Hacked Companies Fight Back With Controversial Steps

PatPending writes with this report on companies taking aggressive steps to deal with electronic attacks: "Known in the cyber security industry as "active defense" or "strike-back" technology, the reprisals range from modest steps to distract and delay a hacker to more controversial measures. Security experts say they even know of some cases where companies have taken action that could violate laws in the United States or other countries, such as hiring contractors to hack the assailant's own systems. Other security experts say a more aggressive posture is unlikely to have a significant impact in the near term in the overall fight against cybercriminals and Internet espionage. Veteran government and private officials warn that much of the activity is too risky to make sense, citing the chances for escalation and collateral damage." If you've been involved in such an action, how did it work out for you?

Asking you to break the law?

Just remember, if a company asks you to break the law then you deserve what's coming to you when you get caught.

Re:Asking you to break the law?

[FutureDomain]

Any way we can "strike back" and demolish this MCPC crap? Some slashdotter who finally gets fed up and trashes their servers would be a nice punishment.

Re:Asking you to break the law?

[SuricouRaven]

"Credit travels upwards, blame travels downwards. That's just the way it works."
- Pointy Haired Boss.

Re:Asking you to break the law?

[sociocapitalist]

Just remember, if a company asks you to break the law then you deserve what's coming to you when you get caught.

Well..if the US government (stuxnet for example) can do it (with no declaration of war), then it mustn't be illegal right? /ironyoff

Re:Asking you to break the law?

[Inda]

No one cares. We've been through this a gajillion times in the past ten years. Spammers and trolls on Slashdot aren't new.

Ignore them or have some fun replying for the +5 Funny.

You must be able to see the funny side? It's like trying to sell hair dye to a bald person.

Re:Asking you to break the law?

[Dogtanian]

Any way we can "strike back" and demolish this MCPC crap?

Yes you can- by shutting up and not filling up every thread with offtopic replies discussing your tedious, misguided scheme to get "revenge". If this was ever legit spam, it's in the hands of trolls now, who know they'll get useful idiots like you to cause way more annoyance than the original posts do (and hence keep doing it).

Seriously, this post applies to you as well.

Re:Asking you to break the law?

[non-plus]

once, we had a less-than-skilled attack on a company i was network admining at. I traced the source down to an ISP in a South American country and ISP and I contacted them stating that such-and-such IP on their network was engaging in an attack on my company. I asked them to look into this and block the user from hitting us thru the routes I provided. They said there was nothing they could do. I asked them what other recourse I had. They told me there was nothing I could do but shut down our systems and hope it went away. I asked them if I could take action to stop it and could I get and e-mail statement to that effect. They sent me an e-mail stating there is nothing they could do and I could do whatever I needed to correct the situation.

I ran it by the legal guys. got a thumbs up. put on a darker hat.

moved a bit of traffic off the oc-12 we had and proceeded to clobber the offending IP address and the nodes at the far end (ISP equipment). I got a very polite call after about an hour telling me that the offender has been pulled off-line and asking if I would be so kind as to stop defending myself as it was killing their network. I stopped my defense and was given a few names with contact info to call in the future should the needs arise.

a good result.

Re:Asking you to break the law?

[Medievalist]

Every time a corporate tool asks me to break the law, I just tell them "No problem! Put it in writing and sign it!", and then they go ask somebody else and I never hear about it again. Totally not kidding.

Re:Asking you to break the law?

[cold+fjord]

Well..if the US government (stuxnet for example) can do it (with no declaration of war), then it mustn't be illegal right? /ironyoff

If Iran can do it without a declaration of war, then it mustn't be illegal, right? (After all, what is a string of assassinations and a little planning for genocide among friends? No doubt the Iranians are envious because they didn't think of it first.)

At least they have a clear vision for the future, one that seems remarkably free of Jews in the Middle East.

Re:Asking you to break the law?

[peawormsworth]

it isnt that I dont disagree with u. But I find it more intuitive to just use two possitives instead of two negatives. Like u could say "it must be legal.. right?". But hey its just my opinion that more people will understand your intent. Also... its not about you alone. I see this all the time.

I do the following

I simply drive to the GeoIP location with my illegal police baton and smack the head of whoever happens to be there at the time when I arrive. I've been doing this for a few years now.

Re:I do the following

[JTsyo]

This explains the concussion I received at Starbucks last month.

Good morning, Mr. Mitnick

Should you or any of the l33t team be killed or captured, the CIO will disavow any knowledge of your actions...

Re:Good morning, Mr. Mitnick

It should be easy for /. to change its comment handler to search and replace "mycleanpc.com" with "wikipedia.org" for all HREFs in comment submissions.

Re:Good morning, Mr. Mitnick

[zill]

It should be easy for spammers to register mycleanpc2.com and continue spamming.

If only there was a HTML attribute that would stop the search engines from following the spam links...

Re:Good morning, Mr. Mitnick

[jc42]

If you read the article now, you'll find that it describes the rel=nofollow attribute as meaning something very different from its literal meaning. Many search sites interpret it as meaning "Don't use this link to influence page rank". But they still follow the link, and index what it points to.

Actually, this change in interpretation happened fairly quickly. When I first read about rel=nofollow, I added it to the links in a lot of my own web pages. The reason is that I was responsible for several web sites that presented the client with a link to a document, plus a list of links that converted the document to a list of different formats. I'd learned that this caused a serious problem: When a search bot ran across such a page, it attempted to extract the document in all of the listed formats. When hit with dozens of such requests per second from all the Internet's search bots, this brought the servers to their knees, and effectively locked out human clients. Producing PDF, PS, and EPS is expensive ...

So I added the rel=nofollow links. This worked for a few months. Then, slowly, the search bots returned to following all the links to extract all the documents in all our supported formats. Maybe they weren't using this to affect their page rank (for "pages" that don't actually exist), but it still bogged our servers down with zillions of requests for all our documents in all our formats.

So I started a project to identify all the search bots. When one of them is spotted, its attempts to convert a document to another format is simply dropped, with a brief comment explaining why. This was fast, so it restored our servers to usability by mere humans.

OTOH, google ads fairly quickly terminated our account. We totally failed to get an explanation (or any contact with humans) from them, but we're pretty sure that our transgression was returning different data to googlebots than the data returned to nicer clients that don't bog down our servers. This is strictly forbidden by their EULA, of course. But we can't survive their following all the rel=nofollow links, and forcing our servers to use all the time that it takes to convert all our documents to all our supported formats. Producing PDF, PS, EPS, and now SVG is expensive ...

If there's a way to tell all search bots "Don't follow this link; it merely returns the same data in a different format", I'd like to know about it. But I suspect that, if such exists, it will be reinterpreted in the same way that rel=nofollow is reinterpreted.

Re:Good morning, Mr. Mitnick

[badkarmadayaccount]

Content-Encoding header is what you really need, though no client supports it reasnobly enough to request a given format...

Re:Good morning, Mr. Mitnick

[jc42]

Content-Encoding header is what you really need, ...

How so? I don't see how it has anything to do with what I was describing. How would one use it in a situation where you have a number of different format converters, and you want to let a client select one of them?

As far as I can tell, Content-Encoding merely lets me tell a client what format/language I'm sending. I don't see any way it can be used on the client side to select from a list of formats. Maybe I'm missing something ...

Re:Good morning, Mr. Mitnick

[badkarmadayaccount]

The client sends something like "Accept-Content-Encoding:gzip,deflate,plaintext", and the server replies with content, specifying what the exact encoding is. What if the client could ask for pdf? Oops - https://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Requests I think wikipedia has some better ideas than my rusty old memory...

Stupid

[phantomfive]

What are you going to do, DDOS some script-kiddie's computer?

The only time I've ever heard of something like this working out, it was when someone actually went to the effort to find out who was hacking them, and then turned the case over to the police. There was a story like that covered here on Slashdot several years ago.

Re:Stupid

[Wolfling1]

A couple of months ago, when I ws selling my motorbike, I received a few of those 'I'm on an offshore oilrig and I want to buy your bike' spams. I was curious, so I constructed a honeypot to see if I could gather some intel on the perps before going to the police.

Sure enough, within a day, I had IP addresses and was able to resolve to the attackers location. He was stupid enough to not be using a proxy, and stupid enough to leave some vulnerabilities open on his PC - that made it very easy to be certain that he was the attacker.

