Sweden to Make Denial of Service Attacks Illegal

paulraps writes "Sweden is to pass legislation making Denial of Service attacks illegal. The offense will carry a maximum jail term of two years, and is thought to be a direct response to the attack which crashed the Swedish police's web site last summer. Nobody was charged for that, but the fact that it came shortly after a raid on the Pirate Bay's servers was thought by many to be not entirely coincidental. Sweden's move follows the UK, which is even tougher on web attackers — there the sentence can be over five years in prison."

Slashdotted.

[morgan_greywolf]

So does this mean that they're gonna arrest Taco, Zonk and Co.?

Re:Slashdotted.

[nmb3000]

So does this mean that they're gonna arrest Taco, Zonk and Co.?

It's worth a try!

*cough* :)

Re:Slashdotted.

With any luck they'll just get a warning next time they slashdot a site.

Then when Zonk dupes and even tripes the link, they'll haul him off for good.

Re:Slashdotted.

I sute hope fucktard taco, brokeback neil & co. all get fucking arrested and given the goddamned death penalty for extending and embracing communist linsux and open-sores. That does qualify as committing high treason against America.

Mostly pointless...

[DrYak]

As most of the time DOS attacks are performed from outside the country, and therefor outside its juridiction, I doubt they'll even invoke it in court.

Re:Mostly pointless...

[Xemu]

As most of the time DOS attacks are performed from outside the country, and therefor outside its juridiction, I doubt they'll even invoke it in court.

This law will allow the police to obtain the identity of the person using the IP address that is used for the DOS attack, even if this DOS attack is directed from Sweden to the outside world. I am sure there is a large amount of political pressure from the US in this matter and Swedish politicians are easy to intimidate.

It is important to note that the sentence term of 2 years was not chosen at random. When a crime carries this sentence as a possiblity, the Swedish police gets greater powers to use surveillance, wiretapping and raids to secure evidence such as the identity of person using a specific IP address.

In fact, this is also why thePiratebay.org exists and is so successful - since file sharing carries a sentence which is usually much less than 2 years, the police are not allowed to raid or subpoena the ISPs for the identity of the person that is using a specific IP address. (The Swedish MPAA aka APB have treid hard to get a criminal conviction for file sharing for this reason.)

Re:Mostly pointless...

[sr180]

In fact, this is also why thePiratebay.org exists and is so successful - since file sharing carries a sentence which is usually much less than 2 years, the police are not allowed to raid or subpoena the ISPs for the identity of the person that is using a specific IP address. (The Swedish MPAA aka APB have treid hard to get a criminal conviction for file sharing for this reason.)

No. The pirate bay exists because its not illegal to link to illegal copyrighted material in Sweeden. The pirate bay doesnt share illegal material, just torrent files, which are essentially a link to where the material actually is.

Re:Mostly pointless...

[RallyDriver]

A very common form of DDoS attack is a SYN flood where the source IP in the packets is NOT the IP of the bot being used.

Last time someone had a go at our servers, the forged IPs traced back to well known locations which obviously weren't the real source (mostly US government labs like LLNL and Sandia).

I see a risk here where DDoS is used specifically to frame the real owner of an IP.

In any event, a moderately competent hacker will use a botnet which is managed using wardriving sessions, or from a server in a non-authority-friendly country, ensuring they are untraceable.

Re:Mostly pointless...

[Wilson_6500]

When a crime carries this sentence as a possiblity, the Swedish police gets greater powers to use surveillance...

So, wait. The _objective measurement_ of the severity of the crime (i.e. the level of police response required) is tied to the _possible sentence_ it can carry? While in theory this shouldn't be a problem, since the sentence should reflect the harm done by the criminal, that kind of stipulation has _ludicrous_ potential for abuse.

Re:Mostly pointless...

[Kidbro]

Please explain.

I honestly think the system is pretty sane. They can not search my house, even if I'm suspected of shop lifting. They can, however, search the house of the drug dealer living down the road. Somewhere the line has to be drawn, and if it has to be drawn, there has to be some way of figuring out which side any particular case should end up on. They've chosen the penalty of the crime the suspect is suspected of. Care to come up with a better measurement?

And by the way, I live in Sweden, if that's in any way relevant.

Re:Mostly pointless...

[testadicazzo]

Man, I just gotta say, I'm impressed with the overall sanity of your legal system compared to ours (U.S.). 2 years is a perfectly reasonable sentence. I can't find the links, but I seem to recall seeing many bills announced on slashdot with completely disproportionate sentences. Hell, Kevin Mitnick comes to mind...

Re:Mostly pointless...

[turbofisk]

Actually the grand-parent is right. TPB is basically being prosecuted for aiding copyright infringement and what keeps an ordinary person from being charged for copyright infringement is that the police can't get the logs who tell them who the offender is - for the reason the grand-parent wrote...

Re:Mostly pointless...

