Although there was obviously malicious intent here I think it's amazing that typing one line into a terminal can result in (potentially) 5 years in prison.
I don't know, it is a pretty vicious act to knock someone's business offline. Worse than car theft. DOS could be disrupting thousands of lives and commerce or research, depending on the site. Five years seems about right if the intent is malicious.
How many queries per second could you do that with just a personal machine (i.e. not a cloud machine with huge bandwidth limits), before your ISP shut you off?
Whoa .. there is a big story in here somewhere, which appears to have gone way over the head of the LA Times hack who wrote this regurgitated press release.
He was arrested on criminal charges for running a simple benchmarking program? By the company he was formerly the CEO of?
This is patently ridiculous, and can only be a case of YouSendIt having some major grievances with him about something else, or some other kind of ulterior motive. It seems only reasonable that he was running apache benchmark for curiosity, not with any serious malicious intent, and is now being held on some trumped up charges concocted by people out to get him.
If anyone knows of an article that actually explains the relationship between YouSendIt and their former CEO, please link to it.
The former chief executive of the YouSendIt,
a website where users can post files too large
to send over email, has admitted to launching an
online attack against the company he once ran.
According to FBI investigators, from about December 2008 to June 2009, Shaikh sent an ApacheBench program to YouSendIt's servers, which measured the number of requests per second the site was capable of handling. Sending the program multiple times in essence amounted to a distributed denial of service attack, or DDoS attack.
No "curious" person would run apache bench on a website they formerly cofounded for 7 months.
The article and the FBI statement are a little unclear, but I don't think that's what they mean.
"Beginning in or about December 2008 and continuing through June 2009, Mr. Shaikh sent an ApacheBench computer code to YouSendIt’s servers. ApacheBench is a benchmarking program used for measuring the performance of computers known as web servers. ApacheBench was designed to determine the number of requests per second a server is capable of serving. By intentionally transmitting the ApacheBench program to YouSendIt’s servers, Mr. Shaikh was able to overwhelm the servers’ capabilities and render it unable to handle legitimate network traffic."
I have to think when they say "sent... to" they mean he directed the AB to make requests from YouSendIt's server, not that he posted it to the service. Otherwise the rest of the statement - "able to overwhelm the servers’ capabilities and render it unable to handle legitimate network traffic" - doesn't make any sense, unless someone can explain how simply transmitting the benchmark executable via the service somehow caused that.
(As someone else pointed out, he could have used AB to /post/ AB to the servers... but I don't see anything in these articles to necessarily support that... and it would seem like the payload is less interesting than the transmission method.)
"This is patently ridiculous" ... how? The guy plead guilty to what was essentially a DOS (corrected from DDOS) attack intended to interfere with the company's ability to do business. Was it a really simple attack? Yes. But I'm not sure that's relevant. It's kind of like being caught trying to burn someone's house down and then claiming you were just testing to see if it was flammable.
Minor nit - unless he was using an EC2 cluster or something, this would be a regular old-fashioned DOS, not a DDOS. It's something of a condemnation of YouSendIt's software and NOC that they weren't able to mitigate a huge number of connections from a single IP. Leveraging a botnet against someone is worlds apart from running a high-concurrency ab test.
You're right... I was kind of assuming that it would take more than a single computer running AB to do this to any service of this size, but there's nothing in the article to support that.
How do you know that he intended to interfere with the company's ability to do business? Sure, that's what the FBI said (channeled, presumably, from YouSendIt), but he could have just been running apache benchmark as a simple test to see how the server would respond.
In fact, the allegation doesn't really make sense, because as the former CTO, if he had really wanted to interfere with the company's ability to do business, you'd think he could have found much better ways to do so. Logging in and deleting the company's data, turning employees/investors against them, or writing negative articles about them would have had a far greater consequence on their business than running an apache benchmark program.
To be clear, I'm not claiming to know what happened; I'm just saying that this press release is a deeply one-sided view of the story, and that the situation smells funny.
