DDoS (distributed denial of service) legal aspects

sirgzu · 25-01-2012 2:49pm #1

Hi,

Hopefully you will all have heard of the wave of web protesting hitting the internet in the last few days. It is very unclear to me as to who is morally and lawfully right or wrong about this whole thing, in fact I don't even think the law provides much details about that.

To me a ddos is is akin to a big sitting down in front of a building to deny access, some sort of protesting. Nothing too bad as long as no one's life is threatened. In most cases it costs targeted companies time and money but so do protests. It is arguable that usually protests do not target specific businesses in general.

But is this legal? I mean it might seem obvious at first that hacking is illegal but what about our right to protest? Also the method here is somewhat new and different in one aspect. Let me explain.

Traditionally hackers use "zombie" computers that have been previously infected in order to launch their attack, this without consent from their owners. In this case people have willingly given access to their computers by downloading a kit that allows Anonymous to use their computers for such attack. All this to me is like a protest.

I do not know what is the legislation in terms of protesting, what it is that we can do and that we cannot. I've argued that case already and I have been told for instance it is illegal to block access to a building, being like denying one a fundamental right to go where he wants.

On the other hand if you go down that way there is this other aspect of the problem to consider:

What about Eircom blocking access to PirateBay? And more generally ISPs being able to block websites as proposed in the new ACTA law? What about people's internet being cancelled after illegal downloading? Are these legal sanctions not akin to a ddos?

Please share your insights I am very curious what other people think about this.

Paulw · 25-01-2012 3:00pm

sirgzu wrote: »

Hopefully you will all have heard of the wave of web protesting hitting the internet in the last few days. It is very unclear to me as to who is morally and lawfully right or wrong about this whole thing, in fact I don't even think the law provides much details about that.

To me a ddos is is akin to a big sitting down in front of a building to deny access, some sort of protesting.

No, it's much more like people storming the front of a building in an attempt to jam the doors. It is not a sit-down peaceful protest as you seem to claim.

sirgzu wrote: »

But is this legal? I mean it might seem obvious at first that hacking is illegal but what about our right to protest?

Totally illegal as it is not a protest (even though that's what people claim), but it's a direct attack on a site.

All this would come under the Telecommunications Act.

sirgzu wrote: »

What about Eircom blocking access to PirateBay? And more generally ISPs being able to block websites as proposed in the new ACTA law? What about people's internet being cancelled after illegal downloading? Are these legal sanctions not akin to a ddos?

What Eircom are doing is covered under their Terms and Conditions for provision of service. So, you break their terms and conditions (by downloading copyright material), then they have the right to terminate your service. All well within the law.

sirgzu · 25-01-2012 3:03pm

DO you think people who have downloaded and installed Anonymous kit to support the attacks are liable and should go to prison?

Paulw · 25-01-2012 3:09pm

sirgzu wrote: »

DO you think people who have downloaded and installed Anonymous kit to support the attacks are liable and should go to prison?

Yes, they are breaking the law. If they genuinely want to protest, there are plenty of legal ways of doing it.

dlofnep · 25-01-2012 3:13pm

Paulw wrote: »

No, it's much more like people storming the front of a building in an attempt to jam the doors. It is not a sit-down peaceful protest as you seem to claim.

It is 'peaceful'. It's highly doubtful however if the technophobes in the judicial system would regard it as a legitimate form of protest.

Paulw wrote: »

Totally illegal as it is not a protest (even though that's what people claim), but it's a direct attack on a site.

It is a protest I'm afraid. You seem to be invoking your personal feelings on the matter, and looking at it subjectively rather than objectively.

My concern is the methods used to implement DDoS attacks - Generally they involve a lot of zombie clients, which may be used without the consent of the system owner.

A good comparison would be to compare it to the guy who parked the truck, and cut the brake cables outside the Dáil. A legitimate form of protest. However - if he stole the truck, and then did it - it would not be legitimate. If a sizeable portion of the clients used in these DDoS attacks are zombies, then it would be akin to stealing the truck.

sirgzu · 25-01-2012 3:14pm

Paulw wrote: »

Yes, they are breaking the law. If they genuinely want to protest, there are plenty of legal ways of doing it.

