Teen Sentenced in DOS E-Mail Attack

British prosecutors claimed a victory after an 18-year-old man pleaded guilty on Wednesday to crashing his former employer’s server with a flood of 5 million e-mails.

David Lennon of Bedworth, Warwickshire, was charged with violating the Computer Misuse Act of 1990, which prohibits the unauthorized modification of a computer.

Lennon admitted to having “modified” the server of Domestic and General Group, a company that provides warranties for domestic appliances, by sending the e-mail. But he claimed the e-mail flood was not unauthorized since the website invited comments.

In November a district judge agreed, casting doubt on whether the United Kingdom’s computer crime law was precise enough to allow the successful prosecution of certain kinds of denial-of-service (DOS) attacks.

Prosecutors appealed the ruling, and the Royal Courts of Justice sent the case back to trial on the grounds that the volume of e-mail Lennon sent didn’t constitute authorized use.

As a result, Lennon pleaded guilty and was sentenced to two months’ curfew, according to the Crown Prosecution Service (CPS), which means he is confined to his home for parts of the day.

While the law wasn’t written specifically for an e-mail DOS attack, “it’s flexible enough … that the law can develop alongside as technology develops,” a CPS spokesman said.

U.K. legislators are debating revisions to the Computer Misuse Act, which is part of the Police and Justice Bill, a broad package of law-enforcement legislation.

The revisions would increase the maximum penalty for unauthorized modification of a computer, under which DOS attacks could be included, from five to 10 years. The maximum penalty for unauthorized access would be raised to two years, up from six months.

By Jeremy Kirk, IDG News Service (London Bureau)

Related Links:

• Dangerous Waters

• How a Bookmaker and a Whiz Kid Took On an Extortionist—and Won

Keep checking in at our Security Feed page for updated news coverage.