Hacktivists, Tech Giants Protest Georgia's 'Hack-Back' Bill (threatpost.com)
lod123 shares a report from Threatpost: As Georgia Governor Nathan Deal considers whether to sign a controversial piece of legislation that would allow companies to 'hack back' with offensive initiatives in the face of a cyberattack, companies from across the tech spectrum are lining up to protest the measure. Also, a hacktivist group has targeted Georgia Southern University, two restaurants and a church to protest the bill. Opponents have twin beefs when it comes to Senate Bill 315: Some are questioning whether legitimizing offensive attacks will open the door to a new kind of corporate warfare; and others are concerned that the law will have a chilling effect on cyber-research by criminalizing white-hat activity like vulnerability research and pen-testing.
Google and Microsoft are in the former camp, and have asked Deal to veto the bill, which was passed by the Georgia General Assembly in March and which is nearing its deadline for signing into law. The two giants take issue with a provision in the bill that allows "active defense measures that are designed to prevent or detect unauthorized computer access." In a letter to the governor, the two argued that S.B. 315 "will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions," and that "provisions such as this could easily lead to abuse and be deployed for anti-competitive, not protective purposes." They added: "On its face, this provision broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity... [B]efore Georgia endorses the 'hack back' authority in 'defense' or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy." Tripwire also filed a letter with the governor's office: "[A]ccording to the wording of S.B. 315, well-intentioned ('white-hat') researchers could be subject to civil or criminal prosecution when following industry best practices in investigating a website for protection from a potential cyber-attack. It is our firm belief that an explicit exception is required to exclude prosecution when the party in question is acting in good-faith to protect a business or their customers from attack. Without this exclusion, S.B. 315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses."
Re: Self defense isn't a 'wrong'. (Score:1)
There's a massive difference between self defence of yourself and your property, and state sanctioned offensive cyber attacks. I realise you have an agenda, but honestly, this is less akin to a reaction to an attack and more like you being able to randomly attack anyone you want because, as the bill shows, you don't need to prove you were under threat to begin with. How would you feel if you weren't the attacker, but the attacked? How would your business feel if a big rival took action against your systems, without du
Re: (Score:1)
Obviously Georgia's answer is that you, the victim, should stop feeling sorry for yourself and go on the offensive.
How is this even a serious proposal?? If you have the resources to "hack back" how is it you don't have the resources to protect your network in the first place?
A more reasonable law would be something like... Build a great firewall of Georgia, and make the Russians pay for it!!
Re: (Score:1)
Mr. Kemp would tell you "make the DNC and a former administration pay for it." ;-)
Look, Georgia Code 16-9-93, which SB 315 modifies, like a far greater percentage of Georgia law than anyone cares to admit, is completely boneheaded to start with. (Not that US law is really any better, and in some cases much worse.) Computer security by fiat is a totally asinine concept. It exists simply to pass the buck for suits and good ol' boys, (sigh, yes, of all genders, races, ethnicities, creeds, etc, not just the Son
Re: Self defense isn't a 'wrong'. (Score:4, Insightful)
This bill is essentially having you walk through a crowded square, blindfolded, and if someone grabs your butt you're allowed to pull out a pair of uzis and start firing at random.
Yes, I feel that is an accurate description of hacking back against a network of zombie machines owned, often unwittingly, by innocent people around the world.
Re: (Score:2)
Back in the 90s I hacked someone back.
I noticed that the lights on my modem flickered about once every 5 seconds, despite me not generating any traffic. I checked the logs and saw someone was sending ICMP pings, which were bouncing harmlessly off the firewall. I wanted them to stop doing it anyway for some reason...
So I tried to telnet to the source IP address, and it worked. I found myself with a prompt and no idea what I was talking to. Tried a few random commands like HELP and LS, but none worked. Eventu
Re: (Score:1)
This bill is essentially having you walk through a crowded square, blindfolded, and if someone grabs your butt you're allowed to pull out a pair of uzis and start firing at random.
Reckless endangerment and possible manslaughter for what might even have been accidental, nope, not warranted. Now if someone tries to pen-test your butt, I hope that you can discriminate the real offender and that you have good aim. :-)
Yes, I feel that is an accurate description of hacking back against a network of zombie machines owned, often unwittingly, by innocent people around the world.
Oh, I do get your point, but I think the real problem if this bill is signed is that it will be used as cover for deliberate network abuse and break-ins under merely the pretext of "active defense". "Oh, excuse me, I dropped my cell and grabbed your butt trying to catch it."
