Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

DDoS (distributed denial of service) legal aspects

  • 25-01-2012 1:49pm
    #1
    Registered Users, Registered Users 2 Posts: 14


    Hi,

    Hopefully you will all have heard of the wave of web protesting hitting the internet in the last few days. It is very unclear to me as to who is morally and lawfully right or wrong about this whole thing, in fact I don't even think the law provides much details about that.

    To me a ddos is is akin to a big sitting down in front of a building to deny access, some sort of protesting. Nothing too bad as long as no one's life is threatened. In most cases it costs targeted companies time and money but so do protests. It is arguable that usually protests do not target specific businesses in general.

    But is this legal? I mean it might seem obvious at first that hacking is illegal but what about our right to protest? Also the method here is somewhat new and different in one aspect. Let me explain.

    Traditionally hackers use "zombie" computers that have been previously infected in order to launch their attack, this without consent from their owners. In this case people have willingly given access to their computers by downloading a kit that allows Anonymous to use their computers for such attack. All this to me is like a protest.

    I do not know what is the legislation in terms of protesting, what it is that we can do and that we cannot. I've argued that case already and I have been told for instance it is illegal to block access to a building, being like denying one a fundamental right to go where he wants.

    On the other hand if you go down that way there is this other aspect of the problem to consider:

    What about Eircom blocking access to PirateBay? And more generally ISPs being able to block websites as proposed in the new ACTA law? What about people's internet being cancelled after illegal downloading? Are these legal sanctions not akin to a ddos?

    Please share your insights I am very curious what other people think about this.


Comments

  • Registered Users, Registered Users 2 Posts: 13,381 ✭✭✭✭Paulw


    sirgzu wrote: »
    Hopefully you will all have heard of the wave of web protesting hitting the internet in the last few days. It is very unclear to me as to who is morally and lawfully right or wrong about this whole thing, in fact I don't even think the law provides much details about that.

    To me a ddos is is akin to a big sitting down in front of a building to deny access, some sort of protesting.

    No, it's much more like people storming the front of a building in an attempt to jam the doors. It is not a sit-down peaceful protest as you seem to claim.
    sirgzu wrote: »
    But is this legal? I mean it might seem obvious at first that hacking is illegal but what about our right to protest?

    Totally illegal as it is not a protest (even though that's what people claim), but it's a direct attack on a site.

    All this would come under the Telecommunications Act.

    sirgzu wrote: »
    What about Eircom blocking access to PirateBay? And more generally ISPs being able to block websites as proposed in the new ACTA law? What about people's internet being cancelled after illegal downloading? Are these legal sanctions not akin to a ddos?

    What Eircom are doing is covered under their Terms and Conditions for provision of service. So, you break their terms and conditions (by downloading copyright material), then they have the right to terminate your service. All well within the law.


  • Registered Users, Registered Users 2 Posts: 14 sirgzu


    DO you think people who have downloaded and installed Anonymous kit to support the attacks are liable and should go to prison?


  • Registered Users, Registered Users 2 Posts: 13,381 ✭✭✭✭Paulw


    sirgzu wrote: »
    DO you think people who have downloaded and installed Anonymous kit to support the attacks are liable and should go to prison?

    Yes, they are breaking the law. If they genuinely want to protest, there are plenty of legal ways of doing it.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Paulw wrote: »
    No, it's much more like people storming the front of a building in an attempt to jam the doors. It is not a sit-down peaceful protest as you seem to claim.

    It is 'peaceful'. It's highly doubtful however if the technophobes in the judicial system would regard it as a legitimate form of protest.
    Paulw wrote: »
    Totally illegal as it is not a protest (even though that's what people claim), but it's a direct attack on a site.

    It is a protest I'm afraid. You seem to be invoking your personal feelings on the matter, and looking at it subjectively rather than objectively.

    My concern is the methods used to implement DDoS attacks - Generally they involve a lot of zombie clients, which may be used without the consent of the system owner.

    A good comparison would be to compare it to the guy who parked the truck, and cut the brake cables outside the Dáil. A legitimate form of protest. However - if he stole the truck, and then did it - it would not be legitimate. If a sizeable portion of the clients used in these DDoS attacks are zombies, then it would be akin to stealing the truck.


  • Registered Users, Registered Users 2 Posts: 14 sirgzu


    Paulw wrote: »
    Yes, they are breaking the law. If they genuinely want to protest, there are plenty of legal ways of doing it.

    Could you be more precise as to what law is being broken? I think the US government has some law specifically dealing with DDoS and degradation of service however what about Irish law?

