U.K. Outlaws Denial of Service Attacks

Zonk posted more than 7 years ago | from the keep-it-in-your-toolbox dept.

gnaremooz writes "A U.K. law has been passed that makes it an offense to launch denial-of-service attacks. The penalties for violating the new statutes are stiff, with sentences increased from 5 to 10 years. The five year penalty was from the 1990 "Computer Misuse Act", which was enacted before the Internet became widespread. The idea of stiffer penalties for DoS attacks is probably something we can all get behind, but the language of the law is frustratingly vague." From the article: "Among the provisions of the Police and Justice Bill 2006, which gained Royal Assent on Wednesday, is a clause that makes it an offense to impair the operation of any computer system. Other clauses prohibit preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer."

239 comments

Another law (5, Insightful)

adpsimpson (956630) | more than 7 years ago | (#16804180)

Another law with good intent.

Another set of wording so vague it's no use against those it's meant to stop.

Another set of abuses waiting to happen.

Re:Another law (2, Insightful)

gweihir (88907) | more than 7 years ago | (#16804396)

In short: Another law that was made without asking the domain experts. Are these people just incredibly arrogant or plain stupid?

Re:Another law (1, Interesting)

Anonymous Coward | more than 7 years ago | (#16804644)

Are these people just incredibly arrogant or plain stupid?

No, just powerful. They can, and will, do as they please. Say goodbye to your beloved internet, they'll regulate it to death soon enough.

Re:Another law (2, Insightful)

cayenne8 (626475) | more than 7 years ago | (#16804900)

Also, really....5-10 years for a denial of service?

People who kill people can get less time than that...c'mon, let the penalty fit the crime, this isn't even close. A bit of computer mischief can get you locked up in prison for 5-10 years?!?!?

The world has gone crazy....

Re:Another law (4, Insightful)

Ksempac (934247) | more than 7 years ago | (#16804752)

Well, you've got 2 possibilities...

One: You let a politician write the law with words and vague ideas everyone can understand, including politicians and judges. It doesn't satisfy experts, but at least politicians understand what they are voting for. Once the vague law is voted, judges can make their own decision by referring to the spirit of the law rather than the word of the law.

Second: You let experts write the law, only people with a lot of knowledge in the field will understand what it means, but that will still be up to the politicians to vote them. How do you expect them to vote well if they have no idea what this is all about? How do you expect judges to use a law they don't understand?
Moreover, how do you choose your expert for let's say... a law about DRM? Do you ask a guy from the RIAA/the majors (I'm sure they've got a bunch of qualified engineers and scientists working on DRM) or Richard Stallman to write it?

Re:Another law (0)

Anonymous Coward | more than 7 years ago | (#16804798)

Does this mean Bill Gates will go to prison if Windows Genuine Advantage wrongly locks-up my PC?

Hindering Access (5, Insightful)

Anonymous Coward | more than 7 years ago | (#16804184)

preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer

This is a pretty good description of DRM! So it's illegal now?

Re:Hindering Access (1)

hkBst (979461) | more than 7 years ago | (#16804218)

yeah, and encryption in general too.

Re:Hindering Access (1)

dfgchgfxrjtdhgh.jjhv (951946) | more than 7 years ago | (#16804398)

or any other security measure. if you don't let all the skiddies in, you are in breach, with that wording.

Re:Hindering Access (5, Insightful)

sumday (888112) | more than 7 years ago | (#16804404)

You seem to be forgetting the magnificent powers of wordplay that lawyers possess. You see, DRM isn't restricting access to data... It's securing access to data.

Re:Hindering Access (0)

Anonymous Coward | more than 7 years ago | (#16804772)

I beg to differ, I see it as "enabling" access by providing a "synergistic" "collaboration" between the device and content supplier.

Re:Hindering Access (1)

gweihir (88907) | more than 7 years ago | (#16804430)

preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer

What is ''operation of data''? I don't think we had that in CS.

Apart from that, this applies also to personal firewalls (impairing access to a program, bad), spyware (good), MS windows (well... good ;-), any other OS (bad), any update with bugs (bad), failing hardware, DRM (good!), copy protection software (good),...., and a lot of other things.

Basically worthless.

Re:Hindering Access (4, Interesting)

jc42 (318812) | more than 7 years ago | (#16804508)

preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer

What is ''operation of data''? I don't think we had that in CS.


Well, on a unix-like system, the meaning is pretty obvious: Any file permissions other than 777 are now illegal. So to comply, you should run the following commands:

umask 0
find / | xargs chmor ugo+rwx

Also, in any programs that create files, you should change the permission arg to 0777.

Lessee, what have I forgotten?

(I suppose you should also turn off any firewall software you may have running, just to be on the safe side.)

Re:Hindering Access (1)

jc42 (318812) | more than 7 years ago | (#16804522)

Damn! Even with preview, I didn't spot the obvious typo.

s/chmor/chmod/

Obviously.

I wonder what typo is in this message.

Re:Hindering Access (2, Insightful)

joe 155 (937621) | more than 7 years ago | (#16804736)

"preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer"

I wouldn't take this to be not allowing anyone access to the data, and I'm convinced that no judge in the world would interpret it this way. I think that it largely is talking about preventing access from someone who is authorised to access the data. If the FSF is clever here they will bring private prosecutions against the companies who ship DRM trying to get CEOs put in prison over this - because I think that this is within what the law meant far more than what your line of argument here is... With any new law of course this will need to be argued out, and it might get into the House of Lords if it really can't be settled (which at least would give us clarity on the matter). I wish Labour wouldn't bring in so many new laws each year that not even the lawyers can keep up with them

Re:Hindering Access (3, Interesting)

russ1337 (938915) | more than 7 years ago | (#16805036)

">>>I wouldn't take this to be not allowing anyone access to the data, and I'm convinced that no judge in the world would interpret it this way."

Let's just hope you have a good lawyer who can put up a decent argument against a well versed set of 'anti-terror' lawyers, and pray that the judge you speak of owns an iPod. (you might want to hope you don't have the anarchists cookbook on your computer too).

But riddle me this Batman - if you submit a story to Slashdot about a new technology bill making denial of service attacks illegal, and the Governments site referenced in the article gets Slashdotted.... are you, by the new law, responsible?

Re:Hindering Access (1)

dwater (72834) | more than 7 years ago | (#16804840)

you also obviously don't have any files with spaces in their names. try :

find / -print0 | xargs -0 chmod ugo+wrx

or simply :

find / -exec chmod ugo+wrx {} \;

Max.

Re:Hindering Access (0)

Anonymous Coward | more than 7 years ago | (#16805026)

What kind of moron uses spaces in filenames?

Re:Hindering Access (0)

Anonymous Coward | more than 7 years ago | (#16805224)

> What kind of moron uses spaces in filenames?

One whose system doesn't use a severely retarded user interface that struggles to cope with spaces in filenames.

The typical Mac or PC owner has plenty of files like that, and, worse, doesn't even realise that it's a problem, or that doing so makes him a moron. It's probably excessive exposure to sunlight that causes his mental infirmity, which is why you're so wise spending your entire life reading Slashdot from the sanctuary of the basement in your parents' house in Wyoming.

Re:Hindering Access (1)

truedfx (802492) | more than 7 years ago | (#16805048)

find / -print0 | xargs -0 chmod ugo+wrx
-print0 and -0 are non-standard find and xargs options. The standard way to get the exact same effect is: find / -exec chmod ugo+wrx {} +
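
The whitespace problem raised in the comments above, as a runnable sketch. This is an added example, not part of any poster's comment: it swaps the thread's joke `chmod ugo+rwx` over `/` for a `go-rwx` hardening sweep over a scratch directory, and the file and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names are constructed; everything lives in a scratch
# directory from mktemp and is deleted afterwards.

# Create three world-readable files, two with whitespace in their names.
make_fixture() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        nl_name=$(printf 'line\nbreak.txt')   # name with an embedded newline
        : > plain.txt
        : > "with space.txt"
        : > "$nl_name"
        chmod 644 plain.txt "with space.txt" "$nl_name"
    ) || return 1
    printf '%s\n' "$d"
}

# Run one of the three command forms from the thread as a permission sweep.
# chmod errors are expected (and silenced) for the "pipe" form.
sweep() {
    (
        cd "$2" || exit 1
        case $1 in
            pipe)   find . -type f | xargs chmod go-rwx ;;
            print0) find . -type f -print0 | xargs -0 chmod go-rwx ;;
            exec)   find . -type f -exec chmod go-rwx {} + ;;
            *)      exit 2 ;;
        esac
    ) 2>/dev/null
}

# Count files that are still readable by both group and other.
count_exposed() {
    (
        cd "$1" || exit 1
        find . -type f -perm -044 \
            -exec sh -c 'for f; do echo x; done' sh {} + | wc -l | tr -d ' '
    )
}

# Fixture -> sweep -> count -> cleanup; prints how many files the sweep missed.
exposed_after() {
    dir=$(make_fixture) || return 1
    sweep "$1" "$dir" || :    # xargs exits non-zero when chmod fails
    count_exposed "$dir"
    rm -rf "$dir"
}

for m in pipe print0 exec; do
    printf '%-6s missed %s file(s)\n' "$m" "$(exposed_after "$m")"
done
```

The plain pipe splits `with space.txt` and the newline-bearing name into fragments that do not exist, so `chmod` fixes only `plain.txt` and the other two files keep their old mode; both NUL-delimited and `-exec ... {} +` forms pass each name intact.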

Re:Hindering Access (1)

Instine (963303) | more than 7 years ago | (#16804532)

I'd say installing Norton 'security' software on someone's machine could now be illegal too, by this...

Re:Hindering Access (2, Insightful)

glowworm (880177) | more than 7 years ago | (#16804556)

This is a pretty good description of DRM! So it's illegal now?
No, the law [parliament.uk] states "he does any unauthorised act in relation to a computer" (34.3.1.a).

DRM and Encryption are both authorised acts. And... saying "you" don't authorise DRM on your PC isn't good enough, the UK laws allowing DRM override your own de-authorisation.

With encryption in general though, if you had a falling out with your employer and you encrypted his drive, then you would be guilty. Encrypting your own drive though is certainly legal and allowed. (Mind you in the UK you are required to hand over your keys to the police if lawfully requested).

IANAL.

Re:Hindering Access (1)

Smidge204 (605297) | more than 7 years ago | (#16804600)

DRM and Encryption are both authorised acts. And... saying "you" don't authorise DRM on your PC isn't good enough, the UK laws allowing DRM override your own de-authorisation.


So I, as the owner of the computer system, am not authorized to determine what can and can't operate on my hardware? I am not qualified to say what constitutes "proper operation" of my own equipment and determine if some software is detrimental to that operation?

Sounds like a decent legal argument in the making.
=Smidge= (Also not a lawyer...)

Re:Hindering Access (1)

glowworm (880177) | more than 7 years ago | (#16804716)

So I, as the owner of the computer system, am not authorized to determine what can and can't operate on my hardware?
The law in general allows DRM, this overrides your personal desires. I believe that you, as an individual or a business cannot make up your own rules on what is and isn't authorised if it goes against commonly accepted practices.

Scarily if you read the law you will see that *anyone* who knowingly attempts to subvert the lawful operation of any computer program (say DRM/WGA) is causing an offense.

Far from allowing you to say, "don't prevent my access to your data", if you bypass DRM to access "their" data you might be committing the crime and get 10 years in gaol.

Re:Hindering Access (0)

Anonymous Coward | more than 7 years ago | (#16805056)

Scarily if you read the law you will see that *anyone* who knowingly attempts to subvert the lawful operation of any computer program (say DRM/WGA) is causing an offense.

So, DRM/WGA and all other forms of malware now have their operation protected by UK law?

A user commits a crime if they attempt to uninstall something like the Sony rootkit?

Re:Hindering Access (1)

TheVelvetFlamebait (986083) | more than 7 years ago | (#16804596)

I hear so many of these little loopholes/inconsistencies/unconstitutional sections/etc, yet I never hear of any of them working out. I hope for all our sakes that you are right about DRM being illegal. However my question is this: do you honestly think anything will come of this? Is it that there isn't enough will or money for a class action suit against companies that use DRM? Does it get overlooked because it's such a common practice? Why do these things never eventuate into the radical change they have the potential to be?

What would stop the EFF, for example, taking a suit against these companies?

Re:Hindering Access (1)

NewToNix (668737) | more than 7 years ago | (#16804648)

preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer
This is a pretty good description of DRM! So it's illegal now?

Looked at the other way this may mean anyone has the right to access any data on any computer... your computer or any other computer... I think this even makes firewalls and NAT illegal... WOW!

Re:Hindering Access (1)

SEWilco (27983) | more than 7 years ago | (#16804794)

Other clauses prohibit preventing or hindering access to a program or data held on a computer,
"Mom! Sis won't give me my cell phone!"
"Nancy, it's illegal to hinder your brother from accessing his phonebook and calendar."

If Slashdotting is outlawed (5, Funny)

EnsilZah (575600) | more than 7 years ago | (#16804190)

Only outlaws will be reading Slashdot?

Re:If Slashdotting is outlawed (0)

Anonymous Coward | more than 7 years ago | (#16804534)

Let's just hope there isn't any "prison shower trolling phenomenon"....

Re:If Slashdotting is outlawed (1)

joe 155 (937621) | more than 7 years ago | (#16804578)

Only if you RTFA ; )

Good intentions (4, Insightful)

robinesque (977170) | more than 7 years ago | (#16804200)

Unfortunately merely meaning to do good isn't enough if you don't understand the root of the problem. This isn't going to deter people who are doing DoS attacks anyways. Usually they're using DDoS, through hijacked computers... This is pointless. But good for them for taking an interest.

Re:Good intentions (0)

Anonymous Coward | more than 7 years ago | (#16804574)

Unfortunately merely meaning to do good isn't enough if you don't understand the root of the problem.
I didn't think hijacked Windows boxes had root...

Re:Good intentions (1)

Hao Wu (652581) | more than 7 years ago | (#16804742)

I truly believe that most peoples will refrain from such mischief. Their pride and honor is at stake. No person wants to be thought of as criminal by community whether A.C. (anonymous coward) or highest reputable internet personality.

Very vague. (4, Funny)

massivefoot (922746) | more than 7 years ago | (#16804204)

a clause that makes it an offense to impair the operation of any computer system


That really is rather vague. My family are able to "impair the operation of any computer system" just by being left alone with it for 10 minutes.

Where is the real damage (0, Flamebait)

kurt555gs (309278) | more than 7 years ago | (#16804206)

I have to disagree on stiff penalties for so called computer crime. Where is the REAL damage? It is not like someone's truck tires are flattened, or a sign is defaced by paint, requiring physical repair.

DOS attacks simply slow down web page access, so what!

Defacing a web page just requires someone to reload another copy. no real world harm is done.

I think these types of crimes deserve not more penalties than tagging a wall, or dressing up someone's yard with toilet paper.

Why would this warrant a real world jail term?

A more appropriate penalty would be "loss of stuff" in whatever on line massive multiplayer game the offender was into.

It is not a physical crime.

Re:Where is the real damage (1)

robinesque (977170) | more than 7 years ago | (#16804234)

You're overlooking that it costs someone time to clean these things up. Sure, 5-10 years might be a /lot/, but the IT guy that has to go fix the page costs money. There is revenue lost because their store wasn't available. etc. etc.

Re:Where is the real damage (0)

Anonymous Coward | more than 7 years ago | (#16804238)

I think these types of crimes deserve not more penalties than tagging a wall, or dressing up someone's yard with toilet paper.

You forgot to add 'burning a cross on someone's lawn'.

Re:Where is the real damage (4, Insightful)

the_unknown_soldier (675161) | more than 7 years ago | (#16804240)

The original poster sounds a bit silly - but he is getting close to an important point.

I don't think anyone here denies that it is important if websites go down. It can cost businesses millions if their website is not available to customers. If DDOSing hurts business, then why should it not be a civil issue? Let the civil jurisdiction deal with it, because it certainly isn't something that is worthy of jail time.

Re:Where is the real damage (0)

Anonymous Coward | more than 7 years ago | (#16804526)

Yeah. There are already tools in the lawbooks for the other stuff related to DDoSing like blackmailing etc. It all seems a bit silly, since by this you could prosecute a guy linking to a page creating a flash crowd.

Re:Where is the real damage (1)

suv4x4 (956391) | more than 7 years ago | (#16804922)

Let the civil jurisdiction deal with it, because it certainly isn't something that is worthy of jail time.

Can you give me reasons why it's not "worthy of jail time"? Because it's too easy? I can kill someone easily too by throwing a knife at them. It doesn't mean it's not worthy of jail time.

Someone went out of their way to cause significant damage to a business or a person. It's certainly a crime.

Re:Where is the real damage (2)

yakumo.unr (833476) | more than 7 years ago | (#16804250)

assuming you're not being sarcastic, (also as you're not being modded funny)

deny service to ebay, amazon, or countless other e-commerce sites and you're doing them more real financial damage per minute than several tyres and the cost of travel delay to most companies.

this law in my opinion (or at least its intent as IANAL and haven't read all the legalese) is a valid generalization to protect all, that if enforced correctly should do no harm to anyone causing no harm (unlike various rights infringing DRM and terrorism laws kicking about atm)

Re:Where is the real damage (1)

Chris_Jefferson (581445) | more than 7 years ago | (#16804270)

I don't really understand many slashdot users' blindness when it comes to how the world is moving electronic (yes, I realise everyone here is different). DoSing Amazon for a day will cause them to lose millions of dollars, and should be considered the same as forcing a shop (in fact a more fair comparison would be all shops of a particular company) to close. Managing to DoS a mail server should be considered the same as stealing a large quantity of mail.

Re:Where is the real damage (1)

nurb432 (527695) | more than 7 years ago | (#16804436)

And if you pay for bandwidth, your bandwidth is exceeded and then you can't present yourself to your customers until you pay more, or wait until next month when the counters are reset.

Some people pay their entire bill based on traffic.

Now, tell me where the crime is?

Re:Where is the real damage (2, Insightful)

TheVelvetFlamebait (986083) | more than 7 years ago | (#16804682)

Where is the REAL damage?
I'd have to say the REAL damage is in the bandwidth of the site, the potential loss of customers, etc. Besides, the point is not really about the damage, it's about the intent. The law is designed to discourage the intention to do certain things. The DoS attacks show that you are intending to cause harm. The question isn't so much "Why should it be illegal?", so much as "Why shouldn't it?" It isn't a good thing; It's a manifestation of malicious intent.

Defacing a web page just requires some one to reload another copy. no real world harm is done.

I think these types of crimes deserve not more penalties than tagging a wall, or dressing up someone's yard with toilet paper.
The problem with tagging some sites is that they can get millions of hits per day. Down time can cost a helluva lot. It would be more like vandalising voting booths on election day; Lots and lots of people would be inconvenienced.

not just DoS (1)

yakumo.unr (833476) | more than 7 years ago | (#16804212)

Hmm, sounds general enough that it could be applied to various trojans,rootkits and maybe even some general software malpractice a few big companies get away with which could be a good thing ;)

eg, starforce has severely limited the access to several programs and data on MANY computers throughout the UK..

Slashdotted effect (1)

davro (539320) | more than 7 years ago | (#16804224)

Now the Slashdot effect could be classed as a Denial Of Service DOS attack Ohhh scary.

Re:Slashdotted effect (3, Funny)

thebigbluecheez (1010821) | more than 7 years ago | (#16804280)

quick, everyone pull the article up and refresh till the cows come home!

Obligatory MS bash (1)

eggman9713 (714915) | more than 7 years ago | (#16804266)

"preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer" Watch out, Gates, Windows is going to be illegal now. The EU has its revenge!

Jail Microsoft? (3, Interesting)

newandyh-r (724533) | more than 7 years ago | (#16804276)

So, when MS switch-off a copy of XP (or Vista) remotely FOR WHATEVER REASON they are breaking the letter of this law - and have "the necessary intent". So will we extradite Bill and bang him up for lots of 5-year sentences?

Re:Jail Microsoft? (1)

@madeus (24818) | more than 7 years ago | (#16804328)

I think Microsoft manage to fall foul of "preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer" even when Windows is behaving normally.

Re:Jail Microsoft? (1)

Mixel (723232) | more than 7 years ago | (#16804852)

Not if "being switched off" is part of the function of the program (windows). So authors are allowed to stop their programs from working; by means of integrating an 'off' function. Using the task manager to kill programs is illegal however, as is switching off a computer while apps are still running (power companies, better not cause any power cuts now!). But using the local/remote exit functionality is fine as long as it is part of the normal functioning of the computer system... *breaks into laughter*

Re:Jail Microsoft? (1)

nurb432 (527695) | more than 7 years ago | (#16804932)

That would be steve that would have to be jailed, not bill. Remember bill stepped down from the CEO position.

And that is part of why you have a corporation, to shield you from things like that. The corp gets fined, you don't have to go to jail.

Phone DOS (1)

quokkapox (847798) | more than 7 years ago | (#16804316)

So Laura Ingraham [mediamatters.org] could be arrested and tried for DOS, if this law had been passed in America before election day?

Excellent...

where is that SPAM cut and paste (0)

Anonymous Coward | more than 7 years ago | (#16804342)

I don't have a copy saved but now is the time for a variation on the "solution to spam" thing that gets posted here sometime, which shows why it won't work. i.e, your proposed solution is (x) retarded, that one.

Stupid idea (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16804346)

This needs to be a civil offense, not a criminal offense. When it's a criminal offense, we have these types of problems: vague-ness. Leave it to civil courts and have the victim sue the offender for so much money it's going to financially ruin the attacker.

If this is going to be a criminal case, a year in jail in addition to computer-banishment would be proficient. One, it prevents the person from repeating the crime. Two, it's going to be unpleasant for someone to spend a year in jail, not to be confused with prison, for something as physically harmless as denial of service attacks.

However, if a denial of service attack affects a medical institution or is against the government, then it needs to be a crime.

Re:Stupid idea (1)

JoeInnes (1025257) | more than 7 years ago | (#16804666)

However, this is the U.K., where individuals rarely sue. Yes, it happens, but normally it's only large companies that sue other large companies (or individuals). As such, I think it's better left as a criminal offence.

Re:Stupid idea (1)

mollymoo (202721) | more than 7 years ago | (#16804908)

This needs to be a civil offense, not a criminal offense. When it's a criminal offense, we have these types of problems: vague-ness. Leave it to civil courts and have the victim sue the offender for so much money it's going to financially ruin the attacker.

So you mean only the rich would get justice? Erm, yeah. That sounds like a great idea for lawyers and criminals, but not for anybody else. Before you say, no-win-no-fee is no substitute for the rule of law. That only works for clear-cut cases with a high probability of success. If it's not clear cut you have to be able to and prepared to pay the full costs of litigation or you don't get justice.

Cutting off nose to spite face much? (4, Insightful)

KKlaus (1012919) | more than 7 years ago | (#16804358)

So let's see... DDOS takes down a site for a period of time (maybe more if its a shared server). And so we respond with 10 years in jail?

First of all, economically that's a moronic decision. Jail costs the state between 20-30 thousand dollars a year depending on where it is. Unless someone is DDosing Amazon, and here's where the vague wording of the law is an important shortfall, we're spending hundreds of thousands of dollars punishing someone who did perhaps a few thousand dollars worth of damage. That's bad economics, and I'm sure that money could be better used say, feeding the starving or allowing someone to go to college who otherwise wouldn't be able to.

Second of all, the kind of person you're going to be able to catch is not the person you want to throw in jail. We already have laws to punish people who run large botnets, and moreover by and large experienced blackhats won't be caught because they administrate their nets from countries ending in -stan. So the people who this legislation will put in jail will by and large be stupid college kids and people making a bad, poorly thought out decision as evidenced by the fact that they're using their home computer. These people need to be slapped with a big fine to smarten them up, and then allowed to contribute to society.

This should be a poster case of a crime that should not carry criminal penalty.

Re:Cutting off nose to spite face much? (1)

joe 155 (937621) | more than 7 years ago | (#16804618)

Well, I partly agree, but this doesn't mean that someone will get 5-10 years in prison for the crime, the judge has discretion over exactly what the sentence that is given is (I don't know how it works in the US, so this might be the same).

Also note that people are automatically released half way through a sentence on licence anyway. So assume that some kid gets caught for this and it's his first time and he was just messing about with little malice involved he'd probably get a suspended sentence tops (which means if he doesn't commit another crime in a set period then he's not put in prison, if he does then he goes to prison for the length of time determined at the start), even if they gave a 5 year sentence he'd be out in 2.5... and don't forget 5 years is probably more than the average person would get for stabbing someone (I have seen it just be a fine for this... damn law)

Re:Cutting off nose to spite face much? (2, Insightful)

Placido (209939) | more than 7 years ago | (#16804662)

1. 10 years will be the maximum jail sentence and the actual penalty will be subject to the discretion of the judge
>> we're spending hundreds of thousands of dollars punishing someone who did perhaps a few thousand dollars worth of damage
2. Your argument is completely nonsensical. Catching and punishing criminals is always more expensive than the simple monetary value of their potential damage. However if we used that argument we wouldn't bother to lock up murderers for life. The value in locking up criminals is not monetary value but in the stability of society.

Re:Cutting off nose to spite face much? (1)

testadicazzo (567430) | more than 7 years ago | (#16805052)

I just had the same discussion with my girlfriend. The sentencing is ridiculously thought out, although I can see the idea of a longer (one or two years) jail sentence for a repeat or premeditated offender. Someone doing a DOS as part of a business strategy for example.


I'm probably a bit stiffer about it than you though. I don't think it's a bad idea to make it a criminal offense. I think ranging from a stiff fine to maybe a few days or weeks in jail might be a good idea, to make the activity something kids are genuinely afraid to to do. But for your average hacker, a couple weeks or even days in jail is already a pretty terrifying concept. The same thing goes for the idea of having a criminal record.


Doesn't it seem like the sheriff of nottingham is running the US (and our laptop the UK) these days?

Access Denied (2, Interesting)

karlssberg (1025898) | more than 7 years ago | (#16804368)

Does this mean that usernames/passwords are illegal??

Re:Access Denied (0)

Anonymous Coward | more than 7 years ago | (#16804448)

No, as that's an *authorized* restriction of access.

Mustn't impede criminals, must we? (2, Insightful)

Anonymous Coward | more than 7 years ago | (#16804372)

Damn! So now its illegal to use a script to flood a phishing site with dummy credit card info.
Or to load the ladvampire [aa419.org] to use up the daily file transfer allowances on 419er's fraudulent "banks"....

Re:Mustn't impede criminals, must we? (1)

hotdiggitydawg (881316) | more than 7 years ago | (#16804808)

Only from the UK. Find an anonymous proxy overseas and you're good to go!

One law for the rich ... (1)

quiberon2 (986274) | more than 7 years ago | (#16804386)

I don't expect anyone will get jailed for DoS-ing my broadband connection.

So whose computers does it apply to ? Only those belonging to the rich and powerful ?

If you're going about business on the Internet, go about it with an adequately-configured system. Keep your own fences in order, like I do mine.

Re:One law for the rich ... (2, Insightful)

TheVelvetFlamebait (986083) | more than 7 years ago | (#16804704)

I don't expect anyone will get jailed for DoS-ing my broadband connection.
So whose computers does it apply to ? Only those belonging to the rich and powerful ?
A flawed conclusion from a flawed reason.

Why wouldn't you think the law would protect you? If someone did DoS your broadband, then yes, they could be charged as a criminal. I don't know how else it could be.

Distributing Tools which can be used for Hacking (0)

Anonymous Coward | more than 7 years ago | (#16804406)

Isn't this the same law that makes distributing NMap illegal?

Full text of the act (4, Interesting)

user24 (854467) | more than 7 years ago | (#16804440)

http://www.publications.parliament.uk/pa/cm200506/cmbills/119/2006119.htm [parliament.uk]

"Making, supplying or obtaining articles for use in offence under section 1 or 3
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article--
(a) knowing that it is designed or adapted for use in the course of or in connection with an offence under section 1 or 3; or
(b) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3."

I'm now a criminal. Joe Blackhat won't care; he'll still get hold of the 'articles', but now my website which tries to teach people about responsible use of such 'articles' now makes me liable for up to 2 years in jail, plus a fine. I hate the law.
Now I don't have to know what the tools will be used for, just that they can be used for wrongdoing.

Re:Full text of the act (1)

Cederic (9623) | more than 7 years ago | (#16804528)


I had to go and read the text of the act. You're right. We're all fucked.

I have in my pocket right now a bootable Linux distribution on a USB key. Let's hope to hell a lawyer can convince the jury that the Infosec tools on it are designed for authorised detection of vulnerabilities and not for illicit use.

Re:Full text of the act (1)

awol (98751) | more than 7 years ago | (#16804856)

Actually the question of whether or not you are a criminal is a question of "fact" according to the text of the act. That is, these clauses are designed to defeat the "solicitation" and "conspiracy" defences where an actually guilty person would say "but I didn't know what it was for" or "I just [wrote|modified|acquired] the software" and allow such a person to be found guilty on a question of whether they were _to the sufficient burden of proof_ a knowing contributor to the specific offence.

So if you don't go helping people commit these DOS offences then you are innocent.

Relax your head :-)

Impair, you say? (1)

James Youngman (3732) | more than 7 years ago | (#16804444)

"Among the provisions of the Police and Justice Bill 2006, which gained Royal Assent on Wednesday, is a clause that makes it an offense to impair the operation of any computer system."
Cool. Impair is a fairly broad term though. Does this mean people can be prosecuted for installing Windows onto a computer system?

Re:Impair, you say? (3, Insightful)

jc42 (318812) | more than 7 years ago | (#16804586)

Does this mean people can be prosecuted for installing Windows onto a computer system?

Maybe. But more likely it means you can be prosecuted for installing a browser. The only purpose of a browser is to use the bandwidth and cpu time of some other computer. That obviously interferes with anything running on that computer, impairing it for all other users.

What is happening to free speech in Europe? (1)

Ztream (584474) | more than 7 years ago | (#16804452)

First Germany outlaws denial of the Holocaust, then France outlaws denial of the Armenian Genocide, and now the UK is outlawing the denial of "Service Attacks". Sure, we all know these horrible things happened, and that service attacks occur frequently, but anyone should still be free to deny... oh wait.

As a professional programmer... (0)

Anonymous Coward | more than 7 years ago | (#16804454)

...I frequently impair the operation of computer systems :(

violating statues (2, Funny)

rHBa (976986) | more than 7 years ago | (#16804474)

The penalties for violating the new statues are stiff, with sentences increased from 5 to 10 years.


5-10 years for violating statues!

I'll never be-cone a statue ever again.

http://news.bbc.co.uk/1/hi/scotland/4264683.stm [bbc.co.uk]

Re:violating statues (1)

WeaverBen (762108) | more than 7 years ago | (#16804868)

Reminds me of that old song, "Promenading in the park, Goosing statues after dark If Sherman's horse can take it why can't you" http://sniff.numachi.com/pages/tiHUMORESQ.html [numachi.com]

how far can this be stretched? (1)

MadCow42 (243108) | more than 7 years ago | (#16804486)

>>Other clauses prohibit preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer."

Well - DRM restricts or impairs access to data held on a computer... especially when it's added to a file that wasn't previously encrypted (aka Zune file sharing). Hmmm....

MadCow

UK DMCA? (2, Informative)

glowworm (880177) | more than 7 years ago | (#16804490)

I think the news.com.com summary, or the submitter's words make a poor summary.

Here is the amended law [parliament.uk] which certainly mentions not accessing a computer you don't have rights to touch (33) and the D.O.S. clause (34).

Specifically stated (and both need to be true) is "he does any unauthorised act in relation to a computer" and "he has the requisite intent and the requisite knowledge."

Requisite intent as far as 34.3.2.b would be D.O.S. or hacking and Requisite knowledge is defined at 34.3.4 as doing something you know is not allowed, that is, it's not an accidental D.O.S.

But.... Section 34.3.2.c could very well be taken as the UK's version of the DMCA. "If you attempt to defeat the lawful operation of a (DRM/WGA/SerialNumberCheck) program or provide tools (35.3a) to do such an act you face 10 years in gaol".

IANAL

Oh well, try getting them to act (4, Insightful)

norfolkboy (235999) | more than 7 years ago | (#16804500)

When one of my websites (with over 130,000 active members) was being attacked, South Wales Police told me they couldn't do much to investigate the perpetrator because all the funds were tied up in fighting online paedophilia.

What's the point in making the term of sentence tougher, if there aren't any resources to investigate online crime in many UK forces?

Re:Oh well, try getting them to act (1)

Turn-X Alphonse (789240) | more than 7 years ago | (#16804778)

Your silly little site going down vs. some little girl being kidnapped and raped.. hmm :)

Re:Oh well, try getting them to act (0)

Anonymous Coward | more than 7 years ago | (#16804878)

you could have told them it was a paedophile web site...

This is Great! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16804518)

I'm moving to UK now with my girlfriend. She could go to jail now for denying me service.

What about encryption? (2, Insightful)

ubercam (1025540) | more than 7 years ago | (#16804580)

Say I have an encrypted drive on my computer and it's seized by the authorities? Is that not impeding access to a computer system?

Also I totally agree with the earlier statement on REAL damage. Say a company's website is down and they sell things online. Someone who was really intent on buying something from that website will wait until it's back up. Someone who was just shopping around will likely continue to do so, and the casual websurfer would pass it by, perhaps trying again later. They're really not LOSING any business, they're merely delaying it till later. How many individuals'/organisations' business would they honestly lose? There's no way of knowing, so they just pull a number out of their ass and say "This much!" and expect to be rewarded that amount, plus legal expenses of course.

Now say the victim is an individual in their home. Can they claim damages under this law? Most likely not since they're not "losing" anything (in a business sense), other than access to a service they've paid for. Sure you can ring up your provider and complain but they'll probably blame it on you and tell you it's your computer being full of spyware and viruses and you should reinstall Windows. If you tell them you run *nix they'll probably say I'm sorry that's not supported we can't help you. Big firms (*cough* BT *cough*) are all too happy to blame the customer first.

So what this boils down to is that we've now got yet another lovely new law that's beneficial to big business and no one else. Oh happy day!

Cam

Re:What about encryption? (1)

glowworm (880177) | more than 7 years ago | (#16804638)

> Say I have an encrypted drive on my computer and its seized by the authorities? Is that not impeding access to a computer system?

In the UK, Australia and New Zealand at least you are required under law to hand over your keys if you are directed to. Not doing so carries a very stiff penalty, many times more than you would get by releasing the terrorist plot in the encrypted store.

Steganography (such as truecrypt) used with care can help you get past this law, but most people are just not qualified to run such protection effectively. For example if they have a swap the keys are compromised off the bat, on windows the MRU can give the presence of the data away while if on Linux the bash-history contains the access commands. etc.

Re:What about encryption? (0)

Anonymous Coward | more than 7 years ago | (#16805128)

> Sure you can ring up your provider and complain but they'll
> probably blame it on you and tell you its your computer being
> full of spyware and viruses and you should reinstall Windows.
> If you tell them you run *nix they'll probably say I'm sorry
> that's not supported we can't help you.

Basically, they're saying, "If you are using the operating system we support, it's your fault, and we can't support you, but if you are using something else, it's your fault, and we can't support you."

That's always been one of my beefs with many ISPs and other providers of computer-related services, or products. While I understand they can't always provide support for every operating system under the sun, and would choose to focus on the most popular ones, it's never quite that clear cut either. It usually comes down to them not supporting _any_ operating system beyond a few token "helper" applications, or an FAQ.

Personally, I'd prefer if they would just admit right from the beginning that they don't actually support your operating system, no matter what it is, here's a few things that you might find helpful for the most popular ones, but beyond that contact your vendor. Then I'd like to see them have people with some actual knowledge of networking technology, and system intrusion manning the help desks who aren't just there to simply push blame back onto the customer.

That said, I agree that I don't know how helpful this kind of law would be for most UK homeowners if ISPs continue to behave this way towards their customers. In fact, I don't see how it'd be any more useful than their old law. It doesn't matter how stiff the penalties are, as long as there is only a remote chance of getting caught, the wrongdoer will feel no incentive to change.

And what about community resistance DoS? (1)

ghostbar38 (982287) | more than 7 years ago | (#16804594)

Like when a lot of people get a website for a big DoS, how are they going to note this? Just like the Spanish do with SGAE...

It's illogical, isn't it? That law just doesn't work...

YOU FAI L IT (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16804656)

Let's kkep to argueAd by Eric decentralized very sick and its

Punish The Malicious, Spare The Ignorant Innocents (1)

Slyfoot (1020559) | more than 7 years ago | (#16804684)

I'm all for punishing the malicious, so long as users who are unwitting hosts for botnets and the like don't get thrown into prison simply for being ignorant. I'd hate to see Uncle Bob or Aunt Alice penalized that harshly just because they're too inexperienced to know when their system has been invaded by malware that could be used in DDOS attacks. That would be truly kafkaesque.

Re:Punish The Malicious, Spare The Ignorant Innoce (2, Insightful)

erik_norgaard (692400) | more than 7 years ago | (#16804884)

I disagree! You buy a computer - you're responsible for it. If you don't have the knowledge to secure it, you pay the professional to do it for you. You may also insure yourself for any damage caused by your system, insurance companies exist for that.

It's like having a car: You are liable for the damage caused by the car independent of who drives it. If it is stolen or hijacked, you are still liable. Therefore you are required to have an insurance that can cover the damage, there are safety requirements for the vehicle, and you are responsible to see that your car meets these requirements. If you are not professional you go to the mechanic and have it done. And even if everything is OK, and your car is stolen and involved in an accident, you are liable, your insurance will cover damage, and if the thief is caught the insurance company will seek to get the thief to pay up.

The same should go for the Internet: Once you're on the public network you are liable for any damage caused. If we hold people liable they will make sure that their systems do not inflict any damage, reduce the risk. Currently, people just say:

    "Oh sorry, I didn't patch my system, I didn't update my anti-virus and someone broke into my system without my knowledge... but that's not my fault!"

and

    "I don't know how to maintain my system, but I just want to use e-mail anyway, so why should I need to care?"

Of course, it is not entirely fair just to blame the user. Software vendors disclaim ALL liability, even for errors they have knowledge of. Schneier's dream is to make software vendors liable for their products. I think that unless the public have full access to the code vendors should not be able to disclaim liability. You can't both disclaim liability and impose restrictions on how the product may be used.

If there is product liability, then it is also fair to hold users liable for inappropriate use and abuse caused by their misconfiguration or negligence and liability cannot be passed onto the vendor.

If this means that uncle Bob and aunt Alice can't use the Internet, because they won't accept responsibility for their systems and won't buy insurance against abuse, fine! Cut the connection!

Like impairing the police from using your phone? (0)

Anonymous Coward | more than 7 years ago | (#16804712)

Would this be like impairing the police to use your phone line for free calls by taking their brother's illegal splice off your line? (2 misdemeanor charges)

Unreasonable punishment (1)

shd666 (451529) | more than 7 years ago | (#16804726)

> The idea of stiffer penalties for DoS attacks are probably something we
> can all get behind, but the language of the law is frustratingly vague."

Speak for yourself, I disagree. No material damage or health loss happens so 5 years is unreasonable. It doesn't cause any lasting damage for the victim, but the loss should of course be compensated.

What about Symantec? (0, Flamebait)

farker haiku (883529) | more than 7 years ago | (#16804786)

impairing the operation of any program or data held on a computer."

Sounds like Norton A/V to me.

Re:What about Symantec? (0)

Anonymous Coward | more than 7 years ago | (#16805142)

> Other clauses prohibit preventing or hindering access to a program or data held on a computer
> or impairing the operation of any program or data held on a computer.

To me this also means that I am not allowed to
  - take steps to protect personal information I hold on a computer from hackers (preventing access)
  - not being allowed to install a firewall (which may hinder access to data or programs)
  - not being able to remove viruses (which are programs operating on my computer that I would be hindering)

Not very security conscious law... but in a beautiful legal way it makes sense.
After all since it also makes it illegal for others to impair my use of my machine with
say a virus or a hack so there is no need for protective measures as they could only hinder
those kind heroic folks (police, security agencies and information gathering
arms of the government) who are only looking out for my safety and comfort.

But what does this mean for resource intensive programs (that clog up my machine
by using CPU or disk I/O). Probably best to just buy the computer not
put anything on it but the operating system and then just to be safe, turn it off.
No Wait! That won't work. Then I am preventing access again, and I am impairing
the operating system from running Aaaaarg! Big Brother is stopping me from turning
off the computer. And what about removing pre-installed software (say Windows)
and replacing it with something else (say Linux). Is that 'interfering with programs
and data on a computer'?

They really should have slipped the words 'legitimate' or 'illegitimate' in there somewhere.

How to discuss security articles... (0)

Anonymous Coward | more than 7 years ago | (#16804820)

You really shouldn't discuss security without bringing Sept 11th (or 9/11 or indeed any of those forms is acceptable usage) up in the conversation. If you don't, how can we take you seriously in the security field?

You just know... (1)

Kazymyr (190114) | more than 7 years ago | (#16804890)

It's so vague that many misdeeds can result from its application word-for-word. For instance it may be illegal now to remove spyware from one's computer.

Outlaws (1)

spoonist (32012) | more than 7 years ago | (#16804972)

If you outlaw DoS attacks, then only outlaws will have DoS attacks.

Won't somebody PLEASE think of the children!?

This covers a lot of ground (1)

Angst Badger (8636) | more than 7 years ago | (#16805068)

"Among the provisions of the Police and Justice Bill 2006, which gained Royal Assent on Wednesday, is a clause that makes it an offense to impair the operation of any computer system. Other clauses prohibit preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer."

Two words: Windows XP.

Could be useful against spyware too (1)

AmiMoJo (196126) | more than 7 years ago | (#16805078)

Sounds like it could be useful for fighting spyware too. After all, most spyware causes computers to malfunction and programs or data to become inaccessible. 10 years for CoolWebSearch and NewDotNet seems about right.