[iago-vL]

As most of the time DOS attacks are performed from outside the country, and therefor outside its juridiction, I doubt they'll even invoke it in court.

Actually, DoS attacks are more commonly performed from within the country, because who in Canada, for instance, would bother DoS'ing a Swedish company? Nobody would care.

The problem, however, is that the bots the local attacker uses are typically outside the country, which makes it impossible to track down the attack.

Oh, that will solve it

[Nom+du+Keyboard]

Oh, that will solve it. Just make it illegal, and end of problem. Yeah, right. Until you can track, smash their computer toys in front of their eyes, empty their bank accounts, and lock them away for a good number of years, passing all the laws in the world is simply feel-good do nothing crap. And two years max isn't nearly enough!

Breaking their fingers is a good thought as well.

Moral of the Story

[JonathanR]

Don't do your DoS attacks from Sweden or the UK.

A link to their govt site?

[DimGeo]

Anyone?

Re:A link to their govt site?

http://riksdagen.se/

Good luck

[OverlordQ]

Good luck enforcing it and finding the C2 to punish the right person. I know my clan's site has had to move hosts a few times due to DDoS attacks, especially when the last one was pushing 10 Gb/s

Not going to work

[Kaleo]

It damn well SHOULD be illegal, but unfortunately making it illegal isn't going to accomplish anything. Look at marijuana, it's illegal but everyone does it anyways. It will be unenforceable.

Re:Not going to work

[MysteriousPreacher]

If you wander in to a bar or take a walk in to town, how many smokers do you see wandering around smoking Marijuana? Sure, you'll find some but the fact that there aren't that many around would suggest one of two possibilities.

1) The vast majority of smokers don't like marijuana, they prefer tobacco.

or

2) The vast majority of smokers don't smoke habitually marijuana because it's illegal. This could be because they don't want legal hassle or perhaps they can't easily buy it.

Even if you can't eliminate a crime, the majority will tend to obey it unless they've a very compelling reason to do otherwise.

Re:Not going to work

[mikek3332002]

Well if you lived in A a certains country town in NSW, Austrlia it would be harder to find tobacco smokers.

Re:Not going to work

[Kaleo]

Well I admit that I was comparing apples to oranges, but you could still argue that by making *anything* outright illegal you will simply strengthen the underground of the related market through natural selection. Kinda like the illegal marijuana markets. The more they get attacked by authorities, the further underground network exploiters will go, and their defensive(and offensive) techniques will become more and more effective. Lock up one exploiter and a better one will learn his mistakes and be even more destructive and harder to catch. That is really what I meant by comparing DDos prohibitions to marijuana. I wasn't trying to compare the actual acts of smoking to DDos exploiting.

Re:Not going to work

[MysteriousPreacher]

Looks like I found a place for my next holiday.

Yeah, I should have been mentioned that it depends on the location really.

Re:Not going to work

[MysteriousPreacher]

It's true that DoS techniques could go further underground but a stand has to be taken somewhere. The alternative is to allow state-sanctioned vandalism and blackmail.

Virus writing is a relatively underground past-time but we can still examine the techniques used and improve our defences. My main hope with the law is that it'll deter the "me to" script kiddies who are looking for a few minutes of notoriety.

You're right that this won't stop all of them. The big boys who have real gains to make from these attacks will continue to find new and imaginative ways to hose a server.

Re:Not going to work

uhh, actually it suggests that not very many people (in the US or similar western countries, atleast) smoke marijuana in bars or on the streets, and smoking marijuana in public is an incredibly different thing from smoking marijuana.

could you be any more fucking stupid?

Re:Not going to work

[MysteriousPreacher]

People tend to avoid smoking marijuana in bars and on the street because it's illegal. It's the same reason why I carry out all my murders at home. There are fewer witnesses around.

Re:Not going to work

[Kaleo]

Of course. DoS attacks *have* to be illegal. For it to be legal would be obviously ludicrous. But how well is Sweden going to be able to enforce this? And even when they do catch DoS attackers, locking them up for a mere 2 years will only deter the teenage wannabes, not the real threats. Too many hackers/network exploiters/script kiddies have feelings of invincibility when hidden behind a computer screen. Two year prison sentences is not scary enough to stop these guys. Make it 15 years. That or make it legal for me to savagely beat DoS attackers with baseball bats.

Looks like the prison lobby

[iminplaya]

Looks like the prison lobby has lots of pull in Europe, too. And in places you'd least expect it. If you want to make lots of money, you know where to invest.

Re:Looks like the prison lobby

Umm, you know, the swedish prison system is run by the national government, so there is no money to be made by the prison industry there.

Re:Looks like the prison lobby

[iminplaya]

The Iraq war is being run (badly) by the US government, but Blackwater and Halliburton rake in the dough. A government can operate for profit also. It might not be on the books, but it's there. So buy bonds... Also, they don't use any outside contractors to build the infrastructure? The money spreads far and wide, and it draws lots of scavengers. Those kinds of people will always advocate anything that puts more into their pockets. This isn't about protecting a service or property. It's vultures looking for big bucks. However, the majority of the people won't see past the "morality" spin, and will never get to the root of the problem.