    I suspect there is no clearly defined law at the moment, the question is more is it morally acceptable? Especially in light of the moral, social and economical implications of the ACTA law projects that it fights?


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    Paulw wrote: »
    No, it's much more like people storming the front of a building in an attempt to jam the doors. It is not a sit-down peaceful protest as you seem to claim.



    Totally illegal as it is not a protest (even though that's what people claim), but it's a direct attack on a site.

    All this would come under the Telecommunications Act.




    What Eircom are doing is covered under their Terms and Conditions for provision of service. So, you break their terms and conditions (by downloading copyright material), then they have the right to terminate your service. All well within the law.

    There is absoloutley nothing illegal about hacking.

    Please educate yourself before advising on a subject where you don't seem to have a grasp of the basic terminology.


  • Registered Users, Registered Users 2 Posts: 37,316 ✭✭✭✭the_syco


    sirgzu wrote: »
    DO you think people who have downloaded and installed Anonymous kit
    I really doubt the people who own the computers who have the software for the zombie DDOS on their machines even know it's there.


  • Registered Users, Registered Users 2 Posts: 14 sirgzu


    the_syco wrote: »
    I really doubt the people who own the computers who have the software for the zombie DDOS on their machines even know it's there.

    This is true in most cases. This is one of the reason that sparked my curiosity about this whole thing. Some people willingly give control of their computer to give more strength to the protest.

    edit: by using this kit one does not "give control" of his own computer, rather the kits uses the computer connection to add to the attack. Is it then illegal to try and browse a website when a ddos attack is taking place?

    This is a quote taken from Anonews Anonymous news:
    "Anonymous has launched Distributed Denial of Service (DDoS) attacks, designed to shut down websites, against government and corporate sites in the past. Supporters download software called Low Orbit Ion Canon (LOIC) that directs their computer to repeatedly try to connect to a target website. These DDoS attacks can shut down website's."


  • Registered Users, Registered Users 2 Posts: 13,381 ✭✭✭✭Paulw


    ntlbell wrote: »
    There is absoloutley nothing illegal about hacking.

    The Criminal Damage Act 1991, s.2(1), which makes it illegal to alter a system without permission. The Criminal Damage Act 1991, s5 would also come in to making "hacking" illegal. Hacking, normally, is done to gain access to alter programs (install DDOS software), or to gain access to data, covered under the Data Protection Act 1988, s22.


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    Paulw wrote: »
    The Criminal Damage Act 1991, s.2(1), which makes it illegal to alter a system without permission. The Criminal Damage Act 1991, s5 would also come in to making "hacking" illegal. Hacking, normally, is done to gain access to alter programs (install DDOS software), or to gain access to data, covered under the Data Protection Act 1988, s22.

    So we better start arresting just about every developer in the country who is working now who is "hacking"

    what nonsense.

    What you're trying to refer to or what the numpty who wrote the above is cracking.

    There is nothing ilegal about hacking in itself.


  • Advertisement
  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    ntlbell is correct.


  • Registered Users, Registered Users 2 Posts: 13,381 ✭✭✭✭Paulw


    ntlbell wrote: »
    So we better start arresting just about every developer in the country who is working now who is "hacking"

    What you're trying to refer to or what the numpty who wrote the above is cracking.

    Developers make software, which is put on the machine with the owners knowledge. Either factory installed or they install it. :rolleyes:

    Yes, cracking, which is more commonly called hacking these days by the general public, although it's quite different. So, in lay terms, hacking (gaining unauthorised access to data/information/computers) is illegal under a number of different acts.


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    Paulw wrote: »
    Developers make software, which is put on the machine with the owners knowledge. Either factory installed or they install it. :rolleyes:

    Yes, cracking, which is more commonly called hacking these days by the general public, although it's quite different. So, in lay terms, hacking (gaining unauthorised access to data/information/computers) is illegal under a number of different acts.

    I wasn't suggesting they be arrested for making software, but for hacking.

    That's what they do, they solve problems. Which is in essence what it is.

    It may very well be now a term used by the general public because so many idiots used the term in the wrong way or were too ignorant to know otherwise.


  • Registered Users, Registered Users 2 Posts: 13,381 ✭✭✭✭Paulw


    ntlbell wrote: »
    That's what they do, they solve problems.

    I don't think gaining access to someone's computer, without their consent would be considered solving a problem. :rolleyes: I don't think using computers to shut a website is solving a problem.

    But, I guess it's down to what you think of it. Under the Criminal Damage Act, it's illegal.


