To Hack Back Or Not To Hack Back?
dinscott writes "If you think of cyberspace as a resource for you and your organization, it makes sense to protect your part of it as best you can. You build your defenses and train employees to recognize attacks, and you accept the fact that your government is the one that will pursue and prosecute those who try to hack you. But the challenge arises when you (possibly rightfully so) perceive that your government is not able to do so, and you demand to be allowed to 'hack back.'"
No (Score:5, Insightful)
Re: (Score:2, Funny)
Don't be a pussy, go for it mah brother! Fuck'em up!
Re: (Score:3)
I am INVINCIBLE!
Re:No (Score:5, Insightful)
For the most part the people who are hacking into you isn't that personal, you are just an open system with the vulnerability. Hacking back will not do too much except for making it personal. If you want to solve the problem you will need to redo your security.
Besides, most hackers will jump from system to system to make it hard to detect. I remember trying to trace a hacker back; I gave up after going into 3 or 4 systems across the globe. Realizing that I could be part of the problem, not the solution, I gave up. And then went on improving security.
Re: (Score:3)
Or, to phrase it another way: if you have the hacking skills to retaliate then you have the skills to be invulnerable to the attack in the first place.
The enemy cracker has a limited number of targets:
1. your router.
2. your firewall.
3. whatever service you provide through your firewall (you do have a DMZ, right?).
4. flooding your bandwidth with traffic from thousands of zombies.
Anyone have any other types of attack that I forgot? And if you cannot secure those (except for #4) then you probably won't be able
Re: (Score:2)
I agree in general but if someone is DOSing you there is not much you can do about it other than 1) get their provider to stop them, 2) get the authorities to stop them, 3) get your provider to drop their traffic, 4) or stop them yourself.
If the first three can't or won't do it in a reasonable time frame, what option do you have? If it's a DDOS your only options might be 2) and 4) provided you can determine the command and control source. Which might very likely require you to pwn some number of the bots s
Re: (Score:3)
If you attack back, you create the opportunity for the greatest hacks of all, false ones that get you to target an innocent person or company or organisation. Groups likely to report the attack to their legal authorities who will then prosecute, extradite and jail your silly ass.
Re: (Score:2)
FTFY:
False Analogy: Russia has the ability to nuke us. We have the ability to retaliate with a nuke. We are not invulnerable to a nuke attack.
Except for DDOS this analogy falls on its nose. If you have the ability to hack (DDOS != hack) you know about computer systems and security well enough to prevent basically all hacks. Third party software being a trouble stop, but nothing you can't mitigate.
Re:No (Score:5, Insightful)
Some ideas of what you can do:
If all else fails, go on 4chan and post "OMG i just made the most secure site evar! Address is ${offender's IP} I bet no one can hack my site and take my bitcoins. "
Re: (Score:3)
Yes. But that doesn't end the problem, the can of worms this opens is a lot more complex than it seems at the surface. The matter in question is nothing less than the state's power monopoly.
If I get robbed, I don't grab my gun and go hunting for the guy who did it. No. I go to the police and ask them to find him. Why do I do that? Because I trust them to have more power, time, experience and resources than me to do just that. But there's more to it than just them being better at it than me. There are two oth
Re: (Score:2)
I remember many years ago some firm brought out a proactive firewall that immediately tried to DOS attack anyone trying to penetrate it
What a stupid idea given how easy it is to spoof a source address! I do hope they are out of business
Good thing.. (Score:5, Insightful)
Re: (Score:3)
You need to be at plus 5, just for that first sentence, and the rest are as good.
1. Company has trouble with commonly skilled criminal crackers.
2. Company gets special permission to take matters into its own hands. To get this, company does special favors for a nation state.
(You don't think the politicians just ask for campaign contributions when they can also ask for "law enforcement assistance" against terrorists, do you? Or that those same terrorists, who think of themselves
Re: (Score:2)
(cue shady government figure)
Mr. President, we managed to cut unemployment with the no to low skill workforce by sending them off to war in some corner on the other end of the planet, but our higher skilled unemployed can't be assed to join a job where they risk their life for pennies. So here's the plan: We start some "cyber war" against ... Oh, I don't know, let's say Generistan for a placeholder. Then we let that war escalate and have Generistan terrorists blow up some of the middle management in certai
Vigilantism is not a new concept (Score:5, Insightful)
What you're advocating, quite plainly, is that if you break into my house and steal something, that I can then break into your house to take something from you. The law is quite clear on this. As long as hacking into and stealing resources is illegal, you doing the same is just as illegal. Get a Rottweiler and a home alarm and sign up for personalized security patrols. In essence that is what you can do with regards to your electronic resources.
