
Hacktivists, Tech Giants Protest Georgia's 'Hack-Back' Bill (threatpost.com)

lod123 shares a report from Threatpost: As Georgia Governor Nathan Deal considers whether to sign a controversial piece of legislation that would allow companies to 'hack back' with offensive initiatives in the face of a cyberattack, companies from across the tech spectrum are lining up to protest the measure. Also, a hacktivist group has targeted Georgia Southern University, two restaurants and a church to protest the bill. Opponents have twin beefs when it comes to Senate Bill 315: Some are questioning whether legitimizing offensive attacks will open the door to a new kind of corporate warfare; and others are concerned that the law will have a chilling effect on cyber-research by criminalizing white-hat activity like vulnerability research and pen-testing.

Google and Microsoft are in the former camp, and have asked Deal to veto the bill, which was passed by the Georgia General Assembly in March and which is nearing its deadline for signing into law. The two giants take issue with a provision in the bill that allows "active defense measures that are designed to prevent or detect unauthorized computer access." In a letter to the governor, the two argued that S.B. 315 "will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions," and that "provisions such as this could easily lead to abuse and be deployed for anti-competitive, not protective purposes." They added: "On its face, this provision broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity... [B]efore Georgia endorses the 'hack back' authority in 'defense' or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy."
Tripwire also filed a letter with the governor's office: "[A]ccording to the wording of S.B. 315, well-intentioned ('white-hat') researchers could be subject to civil or criminal prosecution when following industry best practices in investigating a website for protection from a potential cyber-attack. It is our firm belief that an explicit exception is required to exclude prosecution when the party in question is acting in good-faith to protect a business or their customers from attack. Without this exclusion, S.B. 315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses."
  • An IP will be discovered.
    An IP that can only be connected to one user and their desktop computer.
    Follow the IP back and discover one user with a modem in front of their desktop computer.
    Every IP is only ever given to one user in front of their computer by an ISP. The ISP IP can only end with a modem.
    So every IP can only be a direct connection to one person's desktop computer connected to their modem.
    Once that IP is discovered in the wild follow the IP back to the user's computer.
    Stop that user's deskto
  • myopic (Score:5, Informative)

    by Virtucon ( 127420 ) on Wednesday May 02, 2018 @09:36PM (#56544762)

    another example of why we need to have informed legislators in gov't. This won't solve anything but to allow companies to attack proxied hosts who have either been compromised themselves or are sitting in public clouds. The latter is the bigger issue which cloud providers struggle with. It may also be true that companies that avail themselves of fighting back may themselves be targets for violation of US Federal law where it comes to illegal computer access.

  • by thomst ( 1640045 ) on Wednesday May 02, 2018 @09:40PM (#56544770) Homepage

    ... that this Georgia statute-in-waiting could potentially be held to be superseded by 18 U.S. Code 1030 (the section added by the Computer Fraud and Abuse Act of 1986).

    CFAA specifically covers unauthorized access to U.S. government computers and computers belonging to or containing information belonging to a "financial organization" - although that definition, in practice, has been considerably stretched by charges brought in a number of criminal cases [wikipedia.org]. That broadening of its applicability could, I suspect, theoretically cause an appeal of any conviction under the yet-to-be-enacted Georgia law to be upheld on grounds that it represents an unwarranted overreach by Georgia.

    OTOH, IANAL, and how Federal courts might react is going to be guesswork on anybody's part (including actual lawyers, and people who play them on TV), until it's both signed into law and challenged at the Federal level ...

  • ... visit Georgia.

  • by Anonymous Coward

    So, I spoof the source address of a port scan against a bunch of Georgian companies with some innocent victim's address, and being "attacked" they attack the innocent victim.

    Popcorn time.

    Maybe call it cyber swatting :)

  • by argumentsockpuppet ( 4374943 ) on Wednesday May 02, 2018 @11:32PM (#56545028)

    Someone willing to break the law can knock innocent businesses and individuals off of the internet with practically zero fear of getting caught or stopped. That's the state of the internet right now. Truly fixing that situation is impossible without a degree of frightening fascism that would be the end of the internet as we know it. I'd love to see a world where there weren't millions of stupidly insecure devices connected to the internet, not to mention the hundreds of thousands of devices with reasonable security still managing to have vulnerabilities that haven't been patched yet. Without a single country controlling what is allowed to connect to the internet (a bad idea,) it's not a solvable problem.

