Over the Memorial Day weekend, Revision3 was brought down by MediaDefender due to an open BitTorrent tracker, that according to MD, was seeding illegal copyrighted content.
Now here’s the rub. MD usually just seeds the target trackers with corrupted files and collects data on whom could be downloading the copyrighted property. But R3 claims to have found an open security hole in their tracker (used to distribute their legitimate content) and closed it over that weekend. From there on, MD servers took drastic measures and sent over 8,000 SYN packets a second trying to reach the tracker instead of just shutting down. MD obviously defends their actions, while R3 speaks against it.
Question is, were any laws broken?
While I’m no attorney, any sort of DoS attack is a violation of IAB proper use policy. On top of that, this there’s a question of whether or not any computer crime laws were broken. On a federal level, it seems pretty gray area since most of it deals with actual damages of copyright or intrusion based on commerce and fraud. What is interesting to note however is California actually has code specifically for computer crimes.
While much of it seem to apply such as civil damages and such, here’s the one thing that I found rather fascinating. In Section 1 of Stats.1987, c. 1499, under 8c:
(c) Any person who maliciously accesses, alters, deletes, damages, destroys or disrupts the operation of any computer system, computer network, computer program, or data is guilty of a public offense.
The reason why this is interesting is because from the interview, MD was saying that their actions were legit due to the fact that there was copyrighted materials. But even law enforcement have specific procedures that they have to follow and can’t go guns a-blazing and MD doesn’t constitute as law enforcement. On top of that, DoS attacks clog the networks that route them, meaning that an attack launched as such would not only effect R3 itself but would create a major load on the Tier 1 routers pushing the traffic and any routers down the stream. For most DDoS attackers, this isn’t an issue due to the fact that they’re knowingly committing a crime. But for MD? Having servers set up in this fashion couldn’t be good by any means. Either way, one thing is extremely clear. There definitely was a disruption of a computer network.
There’s a lot more to go over in the California State Penal Code, but overall being that both corporations are in California state, I personally think that MD would be fighting an uphill battle with the comments already made and having read some of the attorney speak. It’s obviously based on my interpretations of the code (which doesn’t mean squat in a court of law, but it is my opinion nonetheless). I’ll leave the whole federal law thing to the FBI who’s sorting out the matter in itself. I would be curious to know if the copyrighted materials found within the R3 tracker was indeed an exploit, or if an employee or what not was involved in those materials. It still doesn’t legitimize MD’s attack, but it would put R3 in deeper water than it is currently.
If MD should change their tune and say that it was a misconfiguration or what not and take back what the CEO said to Wired, then I would be curious how that works out since then it becomes pretty gray area of who’s at fault. That’s one for judge or jury and not I or anyone else.
Should be interesting to see what outcome is from this event. Word to the wise. It’s not always prudent to fight fire with fire. Especially if your “fire” could be the not-so-ethical kind.