I collated my data, and presented it to the Feds. They weren't interested. Couldn't even care less.

So I contacted the attacker independently (through my own proxies), and let them know that they should get better at what they're doing, or get out of the game. They didn't try to contact me again.

I can understand why people would be tempted to undertake their own vigilante actions.

Re:Stupid

[phantomfive]

Just an idea, if it's something you really care about, it helps to get a lawyer to contact the police. They are a lot more careful when you do, and a lot more likely to respond.

Re:Stupid

[Taco+Cowboy]

Unfortunately there are still too many of those who believe that the law will "protect" them

Even here, we can see those who fervently advocate going to the police / fbi / court even in the cyberwar cases

There's no point to go to the law when the other side does not believe in one - and, the law there is, in most cases, do not have the jurisdiction over those black hat, in the first place

Re:Stupid

[SuricouRaven]

The law is only for those who commit really serious crimes, like copyright infringement.

Re:Stupid

[rtb61]

More accurately "What are you going to do, DDOS some script-kiddie's rotating IPv4 address" and attack some innocent bystander who has a capped download limit and must pay excess charges for downloads and uploads, not only blocking them from using the internet but also having to pay for excess usage charges.

There is only one active response to be considered, gather all the evidence, reduce the risk of the attack but allow it to continue, contact the appropriate authorities supply the evidence and demonstrate the continuing attack isolated to a safe zone. Consult with the police as necessary to resolve the issue.

Consider if those make an error in a retaliatory strike only to take on an innocent party who takes the appropriate legal active response, once the idiots who launched a retaliatory strike have been busted, it will be interesting to see how indulgent the judge will be to the excuse of "but I was only seeking revenge" when assigning an appropriate prison sentence.

Re:Stupid

[dargaud]

I have a friend who has a small commercial website selling niche equipment. He sent a big purchase to a customer before discovering that the credit card was invalid or stolen (don't remember). It turned out that it really was niche equipment and a few google searches turned out one guy who was just expecting the very same equipment to launch an expedition. That guy had a website where it was all advertised for sponsors. He used the same login credentials on both sites ! So my friend logged into his customer's website, changed the front page to a message such as "I'm a big fat thieve and I just stole $$$ worth of equipment", changed the password and waited. He quickly received the money and an apology.

Re:Stupid

[psithurism]

So I contacted the attacker independently (through my own proxies)

"Dear Sir, you can not trace me; you'll never find me; I'm tunneling my connection all over the globe! I'm the guy selling the motorbike at 187 Second Street and I'll have you know..."

let them know that they should get better at what they're doing

This is actually what I wanted to comment on; I don't think you should give those guys any info about how you found them, they just might improve their game and make it harder for someone to respond to them. Maybe some vigilante will try to take them down some day; I think you should leave them stupid and hope.

Not true that fighting back doesn't work.

[jcrb]

I was doing due diligence on a computer security firm once who had be subject to a DDoS blackmail attack, you know, give us $5,000 or will we will keep your web site down. Well they back traced the control to some cyber cafe in eastern Europe and worked with the State Department to actually get the local police to go in and arrest the people involved.

If someone is actively hacking you then hacking them back isn't a crime (or it shouldn't be) its just self defense. And if you have to hire some firm to do it I don't see how it is any different than hiring armed security guards or private detectives.

If the law says you can't defend yourself from someone trying to ruin your business then the law is an ass.

Re:Not true that fighting back doesn't work.

95% of the time your "retaliation" isn't being targeted at the actual attacker, you are far more likely to be attacking some 3rd party's legitimate, vulnerable server that is acting as a re-director for the attacker. Now the 3rd party is going to be pissed that you're harming their business.

Re:Not true that fighting back doesn't work.

[smileygladhands]

I was doing due diligence on a computer security firm once who had be subject to a DDoS blackmail attack, you know, give us $5,000 or will we will keep your web site down. Well they back traced the control to some cyber cafe in eastern Europe and worked with the State Department to actually get the local police to go in and arrest the people involved.

If someone is actively hacking you then hacking them back isn't a crime (or it shouldn't be) its just self defense. And if you have to hire some firm to do it I don't see how it is any different than hiring armed security guards or private detectives.

If the law says you can't defend yourself from someone trying to ruin your business then the law is an ass.

Equal to "If someone breaks into your home, you should be able to break into their home."

Re:Not true that fighting back doesn't work.

[bky1701]

An eye for an eye makes the whole world blind, especially when the guy who just got poked in his good eye opens fire on everybody else.

To me, tracking them down (let me guess, you can do a traceroute?) isn't exactly hacking by any means. Finding the person and telling law enforcement is not hacking, it is arguably the antithesis of hacking (not to say you got the right person, but that's aside the point). That makes your later claim that this is somehow like having someone holding a gun to your head, thus justifying "self defense," all the more confusing.

Re:Not true that fighting back doesn't work.

[jcrb]

To me, tracking them down (let me guess, you can do a traceroute?) isn't exactly hacking by any means. Finding the person and telling law enforcement is not hacking, it is arguably the antithesis of hacking (not to say you got the right person, but that's aside the point)..

No they tracked them down by using an automated intrusion tool to break into one of the DDoS attack machines and then followed the stepping stone servers back to the control machine.

Re:Not true that fighting back doesn't work.

[jcrb]

Equal to "If someone breaks into your home, you should be able to break into their home."

More like, "your neighbor is throwing rocks through your windows from inside his house and the police can't be troubled to do anything about it so you go over and stop him, and if his door is locked you may have to break it down"

Re:Not true that fighting back doesn't work.

[girlintraining]

If someone is actively hacking you then hacking them back isn't a crime (or it shouldn't be) its just self defense. And if you have to hire some firm to do it I don't see how it is any different than hiring armed security guards or private detectives.

Real world thinking doesn't apply here. In the real world, if someone attacks you, you can beat them up and claim self-defense because you know it was them. In the digital world, very likely the person you are targeting is innocent. If a computer DDoS' your network, you don't DDoS them back, you block that IP address -- because criminals don't use their own computers to conduct attacks, and neither do they sign every packet with their name, address, and phone number. So when you unload on who you think is attacking you, then (by your own logic) they have every right to retaliate against you! At that point you've created the digital equivalent of a bar room brawl, but with weapons of mass destruction. And with every response by either party comes the increased risk of drawing another person into the conflict.

If everyone, or even a substantial minority, follows this logic it leads to the internet becoming lawless war zone where business simply cannot be conducted anymore because the network's reliability has been shot to hell. And let me be clear: You're not above screwing up. Even major name security researchers from businesses that specialize in this routinely get the names of the people involved wrong. Often. Open wifi, proxies, bot nets, the number of ways you can appear to be someone other than yourself is dizzying. Hell, I'm posting this through Tor... good luck even finding out who I am. Criminals have access to much better security than that... what do you think the odds are of figuring out who they are if you can't even figure out who I am when I'm making no special effort to hide my real identity?

Re:Not true that fighting back doesn't work.

[icebike]

I hate that I have to point this out, but please, those of sound mind, repeat after me -

Defense is NOT the same thing as reactive offense.

I note that no longer do we hear government officials suggesting we should just sit quietly in our seats as
aircraft are hijacked anymore.

Re:Not true that fighting back doesn't work.

[sycodon]

I always thought the cousin Greedo approach would be appropriate.

Spammers/hackers should sleep with the fishes.

Re:Not true that fighting back doesn't work.

[bky1701]

Denial of Service is difficult to defend against, but it is impossible to retaliate against, since it universally uses botnets. It is not "hacking," either. You basically have no recourse of any kind in that situation other than some not-so-useful technical stopgaps to mitigate damage. If you go after people who "attacked you," you're simply further hurting innocent civilians, and deserve to be slapped with the same jail time as the original attackers.

In the case of actual hacking, I have no sympathy. Use proper security and you will not need to worry about it. Unlike denial of service, most commonly exploited security holes are easily fixed - especially if you know they exist (which extortion implies.) Trying to hack back while you have security holes still present in your systems is asking for serious trouble.

Re:Not true that fighting back doesn't work.

