British Teen Cleared in "E-mail Bomb" Case

legaleagll writes "According to this article , a British Judge has ruled that a teen who sent approximately 5,000,000 e-mails to his former employer was not in violation of the U.K.'s Computer Misuse Act. It appears that the Computer Misuse Act is a bit outdated being that it was created 15 years ago when a number, perhaps most, of the current methods for misuse of computers were not contemplated."

'editors' heh

[Neil+Blender]

Summary says 3 million, the article clearly, even hyperlinked so it's highlighted, says 5 million.

Re:'editors' heh

[destuxor]

Just as the rape victim shouldn't've worn a short skirt, the employer should've had a faster mailserver damnit!

Re:'editors' heh

[austinpoet]

The editors converted it from British Emails into American e-mails. Thus 5 million becomes 3 million.

Oh wait that's still backwards. *shakes fist* damn editors!

Re:'editors' heh

[pe1chl]

No no no... the summary says 3,000,000 and the article says "5 million".

We all know that "5 million" equals "3,000,000".
If they meant "5,000,000" they would have written "5 mebimillion".

Re:'editors' heh

[Tim+C]

I thought it had been established long ago that the slashdot editors don't edit as such, they just approve and reject stories. No checking for factual accuracy, grammar, spelling, or any other things real editors would do is performed - it's even in the FAQ.

That said, that was fine when this was a hobbyist site; it's somewhat irksome now that it's a commercial venture. Not that I pay anything for it, other than the time spent frequenting and contributing of course...

e-mail bomb?

What a nerd. "If my electronic mail-bombe doesn't inconvenience my former employer, then my name isn't Melvin Q. Ucklesworth!"

This is most likely what he said while rubbing his peach-fuzz moustache (nothing to twirl evilly quite yet.)

Pros and Cons of a good piece of legislation

[Palal]

How do we strike a balance between a piece of legislation that covers any crime that may not have been thought up yet, without prohibiting activities that are not necesserily criminal that will be invented in the future? This is something that no country has come up with yet and this is unlikely to happen any time soon due to various governments in power. (cough)

Re:Pros and Cons of a good piece of legislation

[grogdamighty]

The obvious answer is that legislation should be for there here and now, updated as necessary for changes in society. Rather, any "enduring" legal work should be through the constitution - the basic rights fleshed out by legislation.

Thus, the Second Amendment allows citizens to bear arms so that they are never helpless before the government, but more current legislation is designed to keep criminals from using guns to harm citizens (no concealed weapons in certain locales, background checks, etc.)

Re:Pros and Cons of a good piece of legislation

[nunchux]

I don't like the idea of laws that foresee possible misuses of technology in the future, because by their nature they would have to be so vague that they would almost certainly have an adverse affect on freedom. Of course the DMCA is an example of this.

Really, it should be extremely difficult to pass a new law, and it should be clear that there is a solid need for it. Yes, that means the first people who commit crimes using new technology in new ways may not be prosecuted (note that I'm not talking about using new technology to commit EXISTING crimes), but that's better than the alternative. (And I wouldn't say in this case the kid got away scot free-- he was prosecuted, which at the very least is a scary thing, and potentially costly in legal bills as well.)

Oh and yeah, that kind of sucks for the victim, but in some cases (like this) the matter could at least be taken to civil trial.

Re:Pros and Cons of a good piece of legislation

[Cl1mh4224rd]

How do we strike a balance between a piece of legislation that covers any crime that may not have been thought up yet, without prohibiting activities that are not necesserily criminal that will be invented in the future?

What if we give people the responsibility and power to evaluate a given situation as it applies to a certain law? I think we should call them "judges"...

Re:Pros and Cons of a good piece of legislation

[squoozer]

Simple you provide a set of guidelines, perhaps backed up by examples, that define misuse. For instance phrase it thus:

Any action that deliberately sets out to damage, render unavailable or diminish in capability any computer system.