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    Paulw wrote: »
    I don't think gaining access to someone's computer, without their consent would be considered solving a problem. :rolleyes: I don't think using computers to shut a website is solving a problem.

    But, I guess it's down to what you think of it. Under the Criminal Damage Act, it's illegal.

    Hacking has nothing to do with gaining access to someone's computer why do you keep suggesting it does?

    What has Sending excess amounts of 1 and 0's over a wire got to do with hacking?

    As I said earlier, please educate yourself.


  • Registered Users, Registered Users 2 Posts: 13,381 ✭✭✭✭Paulw


    ntlbell wrote: »
    Hacking has nothing to do with gaining access to someone's computer why do you keep suggesting it does?
    .

    As I said, it's because the term hacking is commonly understood as this by the media and the general public. I am well aware of the actual terms, the laws governing it, and it's common application.

    If you want to talk about education, maybe you should start contacting all media outlets and get them to correct their misuse of the term, and also educate the general public of the difference between hacking and cracking. :rolleyes:


  • Closed Accounts Posts: 9,897 ✭✭✭MagicSean


    Paulw wrote: »
    I don't think gaining access to someone's computer, without their consent would be considered solving a problem. :rolleyes: I don't think using computers to shut a website is solving a problem.

    But, I guess it's down to what you think of it. Under the Criminal Damage Act, it's illegal.

    An actual ddos attack would not be illegal. Only the programs which force users to take part would be illegal. Ddos merely overloads the server and does not alter it.


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    Paulw wrote: »
    As I said, it's because the term hacking is commonly understood as this by the media and the general public. I am well aware of the actual terms, the laws governing it, and it's common application.

    If you want to talk about education, maybe you should start contacting all media outlets and get them to correct their misuse of the term, and also educate the general public of the difference between hacking and cracking. :rolleyes:

    Since you understand the difference why don't you use the correct term?

    This is a legal discussion forum not after hours.

    So by you continuing to use the wrong term you encourage others to do the same.


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    MagicSean wrote: »
    An actual ddos attack would not be illegal. Only the programs which force users to take part would be illegal. Ddos merely overloads the server and does not alter it.

    Indeed, if you look at the law paulw quoted it would mean the installation of ping would be illegal.

    So basically anyone who owns a pc/mac could be breaking the law.

    It's embarrassing been Irish sometimes.


  • Closed Accounts Posts: 2,630 ✭✭✭folan


    purposly performing a ddos is illegal, as is purposly cutting someones broadband wire.

    hacking is a term for writing software, not for intruding into another persons computer. it has been been used incorrectly over the years, and made "popular" by the film "Hackers". However, a hacker is anyone who writes software.


  • Advertisement
  • Closed Accounts Posts: 9,897 ✭✭✭MagicSean


    folan wrote: »
    purposly performing a ddos is illegal, as is purposly cutting someones broadband wire.

    hacking is a term for writing software, not for intruding into another persons computer. it has been been used incorrectly over the years, and made "popular" by the film "Hackers". However, a hacker is anyone who writes software.

    Under what law is a ddos attack illegal. Cutting broadband is different as it is physically cutting a connection. Ddos does not interfere with the site in any way, it just overloads it with traffic. The site is not damaged. At least that's my understanding of it.


  • Closed Accounts Posts: 2,630 ✭✭✭folan


    the site is not damaged, but the ddos purposly makes it inaccessable, just as though you cut the wire that connects the server hosting the site.

    just because you do not do something physically does not mean that it is not illegal. you cannot perform illegal activity over the internet just because it does not require you to be there physically. Threatening emails, blog posts, slander are good examples of this.

    most of this is covered under the telecoms act. Please look it up, as though it is outdated, its still the main point of refrence for alot of this type of thing.


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    If you ever had any dealings with for example the Irish Cyber Crime Squad or whatever they call themselves now.

    I think the anonymous gang are safe enough :)


  • Registered Users, Registered Users 2 Posts: 14 sirgzu


    I have very limited understanding of the Irish law but from discussing it with more knowledgeable people I gathered that under the common law, what happens in the US or in the UK can influence Irish law as a sort of precedent. This is why we must keep our eyes fixed on what is going on on both sides of the Atlantic.

    Now about ddos, here is a paper from TJ McIntyre who is a lecturer in UCD and is a specialist in cyber law. On page 6 is a section about denial of service and again, from what I gathered, there is no clear definition in Irish law as to what to do about it.


