British Teen Cleared in "E-mail Bomb" Case
legaleagll writes "According to this article, a British Judge has ruled that a teen who sent approximately 5,000,000 e-mails to his former employer was not in violation of the U.K.'s Computer Misuse Act. It appears that the Computer Misuse Act is a bit outdated being that it was created 15 years ago when a number, perhaps most, of the current methods for misuse of computers were not contemplated."
Summary says 3 million, the article clearly, even hyperlinked so it's highlighted, says 5 million.
What a nerd. "If my electronic mail-bombe doesn't inconvenience my former employer, then my name isn't Melvin Q. Ucklesworth!"
This is most likely what he said while rubbing his peach-fuzz moustache (nothing to twirl evilly quite yet.)
How do we strike a balance between a piece of legislation that covers any crime that may not have been thought up yet, without prohibiting activities that are not necessarily criminal that will be invented in the future? This is something that no country has come up with yet and this is unlikely to happen any time soon due to various governments in power. (cough)
-Palal
Perhaps it is time for that business to invest in a more modern mail server. Indeed, even the lowliest of Dell servers running Linux or FreeBSD can easily handle 5 million email messages, even if sent in a very short period of time. A large amount of mail should never cause the server to completely crash, even if it does consume much bandwidth and cause other delays.
Cyric Zndovzny at your service.
That law has a hard time keeping up with technology. It takes a long time for laws to be made, changed, proven, and stand up in court. It doesn't take nearly as long in the technological world for attacks, defenses, and things in general to change. This is where a lot of the problems are coming from, since most of the time when you get things that are pushed out quickly there are all sorts of acts or laws (such as the DMCA or Canadian Do-Not-Call list) which contain all sorts of problems in one way or another. It's just a shame it will take so long for things to really shape up.
Really quite a predicament when too fast means you get poorly written laws, and too slow means the bad guys can work "legally" for a while...
At first I was a bit confused as to why this was posted in the your rights online section, until I considered this case from the point of view of the poor bastard that got blasted by the former employee. Denial of service attacks have been around quite some time before 1990. If UK law doesn't consider this sort of computer act to be illegal what else isn't? What is illegal?
What if the entire Universe were a chrooted environment with everything symlinked from the host?
Maybe the company can claim that the dude made some threats in the past. Maybe they can label him as a super-advanced cyber-terrorist and extradite him to US. (Maybe they can make him disappear there - in one of the secret prisons.) Wait - with the Blunkett laws, maybe they can do this without US help.
I doubt that we will ever figure out - and I suspect that even if we did figure out we couldn't do much about it
Saying "being that" makes one sound like a dumbass. If I were an editor, I would have thrown out the article submission and ridiculed the submitter.
It's illegal to mod your gaming console or copy your copy-protected CDs to your iPod but go ahead and fuck up some email servers? Got it.
I am a leet hax0r. I can launch a DOS with 2 lines of 'code'.
While he got off on the computer misuse charge, what about spamming? Couldn't it be argued he was sending unsolicited email to this bloke? Do the UK have such laws?
Let's all send him emails of congratulation. 5,000,000 per ./ reader seems appropriate.
Or maybe sign him up for a few catalogs.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
Computer Misuse Act is a bit outdated being that it was created 15 years ago when a number, perhaps most, of the current methods for misuse of computers were not contemplated.
Yes, I'm feeling like slashdotting my employer's website.
If the editors had written it like "his previous employers, who are at this link: _______", then we'd get to see if they got around to updating that server. My money is on 'yes'.
You write something like Miami University has in its Responsible Use of Computing Resources document. You can read it at http://kb.muohio.edu/cgi-bin/webcgi.exe?new,KB=MUK B,case=obj(4831) if you are interested.
There is very little technology specific language in it, and it was written many, many years ago. We look to revise it at a certain interval, and always come to the conclusion that it still stands and applies as well as it did when it was written. The student judicial system and technology advisers get involved in the interpretation of the policy if something happens, and the governmental judicial system should do something similar in the real world.
