This story caught my attention a few days ago. In short, Michael W. Stone, a Canton high school senior, put a link to his high school’s website on his own personal webpage. He also placed instructions to try and crash the school’s server by hitting F5 once you got there.
Hitting the ‘F5′ key on a webpage causes the browser to reload the page. It forces the server to resend all the data on that page to the browser. If the webpage is being run on an extremely under-powered server and enough people do this at once, in theory the server could bog down and crash due to not being able to handle the load.
So, guess what? Yup, enough people managed to be hitting F5 on the school’s page simultaniously that the school’s server crashed. No big surprise there….well other than the fact this actually worked. Any modern server would need several thousands of people all hitting F5 repeatedly at the sametime for any chance of this crashing it. Serving webpages is what a webserver is *supposed* to do…and when you hit the F5 key, this is all that happens, your browser requests that the server serve you the page again.
Anyway, so the school server goes down, the school calls in help to figure out why, and the tech traces the traffic back to the kids website. At this point in a sane world, the kid would get suspended or reprimanded and hopefully grounded by his parents. End of story. Well this is not a sane world.
In steps City Prosecutor Frank Forchione. He charges the kid with a felony for commiting a computer crime. The quote of the story: “Michael said it was a joke,” Forchione said. “We showed him how we deal with this kind of joke.”
Huh? Am I missing something? It WAS a joke. It was a STUPID joke, but a joke nonetheless, and this Prosecuter thinks the mature and proper response to this is to charge an 18 year old kid with a felony.
What ‘crime’ was commited? Is it a crime to hit F5 to refresh a browser page? Is it a crime to tell people to visit a particular website? Is it a crime to tell someone to visit a website and then refresh the page? I’d have to say ‘No’ on all three accounts.
What bothers me most is the fact that the server went down in the first place by this method. This leads me to believe it is a vastly underpowered server and the student could have achieved the same thing by simply asking everyone to visit the webpage at a particular time.
So anyway, a few hours later Slashdot picks up the story. Slashdot is an extremely popular community site for ‘nerd’ news, and by popular I mean VERY popular. Slashdot attracks 100,000’s of people per day. In the comments section after the story, several slashdot readers tracked down and posted a link to the high school’s website. This results in the website promply going down again…NOT because people are going there and hitting F5, but rather because of the sheer number of people now visiting the site, that the server can’t handle the load. This is not uncommon when a site is linked to from Slashdot. There is even a term for it: ‘Slashdotting’, or to be ’slashdotted’. Both of which basically means, no one can reach your site because too many people are trying to view it at once. Also, once a story appears on slashdot, it inevitably get’s picked up by other major news sources and sites. This means if your server is underpowered…expect to be down awhile…because the increase in traffic to your site won’t be slowing down anytime soon.
The school’s website is still down today as I write this, a full 6 days after the story broke. I have little doubt this is due to the story now perculating throughout the internet and newly curious people still trying to get to the website.
So, why is this kid being charged with a felony? The only reason I can come up with is that the City prosecuter simply has no clue regarding computer technology.
Is what the kid did wrong? Yes. I could see the argument that he incited (or at least instructed) people to crash a server. But is it a felony level type of crime? Absolutely not. There is NO argument you can make that this should be a felony.
What is the difference between the server going down the first time with people repeatedly hit F5 and the site going down a second time when it was posted on slashdot and people started going there out of curiosity?
The only answer is intent. I not saying what the kid did was OK. But I am saying it’s not a felony. How is what this kid did any different from someone telling everyone in an apartment building to flush their toliets at the same time to see if they can cause the sewer to overflow? It might work in theory, but it shouldn’t work in practice, and if it does, shouldn’t the city be held partially responsible for negligence…for building a sewer system that couldn’t handle flushed toliets?
This is an extremely ineffecient, and frankly stupid method to try and crash a server. In the DDOS (Distributed Denial of Service) attack world, this is most akin to my flushing toliets analogy. It shouldn’t work in 99% of the cases. Most modern servers can handle thousands of hits per second quite easily. Unless this kids website was already hugely popular, the only way this could have worked was that the school’s server was vastly underpowered, or poorly maintained. The fact that their site is still down is further evidence for this.
Finally, I wish the City Prosecuter could be charged in this as well. If he would have took the time to understand how this ‘crime’ actually worked, instead of trying to make a knee-jerk statement about ‘computer crimes’, the school’s website would probably be back up today. Now half-the world is trying to hit the site and who knows when interest will die down enough for the server to be able handle the load.