Re: (Score:3, Insightful)
What you're advocating, quite plainly, is that if you break into my house and steal something, that I can then break into your house to take something from you. The law is quite clear on this. As long as hacking into and stealing resources is illegal, you doing the same is just as illegal. Get a Rottweiler and a home alarm and sign up for personalized security patrols. In essence that is what you can do with regards to your electronic resources.
If someone breaks into my house I can shoot them thanks to castle laws, there is no digital equivalent other than hacking them back.
Re: (Score:2)
In Texas you actually are under certain circumstances.
Re:Vigilantism is not a new concept (Score:5, Insightful)
If someone breaks into my house I can shoot them thanks to castle laws, there is no digital equivalent other than hacking them back.
You cannot get in your car, drive to their house and then shoot them, as you are no longer being threatened by said intruder. Hacking back is exactly that. You've been attacked and then you retaliate after the fact.
Typical conditions that apply to some Castle Doctrine laws include (from wikipedia):
- An intruder must be making (or have made) an attempt to unlawfully or forcibly enter an occupied residence, business, or vehicle.
- The intruder must be acting unlawfully (the Castle Doctrine does not allow a right to use force against officers of the law, acting in the course of their legal duties).
- The occupant(s) of the home must reasonably believe the intruder intends to inflict serious bodily harm or death upon an occupant of the home. Some states apply the Castle Doctrine if the occupant(s) of the home reasonably believe the intruder intends to commit a lesser felony such as arson or burglary.
- The occupant(s) of the home must not have provoked or instigated an intrusion; or, provoked/instigated an intruder's threat or use of deadly force.
Re:Vigilantism is not a new concept (Score:5, Insightful)
The justification for shooting an intruder in your house is self-defense, since you might reasonably fear for your life if someone's broken into your house (especially if they're armed). The purpose is not to authorize vigilante retaliation or punishment. Therefore, if the person isn't in your house anymore, there is no longer a justification for shooting them.
Actually, even in your house you shouldn't shoot them unless you actually do fear for your life and it's truly self-defense. Not all states require you to prove that (partly due to worries over whether it's possible to prove), but you are not supposed to shoot someone just because you can get away with it.
Not according to the State of California (Score:2)
You cannot get in your car, drive to their house and then shoot them, as you are no longer being threatened by said intruder. Hacking back is exactly that.
Not according to the State of California.
According to the State of California, if I go out on the Internet to the web site of a company in Texas and purchase an item, and have it shipped to me in California, the transaction took place in my home. This is their legal rationale for being able to collect sales tax on the transaction without violating the Interstate Commerce Clause of the US Constitution.
Therefore, if I "hack back" someone who has hacked me, their initial hacking took place wherever they are l
Re: (Score:2)
- The occupant(s) of the home must not have provoked or instigated an intrusion; or, provoked/instigated an intruder's threat or use of deadly force.
So that means I have to kill him with the first shot? Because else my shot would certainly have provoked him to use deadly force against me, considering that my intention is to shoot him.
Re: (Score:2)
Can't believe that's something new in Texas. Or any Southern state.
Re: (Score:2)
Depends on whether the self defense clause includes property or just life.
Re: (Score:3)
That's not a digital equivalent either.
Re: (Score:2)
closer would be shooting at the sniper across the road after he started shooting at me which is again justified as self defense.
Re: (Score:2)
If someone breaks into my house I can shoot them thanks to castle laws, there is no digital equivalent other than hacking them back.
The digital equivalent would be to infect/hack them WHILE THEY ARE CONNECTED to you during their hack, as a means to make them stop.
As soon as they disconnect and you track them back down, you're talking about walking into THEIR house and shooting them. That's still murder.
I AM THE BAT-MAN....HACKER! wait, start again... (Score:3)
Suppose that you possess the time and skills to properly track your attacker back to their actual home system(s), and you manage to crack it. You upload a virus you wrote in your free time that spreads through their computer, deletes all files, and hides in the BIOS afterwards, frying hardware with malicious hardware calls. After you disconnect from their newly cratere
Re: (Score:2)
Let's ignore the morally correct point that fighting fire with fire isn't actually legal.
Hmm.... That sounded a whole lot like you are using morality and legality as synonyms. That's far from the truth. In fact, in a surprisingly large number of situations, they are antonyms.
That's not an equivalent (Score:4, Insightful)
Re: (Score:2)
Says who? Something similar exists, it doesn't outright kill you but depending on the circumstances it can sure mess up your life.