Re: Self defense isn't a 'wrong'. (Score:1)
Actually, if it were "perfectly" sensible, then there wouldn't be a non-zero number of innocents killed in self-defense incidents
Retarded argument is retarded.
"Hurrr durrr if fighting back against Nazis in WW2 were sensible then there wouldn't have been a non-zero number of innocent civilians killed"
Re: Self defense isn't a 'wrong'. (Score:1)
Retarded argument is retarded.
Fallacious rebuttal is fallacious.
"Hurrr durrr if fighting back against Nazis in WW2 were sensible then there wouldn't have been a non-zero number of innocent civilians killed"
Quick fulfilment of Godwin's law, eh? But actually, yes, the practice of war-making is yet another example of abusiveness rearing its ugly head, showing why it is not perfectly sensible as well.
Interesting that you left out that key modifier though, did you just not realize how that adjective renders the claim faulty?
It matters. So does how warmongering defends itself by claiming persecution as the Nazis did (and Japan and Italy), and as how the Allies, both American, UK
Re: Self defense isn't a 'wrong'. (Score:2)
Interesting that you left out that key modifier though, did you just not realize how that adjective renders the claim faulty?
It's a useless adjective; there's no such thing as perfection. I was being charitable and assuming you had included it by accident. If you're actually concerned with perfection then you are a far sillier man than I had thought.
Re: (Score:2)
What the hell are you talking about? Stop projecting so much.
Of course it can be used by anybody in a "stand your ground" situation.
Re: Because in Georgia... (Score:3, Interesting)
As for whether or not they've succeeded... we shall leave that as an exercise for the reader. ;)
Re: (Score:1)
We can maybe pin that down a little more. The Secretary of State suffered considerable embarrassment last year after the Kennesaw State "incident" wherein more than one un-contracted security researcher reported non-earthshaking problems with web-facing systems having to do with the State's voter registration system, which only got reported to him after the press got hold of it. We can't really blame the KSU people for keeping it under their hat, given the way the guy in Kemp's office who earlier accidental
Re: (Score:1)
Sorry, got distracted and didn't catch some bad html cut'n'paste while editing. Ms. Smith's article's URL:
https://www.csoonline.com/arti... [csoonline.com]
Re: (Score:2)
You know where this is going to end up. Hackers will attack one retaliatory strike capability network using systems from either another innocent network or one also with retaliatory strike capability, then sit back and watch the fireworks. Or even get a network to attack itself, like the elite newbie hacker who, on a chat forum, used his elite coding skillz to remotely reformat the disk drives of the system at 127.0.0.1
What is expected (Score:2)
An ip that can only be connected to one user and their desktop computer.
Follow the ip back and discover one user with a modem in front of their desktop computer.
Every ip is only ever given to one user in front of their computer by an ISP. The ISP ip can only end with a modem.
So every ip can only be a direct connection to one person's desktop computer connected to their modem.
Once that ip is discovered in the wild, follow the ip back to the user's computer.
Stop that users deskto
Re:What is expected (Score:5, Informative)
Or more likely, the IP is part of an outbound load balancing proxy with a bunch of AWS servers sitting behind it.
Re: (Score:2)
You really think so? What happens when the IP belongs to a business that provides free WiFi to their customers?
Re: (Score:2)
Re: (Score:2)
Or the internet cafe a couple of floors below the dude using a laptop with wi-fi in a New York apartment?
The only thing that can stop a bad guy hacking (Score:2)
Re: (Score:2)
This applies if the government is doing it too, right?
myopic (Score:5, Informative)
Another example of why we need to have informed legislators in gov't. This won't solve anything but to allow companies to attack proxied hosts who have either been compromised themselves or are sitting in public clouds. The latter is the bigger issue which cloud providers struggle with. It may also be true that companies that avail themselves of fighting back may themselves be targets for violation of US Federal law where it comes to illegal computer access.
Re: (Score:2)
Brianna Wu is standing and seems pretty tech savvy.
It seems to me ... (Score:3)
... that this Georgia statute-in-waiting could potentially be held to be superseded by 18 U.S. Code 1030 (the section added by the Computer Fraud and Abuse Act of 1986).
CFAA specifically covers unauthorized access to U.S. government computers and computers belonging to or containing information belonging to a "financial organization" - although that definition, in practice, has been considerably stretched by charges brought in a number of criminal cases [wikipedia.org]. That broadening of its applicability could, I suspect, theoretically cause an appeal of any conviction under the yet-to-be-enacted Georgia law to be upheld on grounds that it represents an unwarranted overreach by Georgia.
