Forgot your password?
typodupeerror
The Courts Government The Internet News

Sweden to Make Denial of Service Attacks Illegal 108

Posted by ScuttleMonkey
from the play-nicer dept.
paulraps writes "Sweden is to pass legislation making Denial of Service attacks illegal. The offense will carry a maximum jail term of two years, and is thought to be a direct response to the attack which crashed the Swedish police's web site last summer. Nobody was charged for that, but the fact that it came shortly after a raid on the Pirate Bay's servers was thought by many to be not entirely coincidental. Sweden's move follows the UK, which is even tougher on web attackers — there the sentence can be over five years in prison."
This discussion has been archived. No new comments can be posted.

Sweden to Make Denial of Service Attacks Illegal

Comments Filter:
  • by morgan_greywolf (835522) on Monday February 19, 2007 @05:35PM (#18073796) Homepage Journal
    So does this mean that they're gonna arrest Taco, Zonk and Co.?
    • by nmb3000 (741169) <nmb3000@that-google-mail-site.com> on Monday February 19, 2007 @05:42PM (#18073946) Homepage Journal
      So does this mean that they're gonna arrest Taco, Zonk and Co.?

      It's worth a try!

      *cough* [sweden.gov.se] :)
    • They're already interference with private property, DDoS attacks are illegal. They may not be specifically outlawed, but make no mistake, they are by no means legal.
    • by Anonymous Coward
      They won't be arrested for anything, since they probably didn't do nothing.

      However, no one mentions the political change that occurred this autumn.
      After twelve years of social democrats (left) we (swedes) now have the so called "alliance" (right) since a few months back.
      Even though the social democrat's minister of justice (Tomas Bodström) was just the same kind of openly left and inner right kind of parrot that Blair is -- repeating whatever baloney the monkey in the white house spits out, there were
  • As most of the time DOS attacks are performed from outside the country, and therefor outside its juridiction, I doubt they'll even invoke it in court.
    • by Xemu (50595) on Monday February 19, 2007 @05:45PM (#18073996) Homepage
      As most of the time DOS attacks are performed from outside the country, and therefor outside its juridiction, I doubt they'll even invoke it in court.

      This law will allow the police to obtain the identity of the person using the IP address that is used for the DOS attack, even if this DOS attack is directed from Sweden to the outside world. I am sure there is a large amount of political pressure from the US in this matter and Swedish politicians are easy to intimidate.

      It is important to note that the sentence term of 2 years was not chosen at random. When a crime carries this sentence as a possiblity, the Swedish police gets greater powers to use surveillance, wiretapping and raids to secure evidence such as the identity of person using a specific IP address.

      In fact, this is also why thePiratebay.org exists and is so successful - since file sharing carries a sentence which is usually much less than 2 years, the police are not allowed to raid or subpoena the ISPs for the identity of the person that is using a specific IP address. (The Swedish MPAA aka APB have treid hard to get a criminal conviction for file sharing for this reason.)

      • by sr180 (700526) on Monday February 19, 2007 @08:01PM (#18075708) Journal

        In fact, this is also why thePiratebay.org exists and is so successful - since file sharing carries a sentence which is usually much less than 2 years, the police are not allowed to raid or subpoena the ISPs for the identity of the person that is using a specific IP address. (The Swedish MPAA aka APB have treid hard to get a criminal conviction for file sharing for this reason.)

        No. The pirate bay exists because its not illegal to link to illegal copyrighted material in Sweeden. The pirate bay doesnt share illegal material, just torrent files, which are essentially a link to where the material actually is.

        • If you link to copyrighted material but do not host it, you're an accessory to the crime of illegally distributing the material. Story (in swedish) [www.svt.se], the actual document (pdf, swedish) [svt.se].