It would be quite easy to prove that sending 3,000,000 emails to your ex-employer, especially in a short span of time, would fall foul of that law. Yes, you have to prove intent but you would have to do that anyway. Accidents wouldn't fall foul of this law but a clause for negligence could be added. The problem is that a law thus phrased would require interpretation by the jury which is something most Governments seem loath to allow them to do. The upside is that this law would be good for the foreseeable future and would probably cover most new crimes. I suppose the problem is that if we had high level laws and a true trial by jury the Govenment would rapidly lose one of it's basic functions - to make more laws.

Re:Pros and Cons of a good piece of legislation

[DrSkwid]

Some years ago a friend of mine was a phreaker. Eventually he got caught.
The cops had to individually read out each phone call from the itemized list they had been given saying something like "on 12th september 1985 did you make a call to 555 5555" and he had to answer yes or no. It took them 10 hours of interview to get through the list.
When it got down to it there wasn't a suitable law in statue and they could only charge him with "Theft of Electricity" and he ended up with a minor fine.

Re:Pros and Cons of a good piece of legislation

[hhghghghh]

How do we strike a balance between a piece of legislation that covers any crime that may not have been thought up yet, without prohibiting activities that are not necesserily criminal that will be invented in the future? This is something that no country has come up with yet and this is unlikely to happen any time soon due to various governments in power. (cough)

There are many such laws. For example, criminal damage. If you infringe on another's property rights by physically damaging his/her property (be it a horsebuggy, a door, or an iPod) without permission, that's a crime. Many laws are put in a technology-neutral way. The problem is that with new technologies, often the first laws to fight some sort of nuisance are framed in a technology-non-neutral choice of words. That's why there were junk-fax statutes even before e-mail spam came along.

Also, there are judges and juries determining whether a certain law should apply, even if the wording is a bit off. And to what extent (e.g. 2nd amendment - not good for carrying nuclear warheads..)

Then, finally, there's your run off the mill lawsuits, where you can get a court to compel some one to stop being a jerk and to pay damages. Not being criminal court the standards for evidence, as well as the standards for strict interpretation of the law, are a bit laxer. In general, if some one is being a jerk, you'll be able to seek judgement against them, even if what they're doing isn't a punishable offense, or even specifically legislated against - unless there's legislation spelling out it's their right to be jerks (i.e. the first amendment, though even in that case, you can slap time, manner and place restrictions on people).

It's not that the law isn't flexible. It's just that there's a process, and different ways of seeking retribution. And sometimes you don't get to act out revenge, because something isn't on the books, or, *gasp*, some one is allowed to be a jerk.

Time for a new server.

[CyricZ]

Perhaps it is time for that business to invest in a more modern mail server. Indeed, even the lowliest of Dell servers running Linux or FreeBSD can easily handle 5 million email messages, even if sent in a very short period of time. A large amount of mail should never cause the server to completely crash, even if it does consume much bandwidth and cause other delays.

Re:Time for a new server.

[CyricZ]

Would my server straight out die? Of course not. It would queue the messages for as long as possible, and if the server happened to run out of disk space, it would begin rejecting the messages. The one thing it would not do is crash.

Re:Time for a new server.

And then it spawns more and more processes to process the mail, eating up ram, at which point any other services on the box may be overloaded and deprived of resources.

The default configuration of sendmail and many other common MTAs is to delay and stop accepting email to prevent exactly that.

Re:Time for a new server.

[CyricZ]

There are numerous ways to limit the excessive resource misallocation you mention. Again, any half decent mail server can do that, as can any half decent operating system.

And a thrashing server is not a crashed server by any means. If it's running a decent operating system (most UNIX-like systems, for instance), it should be working just fine within a short amount of time. Yes, it may not be the most responsive system for a little while, but it sure hasn't crashed.

Re:Time for a new server.

[Fulcrum+of+Evil]

And then it spawns more and more processes to process the mail, eating up ram, at which point any other services on the box may be overloaded and deprived of resources.

