FloodNet Artwork by Electronic Disturbance Theater member Carmin Karasic (Credit: Carmin Karasic)

FBI FOIA Response Sheds New Light on Infamous Hacktivist Pentagon Incident

Cian Heasley
29 min readOct 27, 2020

Before Anonymous and the Low Orbit Ion Cannon, in the earlier days of the internet, of hacktivism as a concept and DDoS as a protest tactic, the Electronic Disturbance Theater stood out from a small cast of players. In this article we’re going to take a look at the prehistory and formation of the Electronic Disturbance Theater, events surrounding their most famous online protest actions, and previously unseen contemporaneous documents from the FBI detailing their side of this story.

This piece will chronicle not just the history of the Electronic Disturbance Theater and their SWARM (‘Stop the War in Mexico’) ‘FloodNet’ DDoS protest but also the history of the strand of 90’s hacktivism to which EDT belong to as well as change our understanding of what was at the time described as “appropriate countermeasures” by the Pentagon. This incident in 1998 was long thought to be the first ever digital counterattack or “hack back” of its kind against civilians by the US military, helping set a historical precedent back in the nineties.

Since before the word “hacktivist” even existed there has long been an intensely fiery debate in the hacker community surrounding what constitutes unacceptable harm to a computer system or network, what guiding ethical principles should govern hacking activities. Hacktivism, which we can define very broadly as methodologies for hacking or creating technology to achieve political or social goals, is one of the most public examples of how this internal discourse within the hacker subculture manifests and begs the question does political expediency change the ethical calculus of justifiable damage?

Distributed denial of service (with the acronym “DDoS”) is the act of overwhelming, with incoming data from multiple sources, a specific computer system or network to prevent the performance of their usual functions, essentially denying access to the services that computer or network usually provides users.

Denial of service in general is controversial in the hacking scene, some see it as indefensible for the collateral damage or inconvenience it can cause, others see preventing a website functioning, even temporarily, as tantamount to censorship. On the other side proponents of DDoS as a hacktivist tactic compare it to a virtual sit in, a temporary nuisance that does not result in lasting damage and that is largely a symbolic act of civil disobedience online.

As EDT founder Ricardo Dominguez said in an interview years after the Pentagon DDoS, “FloodNet was not created by hackers or terrorists, but by artists and activists who wanted to create a simple point and click tool that would bring civil disobedience to the HTML community.”

Exposition

Before we get to the protagonists of this particular story we first have to backtrack a little, we’ll take a short historical detour to gain some much needed context.

“A hacker is placed on stage with a computer and a modem . . . The performance ends when the computer is shut down.”

Our prologue begins in 1993, in Florence, Italy, with the founding of the Strano Network. The Strano Network describes itself as having been created with the aim of encouraging the “comparison and interaction of experiences and research carried out in different areas from technology to social problems, from visual arts to experimental music”.

“Telematic Identity” (1996) artwork by Strano Network co-founder Tommaso Tozzi (Credit: Tommaso Tozzi)

There’s a rich history of Strano’s various activities, creations and accomplishments throughout the 90’s that could easily be a separate article in and of itself. For our purposes though we will be focusing on events in late 1995 and the Strano Network’s coordination of an hour long ‘Net Strike’ web based DDoS attack against the French government in response to French nuclear testing in Moruroa.

The language and rhetoric used in their ‘MASSIVE COMMUNICATIVE ATTACK’ ‘Net Strike’ call to arms will strike a familiar chord with anyone who has read statements from hacktivist groups over the years.

“We will go on with our demonstrations with any means, using all technologies, always respecting the law. Those political fellows which do not take into any account people’s needs will understand very soon the real power of new information technologies.”

The attack itself was organized by members of the Strano Network, they went about providing a list of French government target sites via various online activist e-mail lists and Usenet groups, encouraging participants worldwide to visit and hit “refresh” on the homepages of each target repeatedly at a set date and time. This manual DDoS tactic was more recently replicated by Thailand’s F5 Cyber Army.

Sydney Morning Herald, 7 September 1995, “THE DAY THE PACIFIC BOILED” (Credit: Sydney Morning Herald)

This technique for performing a DDoS may seem quaint to us now but it actually fulfilled a number of important functional requirements. A “refresh” style protest necessarily involves a large group of people to succeed, replicating attendance at a mass physical protest online. This is much the same reason Anonymous always played down the decisive role automated botnets of compromised computers served in actions that were attributed to individual “Op” supporters running Low Orbit Ion Cannon, numbers of willing participants lend perceived legitimacy even online.

