Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
The Courts Government The Internet News

British Teen Cleared in "E-mail Bomb" Case 155

legaleagll writes "According to this article , a British Judge has ruled that a teen who sent approximately 5,000,000 e-mails to his former employer was not in violation of the U.K.'s Computer Misuse Act. It appears that the Computer Misuse Act is a bit outdated being that it was created 15 years ago when a number, perhaps most, of the current methods for misuse of computers were not contemplated."
This discussion has been archived. No new comments can be posted.

British Teen Cleared in "E-mail Bomb" Case

Comments Filter:
  • 'editors' heh (Score:3, Informative)

    by Neil Blender ( 555885 ) <neilblender@gmail.com> on Thursday November 03, 2005 @12:42AM (#13938546)
    Summary says 3 million, the article clearly, even hyperlinked so it's highlighted, says 5 million.
    • Just as the rape victim shouldn't've worn a short skirt, the employer should've had a faster mailserver damnit!
    • by austinpoet ( 789122 ) on Thursday November 03, 2005 @01:10AM (#13938649)
      The editors converted it from British Emails into American e-mails. Thus 5 million becomes 3 million.

      Oh wait that's still backwards. *shakes fist* damn editors!
    • Re:'editors' heh (Score:1, Insightful)

      by Anonymous Coward
      More importantly, this is a story about an assclown who flooded an e-mail server and got away with his abusive behavior on a technicality in British law... one which will surely be corrected soon.

      How the fuck does this have anything to do with "my rights online?"

      Unless you think I have an inalienable right to be an assclown, in which case, HAND.
    • maybe it's counting upwards like the gmail capacity, he's still sending spam as we speak!
    • No no no... the summary says 3,000,000 and the article says "5 million".

      We all know that "5 million" equals "3,000,000".
      If they meant "5,000,000" they would have written "5 mebimillion".
    • Re:'editors' heh (Score:4, Informative)

      by Tim C ( 15259 ) on Thursday November 03, 2005 @04:32AM (#13939325)
      I thought it had been established long ago that the slashdot editors don't edit as such, they just approve and reject stories. No checking for factual accuracy, grammar, spelling, or any other things real editors would do is performed - it's even in the FAQ.

      That said, that was fine when this was a hobbyist site; it's somewhat irksome now that it's a commercial venture. Not that I pay anything for it, other than the time spent frequenting and contributing of course...
  • by Anonymous Coward on Thursday November 03, 2005 @12:43AM (#13938552)
    What a nerd. "If my electronic mail-bombe doesn't inconvenience my former employer, then my name isn't Melvin Q. Ucklesworth!"

    This is most likely what he said while rubbing his peach-fuzz moustache (nothing to twirl evilly quite yet.)
  • by Palal ( 836081 ) on Thursday November 03, 2005 @12:44AM (#13938556) Homepage
    How do we strike a balance between a piece of legislation that covers any crime that may not have been thought up yet, without prohibiting activities that are not necesserily criminal that will be invented in the future? This is something that no country has come up with yet and this is unlikely to happen any time soon due to various governments in power. (cough)
    • by grogdamighty ( 884570 ) on Thursday November 03, 2005 @01:33AM (#13938753) Homepage
      The obvious answer is that legislation should be for there here and now, updated as necessary for changes in society. Rather, any "enduring" legal work should be through the constitution - the basic rights fleshed out by legislation.

      Thus, the Second Amendment allows citizens to bear arms so that they are never helpless before the government, but more current legislation is designed to keep criminals from using guns to harm citizens (no concealed weapons in certain locales, background checks, etc.)

    • You write something like Miami University has in its Responsible Use of Computing Resources document. You can read it at http://kb.muohio.edu/cgi-bin/webcgi.exe?new,KB=MU K B,case=obj(4831) [muohio.edu] if you are interested.

      There is very little technology specific language in it, and it was written many, many years ago. We look to revise it at a certain interval, and always come to the conclusion that it still stands and applies as well as it did when it was written. The student judicial system and technology advise
    • I don't like the idea of laws that foresee possible misuses of technology in the future, because by their nature they would have to be so vague that they would almost certainly have an adverse affect on freedom. Of course the DMCA is an example of this.