          The problem with prosecuting the Pirate bay is that someone must be found guilty of a crime for another to be guilty of being an accessory to thet crime. The users of Piratebay are not suspected of a crime carrying a sentence of two years or more, meaning the police can't get their IP numbers, meaning they can't be charged wi
        • by turbofisk (602472)
          Actually the grand-parent is right. TPB is basically being prosecuted for aiding copyright infringement and what keeps an ordinary person from being charged for copyright infringement is that the police can't get the logs who tell them who the offender is - for the reason the grand-parent wrote...

      • A very common form of DDoS attack is a SYN flood where the source IP in the packets is NOT the IP of the bot being used.

        Last time someone had a go at our servers, the forged IPs traced back to well known locations which obviously weren't the real source (mostly US government labs like LLNL and Sandia).

        I see a risk here where DDoS is used specifically to frame the real owner of an IP.

        In any event, a moderately competent hacker will use a botnet which is managed using wardriving sessions, or from a server in
      • When a crime carries this sentence as a possiblity, the Swedish police gets greater powers to use surveillance...

        So, wait. The _objective measurement_ of the severity of the crime (i.e. the level of police response required) is tied to the _possible sentence_ it can carry? While in theory this shouldn't be a problem, since the sentence should reflect the harm done by the criminal, that kind of stipulation has _ludicrous_ potential for abuse.
        • by Kidbro (80868)
          Please explain.

          I honestly think the system is pretty sane. They can not search my house, even if I'm suspected of shop lifting. They can, however, search the house of the drug dealer living down the road. Somewhere the line has to be drawn, and if it has to be drawn, there has to be some way of figuring out which side any particular case should end up on. They've chosen the penalty of the crime the suspect is suspected of. Care to come up with a better measurement?

          And by the way, I live in Sweden, if that's
          • Man, I just gotta say, I'm impressed with the overall sanity of your legal system compared to ours (U.S.). 2 years is a perfectly reasonable sentence. I can't find the links, but I seem to recall seeing many bills announced on slashdot with completely disproportionate sentences. Hell, Kevin Mitnick comes to mind...
      • It is important to note that the sentence term of 2 years was not chosen at random. When a crime carries this sentence as a possiblity, the Swedish police gets greater powers to use surveillance, wiretapping and raids to secure evidence such as the identity of person using a specific IP address.

        Also, if you catch someone in the act of committing, or appearantly fleeing from the scene of crime of, a crime that carries a maximum penalty of more than two years, you may make a "citizen's arrest", that is grab a
    • by iago-vL (760581)
      As most of the time DOS attacks are performed from outside the country, and therefor outside its juridiction, I doubt they'll even invoke it in court.

      Actually, DoS attacks are more commonly performed from within the country, because who in Canada, for instance, would bother DoS'ing a Swedish company? Nobody would care.

      The problem, however, is that the bots the local attacker uses are typically outside the country, which makes it impossible to track down the attack.

  • Oh, that will solve it. Just make it illegal, and end of problem. Yeah, right. Until you can track, smash their computer toys in front of their eyes, empty their bank accounts, and lock them away for a good number of years, passing all the laws in the world is simply feel-good do nothing crap. And two years max isn't nearly enough!

    Breaking their fingers is a good thought as well.

    • Tracking (Score:3, Insightful)

      How do you suppose they'll handle compromised systems, proxies, or VPNs? If I root someone else's system and am knowledgeable enough to cover my tracks how do they propose to track me down? The FP also mentioned the Slashdot effect. How do you think they could handle a network of web pages which, when visited, all make requests from the targetted server (similar to pay-per-click scamming)?
      • Re: (Score:3, Insightful)

        by suffe (72090)
        They are politicians, why should this bother them? They'll just leave the problem solving to someone else. And as everyone knows, the legal system will only use the new powers to do good when it is evident that the found person is in fact the culprit. No one ever interpreted a law by its words rather then by its intention, did they?
        • by rts008 (812749)
          "They'll just leave the problem solving to someone else."

          Uhmmm...No.

