Court Judgement is no Carte-Blanche for DoSsers

November 11, 2005

There is a great deal of uncertainty about the legal implications of a recent court ruling that a denial of service (DoS) e-mail attack did not constitute a crime under UK law. So does this ruling mean that people who maliciously attack servers – DoSsers – are now safe from prosecution in the UK? Probably not, say a group of communications experts, but the law urgently needs to be made clearer.

Last week, Wimbledon Magistrates Court found a teenager - who can’t be named for legal reasons - not guilty of breaking the 1990 Computer Misuse Act, even though he crashed his former employer’s e-mail server by sending over five million emails. The Judge ruled that because the employer’s server was established as a public server, it implicitly gave authorisation to anyone to email that site, regardless of how many emails they sent and the impact on the recipient. Many fear that this case has effectively given DoS attackers carte-blanche to wreak havoc.

But according to the Communications Research Network - a unique community of industry leaders and academic experts - this is not a landmark judgement. The Communications Research Network (CRN) is funded by the Cambridge-MIT Institute and has a specialist working group currently researching DoS attacks, their impact on the UK economy and how best to prevent them.

“The ruling that sending emails to a registered email address is not a crime is very different from specifying that a low level attack generating spurious packets which flood a site is ok”, said Jon Crowcroft, Marconi Professor of Information Systems at the University of Cambridge and a principal investigator with the CRN.

“If you stick with the normal process of fetching web pages or sending email then I think that in the UK is legal,” commented Adam Greenhalgh, a CRN-funded researcher at University College London. “However, if you send malformed requests or emails with the explicit intention of hampering the proper function of a public server, then you are moving towards misuse under the Computer Misuse Act.”

“We can’t afford to be complacent,” cautioned David Cleevely, Chairman of the CRN. “While this ruling doesn’t mean that denial of service attacks are legal, there is still considerable uncertainty under the law about whether or not malevolent attacks using low level flooding of packets constitute an offence under the Computer Misuse Act. Attacks by DoSsers are a real infringement of the right of businesses to conduct their affairs and the UK urgently needs to firm up the law if our economy is not to suffer.”

The scale of the DoS problem is difficult to assess. Many attacks are not reported because organisations fear they may undermine client confidence in their security. One of the CRN’s key recommendations is for the establishment of a central database where companies and individuals can log attacks anonymously - allowing the communications industry to assess the scale of the problem and identify patterns of attack.

“Criminal activity on the internet should be a notifiable event, with registration on a central database,” said David Cleevely. “It's important to remember that there are more of us good guys than there are bad guys. The more we share information, the more we stay ahead of the game.”

Source: Cambridge-MIT Institute