      Really, it should be extremely difficult to pass a new law, and it should be clear that there is a solid need for it. Yes, that means the first people who commit crimes using new technology in new ways may not be prosecuted (note that I'm not talking about
    • How do we strike a balance between a piece of legislation that covers any crime that may not have been thought up yet, without prohibiting activities that are not necesserily criminal that will be invented in the future?
      What if we give people the responsibility and power to evaluate a given situation as it applies to a certain law? I think we should call them "judges"...
    • Simple you provide a set of guidelines, perhaps backed up by examples, that define misuse. For instance phrase it thus:

      Any action that deliberately sets out to damage, render unavailable or diminish in capability any computer system.

      It would be quite easy to prove that sending 3,000,000 emails to your ex-employer, especially in a short span of time, would fall foul of that law. Yes, you have to prove intent but you would have to do that anyway. Accidents wouldn't fall foul of this law but a clause for n

    • Some years ago a friend of mine was a phreaker. Eventually he got caught.
      The cops had to individually read out each phone call from the itemized list they had been given saying something like "on 12th september 1985 did you make a call to 555 5555" and he had to answer yes or no. It took them 10 hours of interview to get through the list.
      When it got down to it there wasn't a suitable law in statue and they could only charge him with "Theft of Electricity" and he ended up with a minor fine.

      • When it got down to it there wasn't a suitable law in statue and they could only charge him with "Theft of Electricity" and he ended up with a minor fine.

        After I quit from a job, due to my salary being 3 months in arrears, I took the company to court to recover the money owed. To counterattack they tried to think of claims to make against me, like $100,000 in losses because I had left unexpectedly. Another was that I had used their Internet (dial up) access after I quit, which was true for a few days till

    • How do we strike a balance between a piece of legislation that covers any crime that may not have been thought up yet, without prohibiting activities that are not necesserily criminal that will be invented in the future? This is something that no country has come up with yet and this is unlikely to happen any time soon due to various governments in power. (cough)

      There are many such laws. For example, criminal damage. If you infringe on another's property rights by physically damaging his/her property (b
    • The government of the United States has that situation covered, it has something called the "Patriot Act" which effectively outlaws any action that would inconvenience the US government, any corporation, or anybody who has given enough money to the proper people.
    • I'm not sure where you're from, but the way it works in the US (roughly) is that laws set down general rules, and its application to new situations is governed by courts. Courts thereby create a body of precendents that function similar to laws. If legislators don't like what the courts are doing with a law, then they go back and change or amend the law.
    • A charge of Mischeif [justice.gc.ca] covers just about anything nasty you can think of. The reference pointed to is Canadian law, but I presume that British law contains an equivalent (since Canadian and British law were only disconnected in the last century or so).

      430. (1) Every one commits mischief who wilfully
      (a) destroys or damages property;
      (b) renders property dangerous, useless, inoperative or ineffective;
      (c) obstructs, interrupts or interferes with the lawful use, enjoyment or operation of property; or
      . .

  • by CyricZ ( 887944 ) on Thursday November 03, 2005 @12:45AM (#13938562)
    Perhaps it is time for that business to invest in a more modern mail server. Indeed, even the lowliest of Dell servers running Linux or FreeBSD can easily handle 5 million email messages, even if sent in a very short period of time. A large amount of mail should never cause the server to completely crash, even if it does consume much bandwidth and cause other delays.

    • Indeed, even the lowliest of Dell servers running Linux or FreeBSD can easily handle 5 million email messages, even if sent in a very short period of time.


      Erm, i'd severely doubt that, let me email 5,000,000 messages in 5 minutes and see if your server/network dies.
      • by CyricZ ( 887944 ) on Thursday November 03, 2005 @12:54AM (#13938593)
        Would my server straight out die? Of course not. It would queue the messages for as long as possible, and if the server happened to run out of disk space, it would begin rejecting the messages. The one thing it would not do is crash.

