Comment by thayne
7 months ago
Disclosure: IANAL
The CFAA[1] prohibits:
> knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
As far as I can tell (again, IANAL) there isn't an exception if you believe said computer is actively attempting to abuse your system[2]. I'm not sure if a zip bomb would constitute intentional damage, but it is at least close enough to the line that I wouldn't feel comfortable risking it.
[1]: https://www.law.cornell.edu/uscode/text/18/1030
[2]: And of course, you might make a mistake and incorrectly serve this to legitimate traffic.
I don't believe the client counts as a protected computer because they initiated the connection. Also a protected computer is a very specific definition that involves banking and/or commerce and/or the government.
Part B of the definition of "protected computer" says:
> which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States
Assuming the server is running in the states, I think that would apply unless the client is in the same state as the server, in which case there is probably similar state law that comes into affect. I don't see anything there that excludes a client, and that makes sense, because otherwise it wouldn't prohibit having a site that tricks people into downloading malware.
The word "accessed" is used multiple times throughout the law. A client accesses a server. A server does not access a client. It responds to a client.
Also, the protected computer has to be involved in commerce. Unless they are accessing the website with the zip bomb using a computer that also is uses for interstate or foreign commerce, it won't qualify.
4 replies →
A protected computer is "a computer which is protected by this law", which is most American computers, not a special class of American computers. The only reason it's not all American computers is that the US federal government doesn't have full jurisdiction over the US. They wrote the definition of "protected computer" to include all the computers they have jurisdiction over.
In particular, the interstate commerce clause is very over-reaching. It's been ruled that someone who grew their own crops to feed to their own farm animals sold locally was conducting interstate commerce because they didn't have to buy them from another state.
Just put a "by connecting to this service, you agree to and authorize…" at the front of the zipbomb.
(I'm half-joking, half-crying. It's how everything else works, basically. Why would it not work here? You could even go as far as explicitly calling it a "zipbomb test delivery service". It's not your fault those bots have no understanding what they're connecting to…)
So the trick is to disguise it as an accident. Have the zip bomb look like a real HTML file at the beginning, then have zeroes after that, like it got corrupted.
well, what does "damage" mean in that law? filling the disk isn't destructive. filling RAM isn't destructive. there's nothing in a zip-bomb approach that is destructive; a reboot or an `rm` (at most) undoes it all. I would say that this doesn't qualify as a destructive operation in any way.
IANAL
There is IMO no legal use case for an external computer system to initiate a connection with my system without prior legal agreement. It all happens on good will and therefore can be terminated at any time.
So you can hack any browser that connects to your website because they dont have a legal agreement with you? Dont think that will work as a defense
There is IMO no legal use case for an external computer system to initiate a connection with my system without prior legal agreement. It all happens on good will.