Pointless

[forgoil]

Take a quick look at everything that is illegal in Sweden, take a look at all the laws (seriously, do), and I can tell you that this doesn't really make a difference. Just because you make something illegal doesn't mean it will go away, something they refuse to realize in this country of mine...

Re:Pointless

[susano_otter]

I don't think laws are about preventing crime, so much as they are about setting up a "payback" system for crime.

I think of it this way: You take something from society, you should give up something of your own in exchange. Ideally, you should give up something that pays society back in exchange for what you took, but in practice this is difficult to manage. (However, in America at least, we do have civil courts for people who want to try to get paid back in this way.) Instead, societies over the years have settled on conventions of what is "just" for a person to give up, in exchange for the privilege of taking something away from society.

In this case, the Swedish people, as represented by their government, have determined that two years of freedom is a just thing to give up, in exchange for attempting a denial of service attack.

Imprisonment might seem like a strange thing to exchange for many crimes (including DDOS attacks), but over thousands of years, imprisonment is what most societies have come up with, as the best (or least bad, if you prefer) exchange for most crimes. Other exchanges include fines, confiscation of property, exile, torture, maiming, and execution, as well as combinations of these things.

It's obvious that many people will continue to commit crimes regardless of the deterrents put in their way. The justice system isn't called the "deterrence system", after all. But it's called the "justice system" precisely because it codifies these tradeoffs: take something from society, give up something of your own in return.

Re:Pointless

When I go to prison, could I please take my laptop? And could they provide me with an internetconnection?

Good!

DOS attacks are not funny. They should be treated a serious crime. Two years max sounds about right to me. It's a sufficient penalty to not be a "slap on the wrist", but neither is it a draconian "lock 'em up and throw away the key" response.

Re:Good!

[LeafOnTheWind]

Yeah, ok, DoS attacks aren't funny, but they also shouldn't be a criminal felony. Felonies are for either very high value theft or an act that injures another person; DoS attacks do neither. If the target wishes to gain reparations for damages (monetary) then that is a matter for civil, not criminal, court. Thus, it should be a misdemeanor and punished as such, not as a felony. The punishment should fit the crime and two years imprisonment does not fit a DoS attack at.

Yay for being swedish!

[ozamosi]

Apparently, DoS attacks were going to be labled as computer infringement. So, since I'm swedish, I can compromise your server just by loading your web site quick enough, while you guys still need to actually get into my server! This law makes it so much easier to be a cracker around here!

Tracking

[HomelessInLaJolla]

How do you suppose they'll handle compromised systems, proxies, or VPNs? If I root someone else's system and am knowledgeable enough to cover my tracks how do they propose to track me down? The FP also mentioned the Slashdot effect. How do you think they could handle a network of web pages which, when visited, all make requests from the targetted server (similar to pay-per-click scamming)?

Re:Tracking

[suffe]

They are politicians, why should this bother them? They'll just leave the problem solving to someone else. And as everyone knows, the legal system will only use the new powers to do good when it is evident that the found person is in fact the culprit. No one ever interpreted a law by its words rather then by its intention, did they?

Re:Tracking

[MysteriousPreacher]

Same situation as just about any crime. Just because some people will be smart enough to carry out tax fraud, doesn't mean there's no need for laws against it.

At least making it illegal will hopefully catch the sloppy operations and make the angry geek at home think twice about attacking a site.

The pay-per-click scamming is an interesting point. My old site was getting forum spammed in to oblivion by the old UMAXPPC search sites. Would have been nice at the time if there was legal recourse since the sites were hosted by EV and they don't seem to give a shit about what they're hosting.

Re:Tracking

[MightyMartian]

What percentage of denial of service attacks on Swedish computers do you suppose actually occur within Sweden?
It's a political feel-good law. The Swedish government can say "We're getting tough on this" without much worry that they'll have to bother prosecuting anyone.

Re:Tracking

[rts008]

"They'll just leave the problem solving to someone else."

Uhmmm...No.

Sen. Ted "The Tubes" Stevenson is all over the 'internets' with his trucks.
And he STILL is not getting his internets on a timely basis, but he'll keep those trucks humpin' up the tubes!

Re:Tracking

[MysteriousPreacher]

What percentage of denial of service attacks on Swedish computers do you suppose actually occur within Sweden?

No idea in all honesty. At least if someone decides to carry out a major DoS attack on a Swedish server, there is the possibility of extradition.

Re:Tracking

[MightyMartian]

And when is the last time you've heard of a Russian or Chinese citizen being extradited for a DDoS attack?

Re:Tracking

[MysteriousPreacher]

Never, what's your point? Just because it hasn't happened, it won't happen?

Too bad

[cdrguru]

Too bad they don't understand that the Internet is a consequences-free zone.