        • And then it spawns more and more processes to process the mail, eating up ram, at which point any other services on the box may be overloaded and deprived of resources.
          Immense disk swapping ensues. System load increases.
          Server 'crashes' (becomes so unusable as to be unresponsive even to administrative use, much less queueing or sending mail anymore).
          • by Anonymous Coward
            And then it spawns more and more processes to process the mail, eating up ram, at which point any other services on the box may be overloaded and deprived of resources.

            The default configuration of sendmail and many other common MTAs is to delay and stop accepting email to prevent exactly that.
          • There are numerous ways to limit the excessive resource misallocation you mention. Again, any half decent mail server can do that, as can any half decent operating system.

            And a thrashing server is not a crashed server by any means. If it's running a decent operating system (most UNIX-like systems, for instance), it should be working just fine within a short amount of time. Yes, it may not be the most responsive system for a little while, but it sure hasn't crashed.

          • And then it spawns more and more processes to process the mail, eating up ram, at which point any other services on the box may be overloaded and deprived of resources.

            No, the mail server is a dedicated box, and thee are limits to how many processes it will spawn. What it will do is queue a bunch of messages and work through the backlog. I can build a $3k box (plus the cost of a storage array if needed) that will handle a 20Mbit stream of mail all day long. This isn't rocket science.

            • No, the mail server is a dedicated box, and thee are limits to how many processes it will spawn. What it will do is queue a bunch of messages and work through the backlog. I can build a $3k box (plus the cost of a storage array if needed) that will handle a 20Mbit stream of mail all day long. This isn't rocket science.

              Perhaps this should start out as "no my mail server is a dedicated box..."?

              See, there are other people in the world than yourself. And, while it's not hard to put together a Linux/sendmail ser
              • See, there are other people in the world than yourself. And, while it's not hard to put together a Linux/sendmail server that can handle a 20 Mb stream, building one that also runs, oh, say, a web server, WebDAV, SQL, and a few other services useful to a small business may lead you to places where it's not true anymore.

                Anybody that runs production hardware like that deserves what they get. There are serious security problems with running all-in-one solutions; if your needs are really so small, get a site

                • by mcrbids ( 148650 ) on Thursday November 03, 2005 @04:53AM (#13939392) Journal
                  I take you you have little/no experience working with small businesses?

                  My "not credible" numbers are very typical for scenarios I work in. In this world of small enterprises, it's very normal to run an entire business with just a single server. Bitch all you want to about whatever security issues, I sure have.

                  Small business owners tend to have a case of megalomania. If they can pet the box, they "own" it. Thus, they'll spend $2,000 on a server rather than $25/mo on a managed solution because they can pet the box, even as they explain about the increased downtime because they don't have a dedicated admin, like their ISP.

                  Just because it's not true in your world, doesn't mean it isn't true!
                  • o, the mail server is a dedicated box, and thee are limits to how many processes it will spawn. What it will do is queue a bunch of messages and work through the backlog. I can build a $3k box (plus the cost of a storage array if needed) that will handle a 20Mbit stream of mail all day long. This isn't rocket science. Perhaps this should start out as "no my mail server is a dedicated box..."?
                    Actually what I think the proper terminology is: "No, MOST mail servers run on a dedicated box!" For this we k
                  • Small business owners tend to have a case of megalomania. If they can pet the box, they "own" it. Thus, they'll spend $2,000 on a server rather than $25/mo on a managed solution because they can pet the box, even as they explain about the increased downtime because they don't have a dedicated admin, like their ISP.

                    sure... we call these people "victims"

                  • Small business owners tend to have a case of megalomania. If they can pet the box, they "own" it. Thus, they'll spend $2,000 on a server rather than $25/mo on a managed solution because they can pet the box, even as they explain about the increased downtime because they don't have a dedicated admin, like their ISP.

                    Were you expecting sympathy? Anyway, My $2k pricetag was for a low-end server. If we're going to self host (instead of using a managed host for the web side of things like any smart businessper

      • Erm, i'd severely doubt that, let me email 5,000,000 messages in 5 minutes and see if your server/network dies.

        Dude, if you can get a server/network which lets you email 5,000,000 messages in 5 minutes then I am pretty sure he can get a server/network to handle them.