          Sen. Ted "The Tubes" Stevenson is all over the 'internets' with his trucks.
          And he STILL is not getting his internets on a timely basis, but he'll keep those trucks humpin' up the tubes!
      • Same situation as just about any crime. Just because some people will be smart enough to carry out tax fraud, doesn't mean there's no need for laws against it.

        At least making it illegal will hopefully catch the sloppy operations and make the angry geek at home think twice about attacking a site.

        The pay-per-click scamming is an interesting point. My old site was getting forum spammed in to oblivion by the old UMAXPPC search sites. Would have been nice at the time if there was legal recourse since the sites w
        • What percentage of denial of service attacks on Swedish computers do you suppose actually occur within Sweden?
          It's a political feel-good law. The Swedish government can say "We're getting tough on this" without much worry that they'll have to bother prosecuting anyone.
          • What percentage of denial of service attacks on Swedish computers do you suppose actually occur within Sweden?

            No idea in all honesty. At least if someone decides to carry out a major DoS attack on a Swedish server, there is the possibility of extradition.
    • Alot of people still see DOSing, cracking etc as being not "real crimes" because they happen in cyberspace.

      As the internet continues to be extended to provide vital services (including access to emergency services etc), making denial of service illegal makes sense.

  • Don't do your DoS attacks from Sweden or the UK.
  • Good luck enforcing it and finding the C2 to punish the right person. I know my clan's site has had to move hosts a few times due to DDoS attacks, especially when the last one was pushing 10 Gb/s
  • Not going to work (Score:2, Insightful)

    by Kaleo (1041478)
    It damn well SHOULD be illegal, but unfortunately making it illegal isn't going to accomplish anything. Look at marijuana, it's illegal but everyone does it anyways. It will be unenforceable.
    • If you wander in to a bar or take a walk in to town, how many smokers do you see wandering around smoking Marijuana? Sure, you'll find some but the fact that there aren't that many around would suggest one of two possibilities.

      1) The vast majority of smokers don't like marijuana, they prefer tobacco.

      or

      2) The vast majority of smokers don't smoke habitually marijuana because it's illegal. This could be because they don't want legal hassle or perhaps they can't easily buy it.

      Even if you can't eliminate a crime
      • Well if you lived in A a certains country town in NSW, Austrlia it would be harder to find tobacco smokers.
      • by Kaleo (1041478)
        Well I admit that I was comparing apples to oranges, but you could still argue that by making *anything* outright illegal you will simply strengthen the underground of the related market through natural selection. Kinda like the illegal marijuana markets. The more they get attacked by authorities, the further underground network exploiters will go, and their defensive(and offensive) techniques will become more and more effective. Lock up one exploiter and a better one will learn his mistakes and be even
        • It's true that DoS techniques could go further underground but a stand has to be taken somewhere. The alternative is to allow state-sanctioned vandalism and blackmail.

          Virus writing is a relatively underground past-time but we can still examine the techniques used and improve our defences. My main hope with the law is that it'll deter the "me to" script kiddies who are looking for a few minutes of notoriety.

          You're right that this won't stop all of them. The big boys who have real gains to make from these att
          • by Kaleo (1041478)
            Of course. DoS attacks *have* to be illegal. For it to be legal would be obviously ludicrous. But how well is Sweden going to be able to enforce this? And even when they do catch DoS attackers, locking them up for a mere 2 years will only deter the teenage wannabes, not the real threats. Too many hackers/network exploiters/script kiddies have feelings of invincibility when hidden behind a computer screen. Two year prison sentences is not scary enough to stop these guys. Make it 15 years. That or make
  • Looks like the prison lobby has lots of pull in Europe, too. And in places you'd least expect it. If you want to make lots of money, you know where to invest.
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      Umm, you know, the swedish prison system is run by the national government, so there is no money to be made by the prison industry there.
      • by iminplaya (723125)
        The Iraq war is being run (badly) by the US government, but Blackwater and Halliburton rake in the dough. A government can operate for profit also. It might not be on the books, but it's there. So buy bonds... Also, they don't use any outside contractors to build the infrastructure? The money spreads far and wide, and it draws lots of scavengers. Those kinds of people will always advocate anything that puts more into their pockets. This isn't about protecting a service or property. It's vultures looking for
  • Pointless (Score:4, Insightful)

