Re: EVERYTHING about Booters (and CloudFlare)

[Miles Fidelman <mfidelman () meetinghouse net>]

On 7/28/16 11:04 AM, Paras Jha wrote:

> Nothing is going to happen. Cloudflare will continue to turn a blind eye
> towards abusive customers, and even downright allow customers to HTTP scan
> from their network without batting an eyelash. The mere act of scanning
> isn't illegal, but it shows the kind of mindset that they have.

Let's see:

Vbooter (on their home page) claims:
"#1 FREE WEBBASED SERVER STRESSER"
"Using vBooter you can take down home internet connections, websites and 
game servers such us Minecraft, XBOX Live, PSN and many more."
"You don't have to pay anything in order to use this stresser! In 
addition there are NO limits if you are a free user."

So they're advertising a free service that explicitly offers DDoS 
capabilities.

Now - with the caveat that I'm not a lawyer, and I'm talking from a US 
perspective only - as a sometimes hosting provider who pays attention to 
our legal liabilities, and who's had one of our boxes compromised and 
used to vector a DDoS against a gaming site....

1.  DDoS is clearly illegal under multiple statutes - most notably the 
Computer Fraud and Abuse Act - see
https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf 
- for a Justice Dept. memo on "Prosecuting Computer Crimes."  When 
coupled with threats, requests for payoffs, etc. - it expands into lots 
of other crimes (e.g., extortion).  And that's before one starts 
attacking Government-owned computer systems.

2. One might infer that, while "stress testing" is a legitimate and 
useful service - under specific circumstances, vBooter's tools might 
also fall under laws regarding being an accomplice to a criminal act, 
aiding & abetting, "burglar's tools," etc., and more generally "creating 
a public nuisance."

3. There are also various (mostly state) laws against the sale of 
burglar's tools (e.g., sale of a lockpick to someone who's not a 
professional locksmith).  I expect some of those laws might apply.

4. All of those certainly could be applied to vBooter.org.  Whether 
Cloudflare is liable for anything would seem to depend on whether 
Cloudflare is complicit in the use of vBooter's use for criminal 
purposes, or promoting it's use therefore.  Hosting would certainly fall 
into that category - and while, I have no direct knowledge that 
Cloudflare hosts vBooter, they do provide nameservice, and their web 
server's IP address is in a network block registered to Cloudflare - 
that would seem to establish complicity.  Now if Cloudflare were to 
actively suggest that folks use vBooter to test systems, as a way to 
boost sales for Cloudflare - that would certainly be an interesting test 
case for RICO (akin to McAfee encouraging folks to write and release 
viruses).

As to whether "Nothing is going to happen" - I expect something WILL 
happen, when somebody big, with a good legal department, gets hit by a 
really damaging DDoS attack, and starts looking for some deep pockets to 
sue.  Or, if somebody attacks the wrong Government computer and the FBI, 
or DoD, or DHS get ticked off.

It will make for very good theater - at least for anyone not directly in 
the cross-hairs.

Miles Fidelman


--
In theory, there is no difference between theory and practice.
In practice, there is.  .... Yogi Berra