[bky1701]

That is more advanced, but still, not exactly hacking by my standards (or of the kind TFA implies). It also still has the potential to have been falsified. In the "eye for an eye" reasoning, what if they were smart enough to give you a false IP and you DoS'd it back, only to find out it was owned by some foreign government?

I guess I'm just not sure how the first half of your post relates to the second. What actually happened sounds fairly reasonable and not anything like what TFA is talking about; they didn't try to smoke the attacker, they found them and reported them.

Re:Not true that fighting back doesn't work.

[jcrb]

I guess I'm just not sure how the first half of your post relates to the second. What actually happened sounds fairly reasonable and not anything like what TFA is talking about; they didn't try to smoke the attacker, they found them and reported them.

You are missing that in order to report them they had to break into all the machines on the control path back to the source. If using exploit penetration tools to compromise attack machines and their command/control nodes isn't "hacking" I'm not sure what your definition of the word is.

Re:Not true that fighting back doesn't work.

[cavreader]

"If someone breaks into your home, you should be able to break into their home."

But you can just shoot someone breaking into your home.

Re:Not true that fighting back doesn't work.

[sycodon]

LOL...well, I guess Greedo would work too!

Spammers and Hackers should sleep with the asteroids.

Re:Not true that fighting back doesn't work.

[mysidia]

Equal to "If someone breaks into your home, you should be able to break into their home."

It's more like "If someone breaks into your home, you catch their license plate number. You should be able to break into whatever house the license plate is registered to, and see if you can find your stuff."

No you don't. Investigating the crime is law enforcement's job.

Re:Not true that fighting back doesn't work.

[bky1701]

Considering the machine was already compromised with a botnet, it couldn't be that difficult. Hence I don't really see it that way. Also, it was not an aggressive attack on the intermediate - just getting information irrelevant to the party hacked into. So technically, you can call it hacking, but in the grand scheme of things... not really that high on the list.

Re:Not true that fighting back doesn't work.

[blueg3]

but it is impossible to retaliate against, since it universally uses botnets

And, as we know, botnets are impossible to take down.

Re:Not true that fighting back doesn't work.

[PaddyM]

Ah yes, self-defense. Like that scene from the Big Lebowski, when they find out who stole their car? "Do you see what happens, Larry? This is what happens when you f%$K a stranger in the @$$."

I think working "with the State Department to actually get the local police to go in and arrest the people" is a bit different than hacking someone back. Especially when "hacking them back" might be hacking the wrong person's Ferrari to bits.

Re:Not true that fighting back doesn't work.

[bky1701]

I'd say more pointless. Sure, you can, but that is a substantial effort probably ultimately not worth it. Again, it also tends to consist of criminal acts against third parties, which is not the best idea in the world.

Re:Not true that fighting back doesn't work.

[rtaylor]

Many botnet clients apply security patches to prevent others from taking the machine.

Re:Not true that fighting back doesn't work.

[lightknight]

Thank you. That was the first problem I noticed with their revenge-oriented approach.

Re:Not true that fighting back doesn't work.

[lightknight]

Except in this case, you need to make sure those bricks are coming from that house. Forged IP addresses and what not.

Re:Not true that fighting back doesn't work.

[lightknight]

Well, theoretically, if one were so obsessively inclined, it is possible to spelunk your way upstream, router by router, to track down the offending computers, even when the attacker is using forged IP addresses. Although, I imagine that even the cozy relationship that the various law / intelligence agencies and the various network providers normally enjoy would immediately become rather frosty if they found you doing that.

Once you have one member of the offending botnet, you find out how it has been compromised. A quick port scan can be telling here, but compromising the machine by other methods can be done, if necessary. Then you'd probably copy the botnet software to a VM for some dissection. Then you'd probably create some software of your own, to silently log any future connections to that machine, while trying to figure out how the botnet is being controlled. Eventually, you'll be able to track down the original (command) computer (even if they're using an IRC channel, or website, or relaying a command from one machine to the next ala Whisper Down the Alley style), and then the fun starts...botnet operators HATE IT when you compromise their command machines, and use the built-in webcam to take a picture of them. They really hate it when you record video. They're even more surprised when they're running Ubuntu, and think Linux would somehow prevent them from being hacked...

But yes, the obvious answer to an attacker on your network is to run to the comms room, and physically remove the network cables. As for the above, well, it's hard to find a programmer that's been angered deeply enough to engage in that kind of investigating.

Re:Not true that fighting back doesn't work.

[lightknight]

And yet sadly, those machines suffer from 0-day exploits that even the botnet owners are unaware of.

Re:Not true that fighting back doesn't work.

[lightknight]

Yes, but in the case of the hijacked airplane, you'd probably have a >75% chance of attacking the right people (the hijackers), whereas with a 'cyber'attack,' the number is drastically lower.

Re:Not true that fighting back doesn't work.

[Tastecicles]

no investigation required, you know where your stuff is. It's a problem of recovery. That you can do yourself.

Re:Not true that fighting back doesn't work.

[Cabriel]

Real world thinking doesn't apply because the assumptions are too simple.

If a man pays another man to beat you up, who are you going to beat up in self-defence: The man in front of you or the man holding the money?

Okay, maybe not an exact case. If a first man tells a second man you slept with the second man's wife, and that second man comes to beat you up (he was tricked and doesn't really know what's going on, much like a server), who are you going to beat up: the man in front of you or the man who lied to him?

I see no inherent problem with retaliating against the server that is attacking your server. What if the man coming to beat you up is a surgeon due to perform in two hours and you defend yourself sufficiently? His not being able to perform his scheduled surgery is collateral damage not unlike taking down a server performing an important function.

What I'm saying is that it should be up to the server administrators to make sure their servers aren't being used in illegal fashions or they should be held liable if their server is used (in whole or in part) in illegal activities in the same way the man in the above examples will be held liable for assaulting you regardless of his motivation.

Re:Not true that fighting back doesn't work.

[locopuyo]

An eye for an eye makes the whole world blind,

No it doesn't. Person A pokes person B's eye out. Society pokes person A's eye out and it stops there. Two eyes are poked out and it is done. Everyone else's eyes are fine. That is a terrible quote and does nothing for your point.

Re:Not true that fighting back doesn't work.

[cold+fjord]

Denial of Service is difficult to defend against, but it is impossible to retaliate against, since it universally uses botnets. It is not "hacking," either. You basically have no recourse of any kind in that situation other than some not-so-useful technical stopgaps to mitigate damage. If you go after people who "attacked you," you're simply further hurting innocent civilians, and deserve to be slapped with the same jail time as the original attackers.

Not necessarily.

Interpol says 25 arrests target hackers

February 29, 2012

PARIS — Interpol said yesterday that 25 suspected members of the loose-knit Anonymous hacker movement have been arrested in a sweep across Europe and South America.

The international police agency said in a statement that the arrests in Argentina, Chile, Colombia, and Spain were carried out by national law enforcement officers working under the support of Interpol’s Latin American working group of specialists on information technology crime.

The suspects, between ages 17 and 40, are suspected of planning coordinated cyberattacks against institutions including Colombia’s defense ministry and presidential websites, Chile’s Endesa electricity company and national library, and other targets.

(A little old to be called "script kiddies", BTW.)

Re:Not true that fighting back doesn't work.

[DarwinSurvivor]

That's a common misconception in many countries, I *highly* recommend you verify that information for your geographic area.

Re:Not true that fighting back doesn't work.

[mysidia]

no investigation required, you know where your stuff is. It's a problem of recovery. That you can do yourself.

No, you suspect your stuff is somewhere, but that doesn't give you the right to cause criminal damage to someone else's property or to trespass upon it. Even if they had broken into your property, your course of action may now mean that they won't be charged with the crime, but that you will instead, or that you two would share a jail cell.

Just because their truck was taken by someone without permission and used to haul your stolen stuff.

It's still criminal to break in, even if your supposed rationale for doing it is recovery.

Re:Not true that fighting back doesn't work.

[sabt-pestnu]

Do you think that, perhaps, being attacked might tip them off that their server has been compromised? Perhaps when nothing else - even direct contact by harmed parties - failed to produce action?

Re:Not true that fighting back doesn't work.

[sabt-pestnu]

> it's hard to find a programmer that's been angered deeply enough to engage in that kind of investigating.

But it is much easier to find one amenable to being paid to engage in that kind of investigating.