  • Registered Users, Registered Users 2 Posts: 14 sirgzu


    ntlbell wrote: »
    If you ever had any dealings with for example the Irish Cyber Crime Squad or whatever they call themselves now.

    I think the anonymous gang are safe enough :)

    Actually there is a whole cyber crime department at UCD.


  • Closed Accounts Posts: 9,897 ✭✭✭MagicSean


    folan wrote: »
    the site is not damaged, but the ddos purposly makes it inaccessable, just as though you cut the wire that connects the server hosting the site.

    just because you do not do something physically does not mean that it is not illegal. you cannot perform illegal activity over the internet just because it does not require you to be there physically. Threatening emails, blog posts, slander are good examples of this.

    most of this is covered under the telecoms act. Please look it up, as though it is outdated, its still the main point of refrence for alot of this type of thing.

    The site is made inaccessable in the same way it was on budget day. Too much traffic. It is not interfered with in any way. I didn't say you had to physically be there. I said you have to cause some actual damage. A ddos attack does not do that.


  • Closed Accounts Posts: 2,630 ✭✭✭folan


    sirgzu wrote: »
    Actually there is a whole cyber crime department at UCD.
    have they any legal powers? I was under the impression that the state was attempting to set up on under AGS.

    Also, as per your previous post and the article, I believe that, when intent to disrupt a communication channel can be shown as can be done in the case of a ddos, it does fall under section 2 of the Criminal Damage Act.

    Imagine disrupting the entrance to a physical branch of AIB. A ddos on the online site is similar.

    intent is the big thing though.


  • Closed Accounts Posts: 2,630 ✭✭✭folan


    MagicSean wrote: »
    The site is made inaccessable in the same way it was on budget day. Too much traffic. It is not interfered with in any way. I didn't say you had to physically be there. I said you have to cause some actual damage. A ddos attack does not do that.
    by definition, a ddos does exactly that. it is an attempt to stop the service from working correctly by removing its access. it is an attempt to deny a service.


  • Closed Accounts Posts: 9,897 ✭✭✭MagicSean


    folan wrote: »
    have they any legal powers? I was under the impression that the state was attempting to set up on under AGS.

    Also, as per your previous post and the article, I believe that, when intent to disrupt a communication channel can be shown as can be done in the case of a ddos, it does fall under section 2 of the Criminal Damage Act.

    Imagine disrupting the entrance to a physical branch of AIB. A ddos on the online site is similar.

    intent is the big thing though.

    http://www.irishstatutebook.ie/1991/en/act/pub/0031/print.html#sec1

    to damage” includes—


    (b) in relation to data—


    (i) to add to, alter, corrupt, erase or move to another storage medium or to a different location in the storage medium in which they are kept (whether or not property other than data is damaged thereby), or


    (ii) to do any act that contributes towards causing such addition, alteration, corruption, erasure or movement,


    I don't see how a Ddos attack would fall under this definition


  • Advertisement
  • Closed Accounts Posts: 2,630 ✭✭✭folan


    (a) in relation to property other than data (but including a storage medium in which data are kept), to destroy, deface, dismantle or, whether temporarily or otherwise, render inoperable or unfit for use or prevent or impair the operation of,

    would actually be my understanding of it.

    However, I am not a solicitor. So at this point I will leave the arguement to those of you who know more.

    One thing that this has shown me though is that the Data Laws in the ROI are very loose and as stand dont really cover a whole lot


  • Closed Accounts Posts: 9,897 ✭✭✭MagicSean


    folan wrote: »
    would actually be my understanding of it.

    However, I am not a solicitor. So at this point I will leave the arguement to those of you who know more.

    One thing that this has shown me though is that the Data Laws in the ROI are very loose and as stand dont really cover a whole lot

    It doesn't specify temporary or permanent but I suppose it could fall under that category. But the storage medium is not affected though. It is still operating, just at full capacity.


  • Registered Users, Registered Users 2 Posts: 14 sirgzu


    Isn't that contradictory with the three strikes thing? I mean the ISPs have right to cut down your internet I think? Am I right?

    Also under the hypothesis that a ddos is an unlawful act; are zombie computer owners liable? What if they willingly joined the ddos? What about normal web-browsing? And ultimately how do you differentiate between these in practice?


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    sirgzu wrote: »
    Isn't that contradictory with the three strikes thing? I mean the ISPs have right to cut down your internet I think? Am I right?

    Also under the hypothesis that a ddos is an unlawful act; are zombie computer owners liable? What if they willingly joined the ddos? What about normal web-browsing? And ultimately how do you differentiate between these in practice?

