When the FBI appeared at David Goodyear’s doorstep in August 2016, they started asking him about telescopes. The 42-year-old IT specialist and avid stargazer had frequented an astronomy forum called Cloudy Nights. Now, someone had taken the forum offline with a denial-of-service attack, and the evidence pointed to Goodyear.
Goodyear swore innocence at first, but after increasingly pointed questioning, he confessed. One of his accounts had been banned a couple of weeks ago, he said. In a sudden rage, he’d spammed the site with pornography, then posted its address on a site called HackForums.net, asking for someone to attack it. “I was just, like, what the fuck am I being banned for? I was just pissed,” he told his visitors — one from the Federal Bureau of Investigation and another from the Los Angeles Police Department. “I just went up in, just the heat of the moment.”
His visitors seemed mildly amused by the forum drama, and he chatted with them about his $100,000 telescope collection before they left. But one year later, Goodyear was arrested. In December 2018, he was sentenced to more than two years in prison for violating the Computer Fraud and Abuse Act.
It’s a sentence that even Goodyear’s victims don’t want him to serve. A single forum post was enough to direct a temporarily devastating attack on a small business, while federal computer crime laws meant that same post could now come with life-changing consequences.
Distributed denial of service (or DDoS) attacks are one of the simplest cyberattacks: they flood a site with huge amounts of traffic until it can no longer serve pages to real users. At a large scale, these attacks can be incredibly disruptive. The 2016 Mirai DDoS shut down large sections of the web, hijacking insecure smart devices to create an army of bots. Even at a smaller scale, they can cause real harm — like Goodyear’s request did to the owners of the Cloudy Nights forum.
Cloudy Nights is run by Astronomics, an Oklahoma-based company that sells telescopes and other astronomy gear. Vice president Michael Bieler estimates that the forum has around 115,000 registered users swapping advice, space photos, and opinions about telescopes. Bieler describes Cloudy Night as generally “a nice peaceful edge of the internet” where moderators have handed out fewer than a dozen lifetime bans in over 15 years of operation. Politics are prohibited except on a board for discussing light pollution laws.
On August 13th, someone named HawaiiAPUser posted a screenshot of a failed login attempt, indicating they’d been banned under another name. Below was a string of sexual insults and porn links. “Mods and admins can’t stop me!” the user wrote. “I think I will talk with my contacts and just D0S this site as well as A55stronomics,” an apparent reference to a denial-of-service attack.
The next day, Cloudy Nights and Astronomics’ website started getting overloaded with traffic, making the forums unreliable and keeping Astronomics.com almost completely offline. “We’re just a small family-owned business, and he shut us down essentially for two weeks,” Bieler tells The Verge. “I made zero income. It was almost nonexistent.”
As the attack continued, Bieler called the local police and a lawyer who told him to contact the FBI. “I was like, ‘Well, they’re going to laugh at me when I tell them someone got mad on a forum and has decided to take down my website,’” he says now. But at the time, he was deadly serious. Bieler told the agency that he was afraid his company would go out of business if the attacks continued, and that his father — the company’s founder — had gone to the hospital with cardiac problems from the stress. “It is literally killing him,” he wrote in an email.
Cloudy Nights’ moderators, meanwhile, had a good idea who was behind the attack. Goodyear had been a regular visitor until 2013 when he was banned for — as he put it — “mouthing off” to moderators. (Court documents paint a darker picture, saying he followed up with a threatening message “asking to fight” one of them.) He’d created several more accounts since then, and moderators kept banning them. HawaiiAPUser’s screenshot had a timestamp, so they checked which accounts had been active at that moment and whether other people had logged in from the same IP address. Goodyear’s old accounts came up.
On August 31st, the FBI and LAPD visited Goodyear’s house in El Segundo, California. Goodyear professed bafflement about why they’d come, claiming that he wasn’t behind the post. “I kind of washed my hands of this website,” he said, suggesting that an employee or a hacker might have used his network.
The agents threatened to start filing search warrants. “The FBI knows what they’re doing,” one warned ominously. “We caught Osama bin Laden, right? We can catch someone doing a DDoS.”
The argument apparently convinced Goodyear. “I did post that crap about hitting them. I also put on a hack forum, saying, ‘Hey, can you take down this site?’” he admitted. “I think that maybe it went further than what it should have.” But he insisted that he had no hacking expertise and hadn’t paid anyone for the attack. When asked whether he could make the attacks stop, he said he “didn’t know [the HackForum members] well enough.”