Re:Not true that fighting back doesn't work.

[deroby]

As counter-everything as it may sound there have been 'stories' around that come down to the fact that the burglar outranks you in terms of 'rights'. Although I'm sure some of those are simply sensationalism, given their sheer number there (probably) is some truth in them.
* burglar hurts himself while robbing your house => owner gets sued for neglect & involuntary injuries.
* burglar threatens family, shop-owner shoots first => shop-owner gets arrested for manslaughter
* people now actively seek advice on whether they should get some insurance for the situation where the dog might hurt someone breaking in !?!
* etc etc...
(simply google for 'burglar sues' and there's plenty of examples)

I consider myself rather non-extremist, but going by supra I often think it wouldn't be all that bad to abandon all current law and start over again because current legislation has missed the mark by quite a distance. Sadly the 'new' law would probably be written entirely by big corp (cf the golden rule : he who owns the gold rules) and 'stealing' music would get you life while stealing someone's phone actually would be good for the economy as the victim will have to buy a new one.

[man, Monday 10:05 and I'm already cynical... it's going to be a hard week...]

Re:Not true that fighting back doesn't work.

[lightknight]

True, but to employ a programmer of that quality would be cost prohibitive; you'd be wanting a programmer among programmers here. Hence the anger / revenge here, as it overcomes the inability of said employees to afford such talent (the market doesn't know how to deal with revenge-oriented people, since money means nothing to them, and they can't be bought off; it's the equivalent of hitting a singularity).

Re:Not true that fighting back doesn't work.

[dkf]

No it doesn't. Person A pokes person B's eye out. Society pokes person A's eye out and it stops there. Two eyes are poked out and it is done. Everyone else's eyes are fine. That is a terrible quote and does nothing for your point.

Except that there's a real danger that then A's friends come round and take a baseball bat to B's kneecaps, and B's friends then shoot up A's neighborhood, and so on. Vengeance has a nasty way of escalating. The quote is actually saying that sometimes (possibly even often) you've got to take less than exact revenge precisely to stop things from getting out of hand over something initially small, leaving everyone worse off.

Re:Not true that fighting back doesn't work.

[infinitelink]

So someone leaves a gun lying around, another picks it up, and I the perfect shot am not supposed to put a bullet down the barrel pointed at me? Or a more likely scenario, you leave your pencil on the table, another picks it up and tries to stab me; the angle is perfect for me to snap the pencil in three places with a few quick, simple moves, in such a way as to render it essentially useless as an attack implement (and destroying their current effective weapon), but since it is someone else's (yours, rather than the attacker's), it's wrong to destroy the thing being used to attack me? Sorry man, sucks as it may, think about it. You are being assaulted with a utensil, and if that utensil is the means to attack...actually these cases fail because in either of them the attacker can still hit or pull another weapon immediately right there, but in the case of someone relying upon a third party computer that's it, it's what they've got, they'll have to get another first and there is distance between you and them. Destroying, therefore, that weapon of theirs is even more justified.

Re:Not true that fighting back doesn't work.

[SuricouRaven]

Do you really want this decision put in the hands of individuals with no oversight? Remember the old expression: One man's terrorist is another's freedom-fighter. A lot of Anonymous's actions have been justified as counterattacks against those who threaten the freedom of the internet.

Re:Not true that fighting back doesn't work.

[mjr167]

The difference between a terrorist and a freedom fighter depends on who wins.

Re:Not true that fighting back doesn't work.

In the US it depends on the state. This is legal and encouraged in some states.

Re:Not true that fighting back doesn't work.

[flirno]

This was in the news a few months ago and the police investigation came down on the side of the homeowner (who I believe was a woman) so in some states this really does work.

Re:Not true that fighting back doesn't work.

[CSMoran]

95% of the time people make up random statistics based on what they believe instead of what is real

Max recursion depth exceeded.

Re:Not true that fighting back doesn't work.

[a90Tj2P7]

(A little old to be called "script kiddies", BTW.)

It has nothing to do with age, it's about the skill level required to do what they do.

Re:Not true that fighting back doesn't work.

[locopuyo]

It isn't "eye for an eye" if something else is being done like your example. Which is why "an eye for an eye makes the whole world blind" is a such a bad quote to use. The original eye for an eye has to do with court punishment not vengeance.

Re:Not true that fighting back doesn't work.

[gl4ss]

that's not fighting back in the black ice sense, that's just doing ORDINARY POLICE WORK.

Re:Not true that fighting back doesn't work.

[cavreader]

Oh it's perfectly legal in the state I live in and while I have not researched every state law regarding shooting someone breaking into your home I doubt you would even be charged. Someone breaking into my house at night would really regret it, for a few seconds at least. I do have your standard security system installed throughout the house but it really does nothing but notify the security company monitoring the system and they just call the police in case you are not able to. I only turn on the interior motion detectors when I go on a trip. One thing the alarm system doesn't do is make a lot of noise and start flashing red lights while shouting "Intruder Alert!" to scare the intruder. By the time the police got to the house the only thing they would be doing is calling the medical examiner to collect the corpse.

Re:Not true that fighting back doesn't work.

[psithurism]

I kinda agree with you, probably kinda sensationalist, but a scary trend, however look what I didn't find on google:

No results found for "dead burglar sues".

Something to keep in mind.

Worked out quite well

I got the location of the punks house and nailed his mom while he was in the basement.

Feeding time came around and mom did not bring down the hot pockets according the regular schedule and he peeked his head above ground.

Said, "Hi. I'm from the company you were trying to hack. By the way your Mom is quite talented. Going to be around more often"

Re:Worked out quite well

[elsurexiste]

Not sure if you're an asshole...

...or a Winrar.

Got him back good

[spaceman375]

One morning our net was SLOW. Turned out most of our 200+ computers were participating in a DOS attack on a computer in Texas. We traced back where the infection started, checked the logs on that computer, and found the source.

Then we called his mother.

She unplugged his PC and told us she'd deal with him when he got home from school.

Re:Got him back good

[icebike]

You had logs and were still penetrated? What OS has logs and gets penetrated?

Re:Got him back good

[MobileTatsu-NJG]

You had logs and were still penetrated? What OS has logs and gets penetrated?

Well, if you're talking back doors, penetration, and encountering logs,you're probably talking OSX!

Re:Got him back good

[blueg3]

You had logs and were still penetrated? What OS has logs and gets penetrated?

All of them.

Let me get this straight

[bky1701]

The hackee is going to hack the hacker? How exactly does that work? This would be like Poland invading Germany to get back at them for WWII; it probably will go about as well as the first time. Not to mention, in this case, it is quite likely the actual hacker routed through someone else's compromised computer, thus having zero effect, breaking the law, and only doubly slapping some poor SOB in the middle. Real reasonable, sensible, ethical activities here.

Re:Let me get this straight

[Hentes]

Exactly, in any case "active defence" is always an uneven battle. A small IT team that's main job is to keep the system running and most likely has little experience in hacking, and has tons of other work they also have to take care of, versus a team of experienced hackers (if they are just scriptkiddies then they most likely don't worth the effort) who do this full-time.

Strike Back tech

[GremlinInExile]

http://xkcd.com/538/

Re:Strike Back tech

[Fear+the+Clam]

I never understood the "drug him" part in the second panel. Why would one need drugs? Just hit him with a wrench until he gives up the password.

Look out for the ICE!

[Geoffrey.landis]

Obviously, they're in the process of developing Gibson's black ICE!
We should be afraid.

Re:Look out for the ICE!

[Coisiche]

More insightful than funny I'd say because it's an inevitable outcome.

Corporate entities acknowledge legal constraints but will ignore moral or ethical constraints unless it somehow affects quarterly earnings per share. Now if someone is injured or killed during a physical intrusion onto corporate premises then that will, in most countries, have significant legal repercussions and possibly an inquiry. On the other hand, if someone makes an electronic intrusion into systems then if anything "unfortunate" were to happen to them and there is no obvious link to and significant physical distance from the corporate entity, then what's the problem?

IP address tracking fiasco part 2

[k(wi)r(kipedia)]

A cyber strike-back policy can turn out to be the more malevolent version of the attempt by some media monopolists to track and threaten alleged copyright infringers by IP address. But where the track-and-sue approach pays lip service to the law, this one's attempting the online equivalent of vigilante justice. It would be interesting what methods these "security" companies will resort to.