You can do just about anything on the Internet and are safe from prosecution. Why? Because the Internet crosses international borders and we all know that international law enforcement is just about impossible. No two countries have the same laws, the same penalties or even agree that the same things are criminal acts.

So, Sweden can pass all the laws they want to, but it will have no effect unless every country on the planet agrees that DDOS attacks are a criminal act with at least two years in jail being an appropriate penalty this will have no effect.

What is likely to happen is they will track some stupid show-off bragging script kiddie to Canada where it will be declared that they aren't going to extradite because it would bruise the delinquents ego. Or, the perp will be tracked to Romania where the response will be "So?"

Under the right circumstances, the US would probably even shield a perpetrator.

No, unfortunately for many people the Internet is destined to remain consequences-free for a long time to come.

Re:Too bad

You can do just about anything on the Internet and are safe from prosecution. Why? Because the Internet crosses international borders and we all know that international law enforcement is just about impossible. No two countries have the same laws, the same penalties or even agree that the same things are criminal acts.

You raise an interesting point which I never considered. What happens when two countries *do* both have laws concerning the situation. If I crash a Swedish police website from here in Florida, who can prosecute me? Would I have to be extradited to Sweeden (not going to happen), or could I face a trial here in Florida? Federal court or state court? Whose laws would come into play?

Re:Too bad

[dimeglio]

Being a non-aborted Canadian, I resent your statement. We have a conservative government now, hey!

Re:Too bad

So what? All the Swedish law means is that, if you're caught in Sweden launching a DDOS attack, they can prosecute you. It says nothing about attacks by anyone in any other country against Swedish servers, nor is it limited to Swedish servers at all - if you're in Sweden and you try to DDOS someone in, say, Australia, you can be prosecuted under Swedish law.

It's not about making "their patch" of the Internet any safer. It's about being good global citizens and trying to police their own people. More power to 'em.

Re:Too bad

[newsblaze]

Its not entirely consequences-free.
if you remember, a few big spammers have had their lives jerked around, been stopped, fined and jailed.
I know of someone who hacked into some corporate computers in the 90s, just for fun - he never did any damage. He got off on a bond, but it chewed up two years of his life, lost him his job and really screwed him up.
There needs to be some deterrent otherwise people will do exactly as they please, without caring what it does to other people and with no fear it can hurt them. A DOS attack that cripples a business, puts people out of work or is used to extort money is not funny - except to jerks who have no responsibility.
The problem with laws is they mostly keep honest people from doing something silly. The real badguys don't care.

Re:Too bad

[hedwards]

What is with all the anti-US sentiment here? I hear a lot of whining from other countries about how we handle extraditions, but I don't hear any real acknowledgment of times when our criminals manage to escape to sovereign states like Ireland. The Irish courts have only approved a small hand full of extraditions to the US in recent years. Canada and a nearly every first world nation refuses to extradite murderers back to the US for trial unless we drop our death penalty. So it seems a bit odd to me that there is always this constant whine about how we don't play fair. Nobody else plays fair either, but you don't hear a whole bunch about that It isn't really our fault if places like the UK and Australia are too quick to sign treaties. This type of legislation is ultimately important to the safety and well being of the internet. But, the only way that DDOSs are going to be dealt with ultimately is if localities put the crimes on the books. It really isn't ultimately a good thing when nations like Austria won't extradite people for things which are not illegal under local law, but don't also don't have laws against things which can cross their borders and effect other nations in a direct manner.

My rights online!

[anthony_dipierro]

Geez, so now it's illegal in Sweeden to crash people's websites! What's gonna be next, a law against blowing up mailboxes?

Re:My rights online!

[rTough]

Intent is the keyword in Swedish law. As I assume it is in most countries.

Blowing up mailboxes is of course illegal and has been since long before there were mailboxes.

So...

[TCM]

...does that mean it wasn't illegal up until now? That's actually more surprising to me.

botnets

[mpoloks]

so who are they going to arrest? the bots?

In other news...

Sweden has also made it a crime to take the last parking spot at a supermarket, or buy the last case of soda at the corner convenience store.

And in another strange coincidence, the swedish police department replaced all their web servers with a single 486 using a 10MB ethernet connections. The chief of police cryptically said "business is gonna pick up real soon now".

Seriously, I hope they define "denial of service" very precisely, or Swedish prosecutors just added another general-purpose arrow to their quiver.

seems reasonable

[DM9290]

This seems like a very reasonable maximum sentence. I am sure I can get 2 years for interferring with someones lawnmower or hairdrier in most jurisdictions. So I'm not sure this is even newsworthy. In fact.. I'm quite suprised this isn't already included in some kind of mischeif law thats already on the books and has been on the books for the past 500 years.

Its basically always been illegal to screw around with someone elses machinery.

Re:seems reasonable

[PenGun]

I guess if it's reasonable to hold more of your population, per capita, in jail than any other country you are correct. I will not even cross the damn border so my horror that you can be jailed for 2 years for "interferring (sic) with someones lawnmower or hairdrier (sic)" is moot.