Could you be more precise as to what law is being broken? I think the US government has some law specifically dealing with DDoS and degradation of service however what about Irish law?

I suspect there is no clearly defined law at the moment, the question is more is it morally acceptable? Especially in light of the moral, social and economical implications of the ACTA law projects that it fights?

ntlbell · 25-01-2012 3:17pm

Paulw wrote: »

No, it's much more like people storming the front of a building in an attempt to jam the doors. It is not a sit-down peaceful protest as you seem to claim.

Totally illegal as it is not a protest (even though that's what people claim), but it's a direct attack on a site.

All this would come under the Telecommunications Act.

What Eircom are doing is covered under their Terms and Conditions for provision of service. So, you break their terms and conditions (by downloading copyright material), then they have the right to terminate your service. All well within the law.

There is absoloutley nothing illegal about hacking.

Please educate yourself before advising on a subject where you don't seem to have a grasp of the basic terminology.

the_syco · 25-01-2012 3:23pm

sirgzu wrote: »

DO you think people who have downloaded and installed Anonymous kit

I really doubt the people who own the computers who have the software for the zombie DDOS on their machines even know it's there.

sirgzu · 25-01-2012 3:31pm

the_syco wrote: »

I really doubt the people who own the computers who have the software for the zombie DDOS on their machines even know it's there.

This is true in most cases. This is one of the reason that sparked my curiosity about this whole thing. Some people willingly give control of their computer to give more strength to the protest.

edit: by using this kit one does not "give control" of his own computer, rather the kits uses the computer connection to add to the attack. Is it then illegal to try and browse a website when a ddos attack is taking place?

This is a quote taken from Anonews Anonymous news:
"Anonymous has launched Distributed Denial of Service (DDoS) attacks, designed to shut down websites, against government and corporate sites in the past. Supporters download software called Low Orbit Ion Canon (LOIC) that directs their computer to repeatedly try to connect to a target website. These DDoS attacks can shut down website's."

Paulw · 25-01-2012 3:44pm

ntlbell wrote: »

There is absoloutley nothing illegal about hacking.

The Criminal Damage Act 1991, s.2(1), which makes it illegal to alter a system without permission. The Criminal Damage Act 1991, s5 would also come in to making "hacking" illegal. Hacking, normally, is done to gain access to alter programs (install DDOS software), or to gain access to data, covered under the Data Protection Act 1988, s22.

ntlbell · 25-01-2012 4:08pm

Paulw wrote: »

The Criminal Damage Act 1991, s.2(1), which makes it illegal to alter a system without permission. The Criminal Damage Act 1991, s5 would also come in to making "hacking" illegal. Hacking, normally, is done to gain access to alter programs (install DDOS software), or to gain access to data, covered under the Data Protection Act 1988, s22.

So we better start arresting just about every developer in the country who is working now who is "hacking"

what nonsense.

What you're trying to refer to or what the numpty who wrote the above is cracking.

There is nothing ilegal about hacking in itself.

dlofnep · 25-01-2012 4:09pm

ntlbell is correct.

Paulw · 25-01-2012 4:19pm

ntlbell wrote: »

So we better start arresting just about every developer in the country who is working now who is "hacking"

What you're trying to refer to or what the numpty who wrote the above is cracking.

Developers make software, which is put on the machine with the owners knowledge. Either factory installed or they install it. :rolleyes:

Yes, cracking, which is more commonly called hacking these days by the general public, although it's quite different. So, in lay terms, hacking (gaining unauthorised access to data/information/computers) is illegal under a number of different acts.

ntlbell · 25-01-2012 4:31pm

Paulw wrote: »

Developers make software, which is put on the machine with the owners knowledge. Either factory installed or they install it. :rolleyes:

Yes, cracking, which is more commonly called hacking these days by the general public, although it's quite different. So, in lay terms, hacking (gaining unauthorised access to data/information/computers) is illegal under a number of different acts.