    People think that securing your own systems is sufficient to protect your company, but it isn't. In order to protect your business from malicious activity you need control of the fabric outside of your company. A typical small company can't protect the ISP routers that connect them to the internet, and so can't protect themselves against a DDOS. How many hops are between your customer and your website? Unless you're running your website through CloudFront, Azure, or Google, you won't have the resources to absorb the attack without losing business. I remember watching Microsoft get DDOS'd off of the internet, and Google. Even Amazon has had outages, so no matter what you do, your website isn't bulletproof.

    The internet gives freedom, enormous freedom, to people, but it's disproportionate. Malicious attackers who don't have to follow the law have more power than people and companies required to do things legally. Bringing balance to that equation, by allowing victims to fight back, could have huge repercussions. They could be great or terrible, but I believe most organizations and people would do less harm than the current law breakers, if they had the freedom to fight back.

    I understand the arguments against legalizing fighting back, but honestly the "innocent" people likely to be harmed are the people who were negligent in securing their own equipment. I have a hard time feeling bad for those people.

    Some ISP is going to have routers with insecure firmware. Those routers are going to be roped into a DDOS attack that takes some sleazy spamming company's website down and the spammer company is going to kill thousands of innocent consumer routers, who couldn't have secured their routers even if they'd been interested in security and knowledgeable of their options. But what's the result of that?

    It's evolution. The free market can solve this problem, but not if the government is so focused on protecting innocents that they protect the law breakers at the expense of those who have to follow the law. The criminals have freedom. I am in favor of giving law abiding people a limited subset of that freedom.

    I can argue either side of this argument, but I choose this side to represent. See my user ID.

    • by AmiMoJo ( 196126 )

      I'd love to see a world where there weren't millions of stupidly insecure devices connected to the internet

      It's an impossible dream and probably wouldn't help, I'm afraid.

      We need to re-engineer the network to distrust the clients. Most of early protocols were built on trust, e.g. DNS wouldn't lie to you, return IP addresses were genuine and all requests made in good faith. That legacy is slowly being undone.

      • Spam filtering rules/systems often distrust client IPs already. However a DDoS is a horse of a different color. DDoS typically uses protocols which the clients would use, as such the differences between a DDoS and the "Slashdot Effect" are likely indistinguishable from the ISP's perspective. And without digging heavily into packet captures, one would have a hard time distinguishing between them on the victim's side as well. The main difference being whether there was an increase or decrease in revenue around
  • Weirdly Written (Score:4, Insightful)

    by rtb61 ( 674572 ) on Wednesday May 02, 2018 @11:44PM (#56545056) Homepage

    The law itself looks as strange as. I did not know it could be considered a criminal offence to disclose a password, seriously, what twit put that in there. Freedom of speech means you are fully entitled to release passwords, not necessarily keep your job, but certainly claims of a criminal offence are insane. Also you can only access a computer for business purposes, like WTF, social media not allowed, workers' social contacts a criminal offence. Let alone an empty 'active defence measures' without defining what active defence measures are and what are acceptable and what are not, and clearly the law is tied to one state. No matter how nuts they try to get with location of the crime, tying it to the residence of the business, regardless of the location of the attack, apparently anywhere in the world, or the source of the attack anywhere in the world, but it only refers to counties and not states or nations.

    You can claim legal whatever you want in whatever crazy state of the US but it will get interesting when it affects other states and countries and whose law applies when, regardless of silly claims about the residence of the owner of the network and ignoring location of the network under attack and or the location of the attacking network.

    • It refers to counties because it is a State law defining, among other things, which county will have jurisdiction. If you're in Minnesota, and you hack into a network in Fulton county (much of Atlanta), then the Fulton county sheriff's department will be the one to charge you and file for extradition.

      And no, releasing passwords is not a free speech issue. If I stole your email password and posted it here, would you say, "well, that's your right"? Let's assume that I know you're on vacation and won't b

    • by jbdigriz ( 8030 )

      A lot of the idiosyncratic weirdness is due to the fallout from the Kennesaw incident with the state's voter registration system last year. Among other things, election worker passwords were publicly available. Lawsuits are still in motion, I believe, including one against the SOS, I think. The bill in a lot of respects is an attempt to close the barn door after the horses left a different barn altogether. WABE has a good timeline here:

      https://www.wabe.org/two-georg... [wabe.org]

      Politico has some good info as well her

  • by Anonymous Coward

    If you're a supposed "White hat hacker" doing "research" then "best practices" or what I might call "common courtesy" might be that you notify a company of your intentions so as to not raise "undue alarm".

    If your intentions are pure then being rebuffed may be disappointing but not alarming or really negative. And with the proper approach you may find that a lot of companies won't mind provided you're doing it for no charge, won't publish their names and give them an early viewing of your findings before publi

    • Of course this is a fairy tale. Supposed "white hat hackers" are in it for the money (or fame leading to money) and if they happen to find a vulnerability in a "big name" company (for sufficiently large values of "big") I have no doubt they'll exploit that knowledge for their better outcome not the target.

