Comment by avaer
8 years ago
Does anyone know if this kind of white hat stuff has been tested by law?
Because it seems in the realm of possibility that if a large botnet hits you and your responses crash a bunch of computers you could do serious time for trying it. I'm hoping there's precedent against this...
He's got a pretty good defence in that all he's really doing is filtering requests and serving up a really large file to some of them. No active agency, and no executable code. If merely loading a large file crashes a computer, that's arguably the fault of the browser and/or OS.
Intent really matters, especially in cases like these. He's serving up files deliberately, knowing they will likely cause problems.
Microsoft doesn't take the fall for malware, even if it's a fault in SMB or the like.
The intent is damage.
Probably his best defence is the fact that it's really unlikely that the attackers would ever swear a complaint or testify. Kind of a "robbing drug dealers problem". I'd be more worried about being targeted by a massive DDOS.
They're probably already committing a felony accessing the computer. The scan is an intent to transmit malware. If that's true, you could make a pretty good fleeing felon argument.
But he's serving those files only to people looking to cause problems. It's self-defense.
That's a good point, although I think the innocuousness of the action would be at least a mitigating factor. I wouldn't expect MS to take any blame, but the "damage" being due to faults in the OS or browser would also be mitigating---a minor rear-end collision on a Ford Pinto could cause it to explode because of a design flaw, but the driver of the other car wouldn't be charged with arson. (Afterthought: he might be if he rammed it deliberately, so I guess that supports your thesis rather than mine)
There are laws allowing a person to shoot an intruder in their house. And I can't serve nulls from my own web server? That would be ridiculous.
From what I've read, in some parts of America it seems okay to shoot at intruders running away from your house, which I find unreasonable.
A farmer here in the UK stirred up a whole load of shit when he shot two burglars [1] trying to escape from his property.
[1] https://en.wikipedia.org/wiki/Tony_Martin_(farmer)
The UK (or English?) law about self defence is "back to the wall", i.e. you can invoke lethal force to defend your own life when your back is against the wall, when you have no other option, and no way to escape. In other words, if you can retreat from the situation, then you must retreat.
Some places in the USA have "stand your ground" laws. These say you aren't required to retreat, that you can "stand your ground", that you can use (legally) lethal force without requiring that your back is against the wall.
Yes, in Texas you can use lethal force to prevent a burglary, robbery or theft (at night) and can also use lethal force on someone fleeing with stolen property in order to recover it.
Most of those laws are self defence laws. The US & the UK have slight differences, but you're often allowed to use lethal force to prevent yourself being killed.
You're allowed to use equal force in the UK, as I understand it, which means if someone attacks you with fists, you can't shoot them in return. If you're in danger of being killed, then you'd be able to use lethal force.
Do you have an NRA?
A better outcome for an infected machine is complete failure than silent intrusion. The person then definitely knows something is wrong, AV software or not.
I don't think there's a law against serving obscenely large files on the web, at least nowhere except Germany.
> I don't think there's a law against...
Connecting to a server... (A lot)
Putting random strings into forms... (A lot)
Moving your money between banks... (In different countries)
Buying stocks... (With insider knowledge)
A simple act doesn't spell the whole story, and fraud, computer crime, etc. laws are written vaguely enough for a country to prosecute someone "sending large files."