Re: (Score:2)
What you're advocating, quite plainly, is that if you break into my house and steal something, that I can then break into your house to take something from you. The law is quite clear on this. As long as hacking into and stealing resources is illegal, you doing the same is just as illegal. Get a Rottweiler and a home alarm and sign up for personalized security patrols. In essence that is what you can do with regards to your electronic resources.
No, it's saying if you break into my house I can shoot you. Welcome to Texas.
the question was posed wrong (Score:5, Insightful)
Re: (Score:2)
Get a better government.
Re: (Score:2)
Actually it's one of the hardest things one could possibly try. Usually it comes with a lot of bloodshed.
If it's not worth risking your life, it's probably not bad enough yet.
Bad Idea. (Score:5, Insightful)
Re: (Score:3)
Firing back would make you no better than them
Why? A compromised machine is a compromised machine. It's already not really under the legal owner's control anymore, even if it happens to still be doing what they want it to. I think from an ethical standpoint it's acceptable collateral damage.
Re: (Score:2)
And they would have been right to do it.
Re: (Score:2)
As an admin for a quite large ISP, we do exactly that every single day. As soon as we know someone's computer is sending spam, step 1 is to change their email password, step 2 is to disable all internet connectivity.
Yes, our TS department does work with them to clean up the infection. But until we're satisfied that they are malware free, they're offline.
Re: (Score:2)
Threatened? Promised, and I still wait for that to be fulfilled.
Cowboy analogy (Score:5, Funny)
After the flawed warfare analogy of the military, we now have a flawed cowboy analogy. How can these people be that shortsighted, everyone knows that the internet is like cars.
Re: (Score:2)
I'm confused. Wasn't it a set of tubes?
Very bad moment (Score:2)
You can get anything from 30 years [mmajunkie.com] to a century [vice.com] in jail for things that go into the hacking umbrella, even for things that traditionally you won't call attacking. And if you are outside the US, a drone [motherjones.com] could visit you.
This usually goes for attackers or people that exploit or just bump against a vulnerability in US government/institution sites, but even if you do it against an "evil" organization (and that it is not just an NSA/FBI cover operation or whatever) it could eventually be used against you.
More fun to just defend (Score:2)
There's nothing more frustrating as a black hat to hammer away at an apparently impenetrable and indifferent target.
Re: (Score:2)
Yep. About 12 years ago I was working for a small-ish company that really only relied on connectivity during business hours, and even then, if it went down, the lack of email was the only "big" concern, and was easily dealt with by picking up the phone.
Noticed one day at about 15 minutes before quitting time that someone was trying to break into our email server. I took great pleasure in simply unplugging the T1 from the router and going home for the night. Came in a little early the next day to get thin
Are you SURE it was that party? (Score:5, Insightful)
With the fact that compromised hosts are the first thing an intruder has between them and their target, how can one be sure that the host attacking them is malicious, or just a compromised box being used as a proxy or launching point for attacks?
If it was a compromised box, and it gets retaliated against, there might be a chance that the IDS/IPS system on the compromised network will log the back-strike, which can easily mean civil/criminal charges.
My take: Block them at the router for a couple days and go on. Trying to "counter-hack" can get one in a world of hurt.
Re: (Score:2)
Even operating systems have some provisions. Linux has the TARPIT option with iptables which will slow attacks down.
However, what I intended to mean by blocking at the router is if the attack was from one known IP. Of course, the attack would change sources if it is a real intruder.
Honeypots are the best matter of course. An attacker then not only has to deal with trying to get through the usual security measures... but then has to check the veracity of any data they receive. If they get ahold of a web
Put it in real life terms (Score:5, Insightful)
Someone breaks into your place of business, what are your rights? You can bar the door, obviously. You can physically intimidate them into leaving, sure. You can shoot them... well... if you're in danger and can't get away (or even if you can in some places)... and you have the right to own the gun you're shooting... and well, you better be able to explain yourself.
What you can't do is follow them home and smash their stuff. And you really, really can't start an international incident, that kind of thing is looked down upon.
Re: (Score:3)
And you also better be damn sure you're attacking the right person and not some poor company who has already had their own systems compromised. Most people are really bad detectives and just aren't qualified to determine who to hack back against. And usually your attacker doesn't have much of a footprint to attack. So while I support your right to actively defend yourself, don't be a Zimmerman and shoot some unarmed kid with a bag of candy in his pocket.
Re: (Score:2)
Hey, the trial is not over yet. And that "unarmed" kid DID do bodily injury to Zimmerman. I think I'll wait for the court and a jury to decide who provoked who and who was retaliating. I was not there, I doubt you were either, and neither of us knows all the evidence.
