A 23 year-old Belleview, Ohio man has been convicted and sentenced to 30 months in prison for carrying out several DDoS attacks on several prominent conservative political figures and infecting their systems with botnets.
Mitchell L. Frost, a former University of Akron student, pleaded guilty to causing damage to a protected computer system and possessing 15 or more unauthorized access devices. He also admitted to carrying out cyber-attacks in 2006 and 2007 on web servers which hosted the websites for Rudy Giuliani, Bill O’Reilly, Ann Coulter, and the University of Akron.
Frost not only took down servers for hours at a time with the DDoS attacks, but also used botnets to harvest personal data including user names, passwords, credit card numbers, and CVV security codes. In just one of the incidents, Frost rendered his university’s servers inaccessible for over eight hours and attempts to bring services back online allegedly cost the school over $10,000.
In addition to serving over two years in prison, Frost was also ordered to pay $10,000 in restitution to the University of Akron and $40,000 to Bill O’Reilly’s website. After serving his sentence, Frost will be subject to 3 years of supervised release.
This is an interesting case because it illustrates the kind of penalties that participants in the Operation Payback DDoS attacks could face if they are caught and convicted. Over a two month period, members of Anonymous carried out 24 attacks that resulted in hundreds of hours of downtime for target sites, including the MPAA, RIAA, and the US Copyright Office.
There is quite a debate going on over at TechDirt.com regarding the fairness of the penalties in Frost’s case. I haven’t quite made up my mind on this one yet. The fine seems fair in regards to the destruction caused at the university, but I don’t understand the payout to Bill O’Reilly and the length of the prison sentence. It does seem excessive. What’s your take?