Hitting refresh in a browser is accessible to people with pretty much any level of internet literacy and it isn’t particularly strenuous for people to perform, no command line kung-fu or need to download potentially risky software (in the 90’s downloading anything on dial-up was a real lengthy ordeal anyway). Lastly a website is a virtual manifestation of a potential target, a website is a representation that people can conceive of and see on their screens, if it becomes non-responsive participants can see this from their browser in real time as opposed to merely imagining the operations of some dusty, nondescript server grinding to a halt in a dimly lit data center somewhere in the world.

“Whether you know it or not, if you are a hacker you are a revolutionary”

In writing this piece I looked into whether anyone has ever been charged with coordinating or participating in a “refresh” style denial of service attack in the US and was only able to turn up one case. In 2006 Michael Stone, an 18 year old high-school student months from graduation, was arrested and charged with a felony count of “disrupting public services” for encouraging people online to go to his high-school’s website and hit refresh in order to knock its web host server offline. Very little information about the case remains but there is this article by Anne P. Mitchell EsqHigh School Student Michael Stone Arrested for Encouraging People to Hit F5”, it is unclear if ultimately Michael was found guilty or not.

Strano Network synchronizing a global protest with tricky timezone issues

The hour long Strano ‘Net Strike’ in 1995 is considered by some to be the first hacktivist DDoS attack, although a case could be made for the murky, now mostly forgotten UK ‘Intervasion’ by the Zippies in 1994 claiming this title as well.

Regardless of whether it was a first for DDoS, Strano Network created stage directions for a method of performative, cooperative political action online that blurred the lines between audience and participant, producing an act of virtual civil disobedience that grabbed the attention of 90’s politically active netizens.

Strano Network’s Net Strike book, 1996 (image credit: Firenze)

Rising action

On the 1st of January 1994 a declaration of war against the Mexican government was issued by the Zapatista Army of National Liberation (EZLN), fighting for indigenous rights. As the First Declaration of the Lacandona Jungle states:

“We have been denied the most elemental preparation so they can use us as cannon fodder and pillage the wealth of our country. They don’t care that we have nothing, absolutely nothing, not even a roof over our heads, no land, no work, no healthcare, no food nor education.”

Mexican Zapatista Army of National Liberation leader, Subcomandante Marcos, 2006 (Credit: Alfredo Estrella)

The EZLN sought to highlight injustices and fight for solutions to the issues facing Mexico’s sizeable indigenous population, many of whom live in southern states rich in natural resources but find themselves suffering extreme poverty as well as social and political marginalization and victimization.

As quickly as it could, given Mexican networking infrastructure of the time, the EZLN adopted the internet as an outlet for political content and as a communication medium. EZLN leadership understood the inherent power of allies in a switched on international activist community and the potential for cross-pollination of revolutionary ideals.

Early EZLN site ¡Ya Basta!, which has since become ezln.org

Meanwhile, in parallel to the EZLN’s internet outreach was the gradual development of the Critical Art Ensemble’s theoretical, philosophical, practical and tactical discourse on the topic of “electronic civil disobedience”.

The Critical Art Ensemble was founded in 1987 in Tallahassee, Florida, with its focus to be “exploration of the intersections between art, critical theory, technology, and political activism”. CAE counted among its original core members Ricardo Dominguez, who would himself go on to co-found the Electronic Disturbance Theater in 1997.

We’re getting ahead of ourselves though.

In 1994 the CAE published a paper called “The Electronic Disturbance”.

“The postmodern gambler is an electronic player. A small but coordinated group of hackers could introduce electronic viruses, worms, and bombs into the data banks, programs, and networks of authority, possibly bringing the destructive force of inertia into the nomadic realm. . . The less nihilistic could resurrect the strategy of occupation by holding data as hostage instead of property. By whatever means electronic authority is disturbed, the key is to totally disrupt command and control.”

It is a somewhat lengthy and dense (but in my opinion engrossing) document that touches on history, art, philosophy, the Situationists (among many others) and what it means to “exist” online, I will try to sum up some of its more salient points here.

The authors contended that humanity has found itself at a sort of crossroads with the creation of the internet and the popularization of video as an accessible, mainstream medium and all of the changes that these developments have brought to global power structures. In ‘Electronic Disturbance’, published in 1994, CAE provide an examination of the limitations not just of technology but the revolutionary potential of the utilization of that technology itself.

Cover image ‘The Electronic Disturbance’, 1994

Throughout the paper is the observation that hackers of the day, and what the authors termed the “technological elite”, are insufficiently politically minded.

In short the CAE posited that a new form of revolutionary activity or resistance is needed, that old methods of resistance were severely in need of modern tactical overhaul. They saw this need as increasingly vital given the ever growing links between people’s existence in the real world and the constructs of data that represent us in online databases and the opaque processes by which that data is accumulated and catalogued.