        • >> Dude, if you can get a server/network which lets you email 5,000,000 messages in 5 minutes then I am pretty sure he can get a server/network to handle them.

          Umm, no. I don't see anything about methods in TFA, but wouldn't you launch the attack from multiple IPs across multiple address blocks. Like, you know, a "distributed" DOS?

          Only one outcome to that scenario...
    • YEARH MAAAN!!!! Thos guys derverved to got raped!!!
    • by Anonymous Coward
      I'am wondering if this helps my case in any way. I stand trial in the Netherlands because I informed a spammer I dodn't like there e-mails. Quite often, 70.000 times according to the spammer, but I think rule #1 is in effect. p.s. In the Netherlands initials are used when newspapers report about suspects, my initials are actually A.C.
    • Hmm, I notice you still don't post your email address publically though.
  • Proof... (Score:5, Insightful)

    by hoka ( 880785 ) on Thursday November 03, 2005 @12:48AM (#13938576)
    That law has a hard time keeping up with technology. It takes a long time for laws to be made, changed, proven, and stand up in court. It doesn't take nearly as long in the technological world for attacks, defenses, and things in general to change. This is where a lot of the problems are coming from, since most of the time when you get things that are pushed out quickly there are all sorts of acts or laws such as the DMCA or Canadian Do-Not-Call list) which contain all sorts of problems in one way or another. It's just a shame it will take so long for things to really shape up.

    Really quite a predicament when too fast means you get poorly written laws, and too slow means the bad guys can work "legally" for a while...
    • Re:Proof... (Score:3, Interesting)

      by woolio ( 927141 ) *
      I think its the letter of the law that confuses people.

      If 1000 people camped out in the middle of a public road in front of the entrance to a company, would they be breaking a crime by not allowing people to enter/exit? In essence, they would be executing a "denial of service" attack to the companies road.

      Or what if a few 18-wheelers decided to park in the middle of an interstate to block it. This is also a DOS attack.

      What if 1 million people concertedly & simultaneously dialed 911 for "testing pur
      • IANAL either, and I speak only for the UK

        If 1000 people camped out in the middle of a public road in front of the entrance to a company, would they be breaking a crime by not allowing people to enter/exit? In essence, they would be executing a "denial of service" attack to the companies road.

        Yes, they are comitting a crime. Such protests do take place occasionally, and there's always video footage of the police dragging protesters off to the cells, because you are not allowed to block a road or an entrance
    • A long time for laws to be made? Are you kidding?

      The minimum time it takes for a law to pass takes precisely as long as it takes for something to blow up. You want a law passed all you need to do is connect it to some explosion and it will be in tomorrow.
      • Thats why I specifically referred to laws that are put together with haste as being riddled with problems, and while not necessarily technologically specific, the PATRIOT act makes an excellent example of this. I'm no lawyer but I'd make a guess that proper laws (or really anything) that has a lot of time and debate put into it will make a better law than something pushed out the door in a few days.
  • Your Rights Online? (Score:4, Interesting)

    by goofyheadedpunk ( 807517 ) <(goofyheadedpunk) (at) (gmail.com)> on Thursday November 03, 2005 @12:50AM (#13938581)
    At first I was a bit confused as to why this was posted in the your rights online section, until I considered this case from the point of view of the poor bastard that got blasted by the former employee. Denial of service attacks have been around quite some time before 1990. If UK law doesn't considered this sort of computer act to be illegal what else isn't? What is illegal?
    • Illegal is to use lynx and to type URL manually, as was covered by previous slashdot posts.
      If this guy would be punished for annoying people by sending 3 millions E-Mails, it would set precedent to punish spammers.

      It would seriously harm advertising industry, if spam would be banned. No responsible jugde would allow this to happen.
      • It would seriously harm advertising industry, if spam would be banned. No responsible jugde would allow this to happen.

        how so??? I don't get spam from reputable companies anyway... all my spam comes from some tossers in Florida trying to get me to buy Medz, or replica watches, or get a degree for no work... no reputable businesses there.

