Three days after the Megaupload takedown on Thursday morning, and one day after the largest coordinated Anonymous DDoS campaign that has yet been run against US law-enforcement and entertainment-industry infrastructure, the dust is settling and the structural questions are getting clearer. Megaupload has been the largest single file-sharing service on the public internet for several years; the indictment unsealed by the Eastern District of Virginia on Thursday names eighteen counts including racketeering and money-laundering and aims to extradite Kim Schmitz (legally Kim Dotcom) and six co-defendants from New Zealand to face trial in the US. Schmitz was arrested by New Zealand police on Thursday evening at his Coatesville mansion north of Auckland after a substantial armed-response operation that has produced its own controversy locally. The Megaupload service is offline; approximately fifty million daily users have lost access to whatever they were storing on it; the FBI has seized the domain names and the hosting infrastructure.

The interesting thing about the Megaupload takedown is not the takedown itself, which was procedurally consistent with how previous large file-sharing services have been dismantled. The interesting thing is the timing. The indictment was filed in late December but unsealed on Thursday — three days after the SOPA/PIPA legislative blackout protest on Wednesday, which saw Wikipedia, Reddit, Wired, Mozilla and many others go dark for twenty-four hours in opposition to the proposed Stop Online Piracy Act and Protect IP Act. The legislation, which the entertainment-industry coalitions had been pushing through 2011, would have given US law enforcement substantially expanded powers to take down sites accused of facilitating copyright infringement. The Wednesday blackout was the largest coordinated political action by the internet community I can remember; it was effective enough that SOPA was shelved in the House on Friday and PIPA in the Senate on Tuesday. And then, in the middle of that political moment, the Department of Justice produced the Megaupload indictment to demonstrate that they did not in fact need SOPA or PIPA to take down a file-sharing site of that scale, because the existing copyright and racketeering legislation was sufficient.

I am not entirely sure how to read the timing. The conspiratorial reading is that the indictment was held back until the SOPA/PIPA fight was lost so that the DOJ could make the political point. The procedural reading is that an indictment of that complexity has its own timeline and the Wednesday blackout simply happened to be the same week. I do not have visibility into either reading from where I sit. What I can say is that the political theatre of the takedown — domain seizures of major sites, an armed raid in New Zealand that involved cutting through electronic locks with a chainsaw, eighteen indictments against a defendant in glasses and leather trousers — was operationally striking enough that the message landed regardless of intent.

The Anonymous response landed within hours. Operation Megaupload claimed coordinated DDoS attacks on Thursday afternoon against the DOJ website, the FBI, the RIAA, the MPAA, Universal Music, Hadopi (the French anti-piracy enforcement agency), and the US Copyright Office. Anonymous-affiliated commentary claimed several thousand participants and "the largest co-ordinated DDoS Anonymous has ever run". The sites were variously offline for hours. The defensive shape was the same volunteer-LOIC pattern as the Operation Payback DDoS in December 2010 and the Stratfor-aftermath activity two weeks ago, but at substantially larger scale, which is consistent with the political mobilisation around SOPA having produced more participants willing to run LOIC against US-government infrastructure than would have been available six months ago.

The technical shape of the Megaupload takedown is worth recording because it is the operational template that takedowns at this scale will follow for some time. The DOJ obtained warrants for the .com, .net and .org domains and worked with VeriSign and the relevant registries to redirect the domains. They obtained warrants for the hosting infrastructure (Carpathia and Cogent in the US, Leaseweb in the Netherlands) and seized servers. They obtained the financial-system warrants to freeze approximately one hundred and seventy-five million dollars in Megaupload-associated assets across multiple jurisdictions. They coordinated with Hong Kong, New Zealand, and Dutch authorities for the various extradition and seizure operations. The whole thing is procedurally complex and required cross-jurisdictional cooperation that did not exist five years ago. That cooperation infrastructure is now, demonstrably, in place and operational.

The thing I want to make a note of for the engagements is the consequence for clients who use cloud storage providers for backup or for working data. The Megaupload servers also held data legitimately uploaded by paying customers — businesses, academics, researchers — who were not part of the alleged copyright infringement and who have, as of this morning, lost access to their data. The DOJ has indicated that legitimate customers may eventually be able to recover their data through some kind of process; the timeline is unclear and the practical recoverability depends on what happens to the seized hardware while the trial works through the courts. The operational lesson is that the takedown of a cloud provider can produce significant data loss for customers whose only relationship with the provider was paying for storage, and this is a risk that needs to be on the cloud-provider risk assessment in a way it has not been previously. I am writing this up for two of the Hedgehog clients this week.

The wider piece — what SOPA and PIPA being shelved tells us about the political shape of internet regulation in 2012 — is something I will think about more before writing. The headline observation is that the entertainment-industry political coalition that has dominated copyright legislation for two decades has, this week, lost a fight it expected to win. Whether that is the start of a sustained shift or a single tactical loss is not yet clear. The follow-on legislative attempts — the Cybersecurity Act of 2012 in the US, ACTA in the EU — are going to test the same political coalition over the coming year, and I will be following them.

The next post is probably either the LulzSec successor activity that has been reorganising under various banners since the disbanding announcement in June, or whatever the Symantec source-code situation produces — Anonymous-affiliated operators are claiming to have stolen Symantec's source code and have been demanding a ransom, which Symantec is publicly refusing to pay.

