UK Parliament to ban DoS Attacks
Ian Hill writes "It seems that the UK government is not as technologically withdrawn as you may think.
This bill is an amendment to the Computer Misuse Act 1990 which bans Denial of Service attacks by name. It states that a person is guilty of an offence if they cause, or intend to cause, 'degradation, failure or other impairment of function of a computerised system.'"
Now no one will ever do it!
And the first two people charged will be:
Ian Hill and CmdrTaco for causing a slashdotting of the UK Parliament server!
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
I wonder if this will get passed before this.
Nope, no sig
So we slashdotted them with a link. How ironic. Can I rat out Taco for a reduced sentence?
Toronto-area transit rider? Rate your ride.
Wouldn't the slashdot effect be a way of degrading network performance?
Every time I download a big movie or file from a fast server, I cause degradation to my connection, and so my computer system. How does one define at what point it is intentional, and at what point serious damage is done to the system?
So when the RIAA kills a file-sharing server in Scotland because US law specifically permits it, and when they are indicted because UK law specifically outlaws it, whose national sovereignty will be degraded?
(don't ask me for a reference, I found it on a 'Stupid Laws' page that has subsequently shut down)
This is very good - I mean consider all of the damage that DOS could do to your machine. It's insecure, lacks multitasking, and requires users to configure EMM386 and HIMEM.SYS just to play Doom. Let's just hope that bin Laden doesn't have the technology available to perform a DOS install/attack on all of our machines.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
If they changed the wording just a little bit it would make Spammers face charges.
Unsolicited Bulk Email is almost certainly illegal (though untested) under Section 1 of the Computer Misuse Act 1990 if sending or receipt of UCE is against your AUP/TOS. Any unauthorised access to a computer is illegal under the Computer Misuse Act Section 1.
The problem is enforcement; the Police seem to have neither the inclination nor ability to enforce it.
---
1.--(1) A person is guilty of an offence if--
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at--
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.
---
http://www.hmso.gov.uk/acts/acts1990/Ukpga_1990
The Computer Misuse Act is criminal law, not civil law; anybody breaking it goes to prison.
Feel free to mod this as funny or troll, but I am perfectly serious. I like this bill: it's pithy, addresses a real problem, and is neither too narrow nor too broad. However, it occurs to me that the wording could be applied to writing a piece of buggy software.
"A person is guilty of an offence if without authorisation he does any act which causes directly or indirectly a degradation, failure, or other impairment of function of a computerised system or any part thereof. A person is guilty of the offence [...] even if the act was not intended to cause such an effect, provided that a reasonable person could have anticipated that the act would have caused such an effect. [...] the act is without authorisation if the person doing it does not have the permission of the owner [of the relevant computerised system or part thereof]."
So, I write a piece of code with a memory scribbler in it, say passing an uninitialised pointer to memcpy(). The "act" is my typing of that specific line of code. Any reasonable person would anticipate that act would cause a degradation or failure on a system. Note: "a" system, not "my" system. I didn't intend it to cause failure, but I should (reasonably) have realised it would. And once I distribute the code, the damage is caused on many systems, none of which are owned by people who gave me permission (explicitly or even implicitly) to perform the "act", i.e. write that scribbler.
I'm certainly stretching a point, but my scenario satisfies the letter (if not the spirit) of the law. There's already a concept of criminal negligence; this would just be a specific case of it. The part that makes me pause is that the offence is caused by the individual coder, not by her employer.
So while this probably will never affect me, it gives me a little more incentive to make sure that I lint every line that I write, and damn the deadline. But hey, on balance that's a good thing, right? ;-)
If you were blocking sigs, you wouldn't have to read this.
Read the damn file! It reads:
A person is guilty of the offence in subsection (1)(a) even if the act was not intended to cause such an effect, provided that a reasonable person could have anticipated that the act would have caused such an effect.
This means no more posting of links on slashdot linking to UK sites lest Taco becomes an international criminal.
somebody in UK, please write your queen about this.
My life in the land of the rising sun.
In case anyone cares: it's here
This is not a Government Bill - so has no real chance of getting passed - especially as it has been introduced so late in the session. I don't think it's even had a 2nd Reading debate.
Nice try, guys. But you need to update yourselves on the UK constitution.
"somebody in UK, please write your queen about this"
Concerted attempts have been made to wield the clue-stick in the direction of parliament, however, they're still thick as pigshit when it comes to computers:
The bill, as it stands, would outlaw everything which causes somebody else's computer to slow down without the owner's permission. Read the bill if you think I'm exaggerating.
That means, anytime you use a computer for anything, you are to some extent a criminal if this gets passed. Again, our MPs need some computer experience, p.d.q. if they think this is a good solution to d.o.s.!
(p.s. side issue, but if a program of yours is insecure (even with GPL's disclaimed liability) and your program causes someone else's computer to slow down, or to divert any resources away from its normal functioning, you'll have broken the law if this piece of legislation gets passed. Software liability by the back door?)
"somebody in UK, please write your queen about this"
Didn't you know? We all know her here in the UK - I'll pass on your message next time I drop by for tea and scones...
Code, Hardware, stuff like that.
It is easier to organise in the US than in the UK.
Rat them up to the NKVD^WHomeland Security. Works great on spammers (especially of the "all capitals Nigerian bullshit" or other scam varieties). All you need to do is express your suspicion that the scam money is used to finance terrorism. After that you will never hear from that spammer again once they have disappeared "in and night and fog" to GULAG^WGuantanamo Bay for questioning with no legal representation.
Unfortunately the Yard in the UK systematically drops the ball on these. I wish it did not. And I wish it did what you suggest.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/