CAE contemplated how to motivate technically savvy people to engage with electronic civil disobedience.

“It must be asked, How can this class be asked to destabilize or crash its own world? To complicate matters further, only a few understand the specialized knowledge necessary for such action. Deep cyberreality is the least democratized of all frontiers.”

We can also see a sort of theoretical scenario of politically motivated hacking as performance art that presages in a way not just the eventual formation and actions of the Electronic Disturbance Theater itself but also the Strano Network’s ‘Net Strike’ that would take place a year later as well.

“A hacker is placed on stage with a computer and a modem. Working under no fixed time limit,the hacker breaks into data bases, calls up h/er files, and proceeds to erase or manipulate them in accordance with h/er own desires. The performance ends when the computer is shut down.”

In 1997, ‘Electronic Disturbance’ was followed by ‘Electronic Civil Disobedience and Other Unpopular Ideas’ which was in part a rebuttal to critiques that ‘Electronic Disturbance’ was short on practical and tactical suggestions for civil disobedience on the net.

“Blocking the entrances to a building, or some other resistant action in physical space, can prevent reoccupation (the flow of personnel), but this is of little consequence so long as information-capital continues to flow.”

The simultaneous, contradictory approval and skepticism of hacktivism enacted by hackers themselves was still very much present in this text. CAE explicitly detach the technical know how of hacking from motivation and purpose of those same hacks and find the latter lacking.

“Right now the finest political activists are children. Teen hackers work out of their parents’ homes and college dormitories to breach corporate and governmental security systems. Their intentions are vague. Some seem to know that their actions are political in nature.”

There is also however a laudatory quote from an early edition of Phrack, “whether you know it or not, if you are a hacker you are a revolutionary”, attributed to “Doctor Crash”.

Operations by law enforcement against hackers such as ‘Sundevil are discussed in ‘Electronic Civil Disobedience’ as well as the portrayal of hackers in the media and what that cultural baggage means for hackers themselves and how they are perceived by a worried public. The authors muse on what the ideal group pursuing electronic civil disobedience actions might look like, “activist, theorist, artist, hacker, and even a lawyer would be a good combination of talents”.

‘Electronic Civil Disobedience and Other Unpopular Ideas’, 1997

With this document Critical Art Ensemble demonstrated a shift of focus from the theoretical to the practical, only a year later Ricardo Dominguez would be putting together a group very similar to the one described in ‘Electronic Civil Disobedience and Other Unpopular Ideas’.

Climax

Mourners in the aftermath of the Acteal Massacre in Mexico, December 1997

On December 22nd, 1997 45 members of a pacifist political group affiliated with the EZLN known as “Las Abejas” (“The Bees”) were massacred at a Monday prayer meeting in the small village of Acteal, in the Mexican state of Chiapas.

The attack was claimed by a right-wing paramilitary group called “Máscara Roja”, or “Red Mask” although the Mexican authorities had been conspicuously absent during the hours long attack, nearby soldiers had not bothered to intervene and this attack was seen by many as a government endorsed message of warning to the EZLN and their supporters.

EDT members Stefan Wray & Ricardo Dominguez, 1998

The Acteal Massacre provided the impetus for the decision by the artists, technologists, students and activists who were to make up the Electronic Disturbance Theater to formalize their group with its stated aim of highlighting injustices through electronic civil disobedience with New York as its physical nerve center.

The original four members of the Electronic Disturbance Theater were Ricardo Dominguez, Carmin Karasic, Stefan Wray and Brett Stalbaum. As a necessary part of the political statement they wanted to make they eschewed anonymity in favor of personal transparency, no masks no pseudonyms, this immediately separated them from the various arcane hacker handles and outlandish group names that populated this period in the hacktivism scene.

Carmin Karasic (image ©1998 Robert Earnest)

The lack of leetspeak pseudonyms wasn’t the only thing that set them apart from their contemporaries in the nascent hacktivist scene though. When I spoke to Carmin as part of my research into EDT she recalled the surprise she encountered from people who expected a white teenage boy (the hacker stereotype that has long endured) but found themselves instead speaking to a Black woman who had coded denial of service tools to enable online protests. Electronic Disturbance Theater members were unquestionably older, more academic, fiercely political and diverse than their peers in the hacktivist scene.

Carmin Karasic created not just captivating digital artwork for EDT campaigns but along with Brett Stalbaum provided the technical expertise and coding chops necessary to conceive of FloodNet and then gradually improve upon its initial design. Ricardo Dominguez and Stefan Wray handled more of the organizational and messaging side of the group, engaging with the media through interviews and bombastic press releases.