It’s not totally clear how the DDoS campaign did end. According to a September 2016 screenshot of Goodyear’s HackForums.net account, the last time he logged in — at least under his original username — was August 29th. The last successful DDoS attempt was on August 30th, the day before Goodyear spoke to the FBI. The attackers may have stopped voluntarily after that, or they might have been stymied by Astronomics’ new defenses since Bieler had hired a cybersecurity expert to help.
In a press release, the Justice Department emphasized “the importance of deterring sophisticated cybercrimes, which are difficult to trace and therefore particularly important to punish.” But the way Goodyear described his crime was almost ridiculously unsophisticated. In his FBI interview, he said he’d searched Google for ways to get back at Cloudy Night. “I was looking for other ways to see if I could take them out, if I could hack… get a botnet or something.” He found HackForums.net, said “screw it,” and signed up.
Either way, a jury found Goodyear responsible for one count of “intentional damage to a protected computer.” A judge sentenced him to a $2,500 fine, $27,352 in restitution, and 26 months in prison.
Bieler had assumed the case was closed until the FBI arrested Goodyear a year later and summoned Bieler to court. He was shocked when he learned about the length of the sentence. He never wanted Goodyear to be imprisoned at all, let alone for two years. “Honestly, I think it’s extreme, what happened,” he says. “We actually asked in our letter [to the court] that he not get prison time. We just wanted him to stop attacking our website.”
The 34-year-old Computer Fraud and Abuse Act (CFAA), which tech policy expert Tim Wu has called “the worst law in technology,” is controversial for many reasons. One of the most common is its harsh sentencing rules.
Judges base jail sentences on a range defined with the United States Sentencing Guideline rubric, which calculates a number representing a crime’s severity. The CFAA makes that number unusually easy to inflate. Prosecutors can bump up the estimated cost of a hack with loosely related expenses, or lowball it if a defendant cooperates. They can add extra penalties for using “sophisticated means” and “special skills,” even for fairly simple actions like running a script.
“This, to me, is a disproportionately punitive sentence,” says attorney Tor Ekeland of Goodyear’s 26-month term. “Unfortunately, it’s kind of typical.” Ekeland has represented figures like security researcher Justin Shafer and journalist Matthew Keys in cybercrime cases, and he’s one of the CFAA’s most outspoken critics. He says there’s no cut-and-dried legal framework for convicting people of DDoS attacks since the crime is fairly new. But he thinks that prosecutors often bring even clearly weak cases to court, both because they’re relatively easy to argue and because there’s a “sexiness factor” to computer crimes.
The Justice Department has proven particularly adept at DDoS prosecutions under Trump, prosecuting the Mirai botnet’s creators and, more recently, the man behind several attacks on major gaming networks. These don’t always result in long sentences, but as the Justice Department press release suggests, courts punish some individual cybercrimes harshly as a deterrent since only a fraction of offenders are caught.
Online crimes are hard to trace, and that’s a real problem for the people who are fighting online threats, swatting hoaxes, or ransomware operations. And far from overreacting to all internet crimes, law enforcement and courts can ignore or downplay online harassment, for example.
Ekeland thinks that courts treat many “hacker” crimes as unduly threatening, however, compared to non-computer crimes that cause financial damage — or bad behavior by companies. The line about the DDoS attack’s sophistication is particularly “absurd,” he says. “This was not a sophisticated computer crime. And the fact that the court thought that highlights the problem with these types of cases.”
The CFAA is only one facet of the American justice system’s problems, of course. Lots of offenses besides cybercrimes can result in disproportionate sentences. And the problem isn’t just overlong prison terms. It’s the inhumane conditions of American prisons, which affect millions of people who are far less privileged than Goodyear, some of whom haven’t even been convicted of a crime.
Virtually everyone involved in catching Goodyear seemed a little bemused by the whole saga. “How are you guys getting banned from an astronomy site?” wondered the FBI agent who arrived to question him. “Is there a debate on a tenth planet or something?” And in Goodyear’s estimation, all he’d done was log into a forum, ask “Hey, can you guys hack this?” and go back to life as usual. He agreed that what he’d done was wrong, but he seemed surprised to hear that he could get in real trouble for it.
Today, Bieler finds it “insane” that a man would nurse a three-year-long grudge against an astronomy forum so bitterly that he would effectively try to bankrupt a company in revenge. “If people could just step away from their keyboards for five seconds, a lot of this wouldn’t happen,” he says. But as the case reaches its end, he simply feels bad for everyone involved — including Goodyear.
“Look, losing money sucks. Having my business down for a few weeks sucks. Not knowing what’s going to happen because you have no income coming in to pay people’s salaries sucks,” says Bieler. “Losing two years of your life because you did something dumb sucks worse.”