I haven't posted in so long, my sig is out of date.
Sorry, but that's a pretty dumb comment. In fact, there isn't one line of it that I can't rip to shreds in seconds.
Do you have any idea of the size of the company involved?
For all you know, the company concerned might have no more than a handful of employees, so a mail server capable of handling 5 million emails in a short space of time would be totally inappropriate. Not all computer crime is committed against large organisations that have turnovers that are measured in millions or even billions.
Wasting police and court time? Well, if the police were involved then there's a good chance that the prosecution was brought by the Crown Prosecution Service (ie, the government), so someone in the appropriate position of authority thought it was a sensible case to pursue.
And even if it was a civil case, well, then that's what courts are for: to listen to all the evidence, consider all the facts, and make a judgment one way or another when two parties are in dispute.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Yeah sure it's only 5 million emails, and most systems should be able to handle that. Providing of course that they were only going to one person. What if it went to all staff and there were 30 employees then you have 150 million messages and it's a little bit more of a problem. Assume you posted these all at 2 am at night, at 8 the next morning all 30 people get to work and check their emails all at about the same time. Ouch
IANAL, nor do I know much about British law, but in Canadian law there is an idea that the weakness of the victim is the responsibility of whoever caused the damages. It doesn't matter if they were running a farm of Linux sendmail servers or Joe Bloe's Free Mail Server on some Windoze box. It's pretty obvious that it was intentional and malicious and I think the teenager should be culpable for his actions. I don't think that "5 million emails? It was an accident, truly!" cuts it.
If you live in Britain, drop this article around the office, then start dressing like someone from the matrix and talking in tech jargon. Your boss will fear you, and you'll be able to get away with murder!
-1 Uncomfortable Truth
Just a couple of comments, obviously the teen should be held responsible for something, but having read the article the correct result seems to have been reached. Without having read the specific law, the words referred to are "unauthorized access" or "unauthorized modification" of computer material, which seems a bit of a stretch to cover a DoS attack. Frankly, I'm surprised that the UK doesn't have other laws to cover this type of crime, as DoS attacks have been around for quite a while, but as other readers have commented, laws often are behind the times when it comes to new technology. That being said, in many instances existing laws may be sufficient to cover many aspects of "new" computer crimes, ie. stealing credit card numbers by computer and then using them will be prosecutable under fraud as well as other more specific offenses.
That being said, there are still civil remedies that may be pursued, such as suing for damages arising from interference with business relations and the like. One of the differences between criminal and tort law is that tort law is not necessarily a closed set, judges in common law jurisdictions may find new torts in adapting to new fact situations (see Lord Denning's judgments for an example). Practically speaking, there probably isn't too much to be gained from suing the teen for damages, except perhaps for deterring future attacks.
Incidentally, given the associated penalties, criminal law is correctly a legislated, closed set of offenses that can only be changed or added to by the will of parliament.
OK.. so I go add my site to google, then my servers fall over from too many hits.. but google didn't do it maliciously.. it's my own fault for having crap load handling/balancing.
The fact of the matter is, regardless of malicious intent, prevention is clearly better.
Just because he's an ex employee and may have knowledge of the systems running there, there's nothing to stop anyone on the internet doing exactly the same thing and running through some proxies to avoid easy traceback.
If you're gonna have a server connected to the internet, you have to take these things into account.
This is so blatantly obvious; since the teen is not doing anything illegal, couldn't the company just do the very same thing? Perhaps stretching it further to SMS-bomb, phone-bomb, snailmail-bomb and DoS-bomb him for the rest of his sorry life?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Just imagine that
Perhaps his exec forced him to do that?
It's a question of minimizing the disk I/O -- or more importantly minimizing the amount that the disk heads need to move.
The Computer Misuse Act seems to have been designed to encode the electronic equivalent of breaking-and-entering (offences 1 & 2) and criminal damage (offence 3).