    This is where everything becomes very grey

    I think the 3 strikes you're referring to is for uploading copyrighted material.

    Proving the above is not always going to be easy and in some cases down right impossible.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    On the flipside are there any rules/laws in place to ensure that website owners take reasonable care in protecting public users data that is stored on there servers and databases?


    ie. Is there any specific laws against someone setting up a legit e-commerce site that stores credit card details or other info that could be used in identity theft and then renting out space with root access on the same server to someone.

    *edit
    Probably covered in the Data Protection Act.


  • Registered Users, Registered Users 2 Posts: 55 ✭✭Maxpv


    DDoS attacks don't just use up the server's CPU time and RAM, they use up HUGE amounts of bandwidth, and can cost the owner's of the site loads in bandwidth costs. They can cause servers to overheat, and do serious damage to them and even start a fire.

    Amazon cloud users pay something like €0.20/GB of data transfer. This can get extremely expensive when you have loads of people DDoS attacking.

    Not only that they are also taking down websites that are completely unrelated to the target but are hosted on the same server, in the same datacenter or even on the same bandwidth provider.

    Its also worth noting that most of the traffic from the DDoS attacks are coming from botnets and hacked internet connections, so these guys launching the DDoS attacks are breaking many laws and IMO it isn't a moral way to have a protest when you are effecting much more people than just the target and are wasting loads of expensive bandwidth etc etc.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 55 ✭✭Maxpv


    sirgzu wrote: »
    are zombie computer owners liable?

    As far as I know, zombie computer owners can be held responsible if it is thought they did not do enough to secure their computer. Its like leaving your car door wide open with keys in the ignition parked right outside a bank which happens to be in the process of being robbed. If a court thinks you didn't sufficiently secure your PC/car, you could be held somewhat liable.


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    Blazr wrote: »
    As far as I know, zombie computer owners can be held responsible if it is thought they did not do enough to secure their computer. Its like leaving your car door wide open with keys in the ignition parked right outside a bank which happens to be in the process of being robbed. If a court thinks you didn't sufficiently secure your PC/car, you could be held somewhat liable.

    Be interesting to test this theory with a 70yr old yahoo bingo player who's bingo client brought down some website in the Bahama's because she didn't know what do with the windows update button.


  • Registered Users, Registered Users 2 Posts: 13,381 ✭✭✭✭Paulw


    ntlbell wrote: »
    Be interesting to test this theory with a 70yr old yahoo bingo player who's bingo client brought down some website in the Bahama's because she didn't know what do with the windows update button.

    Doesn't Windows, by default, have automatic updates enabled?


  • Registered Users, Registered Users 2 Posts: 124 ✭✭Sempai


    MagicSean wrote: »
    http://www.irishstatutebook.ie/1991/en/act/pub/0031/print.html#sec1

    to damage” includes—


    (b) in relation to data—


    (i) to add to, alter, corrupt, erase or move to another storage medium or to a different location in the storage medium in which they are kept (whether or not property other than data is damaged thereby), or


    (ii) to do any act that contributes towards causing such addition, alteration, corruption, erasure or movement,


    I don't see how a Ddos attack would fall under this definition


    A DDoS may be covered in the Theft and Fraud Offences Act. But I doubt the Government suffered any loss. It's more common in commercial websites.

    Unlawful use of computer.

    9.—(1) A person who dishonestly, whether within or outside the State, operates or causes to be operated a computer within the State with the intention of making a gain for himself or herself or another, or of causing loss to another, is guilty of an offence.

    (2) A person guilty of an offence under this section is liable on conviction on indictment to a fine or imprisonment for a term not exceeding 10 years or both.


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    Paulw wrote: »
    Doesn't Windows, by default, have automatic updates enabled?

    To be honest I'm not sure I don't know much about windows.

    But I think if you're installing during the setup you may have an option of what to do.

    e.g. download updates. download and install updates etc.

    But I'm very open to be corrected.


  • Advertisement
  • Closed Accounts Posts: 12 AnonCypher


    ntlbell wrote: »
    I wasn't suggesting they be arrested for making software, but for hacking.

    That's what they do, they solve problems. Which is in essence what it is.

    It may very well be now a term used by the general public because so many idiots used the term in the wrong way or were too ignorant to know otherwise.

    white hat hacking and black hat cracking are two very very different things.
    Cracking is very illegal in this sense where as white hat protective hacking is done everyday by companies to monitor and check their own security for backdoors and faults you are of course right ntlbell some people do need to learn their terminology in this case as a lot of people get bad reputations by how people use their wording.


Advertisement