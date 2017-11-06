

 


Should Private Companies Be Allowed To Hit Back At Hackers? (vice.com) 16

Posted by BeauHD from the revenge-hacking dept.
An anonymous reader quotes a report from Motherboard: The former director of the NSA and the U.S. military's cybersecurity branch doesn't believe private companies should be allowed to hit back at hackers. "If it starts a war, you can't have companies starting a war. That's an inherently governmental responsibility, and plus the chances of a company getting it wrong are fairly high," Alexander said during a meeting with a small group of reporters on Monday. During a keynote he gave at a cybersecurity conference in Manhattan, Alexander hit back at defenders of the extremely common, although rarely discussed or acknowledged, practice of revenge hacking, or hack back. During his talk, Alexander said that no company, especially those attacked by nation state hackers, should ever be allowed to try to retaliate on its own.

Using the example of Sony, which was famously hacked by North Korea in late 2014, Alexander said that if Sony had gone after the hackers, it might have prompted them to throw artillery into South Korea once they saw someone attacking them back. "We can give Sony six guys from my old place there," he said, presumably referring to the NSA, "and they'd beat up North Korea like red-headed stepchild -- no pun intended." But that's not a good idea because it could escalate a conflict, and "that's an inherently governmental responsibility. So if Sony can't defend it, the government has to." Instead, Keith argued that the U.S. government should be able to not only hit back at hackers -- as it already does -- but should also have more powers and responsibilities when it comes to stopping hackers before they even get in. Private companies should share more data with the U.S. government to prevent breaches, he said.

  • No, not unless regular people are allowed to do the same.

  • Terrible idea. (Score:4, Interesting)

    by Lordpidey ( 942444 ) on Monday November 06, 2017 @07:09PM (#55503005) Homepage
    One of the most BASIC things to do in hacking, is cover your traces by making it LOOK like you're someone else.

    So, naturally the best way to harm corporation X, would be to hack corporation Y, but leave lots of evidence that it was corporation X, thus causing Y to attack X.

    • Also add to the fact that a lot of people are - to put it bluntly - stupid, and will probably misinterpret the source of an attack, launching a counterattack against an uninvolved 3rd party.

  • Absolutely! We can treat this as an assault, in that the aggressor loses the legal ground and the victim has a reasonable defense. Even when the defense is an offensive response.

    • You of course are forgetting that many hacks involve breaching someone else to use as a stepping stone, or misdirection like DDOS floods from innocent 3rd parties via reflection amplification attacks. Both of which would only allow the retaliating company to strike at people who are also being victimized.

      Terrible idea.

  • ..you can't have companies starting a war. That's an inherently governmental responsibility, and plus the chances of a company getting it wrong are fairly high

    s/responsibility/profit center/

  • Oh hell no (Score:3)

    by mhkohne ( 3854 ) on Monday November 06, 2017 @07:14PM (#55503025) Homepage

    These guys can't secure their servers in the most basic ways, and they want to be allowed to do their own target id (I'm supposed to believe they won't screw that up?) and then take offensive action?

    They'll attack the right target perhaps 1 out of 20 events. They'll attack someone at random every so often and then say 'whoops! We screwed up! Sorry!'.

    No, these corporate bozos are not the people we want dealing with such threats.

  • The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

  • Hell No! (Score:3)

    by jwhyche ( 6192 ) on Monday November 06, 2017 @07:15PM (#55503031) Homepage

    No company should ever be allowed to take the law into its own hands. Their response to any such issue should be to close the holes and repair the damage. Let law enforcement handle the rest.

    That is unless we want a ShadowRun type society where corporations can field their own private police forces and armies. But if this came to pass I doubt we would get the magic that came with it.

  • I practice the art of counter hacking on occasion but do it comfortably behind a slew of different proxies or remote shell accounts that are not registered directly to my employer. That way my employer maintains plausible deniability and cannot be held accountable for anything I do. However, I do have an unspoken agreement with upper management that I am allowed the latitude required to mitigate any and all attacks possible. So if that means knocking off sites with enormous packet floods or even exploiting t

  • In the same sentence? From the guy who perjured himself in congress? Hackback is a bad idea for those who might get the wrong target, sure. But the crowd that gets our guys, as well as guilty and innocent around the world killed and maimed for obscure ends in the pursuit of the petrodollar...shouldn't be doing that either. Just fix your bugs and holes and let it all bounce off. You need to do that anyway.
  • What is this, the laziest application of Betteridge's law of headlines in /. history? Of course not. Vigilantism is _never_ a good idea. It takes years of training and constant surveillance to apply force and violence even as evenly as police do and let's face it, they screw it up all the time. You want some random yahoo who's probably mad as hell their servers just got DDOS'd doing it?

    • Re: (Score:2)

      by sconeu ( 64226 )

      Vigilantism is _never_ a good idea.

      Unless you wear a cool suit with a cowl shaped like bat-ears and a cape... and use lots of cool tech.

  • They should be required to follow the law as any individual would be required. The last thing we need is for businesses to be above the law or rather to have laws applied differently to businesses than they are to individuals. If businesses can hit back then individuals suffering attacks should be able to hit back too.

  • Aren't there documented incidents of retaliation against hackers harming innocent third party internet businesses? That's why we let law enforcement hand out consequences instead of engaging in vigilante justice. (That being said the guys who chased after the Texas church shooter are awesome!)