Anonymous Digital Coalition Net Strike announcement, 1998

On January 18th, 1998, a call to online action over the Acteal Massacre came from net activists in Italy who called themselves the Anonymous Digital Coalition. In a now familiar method of coordination, the word went out on Usenet and various activist and political e-mail lists.

This virtual protest on January 29th was along the lines of the Strano Network’s earlier ‘Net Strike’, sharing not just the name but also the technique of encouraging participants to engage in a manual browser refresh style of protest action. There may have also been other aspects to this protest such as “email bomb” spam attacks against email addresses associated with the Mexican financial institutions that were targeted, I was unable to turn up too much information on this event unfortunately.

On February 4th a Mexican hacker group defaced a Mexican government site with pro Zapatista messages, as the CAE had written in ‘Electronic Disturbance’, it was becoming “time to turn attention to the electronic resistance”.

The members of Electronic Disturbance Theater considered how this existing protest methodology inherited from Strano Network and the Anonymous Digital Coalition could be expanded upon and hit on a way to make it even easier for people to participate. Carmin Karasic along with Stalbaum designed and wrote the code needed to make their concept a reality and thus ‘FloodNet’ was born.

FloodNet enabled participants to craft webserver requests that were in themselves political messages.

The idea was a simple one, think about the functional requirements for an online protest that was inclusive for non-technical people and lower the bar for participation even further, automate both the choosing of target servers and the refresh process itself. By navigating to the ‘FloodNet’ webpage users could simply choose a predetermined target from a drop down list and then with just another click start the automated refresh operation running on that page.

Participants could also specifically request non-existent pages such as “Justice” or “Peace” which would then create a sort of symbolic record of those errors and requests in the targeted server’s web access logs. EDT stated that these symbolic log file messages were in fact the aim of ‘FloodNet’, not slowing access to or preventing connections to the targeted servers which would be merely an unintended consequence of the protest.

‘FloodNet’ needed hosting though, this protest could not simply consist of anonymous emails to mailing lists and Usenet posts, there had to be associated web infrastructure. If there is one thing I have learned by watching hacktivists over the years it is that with more infrastructure comes more actual and potential problems. Wray agreed to host ‘FloodNet’ on his New York University student website account, a decision which we will see came with risks as attention from authorities became focused on EDT.

If, for the purposes of this story, Strano Network and the Anonymous Digital Coalition’s ‘Net Strike’ was a sort of technical rehearsal for the Electronic Disturbance Theater’s ‘FloodNet’ then the dress rehearsal was ‘FLOODNET: TACTICAL VERSION 1.0.’, an attack in April of 1998 on the website of then Mexican President Zedillo.

Contemporaneous screenshot of FloodNet active in Netscape, 1998

Still the stage beckoned, EDT needed a public platform to put on a performance that could capture not just the audience’s attention but their participation and support as well. The 1998 Ars Electronica festival had as its theme that year “INFOWAR”, it must have seemed like serendipity at the time.

“Our support personnel were aware of this planned electronic civil disobedience attack and were able to take appropriate countermeasures”

In advance of the festival that was to take place in Austria in early September, the EDT crafted a press release to go out to reporters on August 25th. This effort of outreach to what we now call legacy media already differentiated EDT operationally from their hacker antecedents.

Ars Electronica program, 1998

Whether they acknowledge it or not hacktivists need legacy press coverage if their actions and message are to really achieve anything beyond legal troubles, especially back in the 90’s, long before the time of social media. Media relations is a sometimes neglected but incredibly important factor in whether anyone actually takes notice or if a group is engaging in an online equivalent of the tree that falls in the forest with nobody within earshot to notice or care.

“To demonstrate our capacity for simultaneous global electronic actions and to emphasize the multiple nature of our opponents, FloodNet will target three web sites in Mexico, the United States, and Europe representing three important sectors: government, military, and financial.”

Three targets were chosen for the September 9th “SWARM” ‘FloodNet’ action to take place for 24 hours, with Ricardo Dominguez and Stefan Wray to take active part in ‘FloodNet’ live from the Ars Electronica Festival itself.

“In Mexico, FloodNet will target President Zedillo’s web site . . . an obvious choice and one we have made before. In the United States, FloodNet will target the Pentagon . . . also an obvious choice given the level of U.S. military and intelligence involvement in Mexico. And in Germany, FloodNet will target the Frankfurt Stock Exchange . . . as Germany is a major player in the global neoliberal economy.”

Dominguez and Wray traveled to Austria for Ars Electronica to get everything ready for the SWARM action. On the day of SWARM Wray received an email from New York University which eventually led to EDT moving their site to a dedicated domain.

