At a time when DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks are in the spotlight because of Wikileaks and the "Sinde law", the new Penal Code came into force last December 23. It now includes penalties for damage to computer systems. Unlike before, the damage no longer has to be physical: it is enough to stop or hinder the normal functioning of third parties' systems, seriously and without authorization, to commit a crime punishable by up to two years in prison, and that includes DoS/DDoS attacks.
For those who do not know it, this is how Article 264 of our Penal Code reads as of December 23, 2010. I copy and paste it here, because ignorance of the law does not exempt anyone from complying with it strictly:
"1. Whoever, by any means, without authorization and seriously, erases, damages, deteriorates, alters, deletes or renders inaccessible data, software or electronic documents belonging to others, when the result produced is serious, shall be punished with imprisonment from six months to two years.
2. Whoever, by any means, without authorization and seriously, obstructs or interrupts the operation of another's computer system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data, when the result produced is serious, shall be punished with imprisonment from six months to three years."
Here we see that the key words up for discussion would be "seriously", "obstruct or interrupt the operation of another's computer system" and "rendering inaccessible computer data". Surely, that said, there will be opinions for all tastes. But I have no doubt that this article of the Penal Code was also intended to punish severely DoS/DDoS attacks such as those suffered in their time by Digg or Genbeta.
From my point of view, the current wording of the Penal Code leaves it to the discretion of the judge to decide whether a service has been hindered or interrupted seriously, something that can be very vague and dangerous, especially in a situation of public alarm or heavy media impact. As it stands, I see little to prevent the "seriousness of the attack" from being assessed based on its actual results (a crash, the time the system is down, the economic losses caused, etc.), or based on the effectiveness of the means used for the attack (number of requests per second from a certain IP, how long the requests from a particular IP are sustained, exercising remote control of a "botnet", using a specific program for DoS/DDoS, etc.), which adds more uncertainty to the matter.
It is evident that if 3 million Spaniards "decide" to access a certain web page at the same time, it is very likely to go down, and although the effect may be the same as that of a DoS/DDoS, little can be done from a legal standpoint. One may try to blame the "mastermind" of that "agreement" to access a website simultaneously, if he is clearly identified, but I doubt that would prosper at trial. At the end of the day, even if the preceding action was aimed at crashing the system, we can always say that those hits were "legitimate" and that individually, one by one, they cannot crash the system. More or less, we can say we are in the case of Fuenteovejuna: how do we tell the mutineers apart from those who were just trying to access the page, or from those who simply wanted to "check" that it was down, driven by morbid curiosity?
However, if a certain number of users are using a software tool such as LOIC (Low Orbit Ion Cannon), then, depending on the characteristics of the system and the bandwidth of the connection, each can launch "x" requests per second against a server and sustain them for a time "y". If the end result is the total collapse of the system for a certain period of time, it is very likely that the Court will decide to take some action against the users who are behind those IPs, at least to determine their guilt and involvement in the events.
However, since the current wording of the Penal Code makes no distinction and sets no additional condition for a DoS/DDoS to be considered a crime, it worries me that criminal intent, in criminal law, covers both the intention in the subject's conduct (the deliberate use of a specific program to carry out a DoS/DDoS) and the failure to act with diligence when there is a legal obligation to act. For example, when our computer is part of a "botnet" and a judge determines that we are guilty of not having used all the technical means at our disposal to prevent our computer from being used maliciously by third parties, and as a result some company, individual or public institution has suffered serious injury.
The lawyer David Bravo has said that DoS/DDoS attacks such as the one recently suffered by the SGAE at the hands of Anonymous could, from December 23, be classified as a crime, rather than as a civil offense prosecutable at the request of the affected party and punishable with a simple fine. There is no doubt that the change is important.
However, even if in the end the judge, in his superior discretion, determines that we are not guilty of anything because we are mere inadvertent victims of a "botnet", it seems likely that, as Microsoft states in a recent report, Spain is a world leader in infected systems that have become part of "botnets", with an estimate of nearly 382,000 computers affected. These are computers that can be used to commit a wide variety of telematic crimes which, since December 23, are part of the Penal Code. You do not have to be a lynx to work out what this may mean, from a legal standpoint, for some careless users. So if we are not sure of the actual security of our system at this moment, we can ask ourselves: Are we one of the users affected by malware? Is my computer part of a botnet? Why do the lights on my ADSL blink so quickly when they should not?
Unfortunately, as Hispasec denounced in 2007, security was not a priority for users, but in late 2010, with malware that is much more sophisticated and difficult for antivirus to detect, it seems that security still is not a priority for overconfident Spanish users. Of course now, with the Penal Code in hand, these same users, previously happy and carefree, have good reasons to learn a little more about computer security and to be more cautious with the software that runs, noticed or unnoticed, on their computer systems. Don't you think?
Copyleft 2010