Even the victim says the sentence was too harsh
They began asking him about telescopes, when the FBI appeared at August 2016 at David Goodyear’s doorstep. The 42-year-old IT specialist and stargazer had uttered an forum called Cloudy Nights. Now, someone had taken the discussion offline with a denial-of-service attack, along with the evidence pointed to Goodyear.
Goodyear swore innocence initially, but afterwards increasingly pointed questioning, he confessed. One of his accounts were banned a couple weeks before, he said. In a sudden rage, he’d spammed the site with porn, then posted its own address on a website called HackForums.net, asking for a person to attack it. “I was only, for example, what the fuck am I being prohibited for? I was just pissed,” he told his customers — from the Federal Bureau of Investigation and yet another in the Los Angeles Police Department. “I just went in, only the heat of the moment.”
His traffic seemed mildly amused by the forum play, and he chatted with them around his $100,000 telescope collection before they abandoned. But Goodyear was arrested. In December 2018he had been sentenced to over two years in prison.
It’s a sentence that Goodyear’s victims don’t want him to serve. A single forum article was enough to lead a temporarily devastating assault while national computer crime laws meant that post could come with consequences that are life-changing.
Distributed denial of service (or DDoS) attacks are one of the easiest cyberattacks: they flood a site with huge amounts of traffic before it can no longer serve pages to real users. At a large scale, such attacks can be disruptive. The 2016 Mirai DDoS closed down segments of the web, hijacking devices that are smart that are insecure to create an army of bots. Even at a scale that is lesser, they could cause harm — like Goodyear’s request did to the proprietors of the Cloudy Nights forum.
Cloudy Nights is run by Astronomics, an Oklahoma-based company that sells telescopes and other astronomy gear. Vice president Michael Bieler estimates that the forum has about 115,000 registered users swapping space photographs, advice, and remarks about telescopes. Bieler describes Cloudy Night as generally”a great peaceful edge of the net” in which moderators have passed out more than a dozen life bans in over 15 years of operation. Politics are illegal except for discussing pollution legislation on a board.
“Mods and admins can’t stop me!”
On August 13th, someone named HawaiiAPUser submitted a screenshot of a failed login attempt, suggesting they had been prohibited under another name. Below was a string of pornography links and sexual insults. “Mods and admins can’t stop me” The user wrote. “I believe I will talk with my contacts and only D0S this site as well as A55stronomics,” an apparent reference to a denial-of-service attack.
The next day, Cloudy Nights and Astronomics’ website started becoming overloaded with traffic, making the forums undependable and maintaining Astronomics.com almost entirely offline. “We are just a tiny family-owned organization, and he shut us down basically for two weeks,” Bieler informs The Verge. “I made zero income. It had been almost nonexistent.”
Since the attack continued, Bieler called the local authorities and a lawyer who advised him to contact the FBI. “I was like,’Well, they’re going to laugh at me when I tell them somebody got angry on a forum and has decided to take down my website,”’ he says now. But at the time, he was serious. Bieler told the agency he was afraid his company would go out of business when the attacks continued, which his dad — the organization’s creator — had gone into the hospital with cardiac issues from the stress. “It’s literally killing him,” he wrote in an email.
Cloudy Nights’ moderators, meanwhile, had a fantastic idea who was behind the assault. Goodyear was a regular visitor until 2013 when he was banned for — as he put it –“mouthing off” to moderators. (Court documents paint a darker image, saying he followed up with a threatening message”requesting to fight” one of them) He’d created several more reports because then, and moderators retained banning them. The screenshot of hawaiiAPUser had a timestamp, so they checked which accounts had been busy at that moment and if people had logged in from the same IP address. The old accounts of goodyear came up.
On August 31st, the FBI and LAPD visited Goodyear’s house in El Segundo, California. Goodyear professed about why they’d come bafflement . “I sort of washed my hands of the site,” he explained, indicating that an employee or a hacker might have used his community.
The agents threatened to start filing search warrants. “The FBI knows exactly what they are doing,” one warned ominously. “We caught Osama bin Laden, right? We can grab someone doing a DDoS.”
The argument reportedly convinced Goodyear. “I did post that crap around hitting them. Additionally, I put on a forum, saying,’Hey, can you just take down this website? ”’ he confessed. “I think that perhaps it went further than that which it ought to have.” However he insisted that he hadn’t paid anyone for the assault and had no experience that was hacking. When asked whether he could make the attacks stop, he said he”did not know [the HackForum members] well enough”
“We captured Osama bin Laden, right? We can grab someone doing a DDoS.”