  You poor people, the richest country on earth, I guess it's fitting.

Re:seems reasonable

"I am sure I can get 2 years for interferring with someones lawnmower or hairdrier in most jurisdictions."

Hair dryer would likely be a summary offense, probably a fine. Lawnmower, since it costs more, would maybe be some jail time, depending on the damage done. Both assume no actual harm came about to a person; this is just messing with the equipment.

iow, what most states in the US these days consider a misdemeanor (up to 2 years it seems, not 1 as is often understood, gotta love prosecutor friendly countries). Actually, criminal mischief and/or vandalism can be a third degree felony (7 years in the state I'm unfortunately reside in) if it's over several thousand or targets infrastructure works that imposes a danger on the public (i.e. targetting fire hydrants).

imnsho, I think that these sorts of punishments are flat out stupid unless they are graduated in some way, much like how meatspace crimes are defined. Which doesn't mean either punishment is appropriate for what the crime is. While web sites have value in today's society, I seriously do not think that computer crimes should illicit prison time unless indirect harm is shown. I'm sure there will be dozens of posts that say "good" and "about time" and the like, but most people like to consider them on the other side of the line pointing fingers with a "you vs. them" attitude.

But maybe that's me...I've read more accounts of people screwing around on their computers or phones who make a mistake in a configuration or general mischievious behavior that causes no real harm being used as examples who end up being sent to prison where they're raped, jaws broken, multiple year sentences, and the like than real abusers (spammers, organized DOS) being taken to task, the latter running rampant. I also have no faith in a prison system of disrepute, or those that find some glee in an inept solution when other avenues have not been explored (such as severe fines instead of imprisonment), or where careers are made when someone is made "an example." Looking at how other laws are handled doesn't make this sentence more reputatable, just more of the same.

DOS attacks are bad. Such people should be punished. But 2 years in jail? Hell no unless it's targetted at something of value and causes physical harm to people; the offense should be graded intelligently. In the US, we already have non-violent offenses classified as violent (i.e. drug offenses), people being locked up for non-harmful infringments (a DUI has less of a prison term than many drug possession), and assault charges being trumped up with "terrorist" laws so DAs and politicians can say they are tough on crime, meanwhile such laws solve NOTHING to crime prevention or give an appropriate punishment for the offense....

Re:seems reasonable

[DM9290]

I'm in Canada. And in Canada you can be jailed for much longer than 2 years for interferring with someone's lawnmower if you do it in a way that MIGHT cause bodily harm. If it actually causes death you are looking at life.

Obviously changing your friend's round lawnmower weels with cubes, is something of a funny joke, and probably harmless and in theory you may be aquitted on the legal defense of "prank". (which sometimes works)

But tampering with a lawnmower is similar to tampering with a car. How would you feel if someone cut the break line of your automobile? Or put sand in your transmission fluid?

That is similar to a DOS attack.

Whether anyone actually gets 2 years is not the same thing as having a 2 year maximum sentence.

I'm sure that a DOS attack on some fairly worthless service that didn't cause any real harm would not land someone 2 years on their first conviction.

But if you (for example) cause 911 service to stop working across the entire city by doing a DOS attack on some telephone routing computer... 2 years seems rather lenient. It all comes down to the specific facts of the case.

(which is why I utterly loath "minimum sentences")

But my point was... laws against tampering with machines belonging to other people ALREADY EXIST. So why did they need to create a new one? And why would it even be newsworthy?

(politics)

Slashdottings aren't what they used to be.

Probably not. But that's just because a Slashdotting is not what it used to be.

Server hardware has gotten so powerful that even a site running an untuned and uncached PHP/MySQL-based CMS can readily withstand a Slashdotting. With most low-end hosting plans offering 100 GB or more of bandwidth each month, exhausting such limits is no longer an issue.

While it may be somewhat suspect, we can look at the Alexa data showing Digg getting far more traffic than Slashdot, and other sites like Reddit and Netscape being close behind. If a site can survive a Digging, then handling a Slashdotting is going to be virtually nothing.

Re:Slashdottings aren't what they used to be.

[MasaMuneCyrus]

The difference between Slashdot and digg is that there have been surveys showing that most people digg stories without even reading them. Also, considering that digg has hundreds of stories per day and Slashdot has about three to five, there are a LOT more stories on digg to distribute all that traffic. I'm willing to wager that the Slashdot effect is still worse than the digg effect, and will be until digg is a large factor larger than Slashdot.

Re:Slashdottings aren't what they used to be.

I'm willing to wager that the Slashdot effect is still worse than the digg effect, and will be until digg is a large factor larger than Slashdot.

That wasn't the case when one of my sites made the front page of Slashdot, Digg and Reddit on the same day. In terms of the number of hits, Digg had the most, followed by Slashdot and then Reddit. I don't recall off-hand the absolute values, but I remember Digg bringing about 30% more hits than Slashdot. I remember that because it surprised me. I didn't realize how popular Digg actually was.

