by Charles Nesson, Anita Ramasastry

Last updated: June 22, 2002



"Cyber Crime" is not a rigorously defined concept. For our purposes, consider it to embrace criminal acts that can be accomplished while sitting at the computer keyboard. Such acts include gaining unauthorized access to computer files, disrupting the operation of remote computers with viruses, worms, logic bombs, Trojan horses and denial of service attacks; distributing and creating child pornography via the internet, stealing another's identity; selling contraband and stalking victims. Cyber crime is cheap to commit (if one has the know-how to do it), hard to detect (if one knows how to erase one's tracks) and often hard to locate in jurisdictional terms, given the geographical indeterminacy of the net.

Our purpose in considering the subject of cyber crime is not to catalog it exhaustively, but rather to raise and consider questions of particular interest that are presented by cyber methodologies if committing crimes, the most interesting questions arise at the points where criminal opportunities presented by the new technologies stretch the bounds of our criminal law.


As background for the case study and discussion problems, please read the following:

1. The text of United States Code Title 18 Section 1030 (Fraud and Related Activity in Connection with Computers)

2. United States Department of Justice, Field Guidance on New Authorities That Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001 (Read especially the guidance on Section 814 of the USA Patriot Act which amends U.S. Code Title 18 Section 1030)

3. Part III of The Electronic Frontier Foundation's Analysis Of The Provisions Of The USA PATRIOT Act That Relate To Online Activities (Oct 31, 2001)

Cyber Protest and Denial of Service Attacks

On February 2000, news reports indicated that that Yahoo, Cable News Network, eBay,, E*Trade, and, (among other sites) experienced distributed denial of service ("DDOS") attacks. The challenges to apprehending the suspects proved substantial. In many cases, the attackers used "spoofed" IP addresses, so that the address that appeared on the target's log was not the true address of the system that sent the messages.

The FBI was able to identify a 16-year old Canadian teenager, known as "Mafiaboy" as a suspect by reviewing Internet chat room logs that showed Mafiaboy asking others what sites he should take down - before the sites were attacked. For example, there was discussion of a possible denial of service attack on CNN before CNN's site was taken down. Mafiaboy was arrested in April 2000.

In January of 2001, Mafiaboy pleaded guilty to 56 counts of "mischief to data" in relation to the DDOS attacks from February 2000. He was charged with "a DDOS attack that brought down,, eBay, Dell Computer and others between February 8 and 14, 2000. The teenager eventually received a sentence of eight months in detention followed by a year of probation for his actions. The judge also required him to donate $250 to charity. Mafiaboy allegedly caused more than US $1.5 billion in damage in connection with the various DDOS attacks.

In the United States, a hacker who engaged in a DDOS attack would be prosecuted under the federal Computer Fraud and abuse Act (CFAA).

Also in January 2001, an Alaskan resident, Scott Dennis, a former systems administrator for the United States District Court in Alaska was sentenced for interfering with a government-owned communications system. Dennis was charged with launching three DDOS attacks against the U.S. District Court for the Eastern District of New York. The prosecution contended that Dennis had bombarded the Eastern District's server with email messages to prove that it was vulnerable to outside attack. He was sentenced to 6 months incarceration - three months in prison and three months home confinement followed by one year of supervised release. Dennis was also required to perform 240 hours of community service and to allow his computer activities to be monitored. Dennis also paid $5,300 in restitution to the New York federal court system and Internet Alaska.

Within the past several years, distributed denial of service (DDOS) attacks have generated a tremendous amount of concern from governments as well as the private sector. During the fall of 1999, there was a great deal of publicity concerning a new set of computer tools known as "Trinoo," "Tribal Flood Net" and "Stacheldraht" (German for "barbed wire").

How are these "tools" utilized? Hackers gain unauthorized access to a computer system(s) and place software code on it that renders that system a "master". The hackers also intrude into other networks and place malicious code, which converts those systems into agents (also known as "slaves"). Each master can control multiple agents. Network owners typically are unaware that these tools have been placed and reside on their systems.

The masters are activated either remotely or by internal programming (such as a command to begin an attack at a prescribed time) and are used to send information to the agents, activating a DDOS attack. The agents then generate numerous requests to connect with various targeted websites. The agents will typically leave a fictitious or "spoofed" IP (Internet Protocol) address, thus providing a falsified identity as to the source of the request.

In laypersons terms, the agents request the same web page continuously and the volume of traffic is so high as to make the requested website inaccessible. Due to the volume of requests the targeted website's computer becomes overwhelmed in its efforts to acknowledge and complete a transaction with the sending computers. The targeted server must deny service to legitimate website visitors -- hence the term "Denial of Service" For example, in the February 2000 attacks, if you wanted to order a book from Amazon, you might not have been able to access the Amazon site. These attacks are especially damaging when they are coordinated from multiple sites - hence the term Distributed Denial of Service.