Not even his computer.

[khasim]

If the script-kiddie knows anything at all he'll be attacking from a zombie he's already "owned".

I think this is more sensationalism than fact.

Re:Not even his computer.

[LordLimecat]

How are you going to root the zombie?

This is retarded, its borne out of the notion that any computer on the internet can be hacked if only you have the right skills. Thats not really accurate, you either need a vulnerability or a way to get the victim to install a rootkit (phishing / whatever you want to call it).

Unless the hacker has decided to leave RDP open or left ports 135-139 exposed, its not going to be as easy as "just counterhack them".

I rather imagine I could hand out my IP to everyone on the internet, and that noone would be able to "just hack me"; and my "firewall" consists of a simple natting router.

Re:Not even his computer.

[Bert64]

Not easy perhaps, depending on what's being used as a relay... But theoretically if the hacker was able to compromise the box then it should be possible for you to do the same.

Re:Not even his computer.

[Taco+Cowboy]

Not if the hacker closed the hole after he sneaked in (from that same vulnerability)

Re:Not even his computer.

[xenobyte]

Root the zombie?

Not necessary. Just kick it off the net. You can easily flood most private low-bandwidth machines off the net without breaking a sweat bandwidth-wise yourself.
If the attacker switches, repeat and rinse.

Re:Not even his computer.

[LordLimecat]

Here you go:
Your IP Address Is: 69.138.178.32

Ill even give you a hint, port 4242 is forwarded.

Get to hacking, I expect a rooted machine by morning.

Re:Not even his computer.

[LordLimecat]

Not necessarily. Vast majority of zombies were hit by driveby exploits for flash, java, whatever. It generally isnt a targetted attack, because its a lot harder to target it without social engineering. It also generally isnt possible to just "hack" a home computer, because you have a natting firewall with no forwarding in the vast majority of cases as well as the built in Windows firewall to deal with.

How you plan to get unrequested traffic from the internet through the NAT and past the Win firewall I would be interested to hear.

The only real way to hack those computers would be to look for a vulnerable UPnP app that has set up forwarding thru both firewalls and which is also able to be exploited, or else to start spreading your own viruses (which is most certainly very illegal). Its not a level playing field either, because these companies would be hugely liable if they were to do so, and would be easy to find and prosecute; meanwhile the botmasters reside in Eastern Europe, so good luck bringing them to trial.

Re:Not even his computer.

[LordLimecat]

Sounds like a low-level DoS which will get the target ISP to start rejecting you and your own ISP to send you a nastygram.

In other words, an easy way to get yourself kicked off the net.

Re:Not even his computer.

[LordLimecat]

In fact, as I recall, about 3 years ago I set up a filezilla server on my home comp, set up basic user accounts, and posted the details to 4chan. Nothing really happened; I think someone tried to upload a decompression bomb, some others started uploading material of questionable legality, etc, but noone got the admin password.

I left it up for several days and eventually some bots noticed the FTP server and began attempting bruteforce the admin password, but nothing else happened.

Now I ask you, if its so easy to just hack someone once you get the IP, why were they fiddling with FTP rather than owning the whole box?

Re:Not even his computer.

[mcgrew]

I rather imagine I could hand out my IP to everyone on the internet, and that noone would be able to "just hack me"

Wow, your setup must be pretty weak if a musician can hack you!

BTW, I discovered to my horror and embarrassment that I'm probably the one behind this often repeated mistake, when I was looking at some stuff I wrote over ten years ago; amazing what one single typo from on person can snowball into. So I apologize to the entire internet; my bad. Damned weak spacebars they makethese days...

Re:Human psychology

[bky1701]

Yes. It takes sense to know that you don't shoot back at a chaingun with a pistol, but most people are too dense to realize they are not l33t h4x themselves capable of greater than whatever was just done to them.

Re:May I slurp your snap?

[Eightbitgnosis]

My favorite part of the MyCleanPC spam is most definitely the names of the accounts

Best defense....

[gstrickler]

1. Never put sensitive data on a computer connected to the internet, unless it absolutely must be there.
2. Never keep sensitive data that you don't need, overwrite it, then delete.
3. Never put confidential data into any computer system, networked or not. If you must, do so only if it's encrypted and secured by strong authentication at all times.
4. Use all practical forms of security, firewalls, strong authentication, multiple networks with isolation, IDS, AV/anti-malware, no running as Admin/root, separate accounts for every user with appropriate access restrictions, including separate accounts for any services running on your servers, whole disk encryption, etc.

The first 3 are what I call the "Mr Miyagi" approach, "Best defense, no be there." Item 4 is what most companies focus on, but it's not nearly as useful if you haven't used 1-3.

Re:Best defense....

[techno-vampire]

I'd suggest a change to your point four: don't use an OS for your servers that requires AV/anti-malware unless you have no other choice.

Yes, I know that there are a small number of exploits for Linux and the various BSDs, but the vast majority of them target Windows. Just keeping your servers off of Windows will make it much harder for crackers or worms from getting a foothold, and the skript kiddies probably won't have a cheat sheet for your OS. That doesn't mean that if you don't use Windows you can ignore all of the other excellent suggestions you made in point 4, but it will probably make them more effective.

Re:Best defense....

[techno-vampire]

Absolutely! My thought was that by avoiding the use of Windows for your servers you'd be minimizing your potential attack vectors, making your job much easier.

Re:Best defense....

[girlintraining]

Never put sensitive data on a computer connected to the internet, unless it absolutely must be there.

o_O Not very realistic when we live in an "always on / always connected" world. Everything is merging into the network and stand alone devices are a minority.

Never keep sensitive data that you don't need, overwrite it, then delete.

Also, you should burn all the clothes you haven't worn in over a week (you obviously don't need that many clothes), not have a junk drawer, and while you're at it, delete any data on your system with an access time older than 3 months. Also, delete sarcasm.sys ...

Never put confidential data into any computer system, networked or not. If you must, do so only if it's encrypted and secured by strong authentication at all times.

Confidential, defined: Everything that isn't out on the curb with a big sign that says "Free" on it. Also, you should stop using the internet since most of it isn't secured and uses strong authentication... there's never a reason to use plain-text data exchanges. I mean, I don't even leave the house without my PGP key, and when I hangout with my friends, we use finger signs that are one-way encrypted... because otherwise someone might understand us and that would be bad.

Use all practical forms of security, firewalls, strong authentication, multiple networks with isolation, IDS, AV/anti-malware, no running as Admin/root, separate accounts for every user with appropriate access restrictions, including separate accounts for any services running on your servers, whole disk encryption, etc.

Basically, throw everything you can at the problem and hope something stops the attacker, and if you frustrate everyone who has to use the system because it requires 30 character long passwords rotated every 15 minutes, 9 levels of encryption, and a sample of hair, blood, finger print scan, iris scan, and ass cheek measurements... it might not be secure enough to protect grandma's secret goolash recipe.

The first 3 are what I call the "Mr Miyagi" approach, "Best defense, no be there." Item 4 is what most companies focus on, but it's not nearly as useful if you haven't used 1-3.

I take a somewhat simpler approach to security: Build it so that breaking it costs more than the value of what you're protecting. There is no perfect security. All of it can be hacked. Your only responsibility, professionally, ethically, morally, is to make it cost them as much or more to break through than whatever is being guarded. Criminals are just as rational as anyone else: They go for the low hanging fruit, the most gain for the least effort. I call it the "Mr. Bear Grylls" approach, 'You only have to run faster than the guy next to you when escaping a lion."

Re:Best defense....

[gstrickler]

I take a somewhat simpler approach to security: Build it so that breaking it costs more than the value of what you're protecting. There is no perfect security. All of it can be hacked. Your only responsibility, professionally, ethically, morally, is to make it cost them as much or more to break through than whatever is being guarded.

My recommendations do that, both by making sure the data has the lowest possible value (items 1-3), and by making it as difficult at possible (item 4).

As for you earlier comments, Go back and read again, they all allow for all of the situations you addressed. You have misinterpreted them.

Re:Best defense....

[a90Tj2P7]

Never keep sensitive data that you don't need, overwrite it, then delete.