“We have received a recent complaint from someone within the DISA of the
DOD regarding the ECD web site you are maintaining on your page. As you know freedom of speech is a vital part of the academic process and is one to which we are dedicated just as we are to insure that NYU is a good network citizen.”

Criticisms of EDT’s planned protest action from fellow Ars attendees were harsh and vehement, often along the lines of “even if the load was to take down a server (ignoring the free speech implications for a moment, free speech you want for yourself but deny to those with whom you disagree), you would not only impact communications with the target site, but also to those around it. FloodNet is *unacceptable* network abuse.”

Ars Electronica Festival in Linz, Austria, September 7–12th, 1998 “INFOWAR — information.macht.krieg”

Worse was to come, within around four hours of SWARM launching participants started reporting that they were unable to take part in ‘FloodNet’ because of computer issues, systems running ‘FloodNet’ were crashing suddenly and unexpectedly.

FBI copy of September, 1998, Wired article “Pentagon Deflects Web Assault” on FloodNet & Pentagon

The day after SWARM, September 10th, Wired published an article by Niall McKay headlined “Pentagon Deflects Web Assault”. This article contains a quote from Defense Department spokesperson Suzan Hansen which constitutes the closest thing to an admission of a counter-attack that the Pentagon would make, “our support personnel were aware of this planned electronic civil disobedience attack and were able to take appropriate countermeasures”.

“At issue is whether in fighting back against hackers, the Pentagon crossed the line into so-called offensive information warfare, and perhaps violated U.S. laws”

Speaking with Ricardo as I put this piece together, he points to this Wired article as the moment that the story that was to become history was framed. The story became one of hacktivists in direct electronic confrontation with Pentagon cybersecurity engineers, either through spin or DoD design.

The dust had barely settled after SWARM but Electronic Disturbance Theater was already planning a protest of the FCC on October 4th and on November 22nd, a further ‘FloodNet’ protest of the School of the Americas (now known as the Western Hemisphere Institute for Security Cooperation).

The School of the Americas was a United States Department of Defense institute located at Fort Benning that trained Central and South American military personnel in intelligence, counter-intelligence and counterinsurgency techniques. Former students of School of the Americas have been linked to crimes against humanity including genocide and the School became more and more controversial over the years.

‘Hacktivists’ of All Persuasions Take Their Struggle to the Web

Coverage surrounding SWARM continued on for some time in the press, the New York Times published an in-depth article about EDT, and hacktivism in general, on October 31st entitled “‘Hacktivists’ of All Persuasions Take Their Struggle to the Web”. The article quotes a Defense Department spokesman as saying of FloodNet, “if it wasn’t illegal it was certainly immoral — there are other constructive methods of electronic protest”.

In, I think, November of 1998 (I have been unable to find an exact date for this) Carmin, Ricardo and Stefan traveled to Harvard Law School to discuss the legality of their actions with students and lecturer on Internet law and Harvard fellow Andrew Shapiro and Professor Jonathan Zittrain at the Berkman Center on Internet and Society.

Wray wrote contemporaneous notes on how their visit went:

“Once we had clarified more what we were about and how we were using FloodNet, the instructor began to open up the discussion to the class to talk more about the legal nature. At one point we specifically looked at code 1030, a section of federal law that deals with computer crimes. We looked at a specific section that talks about how it is illegal to intend to block access to a site.”

Wray asked questions of the assembled students that continue to perplex prosecutors to this day.

“The instructor polled the students at one point to ask if they thought we were violating this section of the federal code. A good number of the students thought we were. However, I asked a question, that I later learned was called a “jurisdictional” question. I said “who would prosecute us?” and “who would be prosecuted?” If the participants in FloodNet are dispersed throughout the world, doesn’t this pose serious problems for potential prosecutors?” This question seemed to deflate or confuse or complicate the issue. This was discussed by the class.”

I wonder if this scrutiny from law experts and their students helped shield Electronic Disturbance Theater from DOJ interest as the discussion at Harvard was at least partially a brainstorming session for potential defenses against prosecution and whether in fact any existing cybercrime laws could be applied to ‘FloodNet’, especially as the stated aim was a “disturbance” and not an actual denial of service.

It is worth noting that the above quotes are pulled from a document that was in the FBI FOIA files I received, so it is a certainty that the authorities were aware of the competing legal opinions on the protests.

Falling action

It is time to see this story from the perspective of the authorities, in particular the details of how the Pentagon deflected the ‘FloodNet’ attack, and caused the computers of many ‘FloodNet’ participants to require a reboot.

