The owner of a web hosting company tried to promote his anti-DDoS kit and highlight vulnerabilities by launching two brief DDoS (distributed denial of service) attacks against the Hong Kong stock exchange, but he instead wound up convicted and sentenced to nine months in jail.
According to the South China Morning Post, 28-year-old Tse Man-lai, owner of local web hosting company Pacswitch Globe Telecom, was found guilty in October of “highly reckless” cyberattacks on the Hong Kong Exchanges and Clearing (HKEx) news site on two days in August last year.
He was sentenced on Friday.
Judge Kim Longley cited seven companies with a combined value of HK$1.5 trillion that were forced to suspend trading because of the attacks, including HSBC and Cathay Pacific Airways.
Tse claimed that he accessed the HKEx site in two brief spurts, the first lasting 390 seconds and the second lasting only 70 seconds.
In his defence, Tse said he was only on long enough to take photos and video footage documenting his attacks, an account that the judge accepted.
Tse had sought to demonstrate that the exchange’s news site was still vulnerable after having endured two other DDoS attacks from hundreds of computers outside of Hong Kong.
He claims to have invented a technique to prevent such attacks and planned to use the screen images and video of his attacks to market his defence method.
The South China Morning Post noted that a former lawmaker for the technology industry spoke up for Tse, saying that his work had “advanced IT” in Hong Kong.
Senior Inspector Raymond Cao Wai-ki, of the Commercial Crime Bureau technology crime division, told the Post that Tse’s hacking didn’t damage the site, but that the prison term would send a clear message that the Internet is “not a lawless territory”.
Is Tse’s sentence fair? Wasn’t he acting as an ethical hacker, out to poke the stock exchange in the ribs? Didn’t the stock exchange need that poke, given that it was still vulnerable after suffering a DDoS?
Yes, HKEx did need a wake-up call, but when it comes to ethical hacking, the devil’s in the details.
The details here include the fact that Tse didn’t receive authorisation to test the stock exchange’s defences.
On the subject of liability for ethical hacking, Struan Robertson, legal director at Pinsent Masons LLP and editor of OUT-LAW.com, told Info Security Magazine a few years ago that, at least in England, the lack of authorisation alone could have netted Tse up to two years in prison for unauthorised access, or up to 10 years if he had modified data or impaired a system's operation in the course of his marauding. (Worth noting for anyone planning a similar "demonstration": a DDoS is itself an unauthorised act intended to impair the operation of a computer, which is the more serious of those two offences under the UK's Computer Misuse Act, not the access offence.)
"Broadly speaking, if the access to a system is authorised, the hacking is ethical and legal. If it isn't, there's an offence under the Computer Misuse Act. The unauthorised access offence covers everything from guessing the password, to accessing someone's webmail account, to cracking the security of a bank... There's no defence in our hacking laws that your behavior is for the greater good. Even if it's what you believe."
Tse should have reported the security weakness to HKEx and obtained written authorisation before testing anything.
Clever marketing stunts deserve to be applauded, but not when they amount to sticking your foot out and causing others to stumble.