OTOH, IANAL, and how Federal courts might react is going to be guesswork on anybody's part (including actual lawyers, and people who play them on TV), until it's both signed into law and challenged at the Federal level ...
The Hatfields and McCoys ... (Score:2)
Swatting v2.0 (Score:1)
So, I spoof the source address of a port scan against a bunch of Georgian companies with some innocent victim's address, and being "attacked" they attack the innocent victim.
Popcorn time.
Maybe call it cyber swatting :)
Kinda want to see it (Score:4, Insightful)
Someone willing to break the law can knock innocent businesses and individuals off of the internet with practically zero fear of getting caught or stopped. That's the state of the internet right now. Truly fixing that situation is impossible without a degree of frightening fascism that would be the end of the internet as we know it. I'd love to see a world where there weren't millions of stupidly insecure devices connected to the internet, not to mention the hundreds of thousands of devices with reasonable security still managing to have vulnerabilities that haven't been patched yet. Without a single country controlling what is allowed to connect to the internet (a bad idea,) it's not a solvable problem.
People think that securing your own systems is sufficient to protect your company, but it isn't. In order to protect your business from malicious activity you need control of the fabric outside of your company. A typical small company can't protect the ISP routers that connect them to the internet, and so can't protect themselves against a DDOS. How many hops are between your customer and your website? Unless you're running your website through CloudFront, Azure, or Google; you won't have the resources to absorb the attack without losing business. I remember watching Microsoft get DDOS'd off of the internet, and Google. Even Amazon has had outages, so no matter what you do, your website isn't bulletproof.
The internet gives freedom, enormous freedom, to people, but it's disproportionate. Malicious attackers who don't have to follow the law have more power than people and companies required to do things legally. Bringing balance to that equation, by allowing victims to fight back, could have huge repercussions. They could be great or terrible, but I believe most organizations and people would do less harm than the current law breakers, if they had the freedom to fight back.
I understand the arguments against legalizing fighting back, but honestly the "innocent" people likely to be harmed are the people who were negligent in securing their own equipment. I have a hard time feeling bad for those people.
Some ISP is going to have routers with insecure firmware. Those routers are going to be roped into a DDOS attack that takes some sleazy spamming company's website down and the spammer company is going to kill thousands of innocent consumer routers, whose owners couldn't have secured their routers even if they'd been interested in security and knowledgeable of their options. But what's the result of that?
It's evolution. The free market can solve this problem, but not if the government is so focused on protecting innocents that they protect the law breakers at the expense of those who have to follow the law. The criminals have freedom. I am in favor of giving law abiding people a limited subset of that freedom.
I can argue either side of this argument, but I choose this side to represent. See my user ID.
Re: (Score:2)
I'd love to see a world where there weren't millions of stupidly insecure devices connected to the internet
It's an impossible dream and probably wouldn't help, I'm afraid.
We need to re-engineer the network to distrust the clients. Most of the early protocols were built on trust, e.g. DNS wouldn't lie to you, return IP addresses were genuine and all requests were made in good faith. That legacy is slowly being undone.
Re: (Score:2)
Weirdly Written (Score:4, Insightful)
The law itself looks as strange as. I did not know it could be considered a criminal offence to disclose a password; seriously, what twit put that in there? Freedom of speech means you are fully entitled to release passwords, not necessarily keep your job, but certainly claims of a criminal offence are insane. Also you can only access a computer for business purposes, like WTF, social media not allowed, workers' social contacts a criminal offence. Let alone an empty 'active defence measures' without defining what active defence measures are and what are acceptable and what are not, and clearly the law is tied to one state. No matter how nuts they try to get with the location of the crime, tying it to the residence of the business, regardless of the location of the attack, apparently anywhere in the world, or the source of the attack, anywhere in the world, it only refers to counties and not states or nations.
You can claim legal whatever you want in whatever crazy state of the US, but it will get interesting when it affects other states and countries and whose law applies when, regardless of silly claims about the residence of the owner of the network and ignoring the location of the network under attack and/or the location of the attacking network.