Also, you should burn all the clothes you haven't worn in over a week (you obviously don't need that many clothes), not have a junk drawer, and while you're at it, delete any data on your system with an access time older than 3 months. Also, delete sarcasm.sys ...

I think he's (badly) trying to say that you shouldn't repurpose media that was used for sensitivie info without sanitizing it.

Re:Best defense....

[gstrickler]

No, that's a separate issue. I'm literally saying that if you don't need the data, don't keep it. If it's sensitive, overwrite it, then delete it. In many businesses, they keep sensitive data (in logs, databases, etc.) that they have no use for. For example, they needed a CC number for a few seconds to process a transaction, but for reasons that have nothing to do with the transaction, they write the CC number to a log of a database. If you don't need the information, don't keep it.

So, I didn't do a bad job of stating what you think I said, I stated exactly what I meant.

Black ICE got him....

[PrimalChrome]

Looks like he pulled a Wilson.

Stop playing the troll's game !!

[Taco+Cowboy]

One of the troll's aim is for others to repeat "mcpc"

What you are doing is just that, repeating it, 4 times

Stop playing that troll's game

Stop repeating "mcpc"

Control your temptation

Re:Stop playing the troll's game !!

I'm pretty sure that tells the search engine not to follow the links in the comments. I fimd the comment just fine with Google

Re:Stop playing the troll's game !!

[macraig]

I don't think his goal is to get others to repeat the term; I don't think he's depending upon that at all. Notice that he's not merely mentioning the name, he associates a URL with EVERY SINGLE mention of it. I think doing that, buried in seemingly legitimate text at a highly ranked site(s) (Slashdot ain't the only place he's doing this) and the effect that has on Google and Bing is his goal. Simply mentioning the name alone probably does little if anything. Doesn't it water-down the effectiveness of his SEO goal when I deliberately associate the term with an undesirable URL? That was my goal, not to play his game but to rain it out.

Re:Stop playing the troll's game !!

[ArsenneLupin]

I'm pretty sure that tells the search engine not to follow the links in the comments.

Actually, this is no longer true. Nowadays, google even follows stuff that are not even links. Mention http:/// in plain text, and google will follow it. I've got a couple of perl scripts available for download on my site, and some have URLs embedded in them, which the script pieces together with other stuff to get a real URL to download. Google crawls the script, recognizes the pieces as URLs, and the download attempts show up in my logs...

So yes, spamming forums helps the spammers again, and that even if the forum doesn't allow to embed links! Well played, Google!

Re:Stop playing the troll's game !!

[X10]

One of the troll's aim is for others to repeat "mcpc"

It's not a troll. It's a joke.

Re:Stop playing the troll's game !!

[DarkOx]

Lets call it MyCleanPc not mcpc, which is really close to the trade name MCPc; MCPc is a legitimate reseller and professional services organization. I am former employee of MCPc and I can tell you when I worked there they always treated me well, and did right by their customers too.

Please don't conflate their name MyCleanPc which seems to have a somewhat dubious reputation and is a different company.

Re:Stop playing the troll's game !!

[petermgreen]

I think google must have realised they threw the baby out with the bathwater when they brought in nofollow and either started ignoring it or at least treating it as merely an advisory note along the lines of "this link may be user contributed and hence lower importance than others on the site".

While the "old web" of traditional websites set up by individuals and linking to each other still exists more and more content is moving to wikis, forums and similar or to pages that are primerally accessed by following links (or sometimes copy/pasting urls if the forum doesn't allow links) from those wikis and forums. Heck many projects are now using wikis as their main websites. A search engine that wants to find the best results doesn't want to completely ignore this information just because there is some risk it is spam-contaiminated.

Companies are known to strike back

[Taco+Cowboy]

There are companies that I know, who employed "private contractors" to do things that they can not legally do, to "make things right"

One of those companies, when its refinery was damaged by some African guerillas, got its own "private contractors" to hit back, and they hit back very very hard

So, I am not surprise of what they will do on the Cyberwar front - the "private contractors" can do anything for you, so long as you pay them

Re:Companies are known to strike back

Might one contact such "private contractors" via Soldier Of Fortune magazine?

Re:Companies are known to strike back

[mrclisdue]

I was under the impression that "private contractors" had something to do with "shrinking genitalia." Which would also be somewhat effective.

cheers,

Re:Companies are known to strike back

[Taco+Cowboy]

SoF is but one of the many venues that you can find "private contractors", and they come with all kinds of "skill sets"

Re:Companies are known to strike back

[Taco+Cowboy]

You missed out on the word "part"

Re:Companies are known to strike back

[MobileTatsu-NJG]

Might one contact such "private contractors" via Soldier Of Fortune magazine?

You want the best, right? A few years ago a crack commando unit was sent to prison by a military court for a crime they didn't commit. These men promptly escaped from a maximum security stockade to the Los Angeles underground. Today, still wanted by the government, they survive as soldiers of fortune. If you have a problem, if no one else can help, and if you can find them, maybe you can hire them.

Re:Companies are known to strike back

[Sir_Sri]

In that situation you should pay off the local government police and or military forces. If you can't pay them more than the local militias or criminals, you shouldn't do business there.

That is, in effect, what happens in civilized countries. You pay taxes for police services, if the services aren't up to the task you pay (technically 'lobby') politicians to write laws for you that will get the police up to the task or out of the way.

cyber security is a different matter. There's no one you can pay unless you're a huge multinational, and even then you may not have a presence wherever the problem initiated from. If you're hacked domestically you have the same recourse as physical security, call the police, if there aren't laws that will cover you, pay politicians to write some. But if you get hacked from a foreign country there's really nothing you can do except build hardened systems in the first place. Counter hacking doesn't seem like a good idea, because they, being criminals, are somewhat less hindered by morals and laws than you are, and can retaliate thusly. I suppose if you're really big you pay politicians in both countries to write treaties for you. But that would just serve to make counter hacking illegal.

Re:Companies are known to strike back

[Richard+Steiner]

I think most posters here are too young to know what you're talking about. :-)

Re:Companies are known to strike back

We live in the age of bittorrent and Netflix and there was a 2010 A-Team film.

Maybe you're just too old to be commenting. ;)

Re:Companies are known to strike back

[lister+king+of+smeg]

not unless they are under 3 (http://www.imdb.com/title/tt0429493/)
A-team movie 2010

Re:Companies are known to strike back

[Scoldog]

The movie was only released in 2010. Are you saying that Slashdot users are younger than 2 years old?

Re:Companies are known to strike back

[MobileTatsu-NJG]

Was that one of those movies that basically everybody saw or was that pretty much only on the radar of fans of the original show?

Re:Companies are known to strike back

[Taco+Cowboy]

In that situation you should pay off the local government police and or military forces. If you can't pay them more than the local militias or criminals, you shouldn't do business there.

As long as there's money to be made, most multi-national corporations (mnc) will pay

But sometimes the local government isn't the one who pull the shot - and the more complicated the situation is, the more you need "private contractors" to carry out "the tasks"

Re:Companies are known to strike back

[cold+fjord]

I was under the impression that "private contractors" had something to do with "shrinking genitalia." Which would also be somewhat effective.

Indeed.

Lynchings in Congo as penis theft panic hits capital
Benin alert over 'penis theft' panic
Journalist Tracks Rumors Of Penis Thievery

---
As an atheist, I truly believe Africa needs God
"When people stop believing in God, they don't believe in nothing -- they believe in anything." -- GK Chesterton

Re:Companies are known to strike back

[hairyfeet]

Companies hell, I've had cops come up to me in the shop that wanted obviously illegal stuff done, frankly i think they had seen too many episodes of CSI and actually thought you could hack a network with a VB GUI.

But honestly this kind of shit surprises me not in the least, anyone who has read some of the stuff that has been dumped onto Wikileaks knows that you can buy pretty much anything if the money is good enough. Personally I'm waiting for a cyber version of the Pinkertons, a little private army you can hire to do whatever dirty little thing you need done in cyberspace. After all thanks to many otherwise pretty damned lawless countries having Internet access in a way its like the wild west only the criminals don't have to physically come over the border to do their raiding before heading back to their personal hole in the wall. So to see the corps fighting back when the law itself can't really do shit thanks to countries that don't play by the same rules? Really not surprising.