No, the mail server is a dedicated box, and thee are limits to how many processes it will spawn. What it will do is queue a bunch of messages and work through the backlog. I can build a $3k box (plus the cost of a storage array if needed) that will handle a 20Mbit stream of mail all day long. This isn't rocket science.

Re:Time for a new server.

[Fulcrum+of+Evil]

See, there are other people in the world than yourself. And, while it's not hard to put together a Linux/sendmail server that can handle a 20 Mb stream, building one that also runs, oh, say, a web server, WebDAV, SQL, and a few other services useful to a small business may lead you to places where it's not true anymore.

Anybody that runs production hardware like that deserves what they get. There are serious security problems with running all-in-one solutions; if your needs are really so small, get a site-hosting arrangement for $25/mo. I was referring to any company large enough to run their own stuff.

And, since SCSI drives are expensive, you'll typically see a smaller (maybe 20 GB) drive on it on your small business, entry level server that's a year or two old.

If it's entry level, then it's probably IDE, and 80GB is easy for a small server 1.5 years old. Sorry, but your numbers aren't really credible.

Plus, your "20 Mb stream" server doesn't take into account anything at all resource-intensive, such as SpamAssassin, anti-virus, greylisting, or most of the other, processor-intensive functions now in common use. In reality, your baseline "20 Mb stream" server only proves that a modern SCSI drive can read/write data at a rate greater than 20 Mbps.

Any modern disk can do 20Mb/sec. SCSI is no longer necessary for much aside from SAN apps. Regardless of the tasks performed, my point was that no properly configured server should choke on mail. This is a solved problem.

Re:Time for a new server.

[mcrbids]

I take you you have little/no experience working with small businesses?

My "not credible" numbers are very typical for scenarios I work in. In this world of small enterprises, it's very normal to run an entire business with just a single server. Bitch all you want to about whatever security issues, I sure have.

Small business owners tend to have a case of megalomania. If they can pet the box, they "own" it. Thus, they'll spend $2,000 on a server rather than $25/mo on a managed solution because they can pet the box, even as they explain about the increased downtime because they don't have a dedicated admin, like their ISP.

Just because it's not true in your world, doesn't mean it isn't true!

Re:Time for a new server.

I'am wondering if this helps my case in any way. I stand trial in the Netherlands because I informed a spammer I dodn't like there e-mails. Quite often, 70.000 times according to the spammer, but I think rule #1 is in effect. p.s. In the Netherlands initials are used when newspapers report about suspects, my initials are actually A.C.

Proof...

[hoka]

That law has a hard time keeping up with technology. It takes a long time for laws to be made, changed, proven, and stand up in court. It doesn't take nearly as long in the technological world for attacks, defenses, and things in general to change. This is where a lot of the problems are coming from, since most of the time when you get things that are pushed out quickly there are all sorts of acts or laws such as the DMCA or Canadian Do-Not-Call list) which contain all sorts of problems in one way or another. It's just a shame it will take so long for things to really shape up.

Really quite a predicament when too fast means you get poorly written laws, and too slow means the bad guys can work "legally" for a while...

Re:Proof...

[woolio]

I think its the letter of the law that confuses people.

If 1000 people camped out in the middle of a public road in front of the entrance to a company, would they be breaking a crime by not allowing people to enter/exit? In essence, they would be executing a "denial of service" attack to the companies road.

Or what if a few 18-wheelers decided to park in the middle of an interstate to block it. This is also a DOS attack.

What if 1 million people concertedly & simultaneously dialed 911 for "testing purposes" once a month. This would also be a DOS attack.

In each case different laws might be violated but the principle is the same: resources are being purposely mis-used in order to deprive others of them.

Now a question arises: is the Internet a public utility or just a privately owned network? IANAL, but the latter would seem to make the Britisher's offsense a Civil one, not a Criminal one.

Your Rights Online?