An analogy would be if someone launched an automated program to have thousands of phone calls placed to the switchboard simultaneously. Many incoming callers would receive busy signals due to the high volume of telephone traffic.

The United States government has become worried that international groups are using DDOS tools as a form of political protest. The United States National Infrastructure Protection Center ("NIPC"), has issued bulletins alerting government entities and the general public to the threat posed by politically motivated DDOS attacks. Such attacks are described as politically motivated because the sites that are attacked are in some way linked to the issues that the group is protesting.

A report issued by the NIPC in November 2001 reported:

Beginning on September 11, patriot hackers and hacking groups on Internet Relay Chat (IRC) and newsgroups called for attacks on Pakistani and Afghani web sites. They promoted active retaliation for the terrorist attacks on the World Trade Center and Pentagon. A web site dealing with Afghan dogs was reportedly the first victim of pro-U.S. cyber protesters. On September 12, the official web site of the Government of Pakistan was defaced. Other web sites defaced were those belonging to the Afghan News Network, Afghan Politics,, and

Spam (unwanted mass e-mails) was also used to encourage hackers to join together in attacking web sites of Islamic fundamentalism and those supporting terrorism. Recipients were encouraged to further disseminate the message to persuade others to join the fight in any way they could, be it by active hacking or in a support role such as information gathering. Denial-of-service (DoS) attacks were also used by hackers. E-mail bombing is a popular form of a DoS attack. Massive amounts of e-mail or web traffic are directed against a specific site, overloading it and causing it to crash. On September 12, the official web site of the Presidential Palace of Afghanistan was affected by a DoS attack that rendered it inaccessible. Usenet newsgroups dealing with Islam have also experienced DoS attacks. The newsgroup soc.religion.islam was e-mail bombed by hackers and subsequently crashed.

The call to hackers to join forces has been successful. A group calling itself the Dispatchers has taken up the task of striking out against Palestinian and Afghani web sites. Lead by a hacker named The Rev, who has defaced several sites since February, the group vowed to target those responsible for the September 11 terrorist attacks. Their first known defacement, committed on September 16, was the Iranian Ministry of the Interior. They stated their intentions to continue defacing and crashing sites in retaliation of the terrorist attacks and they have successfully done so, although they have not been heard from since late September.

Client-Side Distributed Denial of Service: A Variant on DDOS

In addition to DDOS attacks, another form of denial of service requires that several thousand persons participate directly in the action in order to create a so-called "cyber" protest or "virtual" protest. Unlike DDOS attacks, client -side distributed denial of service (CDOS) or client-side actions, requires many users to log onto their computers at the same time, and to launch a program on their PCs that would direct their browsers to request the same website over and over again. CDOS actions are the equivalent of protests in cyberspace. Various NGOs and grass roots groups have engaged in CDOS as a means of protesting everything from genetically modified food to Starbucks to globalization and world trade.

Such client-side actions are done for limited periods of time, and are done with much publicity (i.e. unlike DDOS attacks which are done covertly, these are done in an open and transparent manner). Often, the goal is not to shut a site down completely but to slow down the site, making it harder (but not impossible to access).

CDOS attacks emerged in 1998, when the pro-Zapatista group Electronic Disturbance Theater unveiled FloodNet software that targeted sites of the Mexican government, the U.S. Department of Defense, and the Frankfurt Stock Exchange, and succeeded in crashing the site of former Mexican president Ernesto Zedillo. Where once law enforcement had to track down only the dedicated servers hurling outsized packets of data, now they have to contend with thousands of people working with toys on their home computers.

Yet the work of organizations engaged in CDOS is viewed by some as far less malevolent than the DDOS attacks that hackers launched against major corporate sites. CDOS actions rely on the mass participation of individuals -not automated technology controlled by one or at most a handful of individuals.

In the fall of 1999, during the Seattle Ministerial of the World Trade Organization ("WTO"), virtual protestors engaged in a CDOS protest against the WTO. Similarly, in the fall of 2000, while 12,000 activists flooded the streets of Prague during the annual meeting of the International Monetary Fund and World Bank, thousands of other protesters waged war online.

Orchestrated by a group of French cyber activists called the Federation of Random Action ("FRA") the virtual sit-in used a DDOS tool that anyone could download in the comfort of their own homes. The plan of the virtual protest was to target the websites of the IMF and the World Bank with repeated requests for information, overloading their server.