Re:Companies are known to strike back

[Tastecicles]

heh... I've had police approach me for forensic recoveries, each and every time I've told them they couldn't afford me.

Fucking useless wankers.

Re:Companies are known to strike back

[Taco+Cowboy]

Haven't read 2600 ever since it became mainstream

Re:Companies are known to strike back

There is this other magazine but you've probably never heard of it.

Re:Companies are known to strike back

[MobileTatsu-NJG]

I loved it, but to me it was a dumb movie made by people who love the show. If you're looking for a serious movie you won't like it. I'd say that if you didn't like Starship Troopers, skip this one.

Re:Companies are known to strike back

[Taco+Cowboy]

There are, and they are only in soft copies

Re:Companies are known to strike back

[azalin]

If recent post quality is an indicator, that might not be so far fetched... *sigh*
By the way: How many movie plots do you remember from films you saw under the age of 3?

Re:Companies are known to strike back

[L4t3r4lu5]

... i think they had seen too many episodes of CSI and actually thought you could hack a network with a VB GUI.

I cringed as much as the next nerd when I heard that line, but if you think about it it actually make sense. The fact that the terms are inaccurate is immaterial. She could have told them she fired up Backtrack 5 and used a known buffer overflow vulnerability in $PerimiterSwitchSoftware to get access to the internal network, and a remote code execution attack to enable directory traversal and and run w3svc as Admin, giving her free reign over the network. Would they have understood any more?

You're thinking of it as the actress saying lines for your amusement. She's not. She's telling a colleague, who wouldn't understand anyway, a bunch of buzzwords and jargon to dissuade them from getting too involved in something which will only confuse them, and distract them from their own involvement in the situation.

If Finance ask you about backups, do you tell them about cron jobs and the difference between differential and full backups? No, you tell them it's daily and hosted off site, and they should worry more about getting your pay cheque ready for the last Friday of the month.

Re:Companies are known to strike back

Starship Troopers wasn't a serious movie? Jeez, you yanks really don't get irony do you?

Re:Companies are known to strike back

[queBurro]

The 0xA team?

Re:Companies are known to strike back

[geminidomino]

I think when he said "serious" he actually meant "good."

The guy behind it should have spent less time going for "irony" and more time going for "making the characters not come off as complete fuckwits."

Re:Companies are known to strike back

[hackula]

Saw it, but it was so terrible that I slept through all of the "plot" parts.

Re:Companies are known to strike back

[a90Tj2P7]

... but if you think about it it actually make sense. The fact that the terms are inaccurate is immaterial. She could have told them [a realistic explanation]. Would they have understood any more?

... She's telling a colleague, who wouldn't understand anyway, a bunch of buzzwords and jargon to dissuade them from getting too involved in something which will only confuse them, and distract them from their own involvement in the situation.

If Finance ask you about backups, do you tell them about cron jobs and the difference between differential and full backups? No, you tell them it's daily and hosted off site...

Oversimplifying or glossing over things is perfectly fine, deliberate misinformation is reprehensible and only causes future problems. The level of detail you go into should vary for the target audience, but never the accuracy. Obviously, talking about a TV show - where everything from law and medicine to the operation of cars is usually completely flawed - is one thing, but I'd definitely never defend the idea of deliberately miseducating people IRL just because you don't think they'd understand. That's how people were taught the improper terms and processes they'll misuse in the future. For example, the layman could probably understand something like "I used a specialized software package to exploit a security hole that let me get into their system and then take it over."

Re:Companies are known to strike back

[mcgrew]

Counter hacking doesn't seem like a good idea, because they, being criminals, are somewhat less hindered by morals and laws than you are

Some criminals steal with a gun, others steal with a pen. If you think MNCs give two shits about the law or morality (Sony's XCP for example) or revenge, you're awfully naive. Hell, a better example than XCP is this. Note that Sony was never charged with a crime, and nobody from the mining company was charged with negligent homicide (as they should have been IMO). As much as I hate Sony for rooting my computer, I hate Purina more -- they killed my grandfather. Nobody went to jail for his death, either.

Corporations have no morals and no fear of the law. They are all sociopathic and some are simply parasites on society.

Re:Companies are known to strike back

[L4t3r4lu5]

Why couldn't she have written a UI for the "specialised software package" in VB? A form with the appropriate fields and checkboxes for variables could easily be coded to pass instructions to a CLI application.

Why are we arguing about this?!

Re:Companies are known to strike back

[Sir_Sri]

Corporations very much fear the law. The law could dissolve them and arrest their CEO. That's why they buy their way into convenient laws at all.

Re:Companies are known to strike back

[budgenator]

Oh come on and lighten up, it was WAY better than Battlefield Earth! "Starship Troopers" absolutely nailed the 1950's DOD and CD training film style so popular during the "Cold War" - "Red Menace " era.

Re:Companies are known to strike back

[geminidomino]

Oh come on and lighten up, it was WAY better than Battlefield Earth!

Talk about your "damning with faint praise."

So is having your balls slammed in the car door!

Re:Companies are known to strike back

[MobileTatsu-NJG]

The characters being fuckwits was the point of the movie. Starship Troopers is a satire. If you don't get that while watching the movie you won't like it.

Re:Companies are known to strike back

[MobileTatsu-NJG]

Heh. Me = Pity("Foo");

Re:Companies are known to strike back

[geminidomino]

Oh, I did get that. It's not like it was anywhere in the vicinity of "subtle" or anything, but it's not even *good* satire. If you're going to make a satire with two-dimensional characters whose only recognizable trait is a common theme of "mind-crushing stupidity and tactical incompetence" then you really ought to go for a screwball comedy a la "Team America."

"Satire" and "shitty movie" aren't mutually exclusive.

Re:Companies are known to strike back

[St.Creed]

But the fact that a lot of people took it serious was priceless :)

Team America was never in danger of being taken serious - and thus completely harmless. Starship Troopers is probably the better movie of the two, even if I did like Team America more.

Re:Companies are known to strike back

[hairyfeet]

Because it was a case of Star Trek technobabble bullshit friend, and in this case frankly technobabble bullshit wasn't required because we are talking about tech that exists and 4 minutes in google would have given whomever wrote the scene the appropriate words but instead they went buzzword bingo which is what made it funny. Hell I wouldn't be surprised if some writer just stuck their head into the IT dept and the guys there decided to pull an "ID10T" on 'em for shits and giggles. I know my former boss would love to go ID10T and PEBKAC Sequence Error Z0-MG on those that didn't know their asses from a 7/11 yet insisted on having everything explained to them like they knew WTF you were saying.

Re:Companies are known to strike back

[mcgrew]

The law could dissolve them and arrest their CEO.

LOL, tell that to the CEO of Sago mines. Despite failing to follow mine safety laws that resulted in the death of two dozen men, the CEO got out with a golden parachute.

CEOs only go to prison if they defraud other rich bastards, like Ken Lay or Bernie Madoff. They can rob and kill and maim as many peasants as they wish with impunity, just so long as another rich man doesn't lose a few pennies.

Plead the 5th.

[girlintraining]

If you've been involved in such an action, how did it work out for you?

I have, and let me tell you, it was... hey, hold that thought for just a second, someone's knocking at the door...

Indeedy

[obarthelemy]

I've been in contact about a job with a French cybersecurity company that has subsidiaries in 3 countries to be able to be able to offer 24x7 service, and, avowedly, do stuff (counter-attack for ex.) that would be illegal in France.

I don't have a big issue with counter-attacks existing, and being nasty (let's face it, if you beat on me, I'm gonna beat on you). I do have an issue with the potential for counter-attack evolving into spying and pro-active stuff. I'm sure they're doing it already.

Re:Indeedy

[jimicus]

I don't have a big issue with counter-attacks existing, and being nasty (let's face it, if you beat on me, I'm gonna beat on you). I do have an issue with the potential for counter-attack evolving into spying and pro-active stuff. I'm sure they're doing it already.

I'm quite sure the ability to do so has existed for many years.

Way back in the mists of time I administered a network with a CIPE VPN. (This was shortly after CIPE had been found to have a number of holes that weren't going to be plugged - it was in the process of being decommissioned but I digress). The straw that broke the camels back with that was when I spotted odd behaviour, ran tcpdump on each end of the VPN and discovered that a very particular type of traffic - VoIP as it happens - was going in one end of the tunnel but not coming out the other.

