Lycos goes straight

One way to avoid criminal prosecution


After a week of well-deserved criticism, Lycos is abandoning its scheme to launch denial-of-service attacks against spammy websites. Did the company reform in time to avoid criminal prosecution?

A short-lived project by Lycos's European subsidiary to give users a method to "attack" spammers was an overall bad idea, albeit motivated by a laudable goal.

On December 1, 2004 Lycos Europe NV offered users the ability to download a special screensaver that reportedly used the spare cycles of your computer to continuously send HTTP requests to a list of sites that Lycos has put on its "blacklist" as belonging to identified spammers. The assumption is that, if enough people download the screen saver, the "spammers" will be bombarded with tens of millions of HTTP requests, thereby slowing down their servers, and substantially impeding their ability to send spam.

A spokesman for Lycos Europe reportedly defended the tactic stating that it was not a denial-of-service, since the attack was designed to only use up 95 per cent of the available bandwidth, always making sure that at least five per cent of capacity was available - thus, it was lawful, Lycos claimed, because service was not completely "denied."

While the goal of eliminating spam and punishing spammers is a laudable one, the approach taken by Lycos Europe was not only wrong-headed, but likely felonious.

The first problem with the Lycos screensaver solution arises out of the blacklist itself. While many companies maintain such a list, they don't appear to be required to have any particular standards for maintaining, updating, and most importantly removing entities from these lists. And woe to the unfortunate company or entity that finds itself on such a list through an accident or momentary oversight.

Lycos' approach raises the blacklist stakes considerably. It's one thing to be on a list that prevents you from sending mail - quite another if your inclusion suddenly makes you the target of an attack. This is one of the primary reasons that the law traditionally disfavors "self-help". If my company were the victim of a distributed "almost denial-of-service" attack from users of the Lycos screensaver and blacklist, you bet I would be hauling their collective derrieres into court.

Moreover, it's not just the blacklisted entities that would suffer in these attacks. The ISPs that host these entities will also experience significant slowdown in performance, as will anyone else whose websites or services are hosted on the same ISP. This is particularly true if the ISP attempts to "load balance" the unusual volume of traffic.

Now, you may reply: "Serves 'em right for hosting the damned spammers." Okay; fair enough. But such a result would mandate that the ISPs be responsible for the content, volume and nature of traffic sent across their networks. We already require ISPs to "take down" infringing copyrighted and trademarked materials, notify the cops if they see illegal porn - now we are going to require them to determine whether a website they host is promoted by someone sending too much email to the wrong people? I don't think so.

Crime and Punishment

The second issue for the screensaver purveyors is distinguishing such software from viruses, worms, Trojan horses, and malicious spyware as applied to the computers onto which it is downloaded.

If those who downloaded the screensaver weren't aware of the fact that they will be a vector for an attack, then the program might be illegal. The essence of the US computer crime statute, like the UK Computer Misuse Act and its variants throughout Europe and Asia, is to proscribe "unauthorized access" to computers. Programs that run on your computer without effective consent and do things you don't want them to (like spyware and Trojans) potentially run afoul of these statutes.

More importantly, if the downloaders did know that they were downloading software that is designed to slow down other people's computers without their consent, then they themselves run the risk of criminal prosecution. It's not a valid defense to claim that an individual computer itself did not slow down the victim's computer.

That means Lycos Europe was effectively encouraging thousands (if not millions) of people to engage in concerted illegal conduct.

Another problem with the software is that it makes not only its purveyors but also its users potential targets for attack. It has already been reported (and denied) that Lycos Europe was the target itself of a denial-of-service attack. Although its developers claim that the IP addresses of those who use the screensaver and therefore send the traffic are not available to the victims, I personally don't see how you can establish HTTP sessions anonymously directly from your machine. Thus, corporate network owners may find themselves the victims of an escalation of attacks and counter-attacks. See what happens when we take the law into our own hands?

Finally, to Lycos's claim that it was not furthering an "actual" denial-of-service, but merely slowing down the spammers' computers, I say "Nuts!" In fact, virtually none of the actual "denial-of-service" attacks that have been successfully prosecuted involved a complete denial-of-service. The law merely requires that the attack "affect" the victim's computer, or impair its operation. If a Trojan horse were to merely slow your computer down by 95 per cent, but not completely stop it, would this preclude a prosecution of either its author or its purveyors?

After suffering a week of well-deserved criticism, Lycos announced on Monday that it's abandoning the denial-of-service program. Smart move. In the US, we have a name for people who intentionally distribute and use software designed to impair the operations of others' computers without their consent. We call them "defendant."

Copyright © 2004, SecurityFocus

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
