Computer Misuse (Amendment) Bill
Andrew Cormack
A.Cormack at ukerna.ac.uk
Tue, 21 May 2002 09:48:03 +0100
Just catching up on this discussion. One act that my users and many others
are particularly interested in having prohibited is sending UBE with forged
From headers. That can result in the owner of the From domain suffering a
serious DoS attack, even though they were neither the sender nor the
recipient of the original mail. Indeed both of those parties can be, and
usually are, on a different continent from the person who suffers from the
attack. Doing this sort of thing would be criminalised by the proposed
amendment, which would be a good thing, even though it's unlikely that
they'd ever be prosecuted, being on a different continent and all that...
Andrew
> -----Original Message-----
> From: Ian Jackson [mailto:ijackson@chiark.greenend.org.uk]
> Sent: 12 May 2002 19:08
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: Computer Misuse (Amendment) Bill
>
>
> Peter Sommer writes ("Computer Misuse (Amendment) Bill"):
> ...
> > House of Lords Bill to amend the 1990 Computer Misuse Act
> > to include DoS attacks:
> >
> > http://www.publications.parliament.uk/pa/ld200102/ldbills/079/2002079.pdf
>
> I might as well reproduce the meat here. The CMA gets amended by the
> addition of this new section:
>
> 3A Denial of service attacks
>
> (1) A person is guilty of an offence if without authorisation he
> does any act -
> (a) which causes; or
> (b) which he intends to cause,
> directly or indirectly, a degradation, failure, or other
> impairment of function of a computerised system or any part
> thereof.
> (2) A person is guilty of the offence in subsection (1)(a) even if
> the act was not intended to cause such an effect, provided that
> a reasonable person could have anticipated that the act would
> have caused such an effect.
> (3) For the purposes of subsection (1), the act is without
> authorisation if the person doing it -
> (a) is not the owner of the relevant computerised system or
> part thereof; or
> (b) does not have the permission of the owner.
>
> (The original CMA 1990 is at
> http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm.)
>
> I have a number of questions and criticisms:
>
> * The other offences in the CMA 1990 all have a bit saying what the
> penalty is. This one doesn't. Am I missing something ?
>
> * This seems to me to be massively overbroad. It includes any
> degradation of performance, not just serious or total loss of service.
> You commit the offence even if the performance degradation is a
> side-effect of some legitimate effect.
>
> For example: my anti-spam SMTP server SAUCE [1] deliberately delays
> responding to erroneous SMTP instructions from machines trying to send
> it mail. It does this for a number of reasons mainly to do with
> fighting spam (but also for slowing down endless loops).
>
> However, it's clear that doing this `causes ... an impairment of
> function ... of a [computer]' - namely, it reduces the mail-sending
> performance of the affected sending sites. Since I'm not the owner of
> those systems, and I don't have (at least in some cases) their
> permission to slow their computer down in this way, I would appear to
> be committing this offence. Surely not ? Am I then legally mandated
> to have my mail-receiving software respond promptly ?
>
> I'm sure ukcrypto readers can think of other examples.
>
> * I'm very troubled by the `reasonable person could have anticipated'
> bit.
>
> Denial of service is frequently caused accidentally by
> less-than-clueful users. Are we to say that (for example) filling up
> the disk by creating many large files, so that a shared computer
> doesn't work any more, is now to be an offence ? Surely a `reasonable
> person could have anticipated' that using up huge amounts of a limited
> resource like disk space would `impair [the] function' of the
> computer ?
>
> But, surely these miscreants should be dealt with via slapped-wrist
> from the sysadmin, not by the criminal law !
>
> Ian.