      • "It would seriously harm advertising industry, if spam would be banned. No responsible jugde would allow this to happen."

        That is not the judge's choice. He only interprets laws, he cannot invent it. You are thinking of America, I think?
    • What is illegal?

      Getting on trains, if you're Brazilian.
    • If UK law doesn't considered this sort of computer act to be illegal what else isn't? What is illegal?

      The Computer Misuse Act 1990 [opsi.gov.uk] created three offences: unauthorised access to computer material, unauthorised access with intent to commit or facilitate commission of further offences, and unauthorised modification of computer material. In this case, the judge ruled that a DoS isn't an unauthorised modification because the modification to the server caused by each individual email was authorised. Earlier

  • revenge (Score:4, Funny)

    by Muhammar ( 659468 ) on Thursday November 03, 2005 @12:57AM (#13938601)
    maybe the company can claim that the dude made some threats in the past. Maybe they can label him as a super-advanced cyber-terrorist and extradite him to US. (Maybe they can make him disapper there - in one of the secret prisons.) Wait - with the Blunkett laws, maybe they can do this without US help.
  • by EiZei ( 848645 ) on Thursday November 03, 2005 @01:06AM (#13938630)
    It's illegal to mod your gaming console or copy your copy-protected CDs to your iPod but go ahead and fuck up some email servers? Got it.
  • spam (Score:1, Insightful)

    While he got off on the computer misuse charge, what about spamming? Couldn't it be argued he was sending unsolicited email to this bloke? Do the UK have such laws?
    • Re:spam (Score:3, Informative)

      by sr180 ( 700526 )
      He had a previous relationship with the company concerned, them being his employer, so it could not be classified as spam.
    • Re:spam (Score:3, Interesting)

      I don't think any *criminal* act was carried out here. This doesn't mean the company couldn't sue for loss of earnings or disruption to buisness. It's just not something the Crown can prosecute for. Of course, that's my best guess. I'm no law expert.
  • Congrats (Score:4, Funny)

    by SnarfQuest ( 469614 ) on Thursday November 03, 2005 @01:28AM (#13938734)
    Let's all send him email's of congratulation. 5,000,000 per ./ reader seems appropriate.

    Or maybe sign him up for a few catalogs.
  • slashdotted (Score:1, Funny)

    by Anonymous Coward
    Computer Misuse Act is a bit outdated being that it was created 15 years ago when a number, perhaps most, of the current methods for misuse of computers were not contemplated.

    yes, i'm feeling like slashdotting my employer's website.
  • by ZachPruckowski ( 918562 ) <zachary.pruckowski@gmail.com> on Thursday November 03, 2005 @01:46AM (#13938792)
    If the editors had written it like "his previous employers, who are at this link: _______", then we'd get to see if they got around to updating that server. My money is on 'yes'.
  • This is so blatantly obvious; since the teen is not doing anything illegal, couldn't the company just do the very same thing. Perhaps stretching it futher to SMS-bomb, phone-bomb, snailmail-bomb and DoS-bomb him for the rest of his sorry life?

  • Just imagine that :) His device in his pocket, vibrating all day long... neeeeaaat?

    Perhaps his exec forced him to do that?
  • by irw ( 204684 ) on Thursday November 03, 2005 @06:14AM (#13939641)
    The Computer Misuse Act seems to have been designed to encode the electronic equivalent of breaking-and-entering (offences 1 & 2) and criminal damage (offence 3).

    Denial of service is probably very difficult to encode in a similar fashion, since I do not see what *criminal* offence it would equate to.

    In this particular care, there is no essential difference between sending a million emails and sending a million letters by post - both would swamp the service, but equally both are simply making use of the (e)mailing infrastructure as it was designed. (Yes I know letters cost more. That's irrelevant - they require more effort to deliver, and are priced accordingly).

    Taking a different example, such as opening thousands of connections to a server with intent to deprive others' of access to it, I still can't see what equivalent physical world *criminal* offence has been committed. In this case an analogy requires many people, but what difference is it if a thousand people stand on the pavement outside a shop entrance effectively preventing other shoppers from entering, due to weight of numbers? Sure, the police can ask people to move on, which is the same as closing those open connections, no?

