On Dec 9, 2010, at 4:37 AM, Paul Thornton wrote:
On 08/12/2010 20:42, Jack Bates wrote:
Of course, it's debatable if use of LOIC is enough to convict. You'd have to first prove the person installed it themselves, and then you'd have to prove that they knew it would be used for illegal purposes.
Earlier this morning there were two people interviewed on the BBC radio 4 Today program (this is considered the BBC's flagship morning news/current affairs show on their serious nationwide talk radio station) about this - one was a security consultant and another was a member of/spokesman for the 'operation payback' group. One wonders why the Met Police didn't have someone waiting to have a quiet chat with the latter when he left the studio.
Both of them said that people had been voluntarily downloading and installing botnet clients on their PCs in order to take part in these DDoS attacks. Ignoring, for a moment, the stupidity of such action it is hard to see how you'd be able to argue that this was *not* going to be used for illegal purposes.
The other amusing part of the interview was when the security consultant started off very well explaining a DDoS in layman's terms, but then veered off using the terms HTTP, UDP and IP in one sentence causing the presenter to intervene as it "was getting a tad too technical there".
There is an interesting analysis in today's New York Times http://www.nytimes.com/2010/12/09/technology/09net.html?_r=1 about the attacks on Mastercard, Visa and Ebay, how they were coordinated over Twitter and Facebook, and the free speech issues that that raises for the latter two organizations. My guess is that we will shortly see security folks searching through Facebook and twitter along with IRC for signs of attack coordination. It does seem like these social attacks would lend themselves to obfuscation and steganography (i.e., you don't have to say "let's bombard Ebay with packets using X", you can say "Let's send Elisa lots of poetry using X," or something more clever), so I don't think it will remain as easy as in this case. By the way, I was amused that a Twitter spokesman boasted that "The company is not overly concerned about hackers’ attacking Twitter’s site, he said, explaining that it faces security issues all the time and has technology to deal with the situation." I hope he had his fingers crossed when he said that, as Twitter can barely keep the service functioning on a good day, with frequent outages. Regards Marshall
Paul.