>"#1 FREE WEBBASED SERVER STRESSER"
>"Using vBooter you can take down home internet connections, websites and game 
>servers such us Minecraft, XBOX Live, PSN and many more."
>"You don't have to pay anything in order to use this stresser! In addition 
>there are NO limits if you are a free user."

>So they're advertising a free service that explicitly offers DDoS capabilities.

>Now - with the caveat that I'm not a lawyer, and I'm talking from a US 
>perspective only - as a sometimes hosting provider who pays attention to our 
>legal liabilities, and who's had one of our boxes compromised and used to 
>vector a DDoS against a gaming site....

>1.  DDoS is clearly illegal under multiple statutes - most notably the 
>Computer Fraud and Abuse Act - see 
>https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf
>- for a Justice Dept. memo on "Prosecuting Computer Crimes."  When coupled 
>with threats, requests for payoffs, etc. - it expands into lots of other 
>crimes (e.g., extortion).  And that's before one starts attacking 
>Government-owned computer systems.
>
>2. One might infer that, while "stress testing" is a legitimate and useful 
>service - under specific circumstances, vBooter's tools might also fall under 
>laws regarding being an accomplice to a criminal act, aiding & abetting, 
>"burglar's tools," etc., and more generally "creating a public nuisance."
>
>3. There are also various (mostly state) laws against the sale of burglar's 
>tools (e.g., sale of a lockpick to someone who's not a professional 
>locksmith).  I expect some of those laws might apply.
>
>4. All of those certainly could be applied to vBooter.org.  Whether Cloudflare 
>is liable for anything would seem to depend on whether Cloudflare is complicit 
>in the use of vBooter's use for criminal purposes, or promoting its use 
>therefore.  Hosting would certainly fall into that category - and while, I 
>have no direct knowledge that Cloudflare hosts vBooter, they do provide 
>nameservice, and their web server's IP address is in a network block 
>registered to Cloudflare - that would seem to establish complicity.  Now if 
>Cloudflare were to actively suggest that folks use vBooter to test systems, as 
>a way to boost sales for Cloudflare - that would certainly be an interesting 
>test case for RICO (akin to McAfee encouraging folks to write and release 
>viruses).
>
>As to whether "Nothing is going to happen" - I expect something WILL happen, 
>when somebody big, with a good legal department, gets hit by a really damaging 
>DDoS attack, and starts looking for some deep pockets to sue.  Or, if 
>somebody attacks the wrong Government computer and the FBI, or DoD, or DHS get 
>ticked off.
>
>It will make for very good theater - at least for anyone not directly in the 
>cross-hairs.
>
>Miles Fidelman