    Since most electronic systems only enact operations which have equivalents in the physical world, I do not see how it would be right to create a law which makes the electronic equivalent illegal, when the physical original is not. This use of legislation creates the likes of the DMCA.

    The Computer Misuse Act is a rare example of a really *good* law which is (1) broad enough to capture most offenders (2) easily tested for applicabilty i.e. not complicated with exceptions, extensions, etc and (3) not so vague that it is open to abuse.
    • Hmm, thinking about it, does anyone know if there is a charge of criminal harassment?
    • The Computer Misuse Act is a rare example of a really *good* law which is (1) broad enough to capture most offenders (2) easily tested for applicabilty i.e. not complicated with exceptions, extensions, etc and (3) not so vague that it is open to abuse.

      From TFA:
      The CMA, which was introduced in 1990, does not specifically include a denial-of-service attack as a criminal offense, something some members of the U.K. parliament want changed. However, it does explicitly outlaw the "unauthorized access" and "

      • by irw ( 204684 ) on Thursday November 03, 2005 @09:52AM (#13940327)
        Why not set up www.you're-not-allowed-to-look-at-this.com and launch a criminal suit against anyone who has a peek? In fact, you are officially NOT AUTHORISED to read this message.

        You wouldn't get very far with this argument. Anything placed on a website is published. Anything published is public, therefore access is de facto authorised.

        Now obviously you can put access controls on a website. But then you've taken a step to define authorised access. If you give someone a username and password, you've granted access. If someone obtains a username or password without permission, that's unauthorised. If someone bypasses this access control (and this bypass would probably have to be non-trivial; so if for example someone could cut and paste a URL which went directly to the material without being prompted, this would not apply) then it is unauthorised.

        I personally think that "computer material" was a bad choice of phrase, and that "computer system(s)" is more appropriate. I cannot think of a way in which access controls could be devised which would NOT involve the owner of a computer system defining (at least implicitly) "authorised access". I'd make the assumption that in giving permission to put computer material on a computer system the owner of the material has agreed with the owner of the system on what arrangements are made for authorised access.

        If my reading is correct it means a court gets to decide what is or is not authorised based on the circumstances, which is the Right Way IMO. Putting every conceivable situation in the Act would either be draconian or prone to loopholes as previously unconsidered situations arise.

        Please give post your e-mail address so I can send details of the criminal suit against you 5 million times.

        You're joking, of course. I suspect you could be charged with harassment (though maybe not criminally) and I would seek an injunction to stop you. Furthermore, the fact that you have made a threat which you are capable of carrying out might be common assault (which is a criminal offence).

  • Attack? (Score:2, Insightful)

    by FreakUnique ( 927847 )
    Just because this guy sent x amount of emails it doesn't take away the fact that he destroyed a computer network infrstructure, which can be applied as criminal damage. That can be recompensed by the criminal for replacing the equipment and lost revenue. On a similar note, some berk's managed to ping my website into submission so that it cannot be view for the rest of the month. If I ever find who did it then there will be serious hell to pay.
    • Just because this guy sent x amount of emails it doesn't take away the fact that he destroyed a computer network infrstructure, which can be applied as criminal damage.

      The sending of emails was using the system in the manner for which it was designed. If the system cannot cope, design a better system.

      If you send a 30-ton package via airmail and the plane crashed because it was overladen, that's not your fault. The package should have been refused. Similarly, the email system designer should/could have

  • Article does not say...

    What the f*** was he sending that many emails for in the first place?

    Because even if the law that dinged him is outdated, if DOS'ing (or even as simple as making mishchief) _was_ his intent, given the results, criminal activity was present (it seems that he just got charged specifically with the wrong thing).

  • There's no case for prosecuting children for a minor one-time assualt, when every minute the organised crime syndicate of marketeers known as spammers continue their mass harrassment of the entire population to a far worse extent.

    Slashdot had better hope so or else they could be eligible for DoS prosecution.

Matter cannot be created or destroyed, nor can it be returned without a receipt.

Working...