[goofyheadedpunk]

At first I was a bit confused as to why this was posted in the your rights online section, until I considered this case from the point of view of the poor bastard that got blasted by the former employee. Denial of service attacks have been around quite some time before 1990. If UK law doesn't considered this sort of computer act to be illegal what else isn't? What is illegal?

Re:Your Rights Online?

[Bonobo_Unknown]

What is illegal?

Getting on trains, if you're Brazilian.

revenge

[Muhammar]

maybe the company can claim that the dude made some threats in the past. Maybe they can label him as a super-advanced cyber-terrorist and extradite him to US. (Maybe they can make him disapper there - in one of the secret prisons.) Wait - with the Blunkett laws, maybe they can do this without US help.

Re:being that

[Neil+Blender]

And look at that floating comma... "According to this article , a British Judge..." They really should stop calling themselves editors and start calling themselves what they really are - cronjobs. They probably spend five minutes in the morning picking stories and play games for the rest of the day.

So let's see..

[EiZei]

It's illegal to mod your gaming console or copy your copy-protected CDs to your iPod but go ahead and fuck up some email servers? Got it.

Congrats

[SnarfQuest]

Let's all send him email's of congratulation. 5,000,000 per ./ reader seems appropriate.

Or maybe sign him up for a few catalogs.

Obviously, we need to run a test

[ZachPruckowski]

If the editors had written it like "his previous employers, who are at this link: _______", then we'd get to see if they got around to updating that server. My money is on 'yes'.

Re:being that

[utnow]

Your mom gave me a cronjob last night...

Re:spam

[sr180]

He had a previous relationship with the company concerned, them being his employer, so it could not be classified as spam.

Sorry, but that's a pretty dumb comment...

[WIAKywbfatw]

Sorry, but that's a pretty dumb comment. In fact, there isn't one line of it that I can't rip to shreds in seconds.

Do you have any idea of the size of the company involved?

For all you know, the company concerned might have no more than a handful of employees, so a mail server capable of handling 5 million emails in a short space of time would be totally inappropriate. Not all computer crime is committed against large organisations that have turnovers that are measured in millions or even billions.

Wasting police and court time? Well, if the police were involved then there's a good chance that the prosecution was brought by the Crown Prosecution Service (ie, the government), so someone in the appropriate position of authority thought it was a sensible case to persue.

And even if it was a civil case, well, then that's what courts are for: to listen to all the evidence, consider all the facts, and make a judgment one way or another when two parties are in dispute.

Re:Sorry, but that's a pretty dumb comment...

[Fulcrum+of+Evil]

For all you know, the company concerned might have no more than a handful of employees, so a mail server capable of handling 5 million emails in a short space of time would be totally inappropriate.

Let's see - 5M messages at 10k each = 50GB. If it were a small company, they may have only had a 1.5Mb line, so that 50GB would take about 50GB/150K/3600 = 92 hours to complete. Any mail server can handle that, and any competent admin should be able to block the messages within four days!

Of course, a 3rd party hosted mail server could handle the mail a bit faster, so the only question is whether 50GB is an excessive amount. Since I have a 300MB quota, it might be. Then again, maybe not - disk space is cheap, and nuking one message sent to any number of people is pretty straightforward.

Re:Sorry, but that's a pretty dumb comment...

[WIAKywbfatw]

Let's see, small 5-man company with basic ISDN (128Mbit/s) or ADSL (512Mbit/s)internet access used for everything including email, web access, etc that has no dedicated IT professional and whose business grinds to a halt because they can't do anything while their server is heavily attacked.

Don't assume that everyone has full-time IT professionals to hand. Also, don't assume that the messages were small: they could have been 10KB each, but they could easily have been 2MB each, 2,000 times larger than your guess.

Also remember that the crime in question took place at least two years ago, when internet access would have been slower, disk space would have been more expensive, etc, etc. The average business today has better resources now than would have been available then, at least from a bang-per-buck point of view, if nothing else.