The Slashdot hits were distributed over the course of a day. The Digg hits, on the other hand, came within the course of two hours. After that, they dropped right off. The story must have left the front page at that point.

Legality?

[MEForeman]

They're already interference with private property, DDoS attacks are illegal. They may not be specifically outlawed, but make no mistake, they are by no means legal.

Makes people realise that it is serious

[EmbeddedJanitor]

Alot of people still see DOSing, cracking etc as being not "real crimes" because they happen in cyberspace.

As the internet continues to be extended to provide vital services (including access to emergency services etc), making denial of service illegal makes sense.

Re:Makes people realise that it is serious

correction, not using internet-attached computers to run vital services makes sense.

I've been doing some simulations of networks recently, and, it occured to me, that whilst I was talking about 'creating' nodes and 'creating' links, all I was doing was writing a number into an array. There was nothing really there, it was just an abstract idea that those numbers meant anything. Therefore, I consider anyone who relies on the outcome of electronic interactions to control anything physical to be utterly mad. It's just specific ordering of magnetic poles, sequences of 1 volt & 5 volts and lots of shuffling voltages around to do base-2 mathematics - STOP RELYING ON IT.

Punishment...

[xaoslaad]

People who get charged with DUI's and other more grievous crimes don't even necessarilly end up in prison for the first offense. Sending people to prison for over 5 years for taking down a website is absurd. It's something that should probably be dealt with via stiff fines. In most cases it's just a frikkan' website. In most cases no ones life or well-being rely on it... perhaps a separate more severe punishment like prison time could be reserved for those public service type sites that might exist with a greater purpose...

At least the 'maximum punishment' of 2 years they are seeking does not seem too severe. If that maximum sentence isn't abused, and used only for those repeat offenders who just don't learn it seems alright...

Re:Punishment...

[aldheorte]

Mod parent up. You can beat someone senseless and get a year or less in jail, but send to many requests to a computer and you get two years. It's senseless and probably has roots in the same hysteria that drove the Salem witch trials (something unknown/arcange/magical from the perspective of the law makers).

Re:Punishment...

Sending people to prison for over 5 years for taking down a website is absurd. It's something that should probably be dealt with via stiff fines

Well, the maximum sentence is going to be for something like a botmaster who takes a gambling site down. Whilst you might think it excessive, consider that merely threatening to DoS someone's site could get you 20 years for extortion.

Huh, well ...

[ScrewMaster]

I think they mean they're making DDOS attacks more illegal. I can't believe that such destructive behavior was previously legal, nor do I believe that merely passing a law will have the slightest effect on reality. I mean, I'm frequently amazed at how stupidly U.S.-centric our Congress is when it passes laws regarding Internet crime, but I guess such thinking isn't limited to just our government. Practically speaking, such a law is likely to encourage more and more damaging attacks, just to show how ineffectual it is.

Personally, I think that government (any government) would be better off quietly diverting sufficient resources to law enforcement to enable them to catch these assholes. Throwing down the gauntlet by passing more legislation with much fanfare is just stupid and serves no real purpose. Unless they're being sneaky and trying to attract the DOS lightning to make it easier to nail the perpetrators ... nah, they're not that smart.

So This Means...

[FrankDrebin]

... we can no longer use the term "the server is borked".

It has been illegal

[dastrike]

It has been illegal, just not in the same sense as it now will be, as now it will be covered by the law regarding computer intrusion. The DDoS attacks against the police's website last year were filed under "taking the law into one's own hands" (egenmäktigt förfarande). Which is a bit nebulous of a category for it.

I am very sceptical that this law will have any real effect. Just some sable rattling to give an illusion that the government is in control of these things.

Re:It has been illegal

[networkBoy]

taking the law's servers into one's own hands and throttling it
There, now it makes sense ;)
-nB

Heh

[weatherguy48]

Heh...I read this as "Sweden to Make Dental Service Attacks Illegal". No comment........

I'm soooo moving to Sweden

[Max+Littlemore]

Of course, this being /. I didn't read TFA but any country where if I stagger into a bar already drunk, they deny me service and throw me out physically and _they_ get charged for it is alright by me!

Re:I'm soooo moving to Sweden

[Unsichtbarer_Mensch]

Actually the article missed out on a small detail. It's D.Å.S attacks they will ban, not DOS attacks :P

More importantly

[denoir]

What is just briefly mentioned in the article is that conspiracy to make a DOS attack will be punishable. It seems like a very vaguely defined crime and because the tough sentences it would give the police search warrants way too easily. Technically to be a suspect all you need to have is a computer - what else kind of evidence could there be before an attack is actually committed?

Re:More importantly

[romland]

what else kind of evidence could there be before an attack is actually committed?
Oh, having a botnet of a few hundred zombies comes to mind...

