UK Parliament to ban DoS Attacks

Ian Hill writes "It seems that the UK government is not as technologically withdrawn as you may think. This bill is an amendment to the Computer Misuse Act 1990 which bans Denial of Service attacks by name. It states that a person is guilty of an offence if they cause, or intend to cause, 'degradation, failure or other impairment of function of a computerised system.'"

Ha anyone told Rep. Howard Berman ?

[drew_kime]

I wonder if this will get passed before this.

Slashdot Banned From posting Links to UK?

[EastCoastSurfer]

Wouldn't the slashdot effect be a way of degrading network performance?

UK vs US?

[dillon_rinker]

So when the RIAA kills a file-sharing server in Scotland because US law specifically permits it, and when they are indicted because UK law specifically outlaws it, whose national sovereignty will be degraded?

Hang on

[Rogerborg]

Feel free to mod this as funny or troll, but I am perfectly serious. I like this bill: it's pithy, addresses a real problem, and is neither too narrow nor too broad. However, it occurs to me that the wording could be applied to writing a piece of buggy software.

"A person is guilty of an offence if without authorisation he does any act which causes directly or indirectly a degradation, failure, or other impairment or function of a computerised system or any part thereof. A person is guilty of the offence [...] even if the act was not intended to cause such an effect, provided that a reasonable person could have anticipated that the act would have caused such an effect. [...] the act is without authorisation if the person doing it does not have the permission of the owner [of the relevant computerised system or part thereof]."

So, I write a piece of code with a memory scribbler in it, say passing an unitialised pointer to memcpy(). The "act" is my typing of that specific line of code. Any reasonable person would anticipate that act would cause a degradation or failure on a system. Note: "a" system, not "my" system. I didn't intend it to cause failure, but I should (reasonably) have realised it would. And once I distribute the code, the damage is caused on many systems, none of which are owned by people who gave me permission (explicitely or even implicitely) to perform the "act", i.e. write that scribbler.

I'm certainly stretching a point, but my scenario satisfies the letter (if not the spirit) of the law. There's already a concept of criminal negligence; this would just be a specific case of it. The part that makes me pause is that the offence is caused by the individual coder, not by her employer.

So while this probably will never effect me, it gives me a little more incentive to make sure that I lint every line that I write, and damn the deadline. But hey, on balance that's a good thing, right? ;-)

Re:First Criminals

[DNS-and-BIND]

This is a real issue. I was involved in a court case recently, where an email server had fallen down after receiving a mere 14,000 emails. The mail server (a 4x450 CPU Sun E4500) had really bad mail processing software. The cluebies who set it up caused sendmail to spawn a shell process and a SQL script for *each incoming email*. That's right, two expensive processes just to get one email injected into the database. Needless to say, after the first 500 mails or so, the system load was above 100 and the machine was not doing anything but processing mail (needless to say, it was an "all-in-one" server, that had Oracle, apache web interface, OAS, DNS running). The FBI prosecuted the guy for "executing a remote command to do damage" and "unauthorized access".

Was he wrong? All he did was send some email. It's not his fault the machine fell down, it was an unscalable design.