Of course, if you're implementing IT strategy for a large corporation then DOS contingency planning will be part of your job description, but if you're running a small company, one where the guy who looks after the PCs is the same guy who puts out the rubbish at the end of the day, then DOS attacks probably won't be on your radar.

Re:Sorry, but that's a pretty dumb comment...

[ultranova]

For all you know, the company concerned might have no more than a handful of employees, so a mail server capable of handling 5 million emails in a short space of time would be totally inappropriate.

When a mail server gets messages faster than it can handle them, the proper thing to do is store the extra messages to a queue and handle them when it has time. When the queue gets full, or the server is getting messages faster than it can put them to the queue, the proper thing to do is to start refusing connections. Simply eating more and more resources - by allocating more and more memory, by starting more and more subprocesses or threads, by opening more and more files or network connections, or by using more and more diskspace for the queue or temporary files - until the computer runs out and then crashing is never the proper thing to do.

A server that crashes under load is simply buggy. Not small-scale, not only suitable for small companies, but just plain buggy and unsuitable for anything.

In short, if this server was incapable of handling 5 million messages in a short period of time, then it should only have accepted as many as it can handle and rejected the rest.

Re:Sorry, but that's a pretty dumb comment...

[darkonc]

Let's see - 5M messages at 10k each = 50GB. If it were a small company, they may have only had a 1.5Mb line, so that 50GB would take about 50GB/150K/3600 = 92 hours to complete. Any mail server can handle that, and any competent admin should be able to block the messages within four days!

If, on the other hand, they have a 10 megabit line (possibly shared with other companies in the building), it would only take about 4 hours to fill a 20GB hard disk (i.e. overnight -- even for a 60GB drive) -- which isn't unreasonable for a small company with a 4 year old server that's been serving them fine (with only software updates needed).

50 Gig worth of email would also make the server useless for most users of the system... If you've got 200,000 emails in your mailbox, it could take your email program a few hours to download, store and index before it shows you a screen. Even if the email server actually survived, it would look like it was down when nobody managed to open their email box after 1/2 hour of waiting.

And, of course, with 20 users each trying to index a mailbox with 1/4million emails, the server is going to thrash itself into oblivion -- making the process take even longer.

Even for a small to medium company (or division) with a reasonably well set-up email server, 5 million unexpected emails are likely to turn most reasonable email servers into an unusable pig for the next couple of days.

That's not to say that I couldn't build a server that could eat 5 million emails, burp and wait for more, but I'd have a hard time justifying building it for most small - to -medium size businesses with mimimal email requirements.

And, it's not just large businesses that will hire a kid for work experience. Sometimes a company with 10-20 workers will hire a summer or work experience student out of a sense of community comittment and/or to get a bit of extra work done for cheap.

Re:Only 5 million emails and the server crashed?

[Frogbert]

Yeah sure its only 5 million emails, and most systems should be able to handle that. Providing of course that they were only going to one person. What if it went to all staff and there was 30 employees then you have 150 million messages and its a little bit more of a problem. Assume you posted these all at 2 am at night, at 8 the next morning all 30 people get to work and check their emails all at about the same time. Ouch

Moral of the Story

[ShieldW0lf]

If you live in Britian, drop this article around the office, then start dressing like someone from the matrix and talking in tech jargon. Your boss will fear you, and you'll be able to get away with murder!

Re:Moral of the Story

[Gumph]

What do you mean START dressing like some from the matrix and talking in tech jargon?

These were some nice days for the execs Blackberry

[lonesometrainer]

Just imagine that :) His device in his pocket, vibrating all day long... neeeeaaat?

Perhaps his exec forced him to do that?

Re:Only 5 million emails and the server crashed?