Re:More importantly

[ichigo+2.0]

How do you know that without a search warrant?

Oh!

[compandsci]

By the way... here is the link to the Swedish police: http://www.polisen.se/

Cell mate conversation

[RickBauls]

inmate one:hey
inmate two:yea, what are you in for?
inmate one:I murdered my family. You?
inmate two:... DOS

Re:Cell mate conversation

Given that there are maximum security prisons for murderers, bank-robbers et.c. and minimum security prisons for people who comitted less violent crimes (and DoS will definately be in that range), that scenario you describe is not going to happen.

Re:Are they currently legal?

[the-intersocialist]

IKEA is an abbrevation for Ingvar Kamprad Eltmaryd Agunnarryd (the first two are the names of the founder and the two second are the name of the farm he grew up at and the parish of said farm). IKEA is not a word in Swedish.

and in america...

"Sweden's move follows the UK, which is even tougher on web attackers -- there the sentence can be over five years in prison..."

And in America the setence is life plus 5 years of probation, Japans setencing had no comment.

Maximum two years?

[pair-a-noyd]

How about a MINIMUM of two years in prison?

maintaining an attractive nuisance

Will microsoft and the zombiefied MS users be charged for maintaining an attractive nuisance when their computers running that paragon of computer security called "windows" are used in a DDoS attack? I mean, isn't this the usual and most common way those attacks occur in the first place?

If you leave your keys in the car and it gets swiped, your insurance company will take a pretty dim view of this behavior and could very well contest any theft claim you made. If some site gets nailed, from thousands of people who "left their keys in their computer" because they are running insecure by design windows, doesn't that make them at least partially accountable? This is not "news" that MS is basically hugely insecure and quite hard-(by the numbers,let's admit reality and no personal you are so leet anecdotals, so no arguing, everyone knows it is true-windows is just a total failure on that security score for 99% of the people who use it). So, who are the swedish cops really going to nail for some DDoS event? If a windows botnet is involved, shouldn't that be part of it? Same with mass SPAM, when will people and governments just look at the multi billion dollar company and go "you know, a lot of this crap REALLY IS YOUR FAULT".

Re:maintaining an attractive nuisance

Over the years we've been victims of some minor DOS attacks that I suspect were really caused by misconfigured systems / bugs in script codes various people around the world use to automate procedures on the network. In other areas I remmeber a while ago some aggressive CPE DSL gear flooding some networks with authentication requests causing DOS whenever the customer neglected to pay their bills on time. I would hate to think customers can be arrested because of such a misunderstanding.

I remember reading more than one stories about dos attacks caused by people resting cups on their keyboards causing hundreds of thousands of requests to be sent to remote servers accidently.

The problem with DOS is a technical one that can be solved or greatly mitigated by technical means which improves resistance to attack and improves design and implementation quality of software.

The entanglement of a general lack of control over ones system (Caused by viruses, scams, software bugs...etc) the accidental user created conditions or software/hardware bugs that can ententionally launch such an attack, sharing of computer resources, etc...may make it too easy for persons acting without the intention of launching such attacks to be implicated.

Desiging protocols that do less before authentication - that don't unecessarily provide force multipliers (broadcast response attacks..etc) can go a long way. At the application level software can certainly do much to detect and deal with a barrage of requests from one or more entities. These codes are in many cases also directly usable to assure graceful degregation of service whenever a systems capacity is exceeded.

Similiar to DMCA laws using legal powers to prevent poor and insufficent implementations only places less pressure on people to fix problems. If the Internet is to one day be used for very sensitive and very vital services then on a global basis over the long term legislation against DOS is actually detremental to the network.

The DDOS scenario is a different story. DDOS is almost always based on the control of thousands of unwilling participants. The existing computer trespass/hacking laws that would be violated by carrying out such an attack carry a higher maximum sentance than what is being proposed here.

Isn't is already illegal?

[Schraegstrichpunkt]

Aren't DoS attacks already illegal by way of tort law?

Prior law

[Joebert]

They're not illegal already ?
Don't they fall under some sort of Don't be an asshole common-law ?

Re:Are they currently legal?

[the-intersocialist]

Correction: It is an acronym, not an abbrevation.

Digg and Slashdot users are not mutually exclusive

[ickeicke]

Probably the news was on Digg earlier, resulting in a massive influx of visitors. You say that Slashdot was responsible for less visitors, but maybe that was because some Slashdot readers had already seen the story (hours) earlier via Digg?

It would be interesting to see how many people regularly visit both sites. I think that people who often check Digg, will RTFA even less often than regular /. users, because Digg often has stories faster (or so I am told, I myself only visit Slashdot).

simple javascript reload function

[MrSpiff]

The attack on the police homepage was nothing but a very simple javascript function on a HTML page, constantly reloading a large JPEG on www.polisen.se. The URL was then spread on a large discussion forum (namely flashback), which made everyone upset with the piratebay raid contribute to bringing down the site. Good luck charging thousands of people with broadband connections for visiting a webpage.

