Theresa May DDoS case: Man cuffed by eCops A man has been arrested in Stoke-on-Trent by police investigating a DDoS attack on Theresa May's website and the Home Office website in June. The 41 year old was arrested this morning by officers from the eCrime unit. He was later bailed until December. The man was arrested on suspicion of assisting or encouraging the denial …
Stop laughing at the back...
I fail to see how DDoS'ing Mays website is a serious crime. Maybe inconveniencing her constituents might be considered annoying. Surely a slap on the wrist?
However I am wondering if I should start reporting the 'attacks' I see on my servers, 30 to 40 per day per server. I'm sure the ePolice would be very grateful.... perhaps I could forward the fail2ban alerts directly to them!
The key word is "denial of service".
The random SSH spam hitting your server isn't really denying service, just a nuisance. And, yes, it's also illegal. There's nothing stopping you reporting it but pretty much the answer will be "out of our jurisdiction" or even "not enough effect on the 'victim' to be worth bothering hunting down".
But if you take a website DOWN by doing it, and it's traceable in the UK, and they can prove you did it deliberately (and not just hit the wrong button when typing in an IP while "infinite retry" was on, or whatever), then you should report it.
There's a HUGE difference, though, between random SSH port-hits from known-spammy overseas servers and actually knocking a website offline through a deliberate data overload. Both are technically crimes, as is driving while phoning. You can report as many people as you like for driving while phoning (which I must see 5-10 times a day) but the chances are that even with all the evidence in the world, not much will happen (because the burden of proof is higher than the actual result you'll get and many times you'll spend so much investigating the crime and it will never get to the point where it can be prosecuted). Drive past a police car while doing it, or have an accident because of it, though and it's a very different matter.
Not saying that's *right*. That's just life. And our police already spend half their lives chasing things that they shouldn't need to, without worrying about your SSH pings. But taking down a public website of a politician (or even celebrity, or charity, or organisation, or company - no matter how small) through attacks and DDoS? Yes, that's something I would expect them to investigate, at least.
"The random SSH spam hitting your server isn't really denying service, just a nuisance. And, yes, it's also illegal."
IANAL, but using a system as it is intended to be used is not illegal.
http://strowger-net.telefoonmuseum.com/tel_hist_phreak.html
Check out the last paragraph about the Old Bailey trial. 3 Oct. 1973
It is if you're trying even a single username/password combination that you don't have legal right to use.
I don't care about you opening a reasonable-amount of TCP connections to the services published (unreasonable amount = DDoS). It's what you do with them. And most of the stuff that connects to SSH servers will try a couple of username/password combinations on the hopes of getting in.
Which *is* illegal.
Spam email is the same. Connecting to a mail server isn't a crime. Trying to send falsified email through a mail server is.
It's interesting though how the police can have a crystal clear knowledge of the law when it involves a celebrity or big business, and then suddenly develop a certain Gumby-like stupidity ('my brain hurts!') when dealing with anybody else making a complaint.
Compare and contrast that readiness with their stubborn refusal to do anything about the apparent illegal interception of communications by BT/Phorm for example (and the City of London's police's laughable excuse of 'no criminal intent'). Then you have Hampshire police's refusal to do anything about Vodafone and the unauthorised use of Bluecoat's systems on customer connections.
It would seem that crimes are only committed when they don't involve large corporations or mobile phone companies. This is a view that seems to be reinforced by their lack of will to go after telecoms providers for RIPA offenses affecting tens of thousands of customers but are quite happy to go after individual journalists as part of the investigations into phone hacking.
Incidentally how do mobile operators continue to get away with running such insecure systems where voicemail is concerned? If ISPs can generate random passwords for their wifi routers then surely it should not be beyond the abilities of the likes of Vodafone to generate random passwords for the voicemail and give them to the customer when they're signing up for the service?
@Arrrggghh-otron
The thing is, you and I may be aware that DDoSing a site is at best a nuisance in terms of its real world effect - that's not a statement about the intent, though, just about the competence of the attacker. Idiots who overvalue websites and mistake them for the whole of the Internet often make this mistake. (As always, Randall Munroe at XKCD explains it perfectly).
I don't particularly see that turning a blind eye to malicious intent mitigated only by the attacker's own incompetence benefits us all. Do we wait until the same malicious moron attempts to DDoS the constituency council systems in some fashion? Or do we act now and have the individual in question spanked by the law for attempting to disrupt the political system in order to make a point?
TL,DR: DDoS attacks and other infrastructure attacks aren't legitimate political expression, and anyone carrying them out deserves a kick up the hole.
They also attacked the home office web site. Oddly this is mentioned second in the article, after Theresa May, I would have thought this would be the more significant act.
Either way, someone taking an MP's web site off the Internet is interfering in people's ability to contact their MP and therefore a bit more significant than taking down a general "this is me" type of web page.
Actually, a DDoS would be more like blocking the entire road they use. Which could (and is likely to) impact on a lot more people than the intended target, and still could be perceived as harassment, obstruction and (depending on how you did it) even assault. Even discussing doing such a thing would also be a conspiracy offence in some cases (no different to, say, conspiring to harass someone, or using threatening language).
Just because it's on the Internet doesn't mean it's victimless. They have no idea how many other people and/or companies whose private business they may have affected by doing such things. Someone, somewhere was paying for that website to be up and the DDoS was preventing that contract from being fulfilled by, basically, force.
People are always on about the laws being "old-fashioned" while at the same time thinking that simple principles laid down centuries ago don't apply to modern media. The law doesn't distinguish, that's the only problem and works both ways. In this case, they harassed someone, blocked a service being provided, impacted on the business and personal lives of the person targeted and may have done so to any number of unknown people too (Never heard of a VPS? Or a datacentre whose main lines gets DDoS'd?) and cost people lots of money and prevented them doing business.
There's no difference between this and deliberately constantly ringing all the phones in the office of the victim until they can't send/receive any more phone calls. And that's been illegal for decades. It's also bordering on harassment as well. Just because a computer was involved, doesn't make it any less illegal.
Also, a DDOS would be more like a whole bunch of people standing in your way preventing you from going where you want, which would - certainly in my opinion - be significantly more than petty obstruction.
Yup, sounds like a legitimate demonstration to me.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