As mentioned earlier this aspect of the SWARM incident did not go unreported in the press. As George I. Seffers writes in a Defense News article written in October of 1998:

“Hackers calling themselves the Electronic Disruption Theater allege the Pentagon used illegal offensive information warfare techniques — a charge DoD officials deny — to thwart the group’s recent computer attack. At issue is whether in fighting back against hackers, the Pentagon crossed the line into so-called offensive information warfare, and perhaps violated U.S. laws that prohibit anyone from covertly accessing another’s computer”

Discussion of this counter-attack is fairly muted in the documents I was sent, it is mentioned in depth only twice, but we will get to that.

FBI document: the opening of an investigation into EDT, 11th November 1998

Looking over the 6 FBI documents that I received based on my FOIA request I get the impression that the September, 1998, ‘FloodNet’ SWARM protest caught the authorities a little off guard, once it became clear that EDT intended to carry out further actions there was a flurry of emails, faxes, phone calls and meetings. The media spotlight on the events undoubtedly caused the protest actions to receive an increased level of attention from the US government and military, this wasn’t just a technical problem for them to deal with but a potential political and public relations minefield.

Websites were catalogued and saved, news stories printed out or scanned and blogs and email newsletters were scoured for potential evidence. The FBI looked in to arranging a warrant to search what I assume was the EDT’s web host and dossiers were created for each Disturbance Theater member.

“On November 22, 1998 an electronic attack was launched against the School of Americas, Fort Benning, Georgia. SA ⬛⬛⬛⬛⬛⬛⬛ of the Columbus RA was contacted and he was put in touch with FBIHQ”

This spike in interest stretched from FBI agents on the ground all the way through the Department of Defense to the NSA and the White House Situation Room.

FBI document dated November 4th 1998

The day after the Pentagon SWARM protest the DoD contacted NYU “for a second time”, a letter was sent by someone from the US government to NYU which was interpreted by the university as a request for a “tape freeze”, which I take to mean retention of data backups on university systems that related to Wray and EDT. The FBI document doesn’t contain a record of any attempt to disabuse NYU of the notion that they should be spying on one of their students on behalf of the authorities.

FBI documents from late November of 1998 detail this cooperation between New York University, DISA (Defense Information Systems Agency) and the FBI to surveil Wray and his activities on university systems, including all of his files and emails.

FBI document dated 11/23/1998
FBI dossier on EDT members

Also in November the FBI began in earnest to collect, collate and distribute documents and information relating to the history of the Electronic Disturbance Theater and the members of the group.

This intensified level of interest seems directly related to the announced plan to stage a ‘FloodNet’ action against the US Army’s School of the Americas on the 22nd of November and a hybrid physical and online protest at the FCC in October.

When the School of the Americas ‘FloodNet’ attack took place the authorities were ready, having seen the announcement weeks before and there was an immediate scramble to investigate.

“On November 22, 1998 an electronic attack was launched against the School of Americas, Fort Benning, Georgia. SA (redacted) of the Columbus RA was contacted and he was put in touch with FBIHQ”

EDT SOA protest announcement, as archived by FBI

It is interesting throughout the documents to chart the evolution of levels of understanding as to who EDT were, what they were trying to achieve and how they were setting out to achieve it. The analysis ranges from technically inaccurate speculation to some interesting thoughts on how to prevent or mitigate DDoS, as well as pages upon pages of a list of all IP addresses that accessed the School of the America’s website in a time frame spanning the protest.

It also occurred to me while reading over the FOIA documents that I saw no references to the EDT actions that involved servers located outside the US, there is no mention of cooperation with the Mexican authorities for instance, or even that cooperation might be a course of action. The sole focus was on the impact of ‘FloodNet’ within the US, everything else is just background detail.

“the Department of Justice (DOJ) was contacted concerning the actions of DoD, and their opinion was that the DoD may have committed a misdemeanor violation by their actions, and that DOJ would contact the DoD General Council’s Office and advise them to discontinue the DoD actions”

Denouement

A document from the now defunct National Infrastructure Protection Center (NIPC) dated 15th October 1998 gives us one version of the Pentagon counter attack along with concerns as to the legality of it.

George I. Seffers’ Defense News article features heavily in the discussion.

“The article indicates the participants used a computer mini-application (applet) to set up the participant’s computers to dial and redial the Pentagon web site, DefenseLink. The sheer volume of requests was intended to shut down the server supporting DefenseLink. The EDT posted their intentions on the Internet, which allowed the Department of Defense (DoD) to receive warning and counter the protest. According to ⬛⬛⬛⬛⬛⬛ the Pentagon placed on its web site an applet that activated whenever FloodNet was detected, which shut down the participant’s Internet browsers.”