    by forgoil (104808) on Monday February 19, 2007 @05:39PM (#18073874) Homepage
    Take a quick look at everything that is illegal in Sweden, take a look at all the laws (seriously, do), and I can tell you that this doesn't really make a difference. Just because you make something illegal doesn't mean it will go away, something they refuse to realize in this country of mine...
    • Re: (Score:3, Insightful)

      by susano_otter (123650)
      I don't think laws are about preventing crime, so much as they are about setting up a "payback" system for crime.

      I think of it this way: You take something from society, you should give up something of your own in exchange. Ideally, you should give up something that pays society back in exchange for what you took, but in practice this is difficult to manage. (However, in America at least, we do have civil courts for people who want to try to get paid back in this way.) Instead, societies over the years ha
  • Good! (Score:1, Insightful)

    by Anonymous Coward
    DOS attacks are not funny. They should be treated a serious crime. Two years max sounds about right to me. It's a sufficient penalty to not be a "slap on the wrist", but neither is it a draconian "lock 'em up and throw away the key" response.
    • Yeah, ok, DoS attacks aren't funny, but they also shouldn't be a criminal felony. Felonies are for either very high value theft or an act that injures another person; DoS attacks do neither. If the target wishes to gain reparations for damages (monetary) then that is a matter for civil, not criminal, court. Thus, it should be a misdemeanor and punished as such, not as a felony. The punishment should fit the crime and two years imprisonment does not fit a DoS attack at.
  • Apparently, DoS attacks were going to be labled as computer infringement. So, since I'm swedish, I can compromise your server just by loading your web site quick enough, while you guys still need to actually get into my server! This law makes it so much easier to be a cracker around here!
  • Too bad (Score:4, Insightful)

    by cdrguru (88047) on Monday February 19, 2007 @05:44PM (#18073968) Homepage
    Too bad they don't understand that the Internet is a consequences-free zone.

    You can do just about anything on the Internet and are safe from prosecution. Why? Because the Internet crosses international borders and we all know that international law enforcement is just about impossible. No two countries have the same laws, the same penalties or even agree that the same things are criminal acts.

    So, Sweden can pass all the laws they want to, but it will have no effect unless every country on the planet agrees that DDOS attacks are a criminal act with at least two years in jail being an appropriate penalty this will have no effect.

    What is likely to happen is they will track some stupid show-off bragging script kiddie to Canada where it will be declared that they aren't going to extradite because it would bruise the delinquents ego. Or, the perp will be tracked to Romania where the response will be "So?"

    Under the right circumstances, the US would probably even shield a perpetrator.

    No, unfortunately for many people the Internet is destined to remain consequences-free for a long time to come.
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      You can do just about anything on the Internet and are safe from prosecution. Why? Because the Internet crosses international borders and we all know that international law enforcement is just about impossible. No two countries have the same laws, the same penalties or even agree that the same things are criminal acts.

      You raise an interesting point which I never considered. What happens when two countries *do* both have laws concerning the situation. If I crash a Swedish police website from here in Flori

