Ryan Russell wrote:

> All I want is for prosecutors, judges, and law enforcement to put some
> intelligent thought into what the damages really were. I still say the
> attacker couldn't have done 1.2B in damages, and that's the "crucifixion"
> dollar amount.

That would be because the attacker(s) did NOT cause $1.2B in damages. According to a press report I read last week (sorry, lost the reference) the total loss of e-business (assuming that transactions that didn't happen due to DDoS are lost instead of delayed) was around $100M. The other $1.1B was "capitalization loss", i.e. blame the total $ value of lowering share prices for the victim .com's on the attackers, ignore any subsequent stock price rebound, and pin that whole $ amount on the attacker(s).

I agree, the above math does not make sense. The stock price loss really IS the victim's fault: it's Wall Street telling them they need to clean up their security act, because they are vulnerable. The $100M in lost transaction costs is arguably the attacker's fault, but there is a lot of doubt about how many of those transactions truly evaporated, vs. how many just came back the next day.

Caveat: I am not a lawyer, I'm not party to any of these activities, and the above is paraphrased from what I read in the newspaper.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
JOBS! http://immunix.org/jobs.html