This seems to confirm that ‘FloodNet’ participant computers were deliberately targeted in some way.

“A Pentagon spokeswoman acknowledged the Defense Technology Information Center, which supports the DefenseLink Web site, launched an effective counter-measure, which they believe is defensive in nature and legal.

The balance of the article contains a discussion concerning the Pentagon possibly having crossed the “line” between offense and defense, and may have been illegal. Some consider the Pentagon’s action to be offensive information warfare because it attacked back to cause a disruption of service or disrupt the system of the participant.”

FloodNet screenshot from 1998

Concerns were raised internally about the electronic “counterattack” itself.

“On 10/7/98 the Department of Justice (D0J) was contacted concerning the actions of DoD, and their opinion was that the DoD may have committed a misdemeanor violation by their actions, and that DOJ would contact the DoD General Council’s Office and advise them to discontinue the DoD actions.

On 10/7/98 a DOJ representative advised that DoD was questioning why the FBI did not have the EDT under investigation. DOJ has not furnished any opinion concerning the actions of the EDT.”

I believe that in expressing a legal opinion regarding the actions of Pentagon computer security engineers but without any emphatic legal position on the Electronic Disturbance Theater’s actions DOJ gave the investigation into EDT the kiss of death.

The Pentagon simply would not want to risk legal exposure for what some saw as extra-legal internet vigilantism carried out against protestors by the military.

It was all a convenient lie of omission or complete technical misunderstanding though, the Pentagon did not in fact ever intend to cause ‘FloodNet’ members’ computers to freeze. They allowed this story to flourish though with vaguely worded non denials and a wink and a nod while privately stressing over potential legal exposure as a result of the unintended consequences of redirecting the DDoS traffic.

“Whether the law applies to cyberspace is the subject of heated debate within Washington, and insiders suggest current laws will have to be rewritten to find a new place for the military in civilian-cyber-defense.”

Why did the Pentagon never properly explain that any perceived counterattack was an unintended consequence? Littered throughout the FOIA documents I received are concerns that groups like Electronic Disturbance Theater were not only gaining popularity through media coverage for themselves, but also for their tactics. It may have been decided that a minimal statement was safest, and then hope that the story died.

It is also possible that the Pentagon was glad for an opportunity to seem to flex their muscles, albeit it online, against civilian protestors, this could have been seen as a potential warning for future activists.

Perhaps the officials in charge of drafting a formal statement on ‘FloodNet’ at the Pentagon had no understanding of the technology involved and believed (as in the NIPC document above) that there really had been a deliberate hostile response. Maybe the Pentagon was happy to float the concept of electronic countermeasures against protestors and allow misconceptions to linger in order to see how the notion would be received by the public and other government agencies.

Damage estimates resulting from FloodNet from FBI FOIA documents

As an actual DTIC (Defense Technical Information Center) official who was involved in formulating the response to ‘FloodNet’ explains it in one of the FBI FOIA documents:

“The Reuters News Pentagon Beats Back Internet Attack, Thursday, September 10, 1998 indicated that the Pentagon struck back at the cyber attackers forcing them to reboot their computers. Since a counterattack had not been our intent we were curious to know why this was reported. We tested the Java applet by the Electronic Disturbance Theater against our site and discovered that it opened hundreds windows on the desktop computer, necessitating a reboot. This behavior may have been triggered by the DTIC system’s response to the applet. DTIC did not write any Java applet contrary to the Reuters story.”

DTIC had looked at peculiarities in web traffic coming from ‘FloodNet’ (I suspect the lack of referrer or other similar traces in log files were used) to divert incoming ‘FloodNet’ traffic and had blocked incoming traffic from Austria entirely (which was presumably coming from the Ars Electronica Festival).

It was this attempt to redirect the incoming ‘FloodNet’ traffic that unintentionally caused a cascade of new browser windows, presumably one for each request made from that computer through ‘FloodNet’. Computers in 1998 would not have handled multiple browser windows very well at all, resulting in a system crash that necessitated a reboot.

Screenshot from DTIC presentation on FloodNet, October 22nd 1998

As the FBI observe in a document from their Washington Field Office:

“DTIC, advised that in an attempt filter out the denial of service attempts and still provide service to legitimate users, the DTIC wrote a Perl script that redirected any malicious traffic away from DefenseLINK to a non-existent site. When the EDT protestors continually sent request messages to the search engine, the protestors should have received an error message pop-up, advising that the DefenseLINK website could not be found. If the protestors launched multiple attacks, then with every attempt to shut down DefenseLINK, the protestors would get another error message back. As a result, with all of these error messages coming back, the protestor would be forced to reboot the machine.”

