It’s a scene reminiscent of a thousand police dramas: the FBI arrived at the door of 20-year-old journalism student Mercedes Haefer, guns drawn, at 6am one morning last July.

She was still in her pyjamas, getting ready for work.

Haefer is one of 14 individuals who last week pleaded not-guilty in San Jose for waging cyber attacks against e-commerce giant PayPal.

The warrant for Haefer stated federal officers were looking for anything associated with hacking, infiltrating or Distributed Denial of Service (DDoS) attacks.

Oh, and they were looking for a Guy Fawkes mask – evidence that would link Mercedes with the hacker group Anonymous (who have claimed such masks as their own) and, specifically, Operation Payback.

Payback

Operation Payback saw DDoS attacks on a number of companies, in particular Paypal. Anonymous claimed the attacks were retribution for decisions by executives at these companies to withdraw payment facilities from Wikileaks.

The FBI knew Haefer was associated with Anonymous because of her involvement on the group’s IRC channels, where she was known as “NO”.

But she denied having taken part directly in any of the DDoS attacks on PayPal.

Haefer was indicted along with 13 others on two charges of causing damage against PayPal’s computers. They carry a maximum penalty of 15 years in jail and a fine of $500,000. Two other people were charged separately.

Haefer is enrolled in a journalism and media pre-major course at the University of Nevada and Las Vegas.

Commenting on the charges against Haefer, the director of the Hank Greenspun School of Journalism and Media, Professor Daniel Stout said, “We don’t condone unethical behavior that results in the harm of the audience.”

He also said that if Haefer had continued her studies she would have taken courses that ultimately produce journalists with a strong sense of ethics (Haefer is still enrolled at UNLV and Professor Stout has since moderated his comments).

Despite a superficial understanding of what a DDoS attack comprises (and despite the fact Haefer had not been tried when he made his statement), he was ready to brand both the act and Haefer as criminal and unethical.

In an examination of the ethics of DDoS attacks Gabriella Coleman, a socio-cultural anthropologist at New York University, makes a distinction between criminal acts such as hacking and non-violent political acts such as sit-ins.

In doing so, she raises the possibility of regarding DDoS as the digital equivalent of an occupation.

That said, in the case of a sit-in, the aim may include being arrested to draw more attention to a cause – and it’s not clear that any of the alleged members of Anonymous were anticipating being arrested.

The indictment used for the so-called Anonymous 16 includes the charge of intentional damage to a computer.

DDoS

A DDoS works by sending repeated requests to a website very quickly, exhausting resources and blocking access to regular users.

In the grand scheme of hacks, DDoS is a nuisance but not a major threat to a company, unlike, say, losing the details of user accounts and passwords.

This was a view shared by Deputy Assistant FBI Director Steven Chabinski.

“There has not been a large-scale trend toward using hacking to actually destroy websites, [but] that could be appealing to both criminals or terrorists,” Chabinsky told radio station NPR in July.

“That’s where the ‘hacktivism,’ even if currently viewed by some as a nuisance, shows the potential to be destabilizing.”

Ethics

Leaving aside considerations as to whether DDoS attacks are themselves ethical, the charge that the Anons lack a sense of ethics, as suggested by Professor Stout and others, seems even less certain.

If anything, it’s the Anons’ sense of righting the wrongs of corporations and governments that underpins most of their activities.

Haefer said she became interested in the activities of Anonymous in part because of a sense of injustice at the inappropriate punishment for a woman accused of distributing 24 songs.

She was referring to the US$2 million fine imposed on Jammie Thomas-Rasset for sharing music, a fine which was later reduced to a US$54,000.

Haefer’s case can be contrasted by that of a 16-year-old woman from France who claimed the hack of San Fransisco’s Bay Area Rapid Transport Police Officers Association last month.

The young hacker had released the personal details of 100 officers. Going by the handle “Lamaline_5mg”, she claimed this was her first hack, and that she had little experience and had picked up enough information to hack the site in less than four hours.

Whereas Haefer claimed no previous technical knowledge, Lamaline was technically savvy enough to use techniques to cover her tracks, making her protestations of technical naivety slightly suspect.

Interestingly, Lamaline had not associated herself with Anonymous – in fact, some people on an Anonymous chat room condemned the attack as irresponsible.

Kicking an open door

One confounding factor in the actions of Anons is the relatively low barrier to entry for participation.

A simple search online will provide links to downloadable software to enable the participation in a DDoS.

Software such as the LOIC is simple to use and requires no technical expertise. There are readily accessible videos that demonstrate their use.

Anyone can go on to the Anonymous IRC channel and listen in. You can follow the activities of Anonymous and others on Twitter.

Accompanying this ease of access is the separation of actions and consequence – a separation encapsulated by using DDoS software.

Unsophisticated users would potentially struggle to understand how traceable their actions are.

The fact the FBI had little trouble in rounding up the 14 suspects being tried together in the DDoS attacks is more a testament to the ease of tracing individuals than a reflection of the technical abilities of the FBI.

Their single unifying feature of those arrested in connection with Operation Payback is their young age, given most of those charged are in their twenties.

The reaction against Anonymous from the general public, lawmakers and security specialists comes across almost as a generational conflict.

This is epitomised by Haefer having to leave her father’s home because he supposedly viewed his daughter (in Haefer’s words) as “a terrorist”.

And Haefer? She still believes in the positive things Anonymous is doing and is looking forward to making that known, without a mask, at her day in court.