Re: (Score:2)
"You can shoot them... well... if you're in danger and can't get away (or even if you can in some places)."
Not sure how it works in the US, but in Canada which has far far less self defence laws, the specific law says you can do anything you need to do to get the intruder out immediately. Which would mean that the government would have to prove beyond a reasonable doubt that shooting the intruder did not speed up his removal from your property. I found it quite strange reading the Criminal Code; The right
Re: (Score:2)
I think everything is a matter of law in a court.
Insanity in a court is not insanity in the real world, it is a legal concept that is defined and interpreted very differently by a judge than by a physician. I would assume that "reasonableness" would be another word that is interpreted completely differently in a court setting, and like any legal definition the interpretation would be the judge's domain.
Re: (Score:2)
Me again,
And specifically, I think you might actually be wrong in part.
"preventing the other person from taking, damaging or destroying the property or from making it inoperative, or retaking the property from that person; and"
In Canada:
The criminal does not technically still have to be on your property, for you to defend your stolen property from him.
So if they stole something from you when they hacked your systems, and we consider hacking synonymous with breaking and entering. It definitely might be legal
Re: (Score:2)
In real life terms, what is a DDOS? Let's try a car analogy. Let's say it's like someone stealing a bunch of cars and driving them to your business and having them blare their horns. I think in this case I would feel justified opening all the hoods and unhooking the batteries, maybe even taking the keys to the car so that they could be returned to the rightful owner or at least not stolen again and made to honk incessantly. Which, back in digital (fake?) life, would be "hacking back" in my mind, and comple
vigilantism (Score:2)
Re: (Score:2)
You never have the option to take the law into your own hands.
never heard of a citizen's arrest? castle doctrine? stand your ground laws?
theoretically at least we are the government - by the people for the people.
oh man (Score:2)
How do we know they aren't already? (Score:2)
Most corporations have no problem creating phantom business units to hide profits and losses, inflate executive salaries, etc, etc.
How do we know they aren't doing the same thing with an eye towards creating "disposable" and nearly unconnected entities they can use/abandon/reuse to launch counter-attacks or reconnaissance missions against targets they think are attacking them?
Buy a handful of servers, hire some contractors to install and do basic setup on them in some leased colo space, lather, rinse, repea
Bang On Idea That . . . NOT ! (Score:2)
Okay, let's assume your a name is awesomeness in IT Security and Hacking; furthermore, let's assume that you:
Still sounds like a great way to end up dead. You never know who you're playing with.
Totally not a good idea (Score:2)
But, think if it was legal. That would be some fun to be had, until things got out of hand and such. At a certain point, it's more cost effective to send someone with a gun.
In Soviet Russia (Score:3)
In Soviet Russia, the government hacks you! In the United States however it's not hacking anymore, because the law says all channels are open for Big Brother, and hacking de-facto does not exist anymore. How about that?
Internet Castle Law (Score:3, Insightful)
What I find interesting is that people seem to equate a hack back with showing up at someone's house after they're long gone from your place and punching out their window in retribution.
As a sysadmin who has dealt with a number of compromised servers, here is where that analogy fails: I have NEVER seen a hack where the hacker just leaves after they gain access. They create backdoors to ensure that they have access to your network in the future, and will likely try to use your assets in future attacks.
To use the break-in analogy: Most hackers are STILL IN YOUR HOUSE.
Now, one can argue all day about whether it's a waste of resources to hack back, but back hack is certainly not equivalent to tracking someone down and throwing a brick through their window. In the vast majority of hacks I've personally encountered, a hack back would be active defense.
Re:Internet Castle Law (Score:4, Interesting)
Thing is, most of the "hack back" responses don't involve going after the hacker still in your system. They boil down to trying to figure out who the hacker is, where they live, and then going to that address and attacking whoever's there. Which of course raises such issues as "Did your attacker leave a false trail that would lead you to attack someone not involved in the attack on you?" and "What are you going to do if that uninvolved party decides to hack back themselves?". Few of the proponents of "hack back" seem willing to discuss those issues; they mostly brush them off as "That won't happen." When probed as to exactly what it won't and what'll keep it from happening, though, they start flailing badly rather than giving coherent answers. And none of them want to commit to accepting full legal liability if it does happen. If it won't happen, what's the problem with agreeing to accept a liability you'll never need to accept?