Well, at this point, that's what he himself has said, since it was a guilty plea. Presumably he had to admit not just his actions but his intent / malice.
While he might have taken a plea to avoid a more serious charge, last time I checked you still have to be guilty of whatever lesser crime you're pleading to, as well. You're not allowed to make up a lesser crime in the name of bargaining down.
No. The payload was the binary ab.exe (ApacheBench), sent over and over again using the YouSendIt service, which sends files from person A to person B instead of using email.
Well that is certainly an interpretation that would make sense, so thanks.
I reread the FBI's statement, and I'm not convinced that what you suggest is what they actually mean, however. Does yousendit actually work that way? Can I send someone an arbitrary executable referenced from an email and it actually runs?
I agree with comments here that this is one of those 'these facts don't sound like the story in which they are presented' Given the timeline of his relationship with YouSendIt its possible he had a grudge against them, just speculation though.
It's pretty pathetic that a file transfer site can be harmed by a single user running ab. I really hope there is more to this. I run ab all the time on my own stuff, I didn't know I could go to prison for something as simple as testing the performance of a site I used to run.
The fact that he got caught suggests he didn't bother to cover his tracks which is fairly easy to do. So how do you not realize that throwing a brick through your old employers front window isn't a crime?
36 comments
[ 3.1 ms ] story [ 72.8 ms ] threadWonder whatever happened to that ordeal
He was arrested on criminal charges for running a simple benchmarking program? By the company he was formerly the CEO of?
This is patently ridiculous, and can only be a case of YouSendIt having some major grievances with him about something else, or some other kind of ulterior motive. It seems only reasonable that he was running apache benchmark for curiosity, not with any serious malicious intent, and is now being held on some trumped up charges concocted by people out to get him.
If anyone knows of an article that actually explains the relationship between YouSendIt and their former CEO, please link to it.
No "curious" person would run apache bench on a website they formerly cofounded for 7 months.
"Beginning in or about December 2008 and continuing through June 2009, Mr. Shaikh sent an ApacheBench computer code to YouSendIt’s servers. ApacheBench is a benchmarking program used for measuring the performance of computers known as web servers. ApacheBench was designed to determine the number of requests per second a server is capable of serving. By intentionally transmitting the ApacheBench program to YouSendIt’s servers, Mr. Shaikh was able to overwhelm the servers’ capabilities and render it unable to handle legitimate network traffic."
I have to think when they say "sent... to" they mean he directed the AB to make requests from YouSendIt's server, not that he posted it to the service. Otherwise the rest of the statement - "able to overwhelm the servers’ capabilities and render it unable to handle legitimate network traffic" - doesn't make any sense, unless someone can explain how simply transmitting the benchmark executable via the service somehow caused that.
(As someone else pointed out, he could have used AB to /post/ AB to the servers... but I don't see anything in these articles to necessarily support that... and it would seem like the payload is less interesting than the transmission method.)
In fact, the allegation doesn't really make sense, because as the former CTO, if he had really wanted to interfere with the company's ability to do business, you'd think he could have found much better ways to do so. Logging in and deleting the company's data, turning employees/investors against them, or writing negative articles about them would have had a far greater consequence on their business than running an apache benchmark program.
To be clear, I'm not claiming to know what happened; I'm just saying that this press release is a deeply one-sided view of the story, and that the situation smells funny.
He may have been taking a plea bargain out of fear of much worse?
This statement makes it clear how unfamiliar the FBI is with technology.
I reread the FBI's statement, and I'm not convinced that what you suggest is what they actually mean, however. Does yousendit actually work that way? Can I send someone an arbitrary executable referenced from an email and it actually runs?
What he did was something like this...
Using ab.exe to POST the binary ab.exe over and over using the service (yousendit) which send file1 from user1 to user2.I agree with comments here that this is one of those 'these facts don't sound like the story in which they are presented' Given the timeline of his relationship with YouSendIt its possible he had a grudge against them, just speculation though.