    • by dimeglio (456244)
      Being a non-aborted Canadian, I resent your statement. We have a conservative government now, hey!
    • by newsblaze (894675) *
      Its not entirely consequences-free.
      if you remember, a few big spammers have had their lives jerked around, been stopped, fined and jailed.
      I know of someone who hacked into some corporate computers in the 90s, just for fun - he never did any damage. He got off on a bond, but it chewed up two years of his life, lost him his job and really screwed him up.
      There needs to be some deterrent otherwise people will do exactly as they please, without caring what it does to other people and with no fear it can hurt the
    • by hedwards (940851)
      What is with all the anti-US sentiment here? I hear a lot of whining from other countries about how we handle extraditions, but I don't hear any real acknowledgment of times when our criminals manage to escape to sovereign states like Ireland. The Irish courts have only approved a small hand full of extraditions to the US in recent years. Canada and a nearly every first world nation refuses to extradite murderers back to the US for trial unless we drop our death penalty. So it seems a bit odd to me that th
  • by anthony_dipierro (543308) on Monday February 19, 2007 @05:44PM (#18073974) Journal
    Geez, so now it's illegal in Sweeden to crash people's websites! What's gonna be next, a law against blowing up mailboxes?
    • Re: (Score:1, Insightful)

      by rTough (316345)
      Intent is the keyword in Swedish law. As I assume it is in most countries.

      Blowing up mailboxes is of course illegal and has been since long before there were mailboxes.
  • So... (Score:3, Interesting)

    by TCM (130219) on Monday February 19, 2007 @05:46PM (#18074010)
    ...does that mean it wasn't illegal up until now? That's actually more surprising to me.
    • It has been illegal, just not in the same sense as it now will be, as now it will be covered by the law regarding computer intrusion. The DDoS attacks against the police's website last year were filed under "taking the law into one's own hands" (egenmäktigt förfarande). Which is a bit nebulous of a category for it.

      I am very sceptical that this law will have any real effect. Just some sable rattling to give an illusion that the government is in control of these things.

      • taking the law's servers into one's own hands and throttling it
        There, now it makes sense ;)
        -nB
  • botnets (Score:1, Funny)

    by mpoloks (1062844)
    so who are they going to arrest? the bots?
  • seems reasonable (Score:4, Interesting)

    by DM9290 (797337) on Monday February 19, 2007 @06:02PM (#18074264) Journal
    This seems like a very reasonable maximum sentence. I am sure I can get 2 years for interferring with someones lawnmower or hairdrier in most jurisdictions. So I'm not sure this is even newsworthy. In fact.. I'm quite suprised this isn't already included in some kind of mischeif law thats already on the books and has been on the books for the past 500 years.

    Its basically always been illegal to screw around with someone elses machinery.
    • by PenGun (794213)
      I guess if it's reasonable to hold more of your population, per capita, in jail than any other country you are correct. I will not even cross the damn border so my horror that you can be jailed for 2 years for "interferring (sic) with someones lawnmower or hairdrier (sic)" is moot.

        You poor people, the richest country on earth, I guess it's fitting.
      • by DM9290 (797337)
        I'm in Canada. And in Canada you can be jailed for much longer than 2 years for interferring with someone's lawnmower if you do it in a way that MIGHT cause bodily harm. If it actually causes death you are looking at life.

        Obviously changing your friend's round lawnmower weels with cubes, is something of a funny joke, and probably harmless and in theory you may be aquitted on the legal defense of "prank". (which sometimes works)

        But tampering with a lawnmower is similar to tampering with a car. How would you
  • Punishment... (Score:4, Interesting)

    by xaoslaad (590527) on Monday February 19, 2007 @06:10PM (#18074356)
    People who get charged with DUI's and other more grievous crimes don't even necessarilly end up in prison for the first offense. Sending people to prison for over 5 years for taking down a website is absurd. It's something that should probably be dealt with via stiff fines. In most cases it's just a frikkan' website. In most cases no ones life or well-being rely on it... perhaps a separate more severe punishment like prison time could be reserved for those public service type sites that might exist with a greater purpose...

