CNN Asks "Can You Hack Back?"
dboothe writes: "CNN.COM has a somewhat interesting article on whether or not it is okay to fight back when being hacked. In the scenario they bring up with the WTO website, it seems pretty clear that they likely should have steered clear, working on the probable assumption that the IP address used was just a dummy machine that had been cracked previously. But what about other situations where it's more of a grey area?"
This is a moot point. Any cracker worth their salt is going to be behind so many machines that attacking back will be impossible without some for-real research and tracking. Just my $0.02.
Have a Happy.
If you have an automated defense system, I don't see how that is "taking the law into your own hands"; you are just protecting your system against intruders and ensuring they won't come back. If you wait a while and then go after their server, that seems more like revenge IMHO.
Theoretically at least.
This would trigger the same shit as the 1st man/woman who applied violence did.
In reality..hmm one could at least make it impossible for him to continue his activities.
- --[... The secret of the hanged man, the smile on his lips... ]-- -
If you see someone logged in from an unknown IP (assuming you screwed up both tcp wrappers, OpenSSHD and your firewall), just start ping flooding that IP. Ping first, ask questions later. Don't bother logging the user out, just ping attack the hell out of him and his network (and pray to God it isn't Bob in the next office on the same ethernet segment as you).
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
So, therefore, while somebody may be attempting to get into your systems, you can't legally break into theirs. There's nothing physically stopping you, but if you were to attack the wrong machine, or their attempt on you was an accident and you (in retaliation) bring down mission-critical systems - you'll get into a nice big legal mess (UK users can face an unlimited fine and 5 years imprisonment - bringing down a system would come under part 3 of the aforementioned Act - IANAL).
Remember - two wrongs do not make a right...
Richy C.
Somebody who's running a DDOS attack - unlike the hapless electrohippies - is going to be IP spoofing and using a multitude of machines. If you bounce all the attacking packets back, all you're likely to hit is a large number of machines belonging to innocent people with bad security.
Wait a minute, this sounds like rock and/or roll. - Rev. Lovejoy
"Two wrongs don't make a right"
As tempting as it may be to give them "a taste of their own medicine", the chances are that you're just going to be attacking an innocent bystander whose machine has been cracked, and is being used to launch the attack on yours.
Even if you do hit back at the actual cracker, so what? So you trash his PC and some files; it's not like it's going to put him out of business, or cost him thousands of pounds to restore it.
IMHO, the best thing to do is just find out as much as you can, co-operate with the authorities, and let them deal out any punishment.
Cheers,
Tim
It's official. Most of you are morons.
Attacking back is just going to give the government and industries a reason to try and pass more controlling legislation. It's too close to them being able to create a "Wild West" analogy, where they would have to protect the "innocent women and children."
There have long been accepted channels for handling these situations, such as contacting the sysadmins for the ISPs, *cough* the FBI & local police (Okay, I know, they are often clueless, but they aren't going to get MORE clueful if we keep going AROUND them!), etc.
Spoofing is not a hard task to accomplish. If I was to attack a machine I knew was well hardened, I might have decided to attack an aggressive, less-protected sysadmin pretending to come from that machine. If I tricked him into attacking back, I would effectively trick him into helping me.
A good sysadmin must learn from the experience, harden his computer, report it to an Incident Response Team, and... Well, be prepared for the next time.
I use PortSentry as one line of defense, and if someone scans the box, they just get dropped into a black hole. (Actually, them and their subnet, in case it's a dynamic IP on a dialup.)
PortSentry allows you to run any arbitrary command when a scan is detected, but he warns against retaliatory action:
Sounds reasonable to me...
but I submitted this back in April. It looks like CNN just rehashed the April 17th article about the same thing.
:)
That point aside though, I think the view of no counter-attacks just stinks. While I don't like the bandwidth that it takes up, how else are we supposed to defend ourselves? What ConXion did was pretty cool.
Hey, just had a thought, the Internet is where WW III will be held! Just imagine, country after country attacking each other through DDoS. 'A' defends by sending all those packets at 'B's ally 'C'. Pretty groovy war games if you ask me.
The difference here is that in cracking attempts, one can easily find oneself enmired in a situation where attempts escalate as the cracker and defender each try to outdo the other. This isn't the case with breaking and entering, as it usually only happens once, and if someone is killed, they cannot continue the escalation.
What recourse do system administrators have? They can build the best defenses possible, but any system built to connect to another can be compromised. The law may or may not be on their side should they decide to retaliate, but law enforcement is notoriously slow to respond in cases of electronic intrusion.
Perhaps the only viable alternative at this time is to strike back. Who can say?
www.alarmist.org
--- Hot Shot City is particularly good.
NetworkWorld Fusion (idg.net subsidiary) has a pretty good feature on this this week, and from what I gathered from it most netadmins/sysengineers *wanted* to go back after people in the process of penetrating their systems, but the overwhelming majority *wouldn't* ... they opted for setting up 'honeypots' and the like to lure the criminals in and monitor them (presumably) long enough to confirm identity/ensure enough info is gathered for conviction... check it out ... good article.
The problem with even having this discussion is that it assumes that the victim of the initial attack, and the attacker, are operating in a vacuum -- or at least that they both have direct connections to internet backbones. Most times this is not the case; both parties have upstream ISPs that carry their outbound and inbound traffic to the rest of the world. In the unlikely event that the victim can locate the true source of the attack, and not just an owned machine, retaliating against the attacker will constitute an even greater load on the victim's ISP and probably create a DOS condition at the attacker's ISP.
Let's do the math: we retaliate, and twice as many people (or more) are subjected to a DOS. Hmm, doesn't sound like a good strategy.
I have ads.doubleclick.net pointing at 127.0.0.1 so I don't get the banner BS. The link doesn't work for me, as CNN seems to redirect the page to an ads.doubleclick.net page, which results in a 404 and I can't see the original CNN page. Anyone else that blocks doubleclick in this manner getting the same thing?
-- Ever notice that fast-burning fuse looks exactly the same as slow-burning fuse? I didn't... (Edgar Montrose)
Someone starts attacking you. You start attacking back, and then they see they are being attacked, have the same idea, and step up their attack on you. You then see that their attack has escalated, so you too escalate your attack. Wash, rinse, repeat, until you're both throwing GBs back and forth. Not a good plan.
Say you wanted to attack 'System X.com', someone who has large pipes and is difficult to flood, etc.
You could initiate an attack against other machines who are known to "hack back", spoofing your packets to look like they are coming from 'System X.com'.
'System X.com' then suffers from a distributed denial of service attack originating from those systems where the sysadmins think they are "hacking back".
Of course you need to make sure you aren't attacking an innocent bystander who's been compromised. I think that's kinda obvious.
I do not like crack backs or spam
I would not try it from my box,
I would not try it in my sox,
I wouldn't use your subnet,
I despise the cracks and spam and yet,
you ask would I do it if I thought I could,
you ask would I do it whether I thought I should,
The 'puter in the middle is just a little pawn,
They don't like it either, the damage that is spawned.
they are witless, a helpless little lamb,
and so I do not like crack backs and spam!
Let's consider a situation where you're being attacked and you can identify where it's coming from and that they are indeed the cause.
Yes, you could attack back. However you probably don't want to continue your attack forever, just for practical reasons. Once you stop, the attacker is probably going to like you even less than when you started. You might stop some dumb script kiddies, but you could have stopped them by blocking their IP. Real hackers will just be egged on more.
Personally, I'm for getting people to leave me alone more than I'm for "justice". The only reason I'd consider retaliating is if they do some attack that I can't stop any other way.
Sure it can. First off, what if the webhost believes wrongly, and they target an innocent machine?
If they correctly identify the attackers and give them a dose of their own medicine, the attack will quickly stop.
Maybe, but maybe not. Many hackers would simply take the challenge and escalate their attacks back. Any hacker doing anything remotely serious in this regard will be using a staging machine of an innocent third party. Wiping that machine won't help anyone - it will just make the hacker compromise another innocent third party machine to stage a revenge from.
If however the attacker is using computers that have been previously taken over, what's the damage? Those computers (more than likely only desktops in some business or school) can't access the net for a small amount of time. No big deal. No one loses money and some college kid just can't check his email on that machine for a little bit. Big deal.
Oh come on, get serious. So some poor school teacher comes in to find that his classroom server has been thoroughly trashed, and he's got to spend his lunch time doing restores and explaining to the kids how yesterday's work got lost. Lovely. If, instead of being a gung-ho bastard, the original victim had simply emailed the admin of the compromised machine and said 'BTW your box is being used to stage hack attacks on me', the teacher would have been able to do a backup and plan a sensible re-install of the box in an orderly fashion. - Plus he may have been more willing to help find the real hacker.
It looks to me like there is something to gain (the end of these attacks and such) and not very much to lose by striking back. It would be different if we were talking about shooting at someone and hoping they were the real attacker, but we are talking about internet access.
Retaliating against hackers is simply stooping to their level, and innocent people are almost certain to get hurt in the process.
We just need some good Intrusion Countermeasures Engines like in Neuromancer. Something to bake the central nervous system of script kiddies. Oh wait, they are already mostly baked anyhow. Oh wait, where am I? Where are my pants?
...so why not at least stop the attack short?
That is, the argument that goes "Any DDOS attacker worth his beans would be using innocent people's machines to attack, anyway", although I generally agree with it, has this one hole: Those machines are ALREADY cracked, their network pipe is ALREADY saturated with the attack they're unknowingly doing to you, so they're ALREADY down! You attacking back just ensures that they FIND OUT that they were having problems, no? Personally, if my system was cracked and being used to attack someone, I'd want my system downed right away, even if it had to be done by a counterattack directed at me!
That said, I'm guessing that innocent third-parties getting attacked from both sides won't care who's right and who's wrong, they'll sue whoever they can trace easier - and that will be the retaliating sysadmin.
Procrastination -- because good things come to those who wait.
I use Junkbuster and don't have that problem; I also don't have to look at the banner ads. The problem you're having is that attempting the connection to doubleclick returns an error (due to your box resetting the HTTP connection to localhost), which causes the page to stop loading. A filtering proxy will instead return a 1x1 pixel GIF or some other content, so that your browser is fooled into thinking everything is OK and the ad loaded.
I'm sorry, but if something is wrong, it is wrong. Period. End of statement. It would be similar to saying that if I catch somebody shoplifting in my store, I'm allowed to break into that person's house and steal his television. As was pointed out in a previous thread here, two wrongs do not make a right.
However, I do not see anything wrong with using such tools as exist to try to determine the identity of any person that attempts to hijack my machine. This isn't illegal, by any definition of the word. And it gives me something more to tell the authorities (when applicable); rather than a "somebody cracked my system," I can tell them "so-and-so cracked into my system, and here's my proof."
My system has been targeted by a couple of brain-dead individuals over the past few years. I've used whatever tools I could find to try to track those people down.
I'm happy that the US FBI takes such things very seriously, and has developed (or otherwise obtained) tools and techniques far beyond what I can do as an individual. I am currently satisfied with this, although I had once been the subject of an attack that originated in India. I don't know if a super-jurisdictional legal authority would help here; it might be worth looking into.
I see no need to set up an internet vigilante force to "string 'em up" -- lynch mentality is never something that I think a polite society should strive for.
--
"May I have ten thousand marbles, please?"
I totally believe that it's one's innate right to self-defense if being attacked. This right though should be limited to self-defense in a physical manner if that is how you are being attacked. Being attacked on the net and fighting back in this manner just doesn't seem like the correct thing to do. As an ISP/IT company Conxion has a responsibility to handle the attack through the appropriate channels. If a US citizen cannot legally do this type of thing, then why should the fact that Conxion is a major corporation make it acceptable? Especially troubling is this little blurb: "Conxion was so proud of having given the attackers a dose of their own medicine that it issued a press release about the incident." My first thought after reading the press release was DUH! You just committed a crime and then made a public announcement regarding your actions. This alone should be enough evidence to take some form of action against Conxion based on their own admission. One should not stoop to an act of terrorism as a form of retaliation. You would think that a company with such strong Microsoft affiliations ought to be wary (after all the DOJ/monopoly actions) of doing such a thing. Two wrongs don't make a right...no matter how good it feels.
Like my parents told me when I was growing up "never start a fight, but if you find yourself in a fight, you finish it."
If a person is attacked in their home by an intruder most people would be inclined to fight back. If an intruder breaks into a business, many big companies have armed guards and off duty cops as security. It is not wrong to repel an attacker. An attacker may be hurt in the process of being repelled. Most people, and even our system of law, will usually find the attacker asked for it.
So why should computer intruders be different? Why is it OK for a person to fight back bodily but it's hands-off if it's over a computer network? Do computers have more rights in our society than humans? No. Not the last time I checked.
So why not have aggressive firewall software? If some script-kiddie tries to hit your machine and your software turns around and toasts his, you'll be doing him/her a favor in life.
script kid hacks machine
anger, rage come over you.
hot grits give relief.
As a security professional (ie, do it for a job), the last thing you want to do is counterattack...as good as that may feel, at best, it will muddy the waters, and at worst, it will hurt innocent, (probably) insecure, bystanders. The most annoying thing you should be doing is contacting the Tech/Admin contact of the domain(s) that are attacking you, and letting them know what is happening. And if that is in the middle of the night for the contact person...
ttyl
Farrell
I have the @Home cable modem service through Shaw (a cable carrier in western Canada), and I almost lost my account for portscanning someone who was looking for trojan horse programs. (In the case that got me in trouble, I believe it was SubSeven.)
I had some personal firewall software, and I decided I'd portscan anyone who tried to get into my system since if they had even the most basic defenses, they'd know I saw them.
Either way, apparently, any use of portscanners on systems I don't own is explicitly prohibited in the TOS.
Ah well, it doesn't bother me that they were scanning me for vulnerabilities; it bothers me that one would scan me, then report me when I scan them back. -_-;
It's a bad idea to set up something that 'automatically hacks back' e.g. launches an attack back at the attacker. The reason is, that now the hacker doesn't even need to launch his own attack, he only needs to tickle a system in the right way to provoke a reaction, if that reaction acts against another host with the same system installed: wonderful, we have a loop.
... now all we need is the routers in between reacting to the enhanced network traffic for a nice chain reaction (did you ever see the video with the room full of table tennis balls on mousetraps?).
It gets even better if the mail, seeing that one mailer is overburdened, gets redirected to an alternative host (or something similar for other services)
Just try to imagine that you are the sysadmin who later should sort out the mess, maybe it was even started by some accident or some rampant virus.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
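The loop described in the post above (two hosts that each "hack back" automatically, started by a single spoofed packet) can be shown with a small simulation. This is an added example, not code from the thread: the hosts, the single probe event and the step cap are constructed for illustration, and the two policies are named "retaliate" and "block" here only for the purpose of the model.

```python
"""Simulate two hosts with an automatic 'hack back' policy versus a
block-only policy.  Added example, not from the thread; the hosts, the
spoofed probe and the step cap are constructed for illustration."""
from collections import deque

MAX_STEPS = 1000  # cap so a retaliation loop cannot run the model forever


def simulate(policy_a, policy_b, max_steps=MAX_STEPS):
    """Deliver one spoofed probe to host A that appears to come from host B.

    policy_a / policy_b are either 'retaliate' (answer every hostile packet
    with a hostile packet of its own) or 'block' (drop the source and stay
    quiet).  Returns (hostile_packets_sent_by_the_two_hosts, reached_cap).
    The attacker only ever sends the first packet; everything after that is
    traffic the two 'defenders' generate against each other.
    """
    policies = {"A": policy_a, "B": policy_b}
    blocked = {"A": set(), "B": set()}        # per host: sources it dropped
    queue = deque([("B", "A")])               # (apparent source, destination)
    sent = 0
    while queue and sent < max_steps:
        src, dst = queue.popleft()
        if src in blocked[dst]:
            continue                          # silently dropped, no reaction
        if policies[dst] == "block":
            blocked[dst].add(src)             # deny and stay quiet
        else:
            queue.append((dst, src))          # hit back at the apparent source
            sent += 1
    return sent, sent >= max_steps


if __name__ == "__main__":
    for a, b in [("block", "block"), ("retaliate", "block"),
                 ("retaliate", "retaliate")]:
        print(f"A={a:9} B={b:9} ->", simulate(a, b))
```

With both hosts blocking, one spoofed packet produces no traffic at all; with one retaliator the attacker gets one free hostile packet aimed at whoever was spoofed; with two retaliators the model only stops because of the step cap, which is the "loop" the post describes.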
Juvenile weenie
Cracked your weak security
Install SSL
The government wants to have its cake and eat it too. It has had a decades old policy of counting encryption technology as munitions so why doesn't the 2nd amendment come into play? Just because our arms are electronic doesn't mean that the penumbra of the 2nd amendment doesn't cover them. Self defense does apply with all the benefits and risks associated with it. It's just that human shield situations (zombie computers) exist much more frequently in electronic fights than in physical ones.
The laws exist, it's just laws that leftists are uncomfortable with so the available tools and precedents are not taken advantage of because too many of our defenders come from the left tradition. That's not to say that they need to change their voting patterns (or at least it's not germane to this discussion) but they have their own blind spots just like people coming from the right tradition do.
I know, I know, we've invested a lot of capital to have encryption code escape from the munitions designation. But we don't oppose the idea that encryption or other technology can be dangerous, we oppose the law because it's stupid, hindering the good guys while leaving the bad guys with all the technology they need. This also happens to be the argument that the NRA uses on most gun control measures they oppose. Could we have allies we didn't even know about?
DB
It is never a good idea to "hack back" for many reasons:
* How can you be sure that a) the attacking site(s) are the real attackers and b) that the attacking sites are _knowingly_ attacking? IP spoofing or using zombies to attack are generally very easy.
* If it's illegal to be hacked, it is illegal to retaliate. You can't steal someone's lunch because they steal yours.
* It could only exacerbate your problem if you piss off the attacker(s). You don't know who you are dealing with.
* You are then legally and criminally liable if you, for example, DoS amazon.com because you detected an attack from them and they sue you or the Fibbies come knocking on your door.
* What if you trace an "attack" to a single IP you assume is a desktop computer and it turns out to be an AOL proxy and you DoS 10,000+ lusers? AOL won't like that, nor will their customers.
The people, like the one in the article, who gloat about "hacking back" make my skin crawl. 7h3y ar3 such 31337 d00dz n 7h3y g07z such ski11z...NOT! *gag*
BTW, I've seen most often people getting IP addresses slightly wrong when they complain about a supposed hacker coming from my Company's network so what if you get the IP or hostname a bit wrong and attack the wrong site?
-core
I'd like to point out that the approximate number of uses of "hack" vs. "crack" (in about 165 messages) is around 2 to 1 in favor of "hack". (~75 vs. ~40). I thought we were all trying to change the usage of "hack"? How on earth are we going to do this if we don't use it correctly ourselves?
The article makes two good points against counter-attack:
1. Hitting an innocent bystander - since attacks usually come from hijacked and spoofed locations/addresses.
2. Retaliation against an illegal attack by the same means is also illegal - vigilantism doesn't solve the problem, it reduces it to a pissing contest.
The suggestion (mine as well as that of respected experts :) ) is to log everything, look into it to try to identify the culprit conclusively, prove fiscal loss and/or denial of service - a.k.a. resource theft; and then take the nice report to the authorities.
If we retaliate against a script kiddie, we'll either hit Grandma Smith who gladly gave her AOL password to an 'AOL representative' online, or we DOS the punk - so what?
If we get the law involved, we get him effectively killed in the computer industry - and even have him pulled off the lecture circuit à la Mitnick.
170th post!!
-- What you do today will cost you a day of your life.
Another poster made the comment that the whole point of security is to make the cracker go away.
.. Needless to say, a) being sensitive to being port/IP scanned and b) making sure your hosts don't respond to any ports you don't run services for will help too ..
Tactically, one could say a retaliatory crack against the offender *might* serve as a deterrent. It might also invite further attacks that otherwise would not have happened if the attacker had not been provoked by an intrusion into *his* territory (and don't forget crackers are very territorial creatures..), and the whole episode can easily escalate out of control. Strategically, you have to take the larger situation into account and move into the psychological realm. Since you want to discourage people from playing games with your system, the best response is probably something that takes the fun out of it by denying them the satisfaction of a response. IP/subnet blocking is a good example of this -- they can poke at your host all night long and not have any noticeable effect. A strategy that ties in well with this approach is one I like to call the 'threshold effect' -- anyone below a certain nuisance threshold is ignored, and once they become disruptive enough to be worth going after, they have enough of an attack signature to be traceable. Track them down and identify them first, before they know they've triggered the alarms, then let them know you know exactly who they are and what they're up to and would they please cut it the fsck out?, then go to the cops (net, local, or federal as the case may be) if nothing else works. Depending on how much sense they have, one or the other of these measures is likely to encourage them to play nice.
73 de N5VB (ex-KD5BIV) AR SK
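The 'threshold effect' in the post above, combined with the earlier PortSentry poster's rule of dropping a scanning host and its subnet into a black hole, amounts to a small piece of detection logic: count distinct closed ports touched per source, ignore anything under a nuisance threshold, and for anything over it record an attack signature (ports, first/last seen) and emit a local block entry. The following is an added example written for this thread, not code from PortSentry or from any poster; the firewall log format, the sample lines and the threshold of 5 distinct ports are all constructed assumptions.

```python
"""Threshold-based response to port probes.  Added example, not code from
the thread or from PortSentry.  Log format, sample lines and the threshold
value are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log format: "<ts> DROP src=<ip> dport=<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dport=(?P<port>\d+)$")

# Constructed sample: 10.0.0.7 walks several closed ports (a scan),
# 198.51.100.4 touches one port twice (noise, stays below threshold).
SAMPLE_LOG = """\
2000-05-01T10:00:01 DROP src=10.0.0.7 dport=21
2000-05-01T10:00:01 DROP src=10.0.0.7 dport=22
2000-05-01T10:00:02 DROP src=10.0.0.7 dport=23
2000-05-01T10:00:02 DROP src=198.51.100.4 dport=80
2000-05-01T10:00:03 DROP src=10.0.0.7 dport=25
2000-05-01T10:00:03 DROP src=10.0.0.7 dport=110
2000-05-01T10:00:04 DROP src=198.51.100.4 dport=80
2000-05-01T10:00:05 DROP src=10.0.0.7 dport=143
this line is malformed and must be skipped
"""

THRESHOLD = 5  # assumed: distinct closed ports before a source counts as a scan


def parse(log_text):
    """Yield (timestamp, source ip, port) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ts"], m["src"], int(m["port"])


def classify(log_text, threshold=THRESHOLD):
    """Group probes by source; return {src: signature} only for sources
    at or above the threshold.  Everything below it is deliberately ignored."""
    seen = defaultdict(lambda: {"ports": set(), "first": None, "last": None})
    for ts, src, port in parse(log_text):
        rec = seen[src]
        rec["ports"].add(port)
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
    return {
        src: {"ports": sorted(rec["ports"]), "first": rec["first"], "last": rec["last"]}
        for src, rec in seen.items()
        if len(rec["ports"]) >= threshold
    }


def block_entries(offenders):
    """Return the /24 networks to drop locally, one per offending source
    (the 'them and their subnet' rule for dynamic dial-up addresses)."""
    nets = {str(ipaddress.ip_network(f"{src}/24", strict=False)) for src in offenders}
    return sorted(nets)


if __name__ == "__main__":
    found = classify(SAMPLE_LOG)
    for src, sig in found.items():
        print(f"{src}: {len(sig['ports'])} ports, {sig['first']} .. {sig['last']}")
    print("block locally:", block_entries(found))
```

The signature kept for each offender (ports touched, first and last timestamp) is exactly the material the post says you need before going to the ISP or the police; the only automated action is a local deny entry, which generates no traffic toward the source and so cannot be turned into the loop other posters warn about.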
If I spill hot coffee on myself at McDonalds and burn my lap
It's funny, as anti-corporate as the typical /.er seems to be, they sure buy the corporate propaganda, hook, line, and sinker.
Two facts:
1. The coffee was around 200 degrees.
2. The lady was in the drive-through.
Two questions:
1. Why would you serve coffee that is hot enough to cause third-degree burns?
2. Where do you put your drink when you go through the drive-through?
I don't believe McDonald's was found guilty of any wrongdoing; rather, they were found guilty of negligence - a legal term that means "They should have known better." McDonald's should have known that many (if not most) of their customers put their drinks in their laps, and that their coffee would cause third degree burns. Given those two undisputed facts, it is a statistical certainty that someone's crotch would get burned badly.
Keep in mind also that all the woman wanted initially was for McDonald's to pay part of her medical bills. If they had said "We're so sorry" and written a small (to them) check, it would have been over and done with. Instead they said "You STUPID woman! You should have known better!" and promptly launched a propaganda campaign that has clearly had its intended effect, as evidenced by that note in your post. So the woman sued for millions and won.
Let's assume J. Random Crax0r is trying to get into my system, or DoS it, or jab at it with cyber-doggie-doo-on-a-stick, or whatever. What's my objective? The same thing as if someone were attacking me IRL: neutralize the threat.
I don't believe that "hacking back" is per se illegal... it all depends on the situation. For instance, if this particular er33t d00d is launching an attack on my computer, I should be perfectly justified in taking whatever actions are necessary to eliminate the threat. If this means simply blocking him out at the firewall, that's nifty-cool by me. On the other hand, if I can disable his computer remotely and stop the attack, that is acceptable as well, in my opinion. Disabling his computer and playing hopscotch with a magnet on his hard disk would not be acceptable, however.
Let's say the attacker had hijacked another machine, and was using it to do his evil deeds. Well, my condolences to the user whose machine was hijacked, but that doesn't eliminate the threat to me now, does it? I still think I would be justified in disabling the attacking machine, if it were necessary to stop the attack. Say someone steals a car, and is trying to run down my car with it. Wouldn't I be justified in disabling the other car, even though the attackers don't own it? Of course I would be, because it still poses a threat.
Of course, as in real life, the less force that is used, the better. The important thing is to draw the distinction between neutralizing the threat, and seeking retaliation.
Just my $0.03 CDN.
- Adam Schumacher
Nicotine free Amish .sig.
There was a Slashdot article about a year and a half ago linking an IDG article about sysadmins going to crackers' homes and destroying their equipment or beating them up. Personally, I thought the article was either a fabrication or a joke being played on a gullible reporter.
Can anyone find a link to the /. discussion?