EVERYTHING about Booters (and CloudFlare)

Naslund, Steve SNaslund at medline.com
Thu Jul 28 16:12:25 UTC 2016


Miles is right.  Their thinly veiled "stress tester" thing is not going to be much of a defense.  They must not have very good legal counsel.  Here is the issue.  Stress testing is perfectly legal as long as I am:

	a) Stress testing my own stuff
	b) Stress testing your stuff WITH YOUR CONSENT

Selling a product or service that is unsafe can lead to serious civil consequences.  For example, I sell you roach killer and don't warn you that it will also kill every other living thing in your home, I am going to get sued and lose badly.

Let's say I am running a demolition company that offers to knock down any house for a price.  Don't you think I have a responsibility to verify that you own the house you just asked me to knock down?   (by the way, this has happened in the real world -wrong address on paperwork- and the demolition company was held liable) Obviously I have that responsibility and obviously the same rules would apply to any service that can potentially damage someone's property.

Steven Naslund
Chicago IL

>Let's see:
>
>Vbooter (on their home page) claims:
>"#1 FREE WEBBASED SERVER STRESSER"
>"Using vBooter you can take down home internet connections, websites and game servers such us Minecraft, XBOX Live, PSN and many more."
>"You don't have to pay anything in order to use this stresser! In addition there are NO limits if you are a free user."

>So they're advertising a free service that explicitly offers DDoS capabilities.

>Now - with the caveat that I'm not a lawyer, and I'm talking from a US perspective only - as a sometimes hosting provider who pays attention to our legal liabilities, and who's had one of our boxes compromised and used to vector a DDoS against a gaming site....

>1.  DDoS is clearly illegal under multiple statutes - most notably the Computer Fraud and Abuse Act - see https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf
>- for a Justice Dept. memo on "Prosecuting Computer Crimes."  When coupled with threats, requests for payoffs, etc. - it expands into lots of other crimes (e.g., extortion).  And that's before one starts attacking Government-owned computer systems.
>
>2. One might infer that, while "stress testing" is a legitimate and useful service - under specific circumstances, vBooter's tools might also fall under laws regarding being an accomplice to a criminal act, aiding & abetting, "burglar's tools," etc., and more generally "creating a public nuisance."
>
>3. There are also various (mostly state) laws against the sale of burglar's tools (e.g., sale of a lockpick to someone who's not a professional locksmith).  I expect some of those laws might apply.
>
>4. All of those certainly could be applied to vBooter.org.  Whether Cloudflare is liable for anything would seem to depend on whether Cloudflare is complicit in the use of vBooter's use for criminal purposes, or promoting its use therefore.  Hosting would certainly fall into that category - and while, I have no direct knowledge that Cloudflare hosts vBooter, they do provide nameservice, and their web server's IP address is in a network block registered to Cloudflare - that would seem to establish complicity.  Now if Cloudflare were to actively suggest that folks use vBooter to test systems, as a way to boost sales for Cloudflare - that would certainly be an interesting test case for RICO (akin to McAfee encouraging folks to write and release viruses).
>
>As to whether "Nothing is going to happen" - I expect something WILL happen, when somebody big, with a good legal department, gets hit by a really damaging DDoS attack, and starts looking for some deep pockets to sue.  Or, if somebody attacks the wrong Government computer and the FBI, or DoD, or DHS get ticked off.
>
>It will make for very good theater - at least for anyone not directly in the cross-hairs.
>
>Miles Fidelman