      You have no doubt of it because you're the kind of cunt who would do that. You shouldn't project your own values onto other people, though.

      I haven't "hacked" anything in well over a decade, but back when I was interested in that stuff I would regularly run scans for common vulnerabilities and then send anonymized email to the administrators of vulnerable hosts letting them know what I found. Did I sniff around their networks a bit first? Sure. Did I ever blackmail anyone or use their resources to get "f

  • Once upon a time, I used to reach out to US-based hosting providers that spammers used. In the unlikely event I received a response back, it was to inform me they won't do anything about Canadian Pharmacy websites unless you can prove that they sent that spam email--being a mere beneficiary of spam is not enough. It took being one of the world's largest spamming operations for McColo to be shut down, and it was done by the upstream service providers. Feds don't have time for this. I propose we take a page f

  • Thus this state law is not legal, and the power for authorizing this sort of behavior falls to the Federal Government.

    Unless the bill explicitly states that it works only within the state's borders and where all entities involved are within said jurisdiction, this will get struck down on any reasonable challenge.

    • Read the bill. It's short. It defines "unauthorized computer access", four kinds of access that don't count (including "cybersecurity active defense measures"), and which county will have jurisdiction.
    • What about foreign powers? Forget fighting back against Texas, Florida, and Maine, there is also the rest of the world to worry about. What if this leads to an international incident and World War III?

      One has to wonder what usefulness of this bill would be if limited to within the state's boundaries. Is there a remote possibility that the increased amount of hacking attempts resulting from botnet infections would improve the security situation and thus harden Georgia's infrastructure from outside attack,
  • If this becomes law, it gets fairly easy to eliminate the competition. Here's how:

    1. Find out IP address(es) belonging to your competitor.
    2. Find a company that uses "offensive security" to defend itself.
    3. Spoof the IP of the rival from 1. and attack the company from 2.
    4. Watch rival go down in flames from the counter attack.

    • by dkman ( 863999 )

      Step 1: hack into Georgia's power grid
      Step 2: attack networks
      Step 3: those networks attack back, taking down Georgia's power grid
      Step 4: hilarity ensues

      • I was proposing a fun game, but you had to take it way out of proportion.

        That's what you do when they don't get smart after the first few demos. Didn't you see your Batman, you don't start with the face, the victim doesn't feel anything afterwards anymore.

  • I am a network admin in the Atlanta area. If this passes, what should I do?

    What sort of " Cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access" would you consider?

    If you could legally strike back at attackers, would you? How would you do it?

    • It is not clear that DDoS is allowed, as DDoS is not detection, nor is it entirely unauthorized access. This does appear to legally allow a third party entity access to another party's entire network and data for the purposes of remediating an infection or stopping an attack.
  • CEO: we were recently hacked and our customer data was exposed to the world due to our terrible security practices, so we hacked back and DDoS'ed the attackers website!
    Media: that sounds scintillating enough for a front page story, what happened next?
    CEO: We're being sued by a hosting provider for the DDOS, and the hackers managed to switch my wife's insulin order with carfentanil, killing her instantly. But hey! hacking back right?
  • Reading the current wording of the bill, SB315, it states that access without authority is illegal, except when actively attempting to detect and/or prevent unauthorized access.

    Basically it is saying that a third party can access your network without authorization to shut down a PC infected with malware (i.e. a botnet), or trace the malware back to the point of origin.
    • Basically it is saying ...

      No, you can't do that with the law!

      Instead, try for "the maximum that a creative lawyer could stretch this to mean..." and then double it.

      • "Active" means doing something. It is not just reactive, it is active. It means taking preventative measures. Pre-emptive strikes are a defensive measure. Weaken the opponent to reduce their offensive capacity.

        Unauthorized access is plain and clear. There is an exception where a third party can take action, "for defensive purposes", to gain unauthorized access to a "suspect" system.

        This is the cybersecurity equivalent of "probable cause", and there is no limitation of it to law enforcement entities onl
  • This bears the seeds of Gibson's dystopian vision of never-ending corporate cyber-warfare. Hard to see how companies could resist using this as a pretext for gaining commercial advantage.

  • So people are making a huge deal out of this but the reality is, no matter what Georgia state authorizes in terms of retaliatory action, etc, most attacks originate from outside of the state or outside of the country and if a company launched a retaliatory attack across state lines or even country boundaries it would be in federal jurisdiction not state, so this bill would be a moot point.
