36 comments

[ 3.1 ms ] story [ 72.8 ms ] thread
tl;dr "web attack" = ApacheBench
Isn't he the same guy who was barred from the iOS store for creating crappy apps that were essentially just webpages packaged as applications?

Wonder whatever happened to that ordeal

(comment deleted)

    $ ab -c 500 -n 1000000 http://example.com/some/resource/intensive/url
Amazing how many sites this kind of "attack" would take down. Most sites don't have any throttling in place to stop it.
Although there was obviously malicious intent here I think it's amazing that typing one line into a terminal can result in (potentially) 5 years in prison.
Just because something is simple or easy doesn't make it any more or less ethical to do.
Pulling a trigger is pretty easy too.
Yeah, but the difference between killing someone and making a website go down is pretty huge. 5 years for a DOS is insane
I don't know, it is a pretty vicious act to knock someone's business offline. Worse than car theft. DOS could be disrupting thousands of lives and commerce or research, depending on the site. Five years seems about right if the intent is malicious.
You could also say not setting up the right infrastructure to stop such an attack is malicious of the owners of the site.
How many queries per second could you do that with just a personal machine (i.e. not a cloud machine with huge bandwidth limits), before your ISP shut you off?
Whoa .. there is a big story in here somewhere, which appears to have gone way over the head of the LA Times hack who wrote this regurgitated press release.

He was arrested on criminal charges for running a simple benchmarking program? By the company he was formerly the CEO of?

This is patently ridiculous, and can only be a case of YouSendIt having some major grievances with him about something else, or some other kind of ulterior motive. It seems only reasonable that he was running apache benchmark for curiosity, not with any serious malicious intent, and is now being held on some trumped up charges concocted by people out to get him.

If anyone knows of an article that actually explains the relationship between YouSendIt and their former CEO, please link to it.

Umm, did you actually read the article?

  The former chief executive of the YouSendIt, 
  a website where users can post files too large 
  to send over email, has admitted to launching an 
  online attack against the company he once ran.
According to FBI investigators, from about December 2008 to June 2009, Shaikh sent an ApacheBench program to YouSendIt's servers, which measured the number of requests per second the site was capable of handling. Sending the program multiple times in essence amounted to a distributed denial of service attack, or DDoS attack.

No "curious" person would run apache bench on a website they formerly cofounded for 7 months.

No. He POSTed the binary ab.exe to the website/service over and over ... using ab itself to do the POST.
The article and the FBI statement are a little unclear, but I don't think that's what they mean.

"Beginning in or about December 2008 and continuing through June 2009, Mr. Shaikh sent an ApacheBench computer code to YouSendIt’s servers. ApacheBench is a benchmarking program used for measuring the performance of computers known as web servers. ApacheBench was designed to determine the number of requests per second a server is capable of serving. By intentionally transmitting the ApacheBench program to YouSendIt’s servers, Mr. Shaikh was able to overwhelm the servers’ capabilities and render it unable to handle legitimate network traffic."

I have to think when they say "sent... to" they mean he directed the AB to make requests from YouSendIt's server, not that he posted it to the service. Otherwise the rest of the statement - "able to overwhelm the servers’ capabilities and render it unable to handle legitimate network traffic" - doesn't make any sense, unless someone can explain how simply transmitting the benchmark executable via the service somehow caused that.

(As someone else pointed out, he could have used AB to /post/ AB to the servers... but I don't see anything in these articles to necessarily support that... and it would seem like the payload is less interesting than the transmission method.)

"This is patently ridiculous" ... how? The guy plead guilty to what was essentially a DOS (corrected from DDOS) attack intended to interfere with the company's ability to do business. Was it a really simple attack? Yes. But I'm not sure that's relevant. It's kind of like being caught trying to burn someone's house down and then claiming you were just testing to see if it was flammable.
Minor nit - unless he was using an EC2 cluster or something, this would be a regular old-fashioned DOS, not a DDOS. It's something of a condemnation of YouSendIt's software and NOC that they weren't able to mitigate a huge number of connections from a single IP. Leveraging a botnet against someone is worlds apart from running a high-concurrency ab test.
You're right... I was kind of assuming that it would take more than a single computer running AB to do this to any service of this size, but there's nothing in the article to support that.
How do you know that he intended to interfere with the company's ability to do business? Sure, that's what the FBI said (channeled, presumably, from YouSendIt), but he could have just been running apache benchmark as a simple test to see how the server would respond.

In fact, the allegation doesn't really make sense, because as the former CTO, if he had really wanted to interfere with the company's ability to do business, you'd think he could have found much better ways to do so. Logging in and deleting the company's data, turning employees/investors against them, or writing negative articles about them would have had a far greater consequence on their business than running an apache benchmark program.

To be clear, I'm not claiming to know what happened; I'm just saying that this press release is a deeply one-sided view of the story, and that the situation smells funny.

Well, at this point, that's what he himself has said, since it was a guilty plea. Presumably he had to admit not just his actions but his intent / malice.
While I tend to agree with you that he likely did something malicious, a guilty plea in this day and age doesn't really tell you that.

He may have been taking a plea bargain out of fear of much worse?

The problem with pleading guilty, is that then everyone thinks that you're guilty.
While he might have taken a plea to avoid a more serious charge, last time I checked you still have to be guilty of whatever lesser crime you're pleading to, as well. You're not allowed to make up a lesser crime in the name of bargaining down.
>> "By intentionally transmitting the ApacheBench program to YouSendIt's server..." the FBI said in a statement.

This statement makes it clear how unfamiliar the FBI is with technology.

No. The payload was the binary ab.exe (ApacheBench), sent over and over again using the YouSendIt service, which sends files from person A to person B instead of using email.
Well that is certainly an interpretation that would make sense, so thanks.

I reread the FBI's statement, and I'm not convinced that what you suggest is what they actually mean, however. Does yousendit actually work that way? Can I send someone an arbitrary executable referenced from an email and it actually runs?

What would be the point of this? Why send ab?
It would certainly send a statement. "You really should be using ab for load testing. Here, have a million copies of it."
Is there another story you're getting this from?
So the FBI runs YouSendIt. Don't upload your warez there folks.
Maybe they swindled him out of his vested options too.
For those that are getting confused.

What he did was something like this...

    C:\Apache\bin\ab.exe -c 500 -n 5000000 -p ab.exe http://yousendit.com/send-it
Using ab.exe to POST the binary ab.exe over and over using the service (yousendit) which send file1 from user1 to user2.
Are you getting this from somewhere other than the OP and linked FBI statement? Just wondering if someone else has written about this case...
More about Khalid : http://blekko.com/ws/Khalid+Shaikh+/techblogs

I agree with comments here that this is one of those 'these facts don't sound like the story in which they are presented' Given the timeline of his relationship with YouSendIt its possible he had a grudge against them, just speculation though.

It's pretty pathetic that a file transfer site can be harmed by a single user running ab. I really hope there is more to this. I run ab all the time on my own stuff, I didn't know I could go to prison for something as simple as testing the performance of a site I used to run.
The fact that he got caught suggests he didn't bother to cover his tracks which is fairly easy to do. So how do you not realize that throwing a brick through your old employers front window isn't a crime?