The majority of the traffic on the web is from bots. For the most part, these bots are used to discover new content. These are RSS Feed readers, search engines crawling your content, or nowadays AI bo
Out of curiosity, what is illegal about it, exactly?
I mean I am not a lawyer.
In Germany we have § 303 b StGB. In short it says if you hinder someone else's data processing through physical means or malicious data you can go to jail for up to 3 years. If it is a major process for someone you can get up to 5 and in major cases up to 10 years.
So if you have a zip bomb on your system and a crawler reads and unpacks it you did two crimes. 1. You hindered that crawler's data processing 2. Some ISP nodes look into it and can crash too. If the ISP is pissed off enough you can go to jail for 5 years. This applies even if you didn't crash them due to them having protection against it, because trying it is also against the law.
Having a zip bomb is part of a gray area. Because trying to disrupt data processing is illegal, having a zip bomb can be considered trying; however, I am not aware of any judgement in this regard.
Edit: btw if you password protect your zip bomb, everything is fine
Severely disrupting other people’s data processing of significant import to them. By submitting malicious data requires intent to cause harm, physical destruction, deletion, etc, doesn’t. This is about crashing people’s payroll systems, DDoSing, etc. Not burning some CPU cycles and having a crawler subprocess crash with OOM.
Why the hell would an ISP have a look at this. And even if, they’re professional enough to detect zip bombs. Which btw is why this whole thing is pointless anyway: If you class requests as malicious, just don’t serve them. If that’s not enough it’s much more sensible to go the Anubis route and demand proof of work as that catches crawlers which come from a gazillion IPs with different user agents etc.
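An added example, not written by any poster in this thread: a receiver-side guard of the kind the comment above alludes to when it says operators can detect zip bombs. It inflates a gzip or zlib body in bounded steps and stops once an output-size or expansion-ratio limit is crossed; the function names and all limit values are assumptions chosen for the illustration.

```python
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """Compressed body expanded past the configured limits."""


def bounded_inflate(data, max_output=1 << 20, max_ratio=100,
                    ratio_floor=64 * 1024, step=16 * 1024):
    """Inflate a gzip or zlib body, aborting once a limit is crossed.

    All limits are illustrative values, not recommendations.
    """
    d = zlib.decompressobj(wbits=47)  # 32 + 15: auto-detect gzip/zlib header
    out = bytearray()
    buf = data
    while buf and not d.eof:
        # max_length=step bounds the output of each call, so memory use
        # cannot jump far past the limits between two checks.
        out += d.decompress(buf, step)
        buf = d.unconsumed_tail
        if len(out) > max_output:
            raise DecompressionLimitExceeded(f"output exceeds {max_output} bytes")
        # Skip the ratio test for small outputs: short repetitive pages
        # legitimately compress very well.
        if len(out) > ratio_floor and len(out) > max_ratio * len(data):
            raise DecompressionLimitExceeded(f"ratio exceeds {max_ratio}:1")
    out += d.flush()  # only a few internally buffered bytes can remain
    if len(out) > max_output:
        raise DecompressionLimitExceeded(f"output exceeds {max_output} bytes")
    return bytes(out)


def classify(body):
    """Return 'ok' or 'rejected' for a compressed response body."""
    try:
        bounded_inflate(body)
        return "ok"
    except (DecompressionLimitExceeded, zlib.error):
        return "rejected"


# Constructed test inputs: an ordinary small page and 8 MiB of zero bytes.
NORMAL = gzip.compress(b"<p>hello crawler</p>\n" * 500)
OVERSIZED = gzip.compress(b"\0" * (8 << 20))

if __name__ == "__main__":
    print(classify(NORMAL), classify(OVERSIZED))
```

Because the check runs after every bounded step, the process never holds more than roughly `max_output` plus one step of decompressed data, which is what prevents the OOM crash discussed in the thread.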
Telecom for example does Deep Package Inspection. That is rather well known. BEREC made a statement years ago that it is normal for other European ISPs too. Here is a secondary source for it, I can't find the primary source anymore: https://netzpolitik.org/2012/berec-studie-dpi-bei-vielen-providern-bereits-im-einsatz/
If you are successful in disrupting some data processing doesn't matter, trying to do it is illegal. If you put it there to disrupt crawlers you are trying to disrupt an entity's data processing.
If your ISP does DPI an archive bomb is able to crash their server. Even if they have measures against it, it is still illegal because trying it is illegal.
The intent is to get rid of crawlers which are disrupting the operation of your servers. That’s not intent of doing harm to the crawler’s operator, or their business. It’s analogous to telling a hawker to fuck off: Polite, no, but them being able to profit off you is not your responsibility, you do not have to accede to that. And intent to harm the ISP is even less reasonable to assume.
That’s out of date anyway. How about this one. DPI is limited to OSI level 5 and only allowed to resolve network issues – and a crawler crashing is not a network issue.
Good to know
A crawler is a data processing machine, nothing more. Therefore you are disrupting data processing through data. If you think it's not, that's OK too. I would still advise to contact your lawyer in Germany if you are thinking about hosting a zip bomb.
Nah it’s definitely disrupting data processing, even though at a very low-key level – you’re not causing any data to become invalid or such. It’s the intent to harm the operator that’s the linchpin: “Jemandem einen Nachteil zufügen”. “Jemand” needs to be a person, natural or legal. And by stopping a crawler you don’t want to inflict a disadvantage on the operator; you want to, at most, stop them from gaining an advantage. “Inflict disadvantage” and “prevent advantage” are two different things.
Good idea, but as already said before: First, you should contact a sysadmin. Who will tell you it’s a stupid idea.
I wonder if having a robots.txt file that said to ignore the file/path would help.
I’m assuming a bad bot would ignore the robots.txt file. So you could argue that you put up a clear sign and they chose to ignore it.
Good question, I don't know tbh. Would be an interesting question for a lawyer influencer.
TL;DR: It’s illegal to have publicly available or share.
Making it illegal to create one for research purposes on your own hardware is not illegal as far as I know. And if it is, I wouldn’t mind seeing someone challenge that with the EU.
For research purposes you could make it password protected, which would make it legal, though. Like I said, having one is a gray area, because the law is made extremely vague. Like I said, I don't know of any judgements about it, but it is still a possibility. If you live in Germany and are inclined for an archive bomb and care about your legal safety, contact a lawyer beforehand.