Unlike Mafiaboy who hijacked computers and automated them to crash the sites of and eBay in February, the FRA announced the action up-front and created a program that required mass participation to be effective.

FRA claimed the action caused some sporadic slowdown on the sites of the World Bank and the IMF. FRA estimated that perhaps 5000 people got involved-far fewer than the 452,000 who reportedly bombarded the WTO's site in December 1999 during a virtual sit-in organized by a U.K. group, the Electrohippies.

The Electrohippies have described their action as follows:

What the Electrohippies did for the WTO action was a client-side distributed DOS action. The electrohippies method of operation is also truly distributed since instead of a few servers, there [were] tens of thousands of individual computer users involved in the action. The requests sent to the target servers are generated by ordinary Internet users using their own desktop computer and (usually) a slow dial-up link. That means client-side distributed actions require the efforts of real people, taking part in their thousands simultaneously, to make the action effective. If there are not enough people supporting then the action it [sic.] doesn't work. The fact that service on the WTO's servers was interrupted on the 30th of November and the 1st of December, and significantly slowed on the 2nd and 3rd of December, demonstrated that there was significant popular support for the electrohippies action.

So, the difference between the two actions is one of popular legitimacy versus individual will.

Excerpt from The electrohippies collective occasional paper no.1 Client-side Distributed Denial-of-Service: Valid campaign tactic or terrorist act? (February 2000)

Case Study and Discussion Problem: Client Side Denial of Service

The e-boy collective

The eboy collective is an international group of male artists and activists who are united to create art to promote world peace. In 1999, the eboy collective registered for the domain name The collective is headquartered in Amsterdam., is a large clothing chain based in New York that sells clothing to male teenagers over the Internet. The eboy collective is several years older than, which was incorporated in 2001.

In November 2001, E-boys attempted to buy the domain from the collective for $700,000. eboy turned down the offer.

On November 29, 2001, obtained a court injunction preventing eboy from operating a website at, which had been registered before E-boys even existed. To obtain the injunction, E-boys told the judge that was confusing to its customers and that the site contained lewd and pornographic images. The judge ordered the collective to close down their website or face paying $10,000 per day in damages. The eboy collective went into exile at an undisclosed numeric address.

Many organizations saw E-boy's actions as a threat to independent publishers and small businesses on the Internet. In an effort to mobilize support for the eboy collective, another activist group, the Internet Beatniks, decided to stage a virtual protest against They sent out emails to members and supporters asking them to participate in a virtual sit-in against E-boys. I-Beatniks, which is in no way associated with eboy, aims to publicize what it sees as the widespread corporate abuse of democratic institutions. To this end it solicits and distributes funding for "sabotage projects." Their E-boys virtual sit-in consisted of asking visitors to the I-Beatnik site to program their web browsers to repeatedly go to the E-boys site, potentially slowing its functions during the busy holiday shopping season. Visitors had to visit the I-Beatniks website and download automated software designed to access the target E-boys site every few seconds and to send an email message to

The announcement on the I-Beatniks website read:

Blockade the website

Take part in a virtual protest against corporate globalization and domination. Support art and world peace. Support the eboy collective. On December 15, 2001, visit the I-Beatnik website, download a software program that will allow your browser to repeatedly visit the website.

This initiative is designed to provide a lasting warning to e-commerce corporations against behaving unethically on the Web. The outcome of this case has enormous implications for free speech on the Internet and could set a precedent determining whether the Internet will be governed by the brute force of multinational corporations or by individuals and democratic processes.

The virtual sit-in began on December 15, 2001. The "sit-in" had little effect on the first day, but, on the second day, massively overloaded E-boys's server by filling its customer database with emails and unnecessary customer requests. At times, customers in both the US and Europe were unable to reach Online ordering was slowed down or blocked. It is estimated that more than 50,000 people participated in the virtual sit in.

E-boys stock, which had previously been rising, plummeted over 50%. Having lost a day's worth of orders during its vital holiday selling season, E-boys found itself with extra inventory on hand and had to extend its deadline for by-Christmas delivery until Saturday of the pre-Christmas week, the second slowest day on the web.

In January, E-boys effectively surrendered, announcing to the press that it was "moving away" from its lawsuit against eboy in response to public outcry. E-boys dropped its case against eboy "without prejudice" and formally agreed to pay eboy's court costs and other expenses incurred as a result of the lawsuit.

Discussion Questions

1. What, if any, legal consequences do the I-Beatniks actions have? Can they be prosecuted for their actions? Can they be sued civilly?

2. How do the amendments to the Computer Fraud and Abuse Act contained in the USA PATRIOT ACT affect the legality of the I-Beatniks actions?