It’s not completely clear how the DDoS effort did end. According to a September 2016 screenshot of Goodyear’s HackForums.net accounts, the last time he logged in — under his original username — was August 29th. The last successful DDoS attempt was on August 30th, the day prior to Goodyear talked to the FBI. The attackers may have stopped voluntarily after that, or else they might have been stymied by Astronomics’ new defenses since Bieler had hired a cybersecurity expert to help.
In a media release, the Justice Department highlighted”the importance of deterring sophisticated cybercrimes, which are difficult to trace and therefore especially important to penalize.” But the manner Goodyear explained his offense was virtually ridiculously unsophisticated. In his FBI interview, he also stated he had searched Google to be able to reunite in Cloudy Night. “I was looking for different approaches to determine if I could take them out, even if I could hack on… buy a botnet or something.” He discovered HackForums.net, said”screw it,” and signed up.
Either way, a jury found Goodyear responsible for one count of”intentional damage to a protected computer.” He was sentenced by A judge for 26 weeks in prison, $27,352 in restitution, and a $ 2,500 fine.
Bieler had supposed the case was closed until the FBI arrested Goodyear annually later and summoned Bieler to court. When he learned about the amount of the sentence he had been shocked. He never desired Goodyear to be imprisoned for two decades, let alone in any way. “Honestly, I think it’s intense, what happened,” he says. “We really asked in our letter [to the court] that he would get prison time. We just wanted him to stop attacking our site.”
The 34-year-old Computer Fraud and Abuse Act (CFAA), which technician policy expert Tim Wu has called”the worst law in technology,” is controversial for many reasons. One of the most frequent is its sentencing rules that are harsh.
Judges foundation prison sentences on a range characterized together with the United States Sentencing Guideline rubric, which calculates a number representing a crime’s severity. The CFAA makes that number easy to inflate. In case a defendant cooperates prosecutors can bump up the estimated cost of a hack with expenses, or lowball it. They can add more penalties for using”sophisticated means” and”specific skills,” even for fairly simple tasks like running a script.
“This, to me, is a disproportionately punitive sentence,” says lawyer Tor Ekeland of Goodyear’s 26-month term. “Unfortunately, it is sort of typical.” Ekeland has represented characters such as journalist Matthew Keys and security researcher Justin Shafer at cybercrime cases, and he is among the most outspoken critics of the CFAA. He says there’s no legal framework for convicting individuals of DDoS attacks since the offense is new. But he thinks that prosecutors often bring even clearly weak cases to court, both because they are relatively easy to assert and since there’s a”sexiness factor” to computer crimes.
“This was not a sophisticated computer crime”
The Justice Department has shown especially adept at DDoS prosecutions beneath Trump, prosecuting the Mirai botnet’s founders and, more lately, the guy behind many attacks on important gaming networks. These do not always lead to long sentences, as a hindrance because only a portion of offenders are captured, but as the Justice Department press release indicates, courts punish some cybercrimes aggressively.
Online offenses are difficult to trace, which is a real problem for the people that are fighting online dangers, swatting hoaxes, or even ransomware surgeries. And much from overreacting to all internet crimes, courts and law enforcement may ignore or downplay harassment, for example.
Ekeland believes that courts treat many”hacker” offenses as threatening, however, in comparison with non-computer offenses that lead to financial damage — or bad behavior by companies. The point about the DDoS assault’s sophistication is particularly”absurd,” he says. “This was not a sophisticated computer crime. And also the fact that the court thought that highlights the issue with these kinds of cases.”
The CFAA is only one aspect of the American justice system’s problems, naturally. A great deal of offenses besides cybercrimes can result in sentences. And the issue is overlong prison terms. It’s the conditions of prisons, which affect millions of people who are less privileged than Goodyear, a number of whom have been convicted of a crime.
Virtually everybody involved with catching Goodyear seemed somewhat bemused by the entire saga. “How are you guys getting banned by an astronomy website?” Wondered the FBI agent who arrived to question him. “Is there a debate on a planet or something?” And in Goodyear’s estimation, all he’d done was log to some forum, ask”Hey, how can you guys hack this?” And return to life as usual. He seemed surprised to hear he might get in real trouble because of it, although he concurred that what he had done was wrong.
Today, Bieler finds it”insane” a man would nurse a three-year-long grudge against an astronomy forum bitterly that he would efficiently try to bankrupt a company in revenge. “If people could only step away from their keyboards for five seconds, a lot of this would not occur,” he says. But as the case reaches its conclusion, he feels bad for everybody such as Goodyear.
“Look, losing cash sucks. Getting my company down for a few weeks sucks. Not understanding what’s going to happen because you don’t have any income coming in to pay people’s salaries sucks,” states Bieler. “Losing two decades of your life because you did something idiotic sucks worse.
