
To Hack Back Or Not To Hack Back?

dinscott writes "If you think of cyberspace as a resource for you and your organization, it makes sense to protect your part of it as best you can. You build your defenses and train employees to recognize attacks, and you accept the fact that your government is the one that will pursue and prosecute those who try to hack you. But the challenge arises when you (possibly rightfully so) perceive that your government is not able to do so, and you demand to be allowed to 'hack back.'"
  • No (Score:5, Insightful)

    by Anonymous Coward on Wednesday June 12, 2013 @02:30PM (#43988537)
    Bad idea.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Don't be a pussy, go for it mah brother! Fuck'em up!

    • Re:No (Score:5, Insightful)

      by jellomizer ( 103300 ) on Wednesday June 12, 2013 @03:00PM (#43988879)

      For the most part the people who are hacking into you isn't that personal, you are just an open system with the vulnerability. Hacking back will not do too much except for making it personal. If you want to solve the problem you will need to redo your security.

      Besides most hackers will jump from system to system to make it hard to detect. I remember trying to trace a hacker back, I gave up after going into 3 or 4 systems across the globe. Realizing that I could be part of the problem not the solution I gave up. And then went on improving security.

      • by khasim ( 1285 )

        Or, to phrase it another way: if you have the hacking skills to retaliate then you have the skills to be invulnerable to the attack in the first place.

        The enemy cracker has a limited number of targets:
        1. your router.
        2. your firewall.
        3. whatever service you provide through your firewall (you do have a DMZ, right?).
        4. flooding your bandwidth with traffic from thousands of zombies.

        Anyone have any other types of attack that I forgot? And if you cannot secure those (except for #4) then you probably won't be able

        • by DarkOx ( 621550 )

          I agree in general but if someone is DOSing you there is not much you can do about it other than 1) get their provider to stop them, 2) get the authorities to stop them, 3) get your provider to drop their traffic, 4) or stop them yourself.

          If the first three can't or won't do it in a reasonable time frame, what option do you have? If it's a DDOS your only options might be 2) and 4) provided you can determine the command and control source. Which might very likely require you to pwn some number of the bots s

          • by rtb61 ( 674572 )

            If you attack back, you create the opportunity for the greatest hacks of all, false ones that get you to target an innocent person or company or organisation. Groups likely to report the attack to their legal authorities who will then prosecute, extradite and jail your silly ass.

    • Re:No (Score:5, Insightful)

      by stewsters ( 1406737 ) on Wednesday June 12, 2013 @03:34PM (#43989237)
      This. Working for your business is not worth getting thrown in jail for, and it's open season on hackers.

      Some ideas of what you can do:
      • Cleanse anything that goes into a database. Get a model layer that does this for you.
      • You probably don't use UNION or similar keywords but they are used by hackers extensively. We built our own code to search for these keywords and tarpit them.
      • If they are all coming from some small IP block in China, block it. Minimal loss in business.
      • If they are running automated vulnerability scanners, you could add pages to blacklist their hosts as soon as they try to hit default administration pages for WordPress on your site.
      • If it's just password guessers, block them. Use ssh keys.
      • Nmap the hosts that are targeting you. Most likely they are someone's compromised Windows XP machine.
      • Report them to the FBI: http://itsecurity.vermont.gov/Report_Crime

      If all else fails, go on 4chan and post "OMG i just made the most secure site evar! Address is ${offender's IP} I bet no one can hack my site and take my bitcoins. "
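The keyword-matching, scanner-trap and IP-block ideas in the list above can be prototyped offline against an access log. The following is an added example, not code from the commenter: the function names, trap paths and sample log lines are constructed, it assumes the site does not run WordPress, and it only produces a block list (it does not implement a tarpit). It narrows the keyword match to `UNION ... SELECT` in the decoded query string, because a bare match on "union" would also flag ordinary URLs.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample in Apache/nginx "combined" format, using documentation IP ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2013:14:30:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "scanner"
203.0.113.7 - - [12/Jun/2013:14:30:02 +0000] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "scanner"
198.51.100.23 - - [12/Jun/2013:14:31:10 +0000] "GET /item?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.40 - - [12/Jun/2013:14:31:15 +0000] "GET /item?id=2+union+all+select+1,2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jun/2013:14:32:00 +0000] "GET /news/credit-union-opens HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.11 - - [12/Jun/2013:14:32:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumption: this site has no WordPress install, so any hit on these is a scanner.
TRAP_PREFIXES = ("/wp-login.php", "/wp-admin", "/xmlrpc.php")
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)          # UNION/**/SELECT style padding
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)


def parse_line(line):
    """Return (ip_address, request_target) or None for unparseable lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:            # first field is a hostname or garbage
        return None
    return ip, m.group(3)


def classify(target):
    """Return a reason string if the request target looks hostile, else None."""
    path, _, query = target.partition("?")
    if path.lower().startswith(TRAP_PREFIXES):
        return "wordpress-trap"
    # Decode once and strip SQL comments before matching, query string only.
    decoded = SQL_COMMENT.sub(" ", unquote_plus(query))
    if UNION_SELECT.search(decoded):
        return "sqli-union"
    return None


def build_blocklist(log_text, min_ips_per_net=2):
    """Return (sorted CIDR rules, {ip: [reasons]}) for a block of log text."""
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, target = rec
        reason = classify(target)
        if reason:
            reasons[ip].add(reason)

    # Group offenders by /24 (IPv4) or /64 (IPv6): several offenders in one
    # small block become a single network rule, a lone offender a host rule.
    per_net = defaultdict(list)
    for ip in reasons:
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_net[net].append(ip)

    rules = []
    for net, ips in per_net.items():
        if len(ips) >= min_ips_per_net:
            rules.append(str(net))
        else:
            rules.extend(str(ipaddress.ip_network(ip)) for ip in ips)
    return sorted(rules), {str(ip): sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    rules, why = build_blocklist(SAMPLE_LOG)
    for rule in rules:
        print("block", rule)
    for ip, r in sorted(why.items()):
        print(ip, ",".join(r))
```

The emitted CIDR rules are plain text; feeding them to a firewall or web-server deny list is left to whatever tooling the site already uses.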

    • Yes. But that doesn't end the problem, the can of worms this opens is a lot more complex than it seems at the surface. The matter in question is nothing less than the state's power monopoly.

      If I get robbed, I don't grab my gun and go hunting for the guy who did it. No. I go to the police and ask them to find him. Why do I do that? Because I trust them to have more power, time, experience and resources than me to do just that. But there's more to it than just them being better at it than me. There are two oth

    • Absolutely!

      I remember many years ago some firm brought out a proactive firewall that immediately tried to DOS attack anyone trying to penetrate it

      What a stupid idea given how easy it is to spoof a source address! I do hope they are out of business

  • Good thing.. (Score:5, Insightful)

    by thisisnotreal ( 888437 ) on Wednesday June 12, 2013 @02:32PM (#43988547)
    Things like this never escalate. I keep seeing and feeling in so many ways how delicate this all is...and we keep hammering on it. As. Hard. As. Possible.
    • You need to be at plus 5, just for that first sentence, and the rest are as good.

      1. Company has trouble with commonly skilled criminal crackers.
      2. Company gets special permission to take matters into its own hands. To get this, company does special favors for a nation state.
      (You don't think the politicians just ask for campaign contributions when they can also ask for "law enforcement assistance" against terrorists, do you? Or that those same terrorists, who think of themselves

      • by fisted ( 2295862 )
        Yes, they do.
      • (cue shady government figure)

        Mr. President, we managed to cut unemployment with the no to low skill workforce by sending them off to war in some corner on the other end of the planet, but our higher skilled unemployed can't be assed to join a job where they risk their life for pennies. So here's the plan: We start some "cyber war" against ... Oh, I don't know, let's say Generistan for a placeholder. Then we let that war escalate and have Generistan terrorists blow up some of the middle management in certai

  • by Anonymous Coward on Wednesday June 12, 2013 @02:36PM (#43988581)

    What you're advocating, quite plainly, is that if you break into my house and steal something, that I can then break into your house to take something from you. The law is quite clear on this. As long as hacking into and stealing resources is illegal, you doing the same is just as illegal. Get a Rottweiler and a home alarm and sign up for personalized security patrols. In essence that is what you can do with regards to your electronic resources.

    • Re: (Score:3, Insightful)

      What you're advocating, quite plainly, is that if you break into my house and steal something, that I can then break into your house to take something from you. The law is quite clear on this. As long as hacking into and stealing resources is illegal, you doing the same is just as illegal. Get a Rottweiler and a home alarm and sign up for personalized security patrols. In essence that is what you can do with regards to your electronic resources.

      If someone breaks into my house I can shoot them thanks to castle laws, there is no digital equivalent other than hacking them back.

      • If someone breaks into your house and steals something, you're not allowed to hunt them down, break into their house, and steal it back.
      • by HockeyPuck ( 141947 ) on Wednesday June 12, 2013 @02:54PM (#43988787)

        If someone breaks into my house I can shoot them thanks to castle laws, there is no digital equivalent other than hacking them back.

        You cannot get in your car, drive to their house and then shoot them, as you are no longer being threatened by said intruder. Hacking back is exactly that. You've been attacked and then you retaliate after the fact.

        Typical conditions that apply to some Castle Doctrine laws include (from Wikipedia):

                - An intruder must be making (or have made) an attempt to unlawfully or forcibly enter an occupied residence, business, or vehicle.
                - The intruder must be acting unlawfully (the Castle Doctrine does not allow a right to use force against officers of the law, acting in the course of their legal duties).
                - The occupant(s) of the home must reasonably believe the intruder intends to inflict serious bodily harm or death upon an occupant of the home. Some states apply the Castle Doctrine if the occupant(s) of the home reasonably believe the intruder intends to commit a lesser felony such as arson or burglary.
                - The occupant(s) of the home must not have provoked or instigated an intrusion; or, provoked/instigated an intruder's threat or use of deadly force.

        • So then after the fact is a no-no but catching them in the act you're saying is entirely ok.
          • by Trepidity ( 597 ) <[delirium-slashdot] [at] [hackish.org]> on Wednesday June 12, 2013 @03:19PM (#43989075)

            The justification for shooting an intruder in your house is self-defense, since you might reasonably fear for your life if someone's broken into your house (especially if they're armed). The purpose is not to authorize vigilante retaliation or punishment. Therefore, if the person isn't in your house anymore, there is no longer a justification for shooting them.

            Actually, even in your house you shouldn't shoot them unless you actually do fear for your life and it's truly self-defense. Not all states require you to prove that (partly due to worries over whether it's possible to prove), but you are not supposed to shoot someone just because you can get away with it.

            • Actually a lot of states allow lethal defense to prevent a forcible felony (or even a felony) in some states. Illinois, not exactly a bastion of vigilantism or lax gun laws, only requires felony theft/burglary to invoke castle law "self-defense." That means you can basically shoot anyone who breaks into your home if there is more than $500 worth of stuff in your apartment/house.
        • You cannot get in your car, drive to their house and then shoot them, as you are no longer being threatened by said intruder. Hacking back is exactly that.

          Not according to the State of California.

          According to the State of California, if I go out on the Internet to the web site of a company in Texas and purchase an item, and have it shipped to me in California, the transaction took place in my home. This is their legal rationale for being able to collect sales tax on the transaction without violating the Interstate Commerce Clause of the US Constitution.

          Therefore, if I "hack back" someone who has hacked me, their initial hacking took place wherever they are l

          • As you well know, California has never collected sales taxes on such transactions. It's a use tax, which clearly shows that they think the sale took place elsewhere and the use took place in your home.
        • - The occupant(s) of the home must not have provoked or instigated an intrusion; or, provoked/instigated an intruder's threat or use of deadly force.

          So that means I have to kill him with the first shot? Because else my shot would certainly have provoked him to use deadly force against me, considering that my intention is to shoot him.

      • by Hentes ( 2461350 )

        That's not a digital equivalent either.

      • You can hack back, right up to your demarc, after that Castle Doctrine ends. What you are suggesting is finding out where the people who broke into your house live and shooting them.
      • If someone breaks into my house I can shoot them thanks to castle laws, there is no digital equivalent other than hacking them back.

        The digital equivalent would be to infect/hack them WHILE THEY ARE CONNECTED to you during their hack, as a means to make them stop.

        As soon as they disconnect and you track them back down, you're talking about walking into THEIR house and shooting them. That's still murder.

      • Let's ignore the morally correct point that fighting fire with fire isn't actually legal. Let's just think about what you hope to accomplish.

        Suppose that you possess the time and skills to properly track your attacker back to their actual home system(s), and you manage to crack it. You upload a virus you wrote in your free time that spreads through their computer, deletes all files, and hides in the BIOS afterwards, frying hardware with malicious hardware calls. After you disconnect from their newly cratere
        • by bonehead ( 6382 )

          Let's ignore the morally correct point that fighting fire with fire isn't actually legal.

          Hmm.... That sounded a whole lot like you are using morality and legality as synonyms. That's far from the truth. In fact, in a surprisingly large number of situations, they are antonyms.

      • by dutchwhizzman ( 817898 ) on Wednesday June 12, 2013 @11:27PM (#43992333)
        That's not an equivalent. That's the only way you can try and get "justice" if law enforcement doesn't take care of the perpetrators, but it's not a digital equivalent. Let me put it to you this way: If someone was to come into your house and murder your significant other. Would it be okay if the police were to find them and kill their significant other, without trial? Because that would be an equivalent too. The law deals with these things not by revenge or "an eye for an eye", but by (hopefully) proper research, apprehension of the suspects and a fair trial. Hacking back isn't any of those.
    • What you're advocating, quite plainly, is that if you break into my house and steal something, that I can then break into your house to take something from you. The law is quite clear on this. As long as hacking into and stealing resources is illegal, you doing the same is just as illegal. Get a Rottweiler and a home alarm and sign up for personalized security patrols. In essence that is what you can do with regards to your electronic resources.

      No, it's saying if you break into my house I can shoot you. Welcome to Texas.

    • by AK Marc ( 707885 )
      If someone breaks into your house every day, is it "wrong" to follow them home then let the air out of their tires, hoping that slows them down enough they don't break in again the next day?
  • by ganjadude ( 952775 ) on Wednesday June 12, 2013 @02:38PM (#43988609) Homepage
    The real question is what to do when our own government is the one "hacking" our pages
  • Bad Idea. (Score:5, Insightful)

    by wjcofkc ( 964165 ) on Wednesday June 12, 2013 @02:41PM (#43988637)
    What if the hacker is already attacking from a computer that is not theirs? Firing back would make you no better than them.
    • by DarkOx ( 621550 )

      Firing back would make you no better than them

      Why? A compromised machine is a compromised machine. It's already not really under the legal owner's control anymore, even if it happens to still be doing what they want it to. I think from an ethical standpoint it's acceptable collateral damage.

      • The way I see it, it's not different than when MS threatened to boot botnetted machines off the net.
        • by DarkOx ( 621550 )

          And they would have been right to do it.

          • by bonehead ( 6382 )

            As an admin for a quite large ISP, we do exactly that every single day. As soon as we know someone's computer is sending spam, step 1 is to change their email password, step 2 is to disable all internet connectivity.

            Yes, our TS department does work with them to clean up the infection. But until we're satisfied that they are malware free, they're offline.

        • Threatened? Promised, and I still wait for that to be fulfilled.

  • by Hentes ( 2461350 ) on Wednesday June 12, 2013 @02:41PM (#43988643)

    After the flawed warfare analogy of the military, we now have a flawed cowboy analogy. How can these people be that shortsighted, everyone knows that the internet is like cars.

  • You can get anything from 30 years [mmajunkie.com] to a century [vice.com] in jail for things that go into the hacking umbrella, even for things that traditionally you won't call attacking. And if you are outside US, a drone [motherjones.com] could visit you.

    This usually goes for attackers or people that exploit or just bump against a vulnerability in US government/institution sites, but even if you do it against an "evil" organization (and that it is not just a nsa/fbi cover operation or whatever) it could eventually be used against you.

  • There's nothing more frustrating as a black hat to hammer away at an apparently impenetrable and indifferent target.

    • by bonehead ( 6382 )

      Yep. About 12 years ago I was working for a small-ish company that really only relied on connectivity during business hours, and even then, if it went down, the lack of email was the only "big" concern, and was easily dealt with by picking up the phone.

      Noticed one day at about 15 minutes before quitting time that someone was trying to break into our email server. I took great pleasure in simply unplugging the T1 from the router and going home for the night. Came in a little early the next day to get thin

  • by mlts ( 1038732 ) * on Wednesday June 12, 2013 @02:44PM (#43988673)

    With the fact that compromised hosts are the first thing an intruder has between them and their target, how can one be sure that the host attacking them is malicious, or just a compromised box being used as a proxy or launching point for attacks?

    If it was a compromised box, and it gets retaliated against, there might be a chance that the IDS/IPS system on the compromised network will log the back-strike, which can easily mean civil/criminal charges.

    My take: Block them at the router for a couple days and go on. Trying to "counter-hack" can get one in a world of hurt.

    • And if it is a compromised machine they simply move to another network and continue the attack. Aren't you glad you blocked the first at the router?
  • by MozeeToby ( 1163751 ) on Wednesday June 12, 2013 @02:51PM (#43988747)

    Someone breaks into your place of business, what are your rights? You can bar the door, obviously. You can physically intimidate them into leaving, sure. You can shoot them... well... if you're in danger and can't get away (or even if you can in some places)... and you have the right to own the gun you're shooting... and well, you better be able to explain yourself.

    What you can't do is follow them home and smash their stuff. And you really, really can't start an international incident, that kind of thing is looked down upon.

    • And you also better be damn sure you're attacking the right person and not some poor company who has already had their own systems compromised. Most people are really bad detectives and just aren't qualified to determine who to hack back against. And usually your attacker doesn't have much of a footprint to attack. So while I support your right to actively defend yourself, don't be a Zimmerman and shoot some unarmed kid with a bag of candy in his pocket.

      • by DarkOx ( 621550 )

        Hey, the trial is not over yet. And that "unarmed" kid DID do bodily injury to Zimmerman. I think I'll wait for the court and a jury to decide who provoked who and who was retaliating. I was not there, I doubt you were either, and neither of us know all the evidence.

    • "You can shoot them... well... if you're in danger and can't get away (or even if you can in some places)."

      Not sure how it works in the US, but in Canada which has far far less self defence laws, the specific law says you can do anything you need to do to get the intruder out immediately. Which would mean that the government would have to prove beyond a reasonable doubt that shooting the intruder did not speed up his removal from your property. I found it quite strange reading the Criminal Code; The right

    • Me again,
      And specifically, I think you might actually be wrong in part.

      "preventing the other person from taking, damaging or destroying the property or from making it inoperative, or retaking the property from that person; and"

      In Canada:
      The criminal does not technically still have to be on your property, for you to defend your stolen property from him.
      So if they stole something from you when they hacked your systems, and we consider hacking synonymous with breaking and entering. It definitely might be legal

    • by dwpro ( 520418 )

      In real life terms, what is a DDOS? Let's try a car analogy. Let's say it's like someone stealing a bunch of cars and driving them to your business and have them blare their horns. I think in this case I would feel justified opening all the hoods and unhooking the batteries, maybe even taking the keys to the car so that they could be returned to the rightful owner or at least not stolen again and made to honk incessantly. Which, back in digital (fake?) life, would be "hacking back" in my mind, and comple

  • You never have the option to take the law into your own hands. If you don't like the job your government(police) are doing, then work on them. But you never have the option to take the law into your own hands.
    • You never have the option to take the law into your own hands.

      Never heard of a citizen's arrest? Castle doctrine? Stand your ground laws?

      Theoretically at least we are the government - by the people for the people.

  • Ohhhhhh mannnn, if I could fucking hack back... You don't even know. But until it's legal to do so, it's too much of a risk to my livelihood.
  • Most corporations have no problem creating phantom business units to hide profits and losses, inflate executive salaries, etc, etc.

    How do we know they aren't doing the same thing with an eye towards creating "disposable" and nearly unconnected entities they can use/abandon/reuse to launch counter-attacks or reconnaissance missions against targets they think are attacking them?

    Buy a handful of servers, hire some contractors to install and do basic setup on them in some leased colo space, lather, rinse, repea

  • Okay, let's assume your name is awesomeness in IT Security and Hacking; furthermore, let's assume that you:

    1. Detect the hack
    2. Stop the hack
    3. Recover from the hack
    4. Determine the true source
    5. Can retaliate
    6. Successfully retaliate
    7. Bask in your glory

    Still sounds like a great way to end up dead. You never know who you're playing with.

  • But, think if it was legal. That would be some fun to be had, until things got out of hand and such. At a certain point, it's more cost effective to send someone with a gun.

  • by rvw ( 755107 ) on Wednesday June 12, 2013 @03:24PM (#43989137)

    In Soviet Russia, the government hacks you! In the United States however it's not hacking anymore, because the law says all channels are open for Big Brother, and hacking de-facto does not exist anymore. How about that?

  • by Anonymous Coward on Wednesday June 12, 2013 @03:26PM (#43989163)

    What I find interesting is that people seem to equate a hack back with showing up at someone's house after they're long gone from your place and punching out their window in retribution.

    As a sysadmin who has dealt with a number of compromised servers, here is where that analogy fails: I have NEVER seen a hack where the hacker just leaves after they gain access. They create backdoors to ensure that they have access to your network in the future, and will likely try to use your assets in future attacks.

    To use the break-in analogy: Most hackers are STILL IN YOUR HOUSE.

    Now, one can argue all day about whether it's a waste of resources to hack back, but back hack is certainly not equivalent to tracking someone down and throwing a brick through their window. In the vast majority of hacks I've personally encountered, a hack back would be active defense.

    • by Todd Knarr ( 15451 ) on Wednesday June 12, 2013 @03:58PM (#43989441) Homepage

      Thing is, most of the "hack back" responses don't involve going after the hacker still in your system. They boil down to trying to figure out who the hacker is, where they live, and then going to that address and attacking whoever's there. Which of course raises such issues as "Did your attacker leave a false trail that would lead you to attack someone not involved in the attack on you?" and "What are you going to do if that uninvolved party decides to hack back themselves?". Few of the proponents of "hack back" seem willing to discuss those issues, they mostly brush them off as "That won't happen.". When probed as to exactly what it won't and what'll keep it from happening, though, they start flailing badly rather than giving coherent answers. And none of them want to commit to accepting full legal liability if it does happen. If it won't happen, what's the problem with agreeing to accept a liability you'll never need to accept?

  • Just don't do it. (Score:5, Insightful)

    by Minwee ( 522556 ) <dcr@neverwhen.org> on Wednesday June 12, 2013 @03:31PM (#43989207) Homepage

    Why? Not because of any failed cowboy analogy, or belief in how the wonderful rule of law will solve all of our problems for us, but for this one simple reason:

    I don't trust you, or anybody, to be able to identify who is attacking you, or even to correctly determine if you are even being attacked at all. Do you need a car analogy? Giving people blanket authorization to strike back at their virtual attackers is like handing Dilbert's boss a rocket launcher and asking him to do something about the lack of available spaces in the office parking lot. If you believe that your network is being attacked and feel the need to strike back at the perpetrators, then please:

    • 1) Keep it in your pants. Nobody is really impressed by that, and
    • 2) Collect evidence, read your logs, make an actual effort to figure out what is going on, and then forward that information to the appropriate responsible parties, and finally,
    • 3) Let them investigate and deal with it.

    I can't promise you that this will _solve_ your problem, but it will give you some time to cool down, realize that your original reaction was based on faulty and incomplete evidence, and keep you busy for a few hours doing something useful instead of being part of the problem.

  • While hacking back is generally a bad idea for a variety of reasons (such as, it's most likely an innocent user's computer being used as a bot), the article was a monstrosity of uselessness. An individual back hacking a Chinese government hacker isn't going to start cyber world war 3 and the entire notion that it would is stupid. The reasoning for why you don't back hack is completely invalid. It's simply a matter of not being worth it. Most attacks are going to happen through bots and wiping out the bots is just going to hurt innocents and possibly destroy evidence.

    • by Lehk228 ( 705449 )
      I disagree, wiping out bots makes the internet safer, except for the knuckleheads with botnet software on their machine.

      Wiping out actual attacker machines is useless because they will be attacking from disposable VMs and such, unless you have a payload that will

      a) root the guest OS
      b) break out of the hypervisor
      c) root the host OS
      d) destroy valuable hardware components

      you will be wasting time.
  • If not, you don't hack, or hack back. People/Corporations do things for profit, monetary or otherwise. If I were a CIO (employers, CV available on demand...) I'd be less than impressed in my staff indulging in revenge rather than in selling our product or helping our clients.

    And BTW, how come we got hacked? Can we fix that hole please? I've got to tell the board in 20 minutes what happened and that it won't happen again.
  • by bistromath007 ( 1253428 ) on Wednesday June 12, 2013 @04:46PM (#43989935)
    Here it is. [slashdot.org]

    And here's what I said last time. [slashdot.org]

    Let's see if I can get +5 just for linking to a comment that got +5. :V
  • If you hack back, just remember to follow the 11th Commandment:
    THOU SHALL NOT GET CAUGHT.

  • While I agree that eye for eye retaliation cannot work in a civilized society, I note the unfortunate proposal of a world governance.

    World governance is often called as a way to kill any ability to do something in our lifetimes. We are now familiar with world finance governance to avoid crisis, and we know it will never happen.

    Governance means there is Sovereignty. Sovereignty means there is People involved in a social pact. This is what a Nation is. There is no such World Nation. I do not have the solution

    • "World government" is doomed to fail. Not because the red tape would wrap up everything worthwhile, but simply due to human nature.

      Take a look at the EU. It's not a union of European states. It's a conglomerate of states that try to find out how to rip off the others for their own goals.

      If that's your goal for a world government, we have a world government already.

  • If your government demonstrated it is unable or unwilling to prosecute someone committing a crime towards you and you have the abilities, resources and willingness to commit the same crime, who would keep you from doing so? The government proved it won't.
