U.K. Outlaws Denial of Service Attacks
gnaremooz writes "A U.K. law has been passed that makes it an offense to launch denial-of-service attacks. The penalties for violating the new statutes are stiff, with sentences increased from 5 to 10 years. The five year penalty was from the 1990 "Computer Misuse Act", which was enacted before the Internet became widespread. The idea of stiffer penalties for DoS attacks is probably something we can all get behind, but the language of the law is frustratingly vague." From the article: "Among the provisions of the Police and Justice Bill 2006, which gained Royal Assent on Wednesday, is a clause that makes it an offense to impair the operation of any computer system. Other clauses prohibit preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer."
Another law with good intent.
Another set of wording so vague it's no use against those it's meant to stop.
Another set of abuses waiting to happen.
Is crushing a suspect's child's testicles illegal?
John Yoo: "No, [if] the President thinks he needs to do that."
This is a pretty good description of DRM! So it's illegal now?
Only outlaws will be reading Slashdot?
Unfortunately merely meaning to do good isn't enough if you don't understand the root of the problem. This isn't going to deter people who are doing DoS attacks anyway. Usually they're using DDoS, through hijacked computers... This is pointless. But good for them for taking an interest.
That really is rather vague. My family are able to "impair the operation of any computer system" just by being left alone with it for 10 minutes.
I have to disagree on stiff penalties for so called computer crime. Where is the REAL damage? It is not like someone's truck tires are flattened, or a sign is defaced by paint, requiring physical repair.
DOS attacks simply slow down web page access, so what!
Defacing a web page just requires someone to reload another copy. No real-world harm is done.
I think these types of crimes deserve no more penalties than tagging a wall, or dressing up someone's yard with toilet paper.
Why would this warrant a real-world jail term?
A more appropriate penalty would be "loss of stuff" in whatever online massively multiplayer game the offender was into.
It is not a physical crime.
Hmm, sounds general enough that it could be applied to various trojans, rootkits and maybe even some general software malpractice a few big companies get away with, which could be a good thing ;)
e.g., StarForce has severely limited the access to several programs and data on MANY computers throughout the UK..
Now the Slashdot effect could be classed as a Denial Of Service (DOS) attack. Ohhh, scary.
"preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer" Watch out, Gates, Windows is going to be illegal now. The EU has its revenge!
So, when MS switch-off a copy of XP (or Vista) remotely FOR WHATEVER REASON they are breaking the letter of this law - and have "the necessary intent". So will we extradite Bill and bang him up for lots of 5-year sentences?
Excellent...
I don't have a copy saved but now is the time for a variation on the "solution to spam" thing that gets posted here sometimes, which shows why it won't work. i.e., your proposed solution is (x) retarded, that one.
This needs to be a civil offense, not a criminal offense. When it's a criminal offense, we have these types of problems: vagueness. Leave it to civil courts and have the victim sue the offender for so much money it's going to financially ruin the attacker.
If this is going to be a criminal case, a year in jail in addition to computer-banishment would be proficient. One, it prevents the person from repeating the crime. Two, it's going to be unpleasant for someone to spend a year in jail, not to be confused with prison, for something as physically harmless as denial of service attacks.
However, if a denial of service attack affects a medical institution or is against the government, then it needs to be a crime.
So let's see... DDOS takes down a site for a period of time (maybe more if it's a shared server). And so we respond with 10 years in jail?
First of all, economically that's a moronic decision. Jail costs the state between 20-30 thousand dollars a year depending on where it is. Unless someone is DDosing Amazon, and here's where the vague wording of the law is an important shortfall, we're spending hundreds of thousands of dollars punishing someone who did perhaps a few thousand dollars worth of damage. That's bad economics, and I'm sure that money could be better used say, feeding the starving or allowing someone to go to college who otherwise wouldn't be able to.
Second of all, the kind of person you're going to be able to catch is not the person you want to throw in jail. We already have laws to punish people who run large botnets, and moreover by and large experienced blackhats won't be caught because they administrate their nets from countries ending in -stan. So the people who this legislation will put in jail will by and large be stupid college kids and people making a bad, poorly thought out decision, as evidenced by the fact that they're using their home computer. These people need to be slapped with a big fine to smarten them up, and then allowed to contribute to society.
This should be a poster case of a crime that should not carry criminal penalty.
Does this mean that usernames/passwords are illegal??
Damn! So now it's illegal to use a script to flood a phishing site with dummy credit card info.
Or to load the ladvampire to use up the daily file transfer allowances on 419er's fraudulent "banks"....
So whose computers does it apply to? Only those belonging to the rich and powerful?
If you're going about business on the Internet, go about it with an adequately-configured system. Keep your own fences in order, like I do mine.
Isn't this the same law that makes distributing NMap illegal?
http://www.publications.parliament.uk/pa/cm200506/cmbills/119/2006119.htm
"Making, supplying or obtaining articles for use in offence under section 1 or 3
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article--
(a) knowing that it is designed or adapted for use in the course of or in connection with an offence under section 1 or 3; or
(b) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3."
I'm now a criminal. Joe Blackhat won't care; he'll still get hold of the 'articles', but my website which tries to teach people about responsible use of such 'articles' now makes me liable for up to 2 years in jail, plus a fine. I hate the law.
Now I don't have to know what the tools will be used for, just that they can be used for wrongdoing.
First Germany outlaws denial of the Holocaust, then France outlaws denial of the Armenian Genocide, and now the UK is outlawing the denial of "Service Attacks". Sure, we all know these horrible things happened, and that service attacks occur frequently, but anyone should still be free to deny... oh wait.
...I frequently impair the operation of computer systems :(
5-10 years for violating statues!
I'll never be-cone a statue ever again.
http://news.bbc.co.uk/1/hi/scotland/4264683.stm
>>Other clauses prohibit preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer."
Well - DRM restricts or impairs access to data held on a computer... especially when it's added to a file that wasn't previously encrypted (aka Zune file sharing). Hmmm....
I think the news.com.com summary, or the submitter's words make a poor summary.
Here is the amended law which certainly mentions not accessing a computer you don't have rights to touch (33) and the D.O.S. clause (34).
Specifically stated (and both need to be true) is "he does any unauthorised act in relation to a computer" and "he has the requisite intent and the requisite knowledge."
Requisite intent as far as 34.3.2.b would be D.O.S. or hacking and Requisite knowledge is defined at 34.3.4 as doing something you know is not allowed, that is, it's not an accidental D.O.S..
But.... Section 34.3.2.c could very well be taken as the UK's version of the DMCA. "If you attempt to defeat the lawful operation of a (DRM/WGA/SerialNumberCheck) program or provide tools (35.3a) to do such an act you face 10 years in gaol".
IANAL
When one of my websites (with over 130,000 active members) was being attacked, South Wales Police told me they couldn't do much to investigate the perpetrator because all the funds were tied up in fighting online paedophilia.
What's the point in making the term of sentence tougher, if there aren't any resources to investigate online crime in many UK forces?
Say I have an encrypted drive on my computer and it's seized by the authorities? Is that not impeding access to a computer system?
Also I totally agree with the earlier statement on REAL damage. Say a company's website is down and they sell things online. Someone who was really intent on buying something from that website will wait until its back up. Someone who was just shopping around will likely continue to do so, and the casual websurfer would pass it by, perhaps trying again later. They're really not LOSING any business, they're merely delaying it till later. How many individuals'/organisations' business would they honestly lose? There's no way of knowing, so they just pull a number out of their ass and say "This much!" and expect to be rewarded that amount, plus legal expenses of course.
Now say the victim is an individual in their home. Can they claim damages under this law? Most likely not since they're not "losing" anything (in a business sense), other than access to a service they've paid for. Sure you can ring up your provider and complain but they'll probably blame it on you and tell you it's your computer being full of spyware and viruses and you should reinstall Windows. If you tell them you run *nix they'll probably say I'm sorry that's not supported, we can't help you. Big firms (*cough* BT *cough*) are all too happy to blame the customer first.
So what this boils down to is that we've now got yet another lovely new law that's beneficial to big business and no one else. Oh happy day!
Like when a lot of people hit a website for a big DoS, how are they going to notice this? Just like the Spanish do with SGAE...
It's illogical, isn't it? That law just doesn't work...
I'm all for punishing the malicious, so long as users who are unwitting hosts for botnets and the like don't get thrown into prison simply for being ignorant. I'd hate to see Uncle Bob or Aunt Alice penalized that harshly just because they're too inexperienced to know when their system has been invaded by malware that could be used in DDOS attacks. That would be truly Kafkaesque.
Would this be like impairing the police's ability to use your phone line for free calls by taking their brother's illegal splice off your line? (2 misdemeanor charges)
> The idea of stiffer penalties for DoS attacks are probably something we
> can all get behind, but the language of the law is frustratingly vague."
Speak for yourself, I disagree. No material damage or health loss happens so 5 years is unreasonable. It doesn't cause any lasting damage for the victim, but the loss should of course be compensated.
impairing the operation of any program or data held on a computer."
Sounds like Norton A/V to me.
You really shouldn't discuss security without bringing Sept 11th (or 9/11 or indeed any of those forms is acceptable usage) up in the conversation. If you don't, how can we take you seriously in the security field?
I disagree! You buy a computer - you're responsible for it. If you don't have the knowledge to secure it, you pay the professional to do it for you. You may also insure yourself for any damage caused by your system, insurance companies exist for that.
It's like having a car: You are liable for the damage caused by the car independent of who drives it. If it is stolen or hijacked, you are still liable. Therefore you are required to have insurance that can cover the damage, there are safety requirements for the vehicle, and you are responsible to see that your car meets these requirements. If you are not a professional you go to the mechanic and have it done. And even if everything is OK, and your car is stolen and involved in an accident, you are liable, your insurance will cover damage, and if the thief is caught the insurance company will seek to get the thief to pay up.
The same should go for the Internet: Once you're on the public network you are liable for any damage caused. If we hold people liable they will make sure that their systems do not inflict any damage, reducing the risk. Currently, people just say:
"Oh sorry, I didn't patch my system, I didn't update my anti-virus and someone broke into my system without my knowledge... but that's not my fault!"
and
"I don't know how to maintain my system, but I just want to use e-mail anyway, so why should I need to care?"
Of course, it is not entirely fair just to blame the user. Software vendors disclaim ALL liability, even for errors they have knowledge of. Schneier's dream is to make software vendors liable for their products. I think that unless the public has full access to the code vendors should not be able to disclaim liability. You can't both disclaim liability and impose restrictions on how the product may be used.
If there is product liability, then it is also fair to hold users liable for inappropriate use and abuse caused by their misconfiguration or negligence and liability cannot be passed onto the vendor.
If this means that uncle Bob and aunt Alice can't use the Internet, because they won't accept responsibility for their systems and won't buy insurance against abuse, fine! Cut the connection!
It's so vague that many misdeeds can result from its application word-for-word. For instance it may be illegal now to remove spyware from one's computer.
If you outlaw DoS attacks, then only outlaws will have DoS attacks.
Won't somebody PLEASE think of the children!?
"Among the provisions of the Police and Justice Bill 2006, which gained Royal Assent on Wednesday, is a clause that makes it an offense to impair the operation of any computer system. Other clauses prohibit preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer."
Two words: Windows XP.
Sounds like it could be useful for fighting spyware too. After all, most spyware causes computers to malfunction and programs or data to become inaccessible. 10 years for CoolWebSearch and NewDotNet seems about right.
Apparently, computers have rights beyond those of humans. When a human misbehaves, it is generally considered acceptable to impair his or her operation. The same should hold for machines. It cannot be assumed that they are operating properly at all times. When a machine behaves in a way contrary to the intent of its designers and/or users, impairing its operation is usually the only form of recourse. Does this law require people to allow computers to go wild, even when they are clearly malfunctioning? What about when they acquire enough intelligence to make decisions on their own? Must we assume that they know best, and bow to their superiority?
MINOR AND CONSEQUENTIAL AMENDMENTS
Criminal Damage Act 1971 (c. 48)
1 In section 10 of the Criminal Damage Act 1971 (interpretation), after subsection (4) there is inserted
"(5) For the purposes of this Act a modification of the contents of a computer shall not be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition."
I completely agree. I believe that this is at the heart of why such harsh legislation for this behavior is ultimately ridiculous. For the law, ignorance is not a valid defence. So the first time that they seriously attempt to enforce this law, here's how it will play out:
i) one clever hacker will implement a virus/bot/[insert vessel of malcontent] that utilizes some newly discovered flaw in a ubiquitous OS like Windows [like this doesn't happen every day]
ii) using said flaw he/she will then make half the populace (depending on level of penetration) instantly guilty (mostly through ignorance) of participating in said DoS attack.
iii) Said government will then begin the ridiculous and incredibly asinine task of fining and penalizing all of the "guilty" parties. All of the aunty Ems, Sues and even lovable Grandpa Jim that stepped away from his computer to save six small children in a burning building.
iv) Undoubtedly, the nefarious evil hacker responsible will be savvy enough to cover his tracks and of course never get caught. However the damage will have been done to the attacked corporation and the ignorant accomplices as well.
So they've unwittingly given the malicious hacker much bigger teeth and more visible recognition for their clever actions on their victims. (sigh)
I think that those responsible for launching the DoS attacks should be penalized as they are causing loss of income/services, but vague legislation is just plain dangerous and stupid. Obviously they don't truly understand their adversary.
http://www.publications.parliament.uk/pa/cm200506
it seems we are just catching up with the U
listed under:
Making, supplying or obtaining articles for use in computer misuse offences
Yeah, this will stop the botnets, better yet make ISPs verify outgoing traffic is not spoofed.
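The check the comment above asks ISPs for is source-address validation at the customer edge, the technique described in RFC 2827 (BCP 38): a packet arriving from a customer port is forwarded only if its source address falls inside a prefix actually assigned to that port. The following is an added illustration and not code from the thread or from any ISP; the interface names, the prefix table and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed access-network prefix table (hypothetical interface names and
# documentation prefixes): interface -> prefixes assigned to the customer on it.
CUSTOMER_PREFIXES = {
    "dsl-0/1": ["203.0.113.0/28"],
    "dsl-0/2": ["198.51.100.64/26", "2001:db8:1::/48"],
}


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # customer-facing interface the packet arrived on
    src: str         # claimed source address
    dst: str         # destination address


def build_filters(table):
    """Parse the prefix table once into ip_network objects keyed by interface."""
    return {
        ifname: [ipaddress.ip_network(p) for p in prefixes]
        for ifname, prefixes in table.items()
    }


def source_is_valid(pkt, filters):
    """BCP 38 test: the source must lie inside a prefix assigned to the ingress port.

    An unknown interface has no prefixes, so the check fails closed.
    Address-family mismatches (IPv6 source vs IPv4 prefix) compare as False.
    """
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in filters.get(pkt.ingress_if, []))


def filter_outbound(packets, table=CUSTOMER_PREFIXES):
    """Split customer-originated packets into forwarded and dropped (spoofed)."""
    filters = build_filters(table)
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt, filters) else dropped).append(pkt)
    return forwarded, dropped


def drop_summary(dropped):
    """Per-interface count of spoofed packets; a spike on one port flags an
    infected customer host before anyone downstream notices the flood."""
    counts = {}
    for pkt in dropped:
        counts[pkt.ingress_if] = counts.get(pkt.ingress_if, 0) + 1
    return counts


# Constructed sample traffic: two legitimate packets, one packet forging a
# neighbouring customer's address, one forging an unrelated address, and one
# from an interface with no prefix assignment at all.
SAMPLE_PACKETS = [
    Packet("dsl-0/1", "203.0.113.5", "192.0.2.10"),
    Packet("dsl-0/1", "198.51.100.70", "192.0.2.10"),
    Packet("dsl-0/2", "2001:db8:1::42", "2001:db8:ffff::1"),
    Packet("dsl-0/2", "192.0.2.99", "192.0.2.10"),
    Packet("dsl-0/3", "203.0.113.9", "192.0.2.10"),
]

if __name__ == "__main__":
    fwd, drop = filter_outbound(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for ifname, n in drop_summary(drop).items():
        print(f"  {ifname}: {n} spoofed packet(s)")
```

The point of keying the filter on the ingress interface rather than on a global list of "our" addresses is that a bot on one customer line cannot borrow a neighbouring customer's address either; in the sample, the packet from dsl-0/1 claiming a dsl-0/2 address is dropped even though the address belongs to the same ISP. The per-interface drop counts are the signal an abuse desk would act on.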
Sounds like they just made windows illegal.
being a mail system admin i know all too well how much of a problem it can be when we get dvd images sent via email to the workers... they do lots of media things so they often receive marketing materials on dvd/cd...
but sometimes when these images sit in the queue because an upstream system cannot receive them yet, the /var partition might run out of space, is that then a denial of service attack as we can no longer receive mail?
so vague.. also the same with web servers... if people are getting images off the web server so frequently that the server can no longer perform tasks for others does this then constitute a denial of service.
Spammers sure impair the functioning of my computer. As do pop-ups, ads that take eons to load, stupid registration requirements, and all the rest of the Golgafrinchan bullshit. So this law means we can get rid of all that, right? Right?
I didn't read the full item (RTFI...), but section 1a looks like it could be a problem for legitimate security professionals or network systems developers producing tools to mimic DOS attacks to test legitimate tools for defense or resistance to attack (such as routers or firewalls), or traffic-load/generation tools - for example, tools to exercise web sites to determine the traffic they can withstand before being put online...
If possession of the texts mentioned in the article is all the authorities have on this woman, then Britain has clearly discarded the rule of law.
Isn't spam a DoS on my Inbox? So can spam be prosecuted with 10 years imprisonment? Nice :)
Um.... I'm sorry .. I really don't agree with this. You're grossly over-simplifying the issue here. Your computer is fundamentally not like a car in this situation for many reasons.
1) Your car has a physical representation in the real world. So a thief has to target your car, risk leaving evidence and physically enter it to steal it. Consumption or getting rid of said physical evidence (car) after theft is still an issue requiring distinct amounts of effort. Your computer is fundamentally different. It's basically a software entity that has the ability to communicate with the outside world. And in that respect another savvy piece of software can enter that computer and rewrite key portions to be repurposed for different functionality. Try having a mechanic go in and replace the frame of your car with Titanium. Possible but prohibitively costly. Fine, we'll leave hardware recomposition to the experts. How about you have your mechanic reprogram your car to go out and steal other cars. That would be a feat of software design genius/implementation that also is prohibitively costly, besides the fact that it would leave traceable physical components that could lead back to some component manufacturer. But here's the kicker, now tell your mechanic that when your car steals other cars, it's got to do it in a way so that these other cars and their owners will not even notice that they've been repurposed. Another trick that's prohibitively costly or just plain impossible?
.... and then magically returned to its previous state. Try to get your car to morph into a plane for your next flight and then have it turn back into a nice car at the other end of your destination. Prohibitively costly? Probably, but all of the car insurance companies know that for decades past and probably decades to come, cars will not actually be capable of flight so they don't have to consider premium changes for such eventualities. Your computer is infinitely more capable of various digital tasks not easily classified for premiums.
2) Your computer's identity and what makes it dangerous is completely virtual and almost completely composed of millions of identical zeroes and ones. Any of these binary components can be instantly repurposed to fulfill some wonderful new task or some nefarious event.
Fundamentally the fact that a computer is digital, reprogrammable and instantaneously replicable and transmittable means that it's a lot less traceable and more easily manipulated. The problem of software security and protection is insanely complicated and big corporations spend millions of dollars every year to keep security in check because they can't control it enough to cure it. The problem is non-trivial and insurance, although an inviting concept, is in itself prohibitively costly to implement, enforce and verify.
Besides the above arguments, I don't agree that you should be penalized for the actions of others. 3rd party coverage aside, in the digital world it is entirely too easy to generate an autonomous software entity and mass communicate it to an unlimited number of systems. However it is this same functionality that makes software so powerful and crucially useful everywhere. If multibillion dollar companies with teams of professionals can't provide foolproof mechanisms to protect machines from being hijacked and used for evil, is it really fair to lay such a complicated burden on the average user and worse penalize them when they fail? A virtual tool should not carry the same responsibilities as a physical tool. The physical rules of the universe that we all depend on are not all applicable.
This is a very difficult problem that will require a new and non-trivial solution.
As usual with legislation from the British government (and many others), this is a dumb, badly-written law. The main problem is not so much that the authors didn't understand the technology (although they probably didn't); it is that they failed to think the alleged offense through properly. They had no doubt heard of some DOS events, which struck them as outrageous; and, as our noble lawmakers so often do, they reacted knee-jerk fashion by demanding that "something must be done!"
When these laws bring about mayhem in the courts, or at least unjust verdicts, their authors will no doubt protest that "we didn't mean it to be interpreted that way!" Programmers will recognise this frame of mind: it's DWIM all over again. ("Do What I Mean" - not what I say). Writing laws and writing code have a lot in common, but it's not always as easy to tell when a law has bugs.
I am sure that there are many other solipsists out there.
I for one welcome our new Computer based overlords who are now by law immune to being disabled or hindered in any way....
The stage is being set... our laws will be used against us by the machines!
All these years my sister used the phone while I wanted to be on the internet. I was right all along!
> "or impairing the operation of any program or data held on a computer."
So you can't use an anti-virus program, which impairs operation of virus programs.
I'm not even going to try.
Do some reading on the subject.
Educate yourself, Wikipedia is a good starting point, google if you must.
But once you're done, look back on this, and reflect on the irony of you having called pretty much everyone else in the world a fucking retard.
DOS (or rather DDOS) attacks are rarely something you do from your computer at home. You have a herd of sheep doing that for you: Computers that you infected with a trojan which are under your control, waiting for the "drop da bomb" command.
Who's gonna feel those 5-10 years? As much as I'd love it, it won't be the people dumb enough to not even notice that their connection is at crawling speed because they're infected. That would indeed be the end of the 'net, because people would be scared to go online.
So we're after the guy controlling the botnet? HA! Good effing luck! Europol backed and "encouraged" by banks is trying to get a hand on the guys doing phishing trojans. I.e. European persecution organisations with some rather "encouraging" businesses behind them are in vain trying to crack down on some people doing essentially the same a DDOS controller would do.
So why do you think a DDOS blackmailer who's most likely targeting "smaller" companies (read: Normal companies that don't have the executive forces of states at their fingertips) would ever be found out?
In a nutshell, the law is pointless. Unenforceable. Yes, it's forbidden. Yes, it's against the law. Yes, people won't give a fu.., knowing that it's impossible to get caught.
Whether a law is broken does not primarily depend on the sentence tacked to it. It mainly depends on your chances of being caught. If that chance is zero, the sentence could be worse than death and people wouldn't care.
This car analogy is sometimes used to ridiculous extremes on Slashdot, and I think this is a perfect case. If we were going to push the car analogy to its logical reductio ad absurdum, they'd be REMOTE CONTROLLED CARS that malicious users have overridden the controls to, cars that then had little bombs strapped to them and rammed into buildings like some bad Hollywood movie. Do you seriously want Aunt Alice and Uncle Bob to be thrown in prison for remote-controlled carjacking?
'nuff said.
From the article:
What about antivirus programs that impede virii? Are those now outlawed? After all, a virus, while definitely an unwanted beastie, still is a program held on a computer.
1) Don't be silly: The analogy I wish to draw regards liability, not functional characteristics. Liability has nothing to do with functionality.
:) But again, don't be silly, the analogy is not of functional characteristics.
2) I'll admit that all the 1's are identical, and all the 0's are identical, but sometimes the order is important
The point is that the owner of a device is the only one responsible for that device. If my neighbor's PC is hacked and attacks mine, I can't interfere, that would be trespassing. All I can do is try to monitor and log the activity. The only one who has the ability to act against the compromise without breaking the law is the owner. Therefore, the owner should be responsible for doing so, and liable for any negligence.
As it is now, everyone disclaims all liability: The software vendor, the ISPs, businesses and individual users. All the cost is paid by the victim target. Software vendors even disclaim liability for errors they are aware of - did you ever read one of those EULAs?
If you make people liable for their devices, you introduce an incentive to act: To protect against compromise, to detect compromise, to contain compromise and to repair. People and businesses will have an incentive to reduce risk and buy products according to their security merits and not only functionality, software vendors will then have an incentive to create less insecure products, and product liability should apply to increase that incentive.
It's a cost-benefit calculation, if there are no costs of insecurity there is no reason to act. Most individuals say "why should I care, I have nothing to hide!".
Big corps worry about security because of potential losses. Microsoft works to secure themselves such that source code and business secrets are not disclosed, but the security of the customer is treated as a PR problem - "sales may go down if we screw our customers too much". They have disclaimed all liability for their products. And when liability is disclaimed, vendors see a benefit in marketing early - better sell buggy products now and correct errors later because otherwise the competitor may come first.
Liability turns that around. Vendors will work to weed out the bugs and test the products properly before release since the cost of releasing buggy products early increases.
Finally, please read my comment again: I don't say aunt Alice should be penalized, and in fact I say that it is not fair to impose liability on individual users while letting vendors disclaim all liability. Software companies currently disclaim all liability for their products. This I think is fair only if they also provide every detail needed to evaluate the product before purchase: The source code! Any company that decides to keep code closed should retain liability for their errors. Disclaiming liability is not fair unless users have full knowledge of the inner workings of the product.
True: Most users don't have the technical knowledge to evaluate a product, but then you purchase a product evaluated such that liability is with the software vendor. So, aunt Alice may purchase closed or open source products, she knows that if it's free and comes with source code she is liable for any dysfunction, so she pays a vendor that tests the product and assumes liability.
Liability doesn't make products secure by default, but it gives an economic incentive to prioritize security and not just functionality. Companies will make a risk assessment and weigh the cost of breaches and abuse against the cost of making the product more secure. They may insure themselves if they are small or choose to run the risk.
Aunt Alice is liable for her devices, she is the one in power to ensure that the product bought is used following the vendor's instructions, and she is the one in power to make sure that vendor corrections are applied. If she fails to follow the instructions, if she does not "patch the brakes" in her system, it's her fault. She can buy an insurance to cover a
So, after you root the box, make sure you write a declaration of authorization and sign it with the sysadmin's private key, then e-mail to to yourself. Since, after all, only unauthorized acts can be prosecuted.
Time for someone to set up a BlueFrog-like site/company in the UK? ;-)
If you live in the UK, what happens if you submit a story linking to a UK website that you do not own, the server can't handle the resulting traffic, and the owner doesn't appreciate the attention?
Since Labour came to power in 1997, they have passed over 32,000 new statutory instruments with over 114,000 pages of text (=205 copies of War and Peace) with the resulting outcome of "creating" over 3,000 new crimes (which works out at about one a day).
Maybe someday we'll get a government who thinks of something other than "Something wrong? Pass a new law." but somehow I doubt it.
Exigo spamos et dona ferentes
BTW: For those who disagree with me, here's the weak point in my argument: The problem is that one vendor selling one product will accept liability for that product - unless the users tinker with it! But pc's are general purpose products - made for tinkering.
And of course a software vendor has no way of testing all the possible combinations with other software to ensure that it works correctly. Hence, software vendors can with reasonable legitimacy say: But you installed product B and we won't accept liability if that product is also installed.
Microsoft actually does address this issue: when you install software not signed by Microsoft, a warning is issued. Some vendors pay Microsoft to sign their software, others don't care. The warning is that the product may not be trustable, but really it could be: Installing this product will void warranty.
The OS vendor will have full control of who gets the magic signature, and everyone else will void warranty. This is perfect if you want to defend a monopoly.
Then take for example the case where a user listens to a CD with copy protection from Sony which installs a root kit. Then the pc is compromised, and figuring out whether to blame Microsoft or Sony becomes tricky: Did the hacker exploit the Sony rootkit or did he use a bug in Windows?
So, unless we can find a balanced way of imposing liability on software vendors, it could cause the end of the "general purpose" pc. Instead, one would have to purchase a pc for writing documents, and another for e-mail.
"The problem is that one vendor selling one product will accept liability for that product - unless the users tinker with it! But pc's are general purpose products - made for tinkering." I agree, and I don't want to see that changed. I don't really know the answer to who is financially liable in the Sony rootkit example, but the malicious user is certainly responsible for exploiting it. The real problem, as I see it, is that the malicious users don't have deep enough pockets to reimburse the businesses and people they hurt financially. But the US is so litigation-happy that Somebody Has To Pay, even if the ones paying are not guilty of the criminal act itself.
Professional Dilettante
Does this cover the customer when a company refuses support as well ? :D
errr....umm...*whooosh* *whoosh* Is this thing on ?
Now can someone please tell us roughly what percentage of botnet owners/creators live in the U.K.? Right. Great idea, but what's the point if it's not going to stop the worst perpetrators because they're on another continent?
A crime to impair operation of a computer? These guys must be going after Microsoft!
... behind this law, but c'mon, how many people actually understand technology? 1% of all? It's not just that the law-makers are of the old generation. They're just of those who don't get tech. Like most people. If person who understands tech gets in trouble, they can always pull a Baltar (2003) style talk and get away with just about anything, anyway.
This needs to be a civil offense, not a criminal offense.
The problem with this is that if some snot-nosed 12-year-old shuts down a chat server because he is pissed off at getting kicked for being obnoxious, a civil suit won't do squat, since he won't have any resources to go after. However, if it's a criminal offense, at least he might have his computer access revoked.
Yes, revoking computer privileges is a must. A cap of 20 years though to prevent harsh judges.
PARENT MAKES a well expressed clear POINT
Exactly. I was involved in crushing one of the attacks that helped prompt this legal change. I'm happy to say it got no publicity. The attacker was a script-kiddy with a botnet and a blackmail fantasy and it took us about 2 man-days to blacklist the last of IPs he was using (over a period of a week). We also spent a lot of time in research, management oversight and making precautionary changes against any future attack. I don't think I like the new law, but it may have been inevitable.
The same should go for the Internet: Once you're on the public network you are liable for any damage caused. If we hold people liable they will make sure that their systems do not inflict any damage, reducing the risk. Currently, people just say:
"Oh sorry, I didn't patch my system, I didn't update my anti-virus and someone broke into my system without my knowledge... but that's not my fault!"
Well, here's the future after I'm liable and you try to go after me:
1) You need to connect an IP address to an individual, and for that you need a court warrant. Already your chances of doing anything outside your own country are microscopic. Here most of the cases drop off the map.
2) My computer's part of the claimed DDoS is microscopic, you're bringing suit against an individual and the alleged negligence occurred in my jurisdiction. Thus, I move that the case be held in my jurisdiction. Here most of the remaining cases drop off the map.
3) If you want to talk liability, you might first try to get negligent liability into law. In which case defense three would be that I haven't been negligent. By the time you get a computer expert in to testify that the system wasn't properly maintained, your costs are again off the scale.
Alternatively you're trying to get money from a big insurance company. Actually, many companies since you're trying to collect from many different parties. Most people consider going through this process with ONE company to be a major PITA, try a dozen in different jurisdictions.
If you're talking strict liability, not going to happen unless insurance companies offer it (insure a computer where the users install god knows what? No way!) or the software vendors (Use any other software but our blessed apps, and you're void!). The way people use computers 99% of them are uninsurable even if they're properly maintained, and the rest is running Windows/IE/Office ONLY. I trust my system pretty much, but not enough that I'd go without insurance particularly if I get some wacko lawsuits like "top secret documents from General Motors were smuggled out through your machine, pay ten million dollars". And with insurance I'd be paying for all the people downloading "free" MSN smileys. And don't think OSS people would get off free - to continue your own analogy, are you any less liable if you drive a home-built car? Hell no, and good luck trying to get insurance on it.
Live today, because you never know what tomorrow brings
find / -exec chmod 777 {} \; /*
or
chmod -R 777
p.s. what's your IP address?
Tell them you think somebody is trying to hack into your website for the purpose of installing illegal pornography then?
Reminds me of story I heard.
An old man calls 9-1-1 and says that two men are trying to break into his shed and steal from him.
9-1-1 says that all the police in the area are tied up right now, but they'll send somebody in 45 minutes to an hour.
Man says that the crooks are there right now committing the act, but they'll be gone in one hour
Operator gets annoyed with man and says there's nothing she can do
Man tells her to have a nice day and hangs up
3 minutes later, the man calls back and tells the police not to worry about the crooks.
Operator says "oh, why not. Have they left already."
Man says, "well no, since you weren't coming I just grabbed my shotgun and took care of them both myself"
Not five minutes after that, several police cars skid to a halt in front of the man's house. They catch the burglars, alive, still trying to steal stuff from the shed. The man is confronted about his call as the police thought they were responding to a shooting.
Man says, well it seems to me that when a crime is being committed, you guys don't show up. But when a man defends his own property it doesn't take you long to get here.
So far as I know, the man was charged with something or other for lying to 9-1-1, but later acquitted. But it goes to show that many times cops would rather be "busy" with their traffic tickets or whatever else than deal with somebody being robbed.
You have some good points.
1st: The burden of proof: Say the DDoS is a SYN flood or DNS flooding, then it is impossible to tell which packets were legitimate, but failed because of the attack, and which were part of the attack. But if this is a mail flood or HTTP attack, then it is much easier to prove that this was indeed part of a DDoS - or just part of an attack.
2nd: True, there are plenty of countries in which I don't have the resources to bring the case. But then: Small businesses and individuals which don't do business outside their own country can mitigate the problem: Why allow access from non-potential business partners or customers?
3rd: Yes, your part is almost nil, which is the problem in many attacks today, but then: This year in UK (I think in February) a guy managed to get £300 for a (one) spam mail in a civil suit: Compensation and covering of the costs, with reference to an EU directive. So, if compensation is something in that order - anyone under attack knows it's raining gold!
4th: You're still liable, negligence just increases the risk that someone will hold you liable for illicit actions. Negligence becomes a problem between you, your insurance company and the vendor.
Given 3, there are other problems that I find much greater: Proving the accuracy of your logs.
Now, think liability in other types of attack: Say some cracker breaks in and steals secrets, destroys data or otherwise causes service interruption.
The losses in such a case are potentially much bigger. The target, knowing they don't have to track down all the way to the very end in order to bring the case in court, will be more likely to bring the case to win compensation. This means that individual users will do more to reduce their risk of being victim not because of their own losses but because of the potential damage they can be held liable for. How many times have I heard people say they don't care about security because they have nothing secret on their computer?
So, introducing liability will improve security. And this will also have the positive effect in the cases of DDoS and similar where cost of investigation does not match the possible win.
And insurance companies will be there to offer the insurance you need - even allowing you to install whatever you like. It's just a question of assessing the risks and the costs. They might have you pay the first $1000 damage - this gives you a clear incentive not to be too ignorant. And ignorant aunt Alice will pay certified people to install her computer and not the neighbor's 11-year-old son.
You have to keep in mind that products are currently not designed with liability in mind: Everyone disclaims liability, it is not fair to introduce liability all the way through from one day to another: Everything would grind to a halt. Rather than starting at the end user, start with the vendors and the ISPs. They have the expertise and resources to make a big difference.
But, the positive side is: A new market will be created, where security is a feature, and people will evaluate security along with other features when choosing their product.
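The reply above draws a line between floods that leave attributable evidence (HTTP or mail, where every request rides on a completed connection and lands in the server's own log) and SYN or DNS floods, where the source addresses on the packets cannot be trusted. The following is an added example, not code from any commenter or from the article, showing the kind of log-side check an operator would run to substantiate the first case: it parses Common Log Format access-log lines, counts requests per source address in a sliding time window, and reports the addresses whose peak rate exceeds a threshold. The log lines, the addresses (reserved documentation ranges), the window of 10 seconds and the threshold of 5 requests are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log in Common Log Format (not from any real server).
# 203.0.113.7 sends eight requests in six seconds; 198.51.100.4 sends three
# requests spread over ninety seconds; one line is deliberately malformed.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Nov/2006:14:01:30 +0000] "GET /about.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Nov/2006:14:02:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Nov/2006:14:02:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Nov/2006:14:02:02 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Nov/2006:14:02:02 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Nov/2006:14:02:03 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Nov/2006:14:02:04 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Nov/2006:14:02:05 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Nov/2006:14:02:06 +0000] "GET /index.html HTTP/1.1" 200 5120
this line is not a valid log entry
198.51.100.4 - - [10/Nov/2006:14:02:20 +0000] "GET /news.html HTTP/1.1" 200 3072
198.51.100.4 - - [10/Nov/2006:14:03:05 +0000] "GET /contact.html HTTP/1.1" 200 1024
"""

# Common Log Format: host ident authuser [date] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')


def parse_log_line(line):
    """Parse one CLF line into (ip, timestamp, request, status); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, request, int(status)


def peak_rate_per_ip(lines, window_seconds):
    """For each source IP, the largest number of requests seen in any window.

    Uses a two-pointer sweep over the sorted timestamps, so each IP costs
    O(n log n) for the sort and O(n) for the sweep.
    """
    times = defaultdict(list)
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # skip lines the parser cannot attribute to a source
        ip, when, _request, _status = parsed
        times[ip].append(when)

    peaks = {}
    for ip, stamps in times.items():
        stamps.sort()
        best = 0
        start = 0
        for end, t in enumerate(stamps):
            # advance the window start until it is within window_seconds of t
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def flood_sources(lines, window_seconds=10, threshold=5):
    """Source IPs whose peak request rate meets the threshold, with that peak."""
    return {
        ip: n
        for ip, n in peak_rate_per_ip(lines, window_seconds).items()
        if n >= threshold
    }


if __name__ == "__main__":
    for ip, n in sorted(flood_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: peak of {n} requests within 10 seconds")
```

The point of the example is the one the reply makes: because each logged request sits on a completed TCP connection, the address the server records is the one that actually held the connection, so a per-source count from the server's own log is evidence an operator can stand behind. The same count over a packet capture of a SYN flood would say nothing, since nothing in a bare SYN binds the source address to a real host. In practice the threshold and window would be tuned against the site's normal traffic, and a peak rate alone is only a starting point for an investigation, not proof of intent.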