Lycos goes straight

One way to avoid criminal prosecution


After a week of well-deserved criticism, Lycos is abandoning its scheme to launch denial-of-service attacks against spammy websites. Did the company reform in time to avoid criminal prosecution?

A short-lived project by Lycos's European subsidiary to give users a method to "attack" spammers was an overall bad idea, albeit motivated by a laudable goal.

On December 1, 2004 Lycos Europe NV offered users the ability to download a special screensaver that reportedly used the spare cycles of your computer to continuously send HTTP requests to a list of sites that Lycos has put on its "blacklist" as belonging to identified spammers. The assumption is that, if enough people download the screen saver, the "spammers" will be bombarded with tens of millions of HTTP requests, thereby slowing down their servers, and substantially impeding their ability to send spam.

A spokesman for Lycos Europe reportedly defended the tactic stating that it was not a denial-of-service, since the attack was designed to only use up 95 per cent of the available bandwidth, always making sure that at least five per cent of capacity was available - thus, it was lawful, Lycos claimed, because service was not completely "denied."

While the goal of eliminating spam and punishing spammers is a laudable one, the approach taken by Lycos Europe was not only wrong-headed, but likely felonious.

The first problem with the Lycos screensaver solution arises out of the blacklist itself. While many companies maintain such a list, they don't appear to be required to have any particular standards for maintaining, updating, and most importantly removing entities from these lists. And woe to the unfortunate company or entity that finds itself on such a list through an accident or momentary oversight.

Lycos' approach raises the blacklist stakes considerably. It's one thing to be on a list that prevents you from sending mail - quite another if your inclusion suddenly makes you the target of an attack. This is one of the primary reasons that the law traditionally disfavors "self-help". If my company were the victim of a distributed "almost denial-of-service" attack from users of the Lycos screensaver and blacklist, you bet I would be hauling their collective derrieres into court.

Moreover, it's not just the blacklisted entities that would suffer in these attacks. The ISPs that host these entities will also experience significant slowdown in performance, as will anyone else whose websites or services are hosted on the same ISP. This is particularly true if the ISP attempts to "load balance" the unusual volume of traffic.

Now, you may reply: "Serves 'em right for hosting the damned spammers." Okay; fair enough. But such a result would mandate that the ISPs be responsible for the content, volume and nature of traffic sent across their networks. We already require ISPs to "take down" infringing copyrighted and trademarked materials, notify the cops if they see illegal porn - now we are going to require them to determine whether a website they host is promoted by someone sending too much email to the wrong people? I don't think so.

Crime and Punishment

The second issue for the screensaver purveyors is distinguishing such software from viruses, worms, Trojan horses, and malicious spyware as applied to the computers onto which it is downloaded.

If those who downloaded the screensaver weren't aware of the fact that they would be a vector for an attack, then the program might be illegal. The essence of the US computer crime statute, like the UK Computer Misuse Act and its variants throughout Europe and Asia, is to proscribe "unauthorized access" to computers. Programs that run on your computer without effective consent and do things you don't want them to (like spyware and Trojans) potentially run afoul of these statutes.

More importantly, if the downloaders did know that they were downloading software that is designed to slow down other people's computers without their consent, then they themselves run the risk of criminal prosecution. It's not a valid defense to claim that an individual computer itself did not slow down the victim's computer.

That means Lycos Europe was effectively encouraging thousands (if not millions) of people to engage in concerted illegal conduct.

Another problem with the software is that it makes not only its purveyors but also its users potential targets for attack. It has already been reported (and denied) that Lycos Europe was the target itself of a denial-of-service attack. Although its developers claim that the IP addresses of those who use the screensaver and therefore send the traffic are not available to the victims, I personally don't see how you can establish HTTP sessions anonymously directly from your machine. Thus, corporate network owners may find themselves the victims of an escalation of attacks and counter-attacks. See what happens when we take the law into our own hands?

Finally, to Lycos's claim that it was not furthering an "actual" denial-of-service, but merely slowing down the spammers' computers, I say "Nuts!" In fact, virtually none of the actual "denial-of-service" attacks that have been successfully prosecuted involved a complete denial-of-service. The law merely requires that the attack "affect" the victim's computer, or impair its operation. If a Trojan horse were to merely slow your computer down by 95 per cent, but not completely stop it, would this preclude a prosecution of either its author or its purveyors?

After suffering a week of well-deserved criticism, Lycos announced on Monday that it's abandoning the denial-of-service program. Smart move. In the US, we have a name for people who intentionally distribute and use software designed to impair the operations of others' computers without their consent. We call them "defendant."

Copyright © 2004, SecurityFocus

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