The FBI document then goes on to state:

“On 11/10/98 the Eastern District of Virginia declined prosecution of anyone at DTIC based on the information provided above. The Eastern District further declined comment on any hypothetical cases involving government protests which may occur in the future.”

Just the impression that the Pentagon launched a hostile action against internet aggressors spurred debate around the idea of “hacking back” though. Within government and business circles there is a long ongoing debate around the potential benefits that can be gained from engaging cyber aggressors on their own terms (“hacking back”), hacking or otherwise disabling their infrastructure either to gain evidence or to impede ongoing hostilities.

In 2014 it was revealed that GCHQ, the UK’s equivalent of the US National Security Agency, had launched cyber attacks on Internet Relay Chat servers used by Anonymous supporters to discuss and coordinate actions, with the purpose of preventing communication and disrupting cooperation.

These attacks by the British intelligence agency took the form of direct and successful attempts to knock the chat servers entirely offline with DDoS as well as spreading malware through infiltrators within the chat groups themselves, infecting unwitting participants and enabling GCHQ to access their private data. While these attacks violated UK law GCHQ enjoys immunity from prosecution, in the arena of “hacking back” private enterprises and government agencies will never truly have parity.

Screenshot of EDT’s post NYU website

As Winn Schwartau observed in a Network World article, ‘Cyber-civil Disobedience: Inside the Electronic Disturbance Theater’s Battle with the Pentagon’, from January 11th 1999:

“Meanwhile, the Pentagon’s counter-attack raises questions regarding whether the U.S. Government and the military should be launching cyber-attacks within the U.S., even as a defense measure. Posse Comitatus, an 1878 law, bans the use of the military in domestic law enforcement. Whether the law applies to cyberspace is the subject of heated debate within Washington, and insiders suggest current laws will have to be rewritten to find a new place for the military in civilian-cyber-defense.”

Even now in the US there are proposed new laws to help clean up this legal uncertainty, to allow private businesses and the government to take retaliatory action against hackers, glossing over issues of attribution, jurisdiction and proportionality of response.

This incident has featured in so many discussions of “hacking back” over the years and it was all just an unintended consequence of an attempt at DDoS mitigation. A Perl script meant to block unwanted incoming traffic accidentally became a catalyst for discussions that still affect cybercrime response calculus to this day.

It is especially interesting to look back at these events with renewed scrutiny now, at a time when online activism in all of its multitudinous forms is a constant presence in our lives and offline protestors are simultaneously demonized by governments around the world.

As I write this article Anonymous is involved with the #EndSARS protest in Nigeria, providing online amplification to demonstrators on the ground in Nigeria. Online activism and real life civil disobedience have not always enjoyed a smooth union but the two only ever seem to grow more intertwined.

If the Electronic Disturbance Theater had sprung into existence now instead of 23 years ago I think the eventual outcome for them would have been very different. We can look at cases like that of the “PayPal 14” and Operation Payback to see that US authorities were able to overcome concerns regarding jurisdiction or collective culpability for group actions online and respond by arresting anyone they could easily track down.

Anonymous “Operation Payback” announcement, 2010

The relative ignorance on all matters internet related demonstrated by higher ups in the FBI and DoD in the FOIA documents I received, the involvement after the fact of Harvard Law and concerns about legal exposure created by DoD attempts to thwart ‘FloodNet’ traffic all helped Electronic Disturbance Theater pull off a series of bold digital protest actions and escape relatively unscathed.

Strano Network, Electronic Disturbance Theater and similar groups that bridged academia, the rapidly blooming digital art scene and the political fringes of the hacker underground provide us a vibrant snapshot of activist politics of the early adopter internet.

The hacker community has not always been great at documenting its own history and learning lessons from that history. For events that took place online it may seem counter-intuitive for there to be so many informational gaps, research dead ends and missing pieces of data but websites vanish, articles are archived and links break while data is simply lost in the shuffle of servers moved, platforms lost and popular mediums shifting over time.

It is all fascinating history that should really be remembered though, it is part of our subcultural DNA.

We’ll finish with a quote from media theorist Frederich Kittler.

“Only art history still knows that the famed geniuses of the Renaissance did not just create paintings and buildings, but calculated fortresses and constructed war machines. If the phantasm of all Information Warfare, to reduce war to software and its forms of death to operating system crashes, were to come true, lonesome hackers would take the place of the historic artist-engineers.”

--

--

Cian Heasley
Cian Heasley

Written by Cian Heasley

I work in infosec and live in Scotland, I am fascinated by computer security, privacy and the intersection of the internet, technology and human rights.

No responses yet