Just don't do it. (Score:5, Insightful)
Why? Not because of any failed cowboy analogy, or belief in how the wonderful rule of law will solve all of our problems for us, but for this one simple reason:
I don't trust you, or anybody, to be able to identify who is attacking you, or even to correctly determine if you are even being attacked at all. Do you need a car analogy? Giving people blanket authorization to strike back at their virtual attackers is like handing Dilbert's boss a rocket launcher and asking him to do something about the lack of available spaces in the office parking lot. If you believe that your network is being attacked and feel the need to strike back at the perpetrators, then please:
I can't promise you that this will _solve_ your problem, but it will give you some time to cool down, realize that your original reaction was based on faulty and incomplete evidence, and keep you busy for a few hours doing something useful instead of being part of the problem.
Valid big conclusion, useless article. (Score:4, Insightful)
While hacking back is generally a bad idea for a variety of reasons (such as, it's most likely an innocent user's computer being used as a bot), the article was a monstrosity of uselessness. An individual back hacking a Chinese government hacker isn't going to start cyber world war 3 and the entire notion that it would is stupid. The reasoning for why you don't back hack is completely invalid. It's simply a matter of not being worth it. Most attacks are going to happen through bots and wiping out the bots is just going to hurt innocents and possibly destroy evidence.
Re: (Score:2)
wiping out actual attacker machines is useless because they will be attacking from disposable VMs and such, unless you have a payload that will
a) root the guest OS
b) break out of the hypervisor
c) root the host OS
d) destroy valuable hardware components
you will be wasting time
Re: Valid big conclusion, useless article. (Score:2)
Yes, but most people are not going to take kindly to their system being attacked. If you can manage to just take out the bot software, then fine. If it hurts their system though you're probably looking at jail time.
Are you in the hacking business? (Score:2)
And BTW, how come we got hacked? Can we fix that hole please? I've got to tell the board in 20 minutes what happened and that it won't happen again.
We already had this argument. (Score:3)
And here's what I said last time. [slashdot.org]
Let's see if I can get +5 just for linking to a comment that got +5.
Want to hack back? (Score:2)
If you hack back, just remember to follow the 11th Commandment:
THOU SHALL NOT GET CAUGHT.
World governance (Score:2)
While I agree that eye for eye retaliation cannot work in a civilized society, I note the unfortunate proposal of a world governance.
World governance is often called as a way to kill any ability to do something in our lifetimes. We are now familiar with world finance governance to avoid crisis, and we know it will never happen.
Governance means there is Sovereignty. Sovereignty means there is People involved in a social pact. This is what a Nation is. There is no such World Nation. I do not have the solution
Re: (Score:2)
"World government" is doomed to fail. Not because the red tape would wrap up everything worthwhile, but simply due to human nature.
Take a look at the EU. It's not a union of European states. It's a conglomerate of states that try to find out how to rip off the others for their own goals.
If that's your goal for a world government, we have a world government already.
Why bother asking? (Score:2)
If your government demonstrated it is unable or unwilling to prosecute someone committing a crime towards you and you have the abilities, resources and willingness to commit the same crime, who would keep you from doing so? The government proved it won't.
Re:Well, sure (Score:5, Funny)
Re:Well, sure (Score:5, Funny)
And two Wrights make an airplane.
Re: (Score:2)
That means six lefts make an airplane.
and oddly enough takes you back the way you came.
Re:Well, sure (Score:4, Insightful)
And two rights make up what's left of the Constitution.
Re: (Score:3)
Be gone with your heathen argumentation. In the Book it said "go forth and multiply", not "go forth and add".
Re: (Score:3)
I was always under the impression that an eye for an eye implied some sort of responsibility on the perpetrator, not everyone else.
It's more of a statement of limited liability. A longer version of it would be "Ye have heard that it hath been said, an eye for an eye, and a tooth for a tooth. So if someone poketh thee in thine eye, thou don't get to kill every member of their family. Just poke them back and then knocketh it off. They didn't expect this kind of Spanish Inquisition, thou doth know."
Re: (Score:2)
"An eye for an eye, it was all that filled their minds
And another eye for another eye till everyone is blind."
Re: (Score:3, Funny)
Replacing one bad analogy with another isn't much better. An "eye for an eye" sought to limit the amount of revenge you were allowed to take. For instance, if someone put your eye out, you weren't entitled to burn down his house with his children in it and rape his wife.
Even in America, that right is reserved for the Feds.
In modern philosophy, the whole concept has been replaced with the idea that you should love the people who are destined to burn in hell forever.
dammit, why can't i ever NOT be s
Re: (Score:2)
Hans plays with Lotte, Lotte plays with Jane
Jane plays with Willi, Willi is happy again
Suki plays with Leo, Sacha plays with Britt
Adolf builds a bonfire, Enrico plays with it
--- Peter Gabriel, Games without frontiers