Cyber Defense Law | Botnet | Computer Crime Lawsuit

Microsoft breaks new legal ground. From a US Federal court, Microsoft has obtained a temporary restraining order (ex parte TRO) that allows Microsoft and its white hat affiliates to take (apparently) aggressive technical measures against the Waledac botnet.

The TRO is available for download at The TRO explicitly orders Verisign to lock domains at the registry level and to hold the domains in escrow.

Query whether any of these steps by Verisign would arguably qualify as "hacking" in the absence of the TRO. For discussion purposes, we can define "hacking" as entering a computer without authority -- or exceeding authority within a computer -- and causing damage. Maybe one could say Verisign is "hacking" because, as it locks domains, it:

1. enters computers that it owns or duly controls;

2. exceeds its authority in those computers because it locks domains that putatively belong to another person; and

3. damages that other person.

Stephen Paluck of Beaverton, Oregon, complains that actions taken under the TRO interrupted service for his domain,, and he's done nothing wrong. Wingfield & Worthen, "Microsoft Battles Cyber Criminals," Wall Street Journal, 26 Feb. 2010.

Legal and Technical Measures Invoked Against Botnet

Microsoft further says, "Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet . . ." The company does not reveal what these additional countermeasures are. Query whether any of these measures would arguably qualify as "hacking" in the absence of the TRO or other legal justification.

PCWorld sheds some light on those additional countermeasures: "Waledac distributes instructions through command-and-control servers that work with a peer-to-peer system. [According to a researcher who worked with Microsoft,] 'We disrupted the peer-to-peer layer to redirect traffic not to botmaster servers but to our servers.'"

In my research, I have only found one case [Cartier Int'l, B.V. v. Dipadova, CV 00-06717 (C.D. Cal.) (entered Nov. 7, 2000)] where a judge authorized technical measures -- the disabling of a web page (a legal hack) -- to combat an online threat or menace. Has anyone found any other such case?

On the issue whether any of the technical steps in this Waledac botnet case are causing "damage": Microsoft posted a $54,600 bond so that money would be available to compensate the defendants (presumably these people are mainly botnet herders) if the TRO causes damage to them without justification.

Legal Lessons from Microsoft's Team

Microsoft is teaching us how to use civil law enforcement measures -- as distinguished from criminal law enforcement -- to respond to malicious Internet behavior like phishing, hacking, cybertheft and identity theft.

Notice that Microsoft is not doing this in the dark. It is working through our open public court system, so that Microsoft is transparent and accountable and all can see what is happening and evaluate it.

–Benjamin Wright - Legal Issues Instructor at the SANS Institute, where he teaches professionals the law of malware, e-discovery, data security, internal investigations and the Computer Fraud and Abuse Act.

[This post was originally published 2010 on Mr. Wright's Google Buzz page.]