Denial of service is probably very difficult to encode in a similar fashion, since I do not see what *criminal* offence it would equate to.
In this particular case, there is no essential difference between sending a million emails and sending a million letters by post - both would swamp the service, but equally both are simply making use of the (e)mailing infrastructure as it was designed. (Yes I know letters cost more. That's irrelevant - they require more effort to deliver, and are priced accordingly).
Taking a different example, such as opening thousands of connections to a server with intent to deprive others of access to it, I still can't see what equivalent physical world *criminal* offence has been committed. In this case an analogy requires many people, but what difference is it if a thousand people stand on the pavement outside a shop entrance effectively preventing other shoppers from entering, due to weight of numbers? Sure, the police can ask people to move on, which is the same as closing those open connections, no?
Since most electronic systems only enact operations which have equivalents in the physical world, I do not see how it would be right to create a law which makes the electronic equivalent illegal, when the physical original is not. This use of legislation creates the likes of the DMCA.
The Computer Misuse Act is a rare example of a really *good* law which is (1) broad enough to capture most offenders (2) easily tested for applicability i.e. not complicated with exceptions, extensions, etc and (3) not so vague that it is open to abuse.
Another case of The 'Darkmail' Attack Vector and people getting away with it. Yes it is a bit lame mail bombing someone but I think it's easy to underestimate the damage a mail bomb attack can do to a business - and on a sliding scale, the smaller the business the more damage it does. I linked to a paper which explains it all - if my company got hit, we would have some serious problems no doubt.
I wondered how long it would take for someone to notice that I had typed 128Mbits/s and 512Mbits/s...
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Just because this guy sent x amount of emails it doesn't take away the fact that he destroyed a computer network infrastructure, which can be applied as criminal damage. That can be recompensed by the criminal for replacing the equipment and lost revenue. On a similar note, some berk's managed to ping my website into submission so that it cannot be viewed for the rest of the month. If I ever find who did it then there will be serious hell to pay.
There have been many times when dealing with people that I wished I could kiss my own butt goodbye
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
What the f*** was he sending that many emails for in the first place?
Because even if the law that dinged him is outdated, if DOS'ing (or even as simple as making mischief) _was_ his intent, given the results, criminal activity was present (it seems that he just got charged specifically with the wrong thing).
File under 'M' for 'Manic ranting'
There's no case for prosecuting children for a minor one-time assault, when every minute the organised crime syndicate of marketeers known as spammers continue their mass harassment of the entire population to a far worse extent.
Slashdot had better hope so or else they could be eligible for DoS prosecution.
Hello,
I'm the defendant in the case, perhaps you should be asking yourself why I did what I did and whether I felt it to be justified?
Anyway..
The current law stands as this:
1) Each individual email was authorised, (not unauthorised) - because you installed the mail server application. It's the same as if someone came up to your house with a skip-full of pizza leaflets and put them through your door. You have a letter box thing - you authorise the email.
2) CMA 1990 states that acts under Section 3 cannot be held liable for criminal damage.
3) To cause an offence under the CMA, I have to firstly show INTENT to NOT only cause modification, but to also impair functionality to the machine or the reliability of the data. Not ONLY do I have to do this, but I have to have the "requisite knowledge" that what I was doing was authorised. Based on the fact that a) I believe by installing a mail server you authorise mail, and for another reason I can't disclose yet in case of appeal, there was no requisite knowledge, therefore no offence has taken place.
4) SPAM Laws - The Privacy and Electronic Communications Act 2003 protects against spam email.. but that covers companies only, and not individuals.
5) I could have easily been successfully prosecuted for harassment. However, the CPS decided to be clever and do it under the CMA. That was silly.
6) - Based on 5 - if you do decide to send 5 million emails, you do not break the CMA*. You do, however, break harassment law.
*Provided the emails were of HFC Standard - text only, with no payload. If you included a payload such as a virus/trojan etc etc, you cause further modification to the computer system without consent, therefore breaching the CMA.
It's not worth it to the company.