I wasn't suggesting they be arrested for making software, but for hacking.

That's what they do, they solve problems. Which is in essence what it is.

It may very well be now a term used by the general public because so many idiots used the term in the wrong way or were too ignorant to know otherwise.

Paulw · 25-01-2012 4:39pm

ntlbell wrote: »

That's what they do, they solve problems.

I don't think gaining access to someone's computer, without their consent would be considered solving a problem. :rolleyes: I don't think using computers to shut a website is solving a problem.

But, I guess it's down to what you think of it. Under the Criminal Damage Act, it's illegal.

ntlbell · 25-01-2012 4:46pm

Paulw wrote: »

I don't think gaining access to someone's computer, without their consent would be considered solving a problem. :rolleyes: I don't think using computers to shut a website is solving a problem.

But, I guess it's down to what you think of it. Under the Criminal Damage Act, it's illegal.

Hacking has nothing to do with gaining access to someone's computer why do you keep suggesting it does?

What has Sending excess amounts of 1 and 0's over a wire got to do with hacking?

As I said earlier, please educate yourself.

Paulw · 25-01-2012 4:56pm

ntlbell wrote: »

Hacking has nothing to do with gaining access to someone's computer why do you keep suggesting it does?
.

As I said, it's because the term hacking is commonly understood as this by the media and the general public. I am well aware of the actual terms, the laws governing it, and it's common application.

If you want to talk about education, maybe you should start contacting all media outlets and get them to correct their misuse of the term, and also educate the general public of the difference between hacking and cracking. :rolleyes:

MagicSean · 25-01-2012 5:00pm

Paulw wrote: »

I don't think gaining access to someone's computer, without their consent would be considered solving a problem. :rolleyes: I don't think using computers to shut a website is solving a problem.

But, I guess it's down to what you think of it. Under the Criminal Damage Act, it's illegal.

An actual ddos attack would not be illegal. Only the programs which force users to take part would be illegal. Ddos merely overloads the server and does not alter it.

ntlbell · 25-01-2012 5:01pm

Paulw wrote: »

As I said, it's because the term hacking is commonly understood as this by the media and the general public. I am well aware of the actual terms, the laws governing it, and it's common application.

If you want to talk about education, maybe you should start contacting all media outlets and get them to correct their misuse of the term, and also educate the general public of the difference between hacking and cracking. :rolleyes:

Since you understand the difference why don't you use the correct term?

This is a legal discussion forum not after hours.

So by you continuing to use the wrong term you encourage others to do the same.

ntlbell · 25-01-2012 5:02pm

MagicSean wrote: »

An actual ddos attack would not be illegal. Only the programs which force users to take part would be illegal. Ddos merely overloads the server and does not alter it.

Indeed, if you look at the law paulw quoted it would mean the installation of ping would be illegal.

So basically anyone who owns a pc/mac could be breaking the law.

It's embarrassing been Irish sometimes.

folan · 25-01-2012 5:15pm

purposly performing a ddos is illegal, as is purposly cutting someones broadband wire.

hacking is a term for writing software, not for intruding into another persons computer. it has been been used incorrectly over the years, and made "popular" by the film "Hackers". However, a hacker is anyone who writes software.

MagicSean · 25-01-2012 5:17pm

folan wrote: »

purposly performing a ddos is illegal, as is purposly cutting someones broadband wire.

hacking is a term for writing software, not for intruding into another persons computer. it has been been used incorrectly over the years, and made "popular" by the film "Hackers". However, a hacker is anyone who writes software.

Under what law is a ddos attack illegal. Cutting broadband is different as it is physically cutting a connection. Ddos does not interfere with the site in any way, it just overloads it with traffic. The site is not damaged. At least that's my understanding of it.

folan · 25-01-2012 5:21pm

the site is not damaged, but the ddos purposly makes it inaccessable, just as though you cut the wire that connects the server hosting the site.

just because you do not do something physically does not mean that it is not illegal. you cannot perform illegal activity over the internet just because it does not require you to be there physically. Threatening emails, blog posts, slander are good examples of this.

most of this is covered under the telecoms act. Please look it up, as though it is outdated, its still the main point of refrence for alot of this type of thing.

ntlbell · 25-01-2012 5:24pm

If you ever had any dealings with for example the Irish Cyber Crime Squad or whatever they call themselves now.

