Feeds

Lycos goes straight

One way to avoid criminal prosecution

  • alert
  • submit to reddit

SANS - Survey on application security programs

After a week of well-deserved criticism, Lycos is abandoning its scheme to launch denial-of-service attacks against spammy websites. Did the company reform in time to avoid criminal prosecution?

A short-lived project by Lycos's European subsidiary to give users a method to "attack" spammers was an overall bad idea, albeit motivated by a laudable goal.

On December 1, 2004 Lycos Europe NV offered users the ability to download a special screensaver that reportedly used the spare cycles of your computer to continuously send HTTP requests to a list of sites that Lycos has put on its "blacklist" as belonging to identified spammers. The assumption is that, if enough people download the screen saver, the "spammers" will be bombarded with tens of millions of HTTP requests, thereby slowing down their servers, and substantially impeding their ability to send spam.

A spokesman for Lycos Europe reportedly defended the tactic stating that it was not a denial-of-service, since the attack was designed to only use up 95 per cent of the available bandwidth, always making sure that at least five per cent of capacity was available - thus, it was lawful, Lycos claimed, because service was not completely "denied."

While the goal of eliminating spam and punishing spammers is a laudable one, the approach taken by Lycos Europe was not only wrong-headed, but likely felonious.

The first problem with the Lycos screensaver solution arises out of the blacklist itself. While many companies maintain such a list, they don't appear to be required to have any particular standards for maintaining, updating, and most importantly removing entities from these lists. And woe to the unfortunate company or entity that finds itself on such a list through an accident or momentary oversight.

Lycos' approach raises the blacklist stakes considerably. It's one thing to be on a list that prevents you from sending mail - quite another if your inclusion suddenly makes you the target of an attack. This is one of the primary reasons that the law traditionally disfavors "self-help". If my company were the victim of a distributed "almost denial-of-service" attack from users of the Lycos screensaver and blacklist, you bet I would be hauling their collective derrieres into court.

Moreover, its not just the blacklisted entities that would suffer in these attacks. The ISPs that host these entities will also experience significant slowdown in performance, as will anyone else whose websites or services are hosted on the same ISP. This is particularly true if the ISP attempts to "load balance" the unusual volume of traffic.

Now, you may reply: "Serves 'em right for hosting the damned spammers." Okay; fair enough. But such a result would mandate that the ISPs be responsible for the content, volume and nature of traffic sent across their networks. We already require ISP's to "take down" infringing copyrighted and trademarked materials, notify the cops if they see illegal porn - now we are going to require them to determine whether a website they host is promoted by someone sending too much email to the wrong people? I don't think so.

Crime and Punishment

The second issue for the screensaver purveyors is distinguishing such software from viruses, worms, Trojan horses, and malicious spyware as applied to the computers onto which it is downloaded.

If those who downloaded the screensaver weren't aware of the fact that they will be a vector for an attack, than the program might be illegal. The essence of the US computer crime statute, like the UK computer misuse act and its variants throughout Europe and Asia, is to proscribe "unauthorized access" to computers. Programs that run on your computer without effective consent and do things you don't want them to (like spyware and Trojans) potentially run afoul of these statutes.

More importantly, if the downloaders did know that they were downloading software that is designed to slow down other people's computers without their consent, then the they themselves run the risk of criminal prosecution. It's not a valid defense to claim that an individual computer itself did not slow down the victim's computer.

That means Lycos Europe was effectively encouraging thousands (if not millions) of people to engage in concerted illegal conduct.

Another problem with the software is that it makes not only its purveyors but also its users potential targets for attack. It has already been reported (and denied) that Lycos Europe was the target itself of a denial-of-service attack. Although its developers claim that the IP addresses of those who use the screensaver and therefore send the traffic are not available to the victims, I personally don't see how you can establish HTTP sessions anonymously directly from your machine. Thus, corporate network owners may find themselves the victims of an escalation of attacks and counter-attacks. See what happens when we take the law into our own hands?

Finally, to Lycos's claim that it was not furthering an "actual" denial-of-service, but merely slowing down the spammers' computers, I say "Nuts!" In fact, virtually none of the actual "denial-of-service" attacks that have been successfully prosecuted involved a complete denial-of-service. The law merely requires that the attack "affect" the victim's computer, or impair its operation. If a Trojan horse were to merely slow your computer down by 95 per cent, but not completely stop it, would this preclude a prosecution of either its author of its purveyors?

After suffering week of well-deserved criticism, Lycos announced on Monday that it's abandoning the denial-of-service program. Smart move. In the US, we have a name for people who intentionally distribute and use software designed to impair the operations of others' computers without their consent. We call them "defendant."

Copyright © 2004, SecurityFocus logo

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Related stories

Lycos antispam site taken offline
Hackers nobble Lycos anti-spam plan
Lycos screensaver to blitz spam servers

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.