Re: (Score:2)
And no, releasing passwords is not a free speech issue. If I stole your email password and posted it here, would you say, "well, that's your right"? Let's assume that I know you're on vacation and won't b
Re: (Score:1)
A lot of the idiosyncratic weirdness is due to the fallout from the Kennesaw incident with the state's voter registration system last year. Among other things, election worker passwords were publicly available. Lawsuits are still in motion, I believe, including one against the SOS, I think. The bill in a lot of respects is an attempt to close the barn door after the horses left a different barn altogether. WABE has a good timeline here:
https://www.wabe.org/two-georg... [wabe.org]
Politico has some good info as well her
"White hat hacker" bullshit must end (Score:1)
If you're a supposed "White hat hacker" doing "research" then "best practices" or what I might call "common courtesy" might be that you notify a company of your intentions so as to not raise "undue alarm".
If your intentions are pure then being rebuffed may be disappointing but not alarming or really negative. And with the proper approach you may find that a lot of companies won't mind provided you're doing it for no charge, won't publish their names and give them an early viewing of your findings before publi
Re: "White hat hacker" bullshit must end (Score:3)
Of course this is a fairy tale. Supposed "white hat hackers" are in it for the money (or fame leading to money) and if they happen to find a vulnerability in a "big name" company (for sufficiently large values of "big") I have no doubt they'll exploit that knowledge for their better outcome not the target.
You have no doubt of it because you're the kind of cunt who would do that. You shouldn't project your own values onto other people, though.
I haven't "hacked" anything in well over a decade, but back when I was interested in that stuff I would regularly run scans for common vulnerabilities and then send anonymized email to the administrators of vulnerable hosts letting them know what I found. Did I sniff around their networks a bit first? Sure. Did I ever blackmail anyone or use their resources to get "f
Letter of Marque and Reprisal? (Score:2)
Once upon a time, I used to reach out to US-based hosting providers that spammers used. In the unlikely event I received a response back, it was to inform me they won't do anything about Canadian Pharmacy websites unless you can prove that they sent that spam email--being a mere beneficiary of spam is not enough. It took being one of the world's largest spamming operations for McColo to be shut down, and it was done by the upstream service providers. Feds don't have time for this. I propose we take a page f
This is interstate commerce nature in true form (Score:2)
Thus this state law is not legal, and the power for authorizing this sort of behavior falls to the Federal Government.
Unless the bill explicitly states that it works only within the state's borders and where all entities involved are within said jurisdiction, this will get struck down on any reasonable challenge.
Re: (Score:2)
Re: (Score:2)
One has to wonder what usefulness of this bill would be if limited to within the state's boundaries. Is there a remote possibility that the increased amount of hacking attempts resulting from botnet infections would improve the security situation and thus harden Georgia's infrastructure from outside attack,
Please allow this to fly (Score:2)
If this becomes law, it gets fairly easy to eliminate the competition. Here's how:
1. Find out IP address(es) belonging to your competitor.
2. Find a company that uses "offensive security" to defend itself.
3. Spoof the IP of the rival from 1. and attack the company from 2.
4. Watch rival go down in flames from the counter attack.
Re: (Score:2)
Step 1: hack into Georgia's power grid
Step 2: attack networks
Step 3: those networks attack back, taking down Georgia's power grid
Step 4: hilarity ensues
Re: (Score:2)
I was proposing a fun game, but you had to take it way out of proportion.
That's what you do when they don't get smart after the first few demos. Didn't you see your Batman, you don't start with the face, the victim doesn't feel anything afterwards anymore.
What would you do if you were in my place? (GA) (Score:2)
What sort of "Cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access" would you consider?
If you could legally strike back at attackers, would you? How would you do it?
Re: (Score:2)
Re: (Score:2)
Not DDoS, but investigative hacking. (Score:2)
Basically it is saying that a third party can access your network without authorization to shut down a PC infected with malware (ie. a botnet), or trace the malware back to the point of origin.
Re: (Score:2)
Basically it is saying ...
No, you can't do that with the law!
Instead, try for "the maximum that a creative lawyer could stretch this to mean..." and then double it.
Re: Not DDoS, but investigative hacking. (Score:2)
Unauthorized access is plain and clear. There is an exception where a third party can take action, "for defensive purposes", to gain unauthorized access to a "suspect" system.
This is the cybersecurity equivalent of "probable cause", and there is no limitation of it to law enforcement entities onl
Re: Law crafted to stop embarrassment (Score:2)
William Gibson was prescient. Again. (Score:2)
This bears the seeds of Gibson's dystopian vision of never-ending corporate cyber-warfare. Hard to see how companies could resist using this as a pretext for gaining commercial advantage.
hacking across state lines is federal jurisdiction (Score:1)