[richi]

Assume you posted these all at 2 am at night, at 8 the next morning all 30 people get to work and check their emails all at about the same time. Ouch

Well we don't know what mail server they were using, but that would be a problem with some popular servers that don't properly keep single copies of messages sent to multiple recipients CoughExchange5.5Cough. When I worked on OpenMail (now Scalix) this sort of load would have been no problem for a small server with a few thousand users.

It's a question of minimizing the disk I/O -- or more importantly minimizing the amount that the disk heads need to move.

Re:spam

[twoshortplanks]

I don't think any *criminal* act was carried out here. This doesn't mean the company couldn't sue for loss of earnings or disruption to buisness. It's just not something the Crown can prosecute for. Of course, that's my best guess. I'm no law expert.

computer misuse act does NOT need updating

[irw]

The Computer Misuse Act seems to have been designed to encode the electronic equivalent of breaking-and-entering (offences 1 & 2) and criminal damage (offence 3).

Denial of service is probably very difficult to encode in a similar fashion, since I do not see what *criminal* offence it would equate to.

In this particular care, there is no essential difference between sending a million emails and sending a million letters by post - both would swamp the service, but equally both are simply making use of the (e)mailing infrastructure as it was designed. (Yes I know letters cost more. That's irrelevant - they require more effort to deliver, and are priced accordingly).

Taking a different example, such as opening thousands of connections to a server with intent to deprive others' of access to it, I still can't see what equivalent physical world *criminal* offence has been committed. In this case an analogy requires many people, but what difference is it if a thousand people stand on the pavement outside a shop entrance effectively preventing other shoppers from entering, due to weight of numbers? Sure, the police can ask people to move on, which is the same as closing those open connections, no?

Since most electronic systems only enact operations which have equivalents in the physical world, I do not see how it would be right to create a law which makes the electronic equivalent illegal, when the physical original is not. This use of legislation creates the likes of the DMCA.

The Computer Misuse Act is a rare example of a really *good* law which is (1) broad enough to capture most offenders (2) easily tested for applicabilty i.e. not complicated with exceptions, extensions, etc and (3) not so vague that it is open to abuse.

Re:computer misuse act does NOT need updating

[irw]

Why not set up www.you're-not-allowed-to-look-at-this.com and launch a criminal suit against anyone who has a peek? In fact, you are officially NOT AUTHORISED to read this message.

You wouldn't get very far with this argument. Anything placed on a website is published. Anything published is public, therefore access is de facto authorised.

Now obviously you can put access controls on a website. But then you've taken a step to define authorised access. If you give someone a username and password, you've granted access. If someone obtains a username or password without permission, that's unauthorised. If someone bypasses this access control (and this bypass would probably have to be non-trivial; so if for example someone could cut and paste a URL which went directly to the material without being prompted, this would not apply) then it is unauthorised.

I personally think that "computer material" was a bad choice of phrase, and that "computer system(s)" is more appropriate. I cannot think of a way in which access controls could be devised which would NOT involve the owner of a computer system defining (at least implicitly) "authorised access". I'd make the assumption that in giving permission to put computer material on a computer system the owner of the material has agreed with the owner of the system on what arrangements are made for authorised access.

If my reading is correct it means a court gets to decide what is or is not authorised based on the circumstances, which is the Right Way IMO. Putting every conceivable situation in the Act would either be draconian or prone to loopholes as previously unconsidered situations arise.

Please give post your e-mail address so I can send details of the criminal suit against you 5 million times.

You're joking, of course. I suspect you could be charged with harassment (though maybe not criminally) and I would seek an injunction to stop you. Furthermore, the fact that you have made a threat which you are capable of carrying out might be common assault (which is a criminal offence).

Attack?

[FreakUnique]

Just because this guy sent x amount of emails it doesn't take away the fact that he destroyed a computer network infrstructure, which can be applied as criminal damage. That can be recompensed by the criminal for replacing the equipment and lost revenue. On a similar note, some berk's managed to ping my website into submission so that it cannot be view for the rest of the month. If I ever find who did it then there will be serious hell to pay.