    At least the 'maximum punishment' of 2 years they are seeking does not seem too severe. If that maximum sentence isn't abused, and used only for those repeat offenders who just don't learn it seems alright...
    • by aldheorte (162967)
      Mod parent up. You can beat someone senseless and get a year or less in jail, but send to many requests to a computer and you get two years. It's senseless and probably has roots in the same hysteria that drove the Salem witch trials (something unknown/arcange/magical from the perspective of the law makers).
  • I think they mean they're making DDOS attacks more illegal. I can't believe that such destructive behavior was previously legal, nor do I believe that merely passing a law will have the slightest effect on reality. I mean, I'm frequently amazed at how stupidly U.S.-centric our Congress is when it passes laws regarding Internet crime, but I guess such thinking isn't limited to just our government. Practically speaking, such a law is likely to encourage more and more damaging attacks, just to show how ineffe
  • ... we can no longer use the term "the server is borked".
  • Heh...I read this as "Sweden to Make Dental Service Attacks Illegal". No comment........
  • Of course, this being /. I didn't read TFA but any country where if I stagger into a bar already drunk, they deny me service and throw me out physically and _they_ get charged for it is alright by me!

  • More importantly (Score:3, Informative)

    by denoir (960304) on Monday February 19, 2007 @07:33PM (#18075452)
    What is just briefly mentioned in the article is that conspiracy to make a DOS attack will be punishable. It seems like a very vaguely defined crime and because the tough sentences it would give the police search warrants way too easily. Technically to be a suspect all you need to have is a computer - what else kind of evidence could there be before an attack is actually committed?
    • Re: (Score:1, Insightful)

      by romland (192158)
      what else kind of evidence could there be before an attack is actually committed?
      Oh, having a botnet of a few hundred zombies comes to mind...
  • inmate one:hey
    inmate two:yea, what are you in for?
    inmate one:I murdered my family. You?
    inmate two:... DOS
  • How about a MINIMUM of two years in prison?
  • Aren't DoS attacks already illegal by way of tort law?
  • They're not illegal already ?
    Don't they fall under some sort of Don't be an asshole common-law ?
  • The attack on the police homepage was nothing but a very simple javascript function on a HTML page, constantly reloading a large JPEG on www.polisen.se. The URL was then spread on a large discussion forum (namely flashback), which made everyone upset with the piratebay raid contribute to bringing down the site. Good luck charging thousands of people with broadband connections for visiting a webpage.
  • Make it illegal, so people stop doing it. Why didn't anyone ever come up with the idea of making Terrorism illegal, then we'd have saved a TON of money and quite a few people would've saved their lives, for example by not going to Iraq?

    What do you mean, it doesn't work? It has to, or they wouldn't pass a law making a DDoS illegal. Or do you mean they would pass an unenforceable law, because

    a) DDoSs are by their very definition international
    b) Drones are used that don't even know they participate
    c) Finding a
    • by jamyskis (958091)
      To be quite frank, this is only to close loopholes in the law that DDoSers use to escape punishment - more a formality than anything else. Hacking into computers is still quite a legal grey area in many countries - people who steal bank details through phishing or other means would be prosecuted under theft laws, for example. Technically speaking, under current law in Sweden and previously in the UK, DDoS could not have been considered damaging or theft by law, as no hardware damage was caused and nothing w
      • So you think I should no laugh about that law that some county in California (I think) has which makes it illegal (and can get you fined for up to 500 bucks) to detonate a nuclear device within city limits?

        Personally, I find this law ridiculous. But when you put it that way, it suddenly becomes very sensible and sane.
        • by jamyskis (958091)
          Well...just wait for bin Laden to detonate a nuclear device in the State of California and then watch in glory as the FBI leads the world's biggest manhunt to chase up 500 bucks.
          • If it doesn't cross state borders it's none of the FBI's biz. So he should wait 'til the wind blows from the east.
  • What is the definition that they will use for Denial-of-Service attack i.e., when would I be considered under a DoS, if my site completely goes down? Or if I see a 50% drop in performance? Also, who will they arrest? If I had a spyware/malware on my PC without my knowledge would I be considered an offender? These things probably need to be crystallized too.

"Everything should be made as simple as possible, but not simpler." -- Albert Einstein

Working...