Not a crime but accessory to one

[grimJester]

If you link to copyrighted material but do not host it, you're an accessory to the crime of illegally distributing the material. Story (in swedish), the actual document (pdf, swedish).

The problem with prosecuting the Pirate bay is that someone must be found guilty of a crime for another to be guilty of being an accessory to thet crime. The users of Piratebay are not suspected of a crime carrying a sentence of two years or more, meaning the police can't get their IP numbers, meaning they can't be charged with a crime that Piratebay could be an accessory to.

Re:Digg and Slashdot users are not mutually exclus

[mike2R]

Your surely not trying to claim that people read digg for the comments..? The mind boggles!

I would have thought you'd have a higher percentage of people RTFAing on Digg, simply because there isn't really anything else they'd want to do there Certianly applies to all (five or so) people I know who visit Digg.

What a novel idea

[Opportunist]

Make it illegal, so people stop doing it. Why didn't anyone ever come up with the idea of making Terrorism illegal, then we'd have saved a TON of money and quite a few people would've saved their lives, for example by not going to Iraq?

What do you mean, it doesn't work? It has to, or they wouldn't pass a law making a DDoS illegal. Or do you mean they would pass an unenforceable law, because

a) DDoSs are by their very definition international
b) Drones are used that don't even know they participate
c) Finding and disabling those drones is pretty much impossibe because of a) and b)
d) all of the above
?

Re:What a novel idea

[jamyskis]

To be quite frank, this is only to close loopholes in the law that DDoSers use to escape punishment - more a formality than anything else. Hacking into computers is still quite a legal grey area in many countries - people who steal bank details through phishing or other means would be prosecuted under theft laws, for example. Technically speaking, under current law in Sweden and previously in the UK, DDoS could not have been considered damaging or theft by law, as no hardware damage was caused and nothing was stolen. You could technically bring a civil case for loss of income, but that is so cumbersome and time-consuming that a shorter way needed to be found - ergo, this.

Re:What a novel idea

[Opportunist]

So you think I should no laugh about that law that some county in California (I think) has which makes it illegal (and can get you fined for up to 500 bucks) to detonate a nuclear device within city limits?

Personally, I find this law ridiculous. But when you put it that way, it suddenly becomes very sensible and sane.

Re:What a novel idea

[jamyskis]

Well...just wait for bin Laden to detonate a nuclear device in the State of California and then watch in glory as the FBI leads the world's biggest manhunt to chase up 500 bucks.

Re:What a novel idea

[Opportunist]

If it doesn't cross state borders it's none of the FBI's biz. So he should wait 'til the wind blows from the east.

Re:Are they currently legal?

[srussia]

Correction: It is an acronym, not an abbrevation. Don't be so hard on yourself; an acronym is a type of abbreviation.

Not really, but this has other political flavours

They won't be arrested for anything, since they probably didn't do nothing.

However, no one mentions the political change that occurred this autumn.
After twelve years of social democrats (left) we (swedes) now have the so called "alliance" (right) since a few months back.
Even though the social democrat's minister of justice (Tomas Bodström) was just the same kind of openly left and inner right kind of parrot that Blair is -- repeating whatever baloney the monkey in the white house spits out, there were never any successful arrests or trials for file sharing, torrent-sites, etc. However, it'll be interesting how much the new political power will bend over to thy mighty George Christ and arbitrary corporate organizations.
I'm sure we'll see more laws (like this), since that's the easiest way of showing political will and competence.

Personally I might move to Russia or China where you are a hell lot more free to use your hardware as you wish. Sure it has draw-backs, especially in China with the firewall and everything (and they kill their citizens, just like in the US), but what the hell... What country isn't completely fucked up today anyway? Either we have some dictators thinking they know best for everyone or we have the "democratic" corporate dictatorships (which some people refer to as "the free world")...

I think what you get is what you give, and the authorities today, give an awful lot of shit to their citizens...

DoS - definition & punishment to whom?

[rajats]

What is the definition that they will use for Denial-of-Service attack i.e., when would I be considered under a DoS, if my site completely goes down? Or if I see a 50% drop in performance? Also, who will they arrest? If I had a spyware/malware on my PC without my knowledge would I be considered an offender? These things probably need to be crystallized too.

Re:Are they currently legal?

[Dretep]

Damn marketers and their commercials! They led some of us to believe that Ikea was swedish for common sense.

Geek vigilante fest!

[sita]

It is important to note that the sentence term of 2 years was not chosen at random. When a crime carries this sentence as a possiblity, the Swedish police gets greater powers to use surveillance, wiretapping and raids to secure evidence such as the identity of person using a specific IP address.

Also, if you catch someone in the act of committing, or appearantly fleeing from the scene of crime of, a crime that carries a maximum penalty of more than two years, you may make a "citizen's arrest", that is grab and hold a person until the police arrives.

Now imagine a geek neighbourhood watch!