I think the anonymous gang are safe enough

sirgzu · 25-01-2012 5:32pm

I have very limited understanding of the Irish law but from discussing it with more knowledgeable people I gathered that under the common law, what happens in the US or in the UK can influence Irish law as a sort of precedent. This is why we must keep our eyes fixed on what is going on on both sides of the Atlantic.

Now about ddos, here is a paper from TJ McIntyre who is a lecturer in UCD and is a specialist in cyber law. On page 6 is a section about denial of service and again, from what I gathered, there is no clear definition in Irish law as to what to do about it.

sirgzu · 25-01-2012 5:33pm

ntlbell wrote: »

If you ever had any dealings with for example the Irish Cyber Crime Squad or whatever they call themselves now.

I think the anonymous gang are safe enough

Actually there is a whole cyber crime department at UCD.

MagicSean · 25-01-2012 5:38pm

folan wrote: »

the site is not damaged, but the ddos purposly makes it inaccessable, just as though you cut the wire that connects the server hosting the site.

just because you do not do something physically does not mean that it is not illegal. you cannot perform illegal activity over the internet just because it does not require you to be there physically. Threatening emails, blog posts, slander are good examples of this.

most of this is covered under the telecoms act. Please look it up, as though it is outdated, its still the main point of refrence for alot of this type of thing.

The site is made inaccessable in the same way it was on budget day. Too much traffic. It is not interfered with in any way. I didn't say you had to physically be there. I said you have to cause some actual damage. A ddos attack does not do that.

folan · 25-01-2012 5:43pm

sirgzu wrote: »

Actually there is a whole cyber crime department at UCD.

have they any legal powers? I was under the impression that the state was attempting to set up on under AGS.

Also, as per your previous post and the article, I believe that, when intent to disrupt a communication channel can be shown as can be done in the case of a ddos, it does fall under section 2 of the Criminal Damage Act.

Imagine disrupting the entrance to a physical branch of AIB. A ddos on the online site is similar.

intent is the big thing though.

folan · 25-01-2012 5:45pm

MagicSean wrote: »

The site is made inaccessable in the same way it was on budget day. Too much traffic. It is not interfered with in any way. I didn't say you had to physically be there. I said you have to cause some actual damage. A ddos attack does not do that.

by definition, a ddos does exactly that. it is an attempt to stop the service from working correctly by removing its access. it is an attempt to deny a service.

MagicSean · 25-01-2012 5:46pm

folan wrote: »

have they any legal powers? I was under the impression that the state was attempting to set up on under AGS.

Also, as per your previous post and the article, I believe that, when intent to disrupt a communication channel can be shown as can be done in the case of a ddos, it does fall under section 2 of the Criminal Damage Act.

Imagine disrupting the entrance to a physical branch of AIB. A ddos on the online site is similar.

intent is the big thing though.

http://www.irishstatutebook.ie/1991/en/act/pub/0031/print.html#sec1

to damage” includes—

(b) in relation to data—

(i) to add to, alter, corrupt, erase or move to another storage medium or to a different location in the storage medium in which they are kept (whether or not property other than data is damaged thereby), or

(ii) to do any act that contributes towards causing such addition, alteration, corruption, erasure or movement,

I don't see how a Ddos attack would fall under this definition

folan · 25-01-2012 5:53pm

(a) in relation to property other than data (but including a storage medium in which data are kept), to destroy, deface, dismantle or, whether temporarily or otherwise, render inoperable or unfit for use or prevent or impair the operation of,

would actually be my understanding of it.

However, I am not a solicitor. So at this point I will leave the arguement to those of you who know more.

One thing that this has shown me though is that the Data Laws in the ROI are very loose and as stand dont really cover a whole lot

DDoS (distributed denial of service) legal aspects

Comments