Of course, it's entirely possible the block was based on packet-type heuristics rather than realtime decryption - apparently it's possible to guess with a fair degree of accuracy what sort of traffic you're looking at simply by looking at the size and frequency of the packets. In any case, it's concerning enough that a telco thought this was appropriate.

Re:MyCleanPC is fraudware

[Mashiki]

Well, I found your post insightful and informative. I would like to subscribe to your newsletter good sir.

Honeypots, misinformation

[Dan+East]

I would think lots of honeypots, dead ends, and misinformation would be effective. It would be difficult for the hacker to know when they have accessed legitimate machines or information. That's one of the problems with typical security is that it typically provides confirmation when an access attempt has failed. If instead of indicating failed access, you instead direct them to bogus data, it would make the hacker's life rather miserable.

What if it was a hospital?

[khasim]

If your system is compromised you do not have the right to have it keep running and attacking people. That is the responsibility any node on the network holds inherently.

That's a great idea right up until it is a server in a hospital that is being used for the attack.

More like, if someone is assaulting you you should be able to punch back just as hard, or hard enough to make them stop.

No. I'm going to have to go with the other post:

Equal to "If someone breaks into your home, you should be able to break into their home."

And not just that but also a house you THINK belongs to the attacker when it is just one that the attacker is using.

Re:What if it was a hospital?

Two wrongs don't make a right and protection of property doesn't automagically justify the taking of life.

Re:What if it was a hospital?

[NormalVisual]

Might as well bring down that server - if there happened to be patients died as a result, it's not your fault either, it's the fault of the hospital IT staff that let their server to be compromised

I'm guessing the court probably won't feel the same way when you're sued for everything you've got by the dead patient's family and the hospital, especially when an expert witness testifies that all you'd have to have done to stop the attack was insert a couple of firewall rules or null route the target IP for a little while.

Re:What if it was a hospital?

Might as well bring down that server - if there happened to be patients died as a result, it's not your fault either, it's the fault of the hospital IT staff that let their server to be compromised

Yeah, well, that's your opinion. The law disagrees. A server of ACME Inc. was used by Black Hat to attack your server, which means Black Hat broke the law and, if caught, will be in trouble. The problem is that you, too, attacked ACME Inc.'s servers, and now you're in trouble too. In fact, you're in more trouble than Mr. Black Hat since he used 7 proxies while you or your contractor didn't.

And in military parlance, it's called "collateral damage"

Correct. But you and what army is going to convince the judge that you're free to kill innocents too?

Re:What if it was a hospital?

[psithurism]

I just want to apologize for all of your posts being modded "-1 Disagree"

You're posts are clearly on topic and raised great avenues for discussion. I know the Mods think so today because they they gave all the responses you generated +5 insightful instead of ignoring the conversation thread.

So thanks for taking one for the team to make ./ interesting to read today :^)

if there happened to be patients died as a result, it's not your fault either, it's the fault of the hospital IT staff that let their server to be compromised

Seriously though? You're unable to ignore a packet stream without a counter offensive and yet the hospital is at fault for their poor security?

Re:Limited Nuclear strike

[0123456]

It's the only way to be sure...

How about physical reprisals?

[swb]

When the money in play gets big enough I would think that physical reprisals would become an increasing likelihood. The money providing private security in Iraq and Afghanistan was good, but these guys are looking for new markets and selling an anti-hacking service that involves your attacker winding up dead in a car crash or of an accidental overdose has a certain appeal.

Doesn't End Well

Google Multi-bet.

"Seems there has been blackmail and hack attempts to at least two online bookies,
Multibet.com and Centrebet"

"syn flood on port 80 - MASSIVE one

The server was originaly in Alice, thus killing the Alice network. Telstra then implemented their "DDoS protection" (www.radware.com - ironically, when we told our current DDoS protectors this, they laughed) in their Sydney office. It took out part of their core network in Sydney straight away before they killed the www server ips." http://forums.whirlpool.net.au/archive/237347

They just bought more bots to the fight.

False flag

[PPH]

So, if I want to hack Lockheed Martin, I route my attack through a compromised Boeing system. Then I sit back and watch the antics ensue.

Re:False flag

[proctor]

no no....you route it through beijing like everybody else.

Re:False flag

[PPH]

no no....you route it through beijing like everybody else.

Why? I'm the #3 defense contractor behind Boeing and Lockheed. If I can get them to take each other down, I move into #1.

That's the ???? before Profit!

Good luck with that.

[khasim]

Might as well bring down that server - if there happened to be patients died as a result, it's not your fault either, it's the fault of the hospital IT staff that let their server to be compromised

Good luck with that in court. I'm sure the judge and jury will completely understand your need to risk the lives of patients because you wanted to.

After all, if you were competent then you'd be able to block the attacks or at the very least mitigate/ameliorate any possible damage from them.

You mean, the attacker using a server in the hospital to attack you is okay, but it's not okay when you retaliate ?

I mean that if a patient dies because of the cracker then it isn't your concern.

But if a patient dies because YOU decided to take out that server ... enjoy your stay at the Federal Pound Me In The Ass Prison.

Re:Good luck with that.

[pspahn]

After all, if you were competent then you'd be able to block the attacks or at the very least mitigate/ameliorate any possible damage from them.

Which highlights the very valid point that competence is irrelevant when the incompetence of many contributes to the attack. The hospital was also incompetent, so what is their liability if they're already operating a compromised system on behalf of their patients? Is this only a problem once that system is used to compromise another?

There's a good need for a 10,000' view of this.

Re:Good luck with that.

[Taco+Cowboy]

After all, if you were competent then you'd be able to block the attacks or at the very least mitigate/ameliorate any possible damage from them.

We are talking about a counter strike

Corporation A being attacked by cyberpunks somewhere

Corporation A might have suffered damages, or might not be, it does not matter, because the attack on Corporation A had taken place, and Corporation A is determined to strike back

Which means, the competency of the IT staffs of Corporation A do not fall in this equation - because all the counter-strike will be handled by "private contractors", not the staffs of Corporation A
 

Re:Good luck with that.

[cold+fjord]

No court system in the world has any jurisdiction over "private contractors", or they won't be "private contractors"

Either you are trolling or there is a huge gap between your understanding of the law and what the situation actually is. I suggest you talk to a lawyer before you test your theory in real life.

I hope you aren't mixed up in this nonsense: Sovereign Citizens: Radicals Exercising 'God-Given Rights' or Fueling Domestic Terrorism?
That would be unlikely to end well. Sovereign Citizens - A Growing Domestic Threat to Law Enforcement

Re:Good luck with that.

[CheeseyDJ]

No court system in the world has any jurisdiction over "private contractors", or they won't be "private contractors"

Where do these people live? In space?

Re:Good luck with that.

[sphealey]

= = = = Either you are trolling or there is a huge gap between your understanding of the law and what the situation actually is. I suggest you talk to a lawyer before you test your theory in real life.= = = =

Yes, who can ever forget when Hewlett-Packard received the corporate death penalty for running a cell phone hacking scheme through a third-party contractor.

sPh

Re:Good luck with that.

[DarkOx]

I can see both sides of this one. I think at some point you SHOULD have the right to take matters into your own hands.

If its a more traditional attack and you are seeing a pattern of what appears to be breakin attempt obviously you should drop all traffic from that network and contact the authorities. End. What if its DOS though?

I would say you should contact the administrator of whatever domain the attack appears to becoming form. Which is an excellent reason why proxy and anonymous registrations should be barred. If its just a SYN flood its probably spoofed but anything else means either they are behind it or one of their systems has been owned and they NEED to fix it.

If they won't help you, I'd move on to their ISP who can see the traffic and verify what's happening, they should cut them off until they fix it.

If the ISP won't help you I'd move on to law enforcement. If they still won't help you, having documents all this, I think its fair game for you to do your own take down. Hospital or not.

Re:Good luck with that.

[Hatta]

Do a little research on Blackwater/XE and you'll see just how much the law actually applies to private defense contractors.

Re:Good luck with that.

[bledri]

Do a little research on Blackwater/XE and you'll see just how much the law actually applies to private defense contractors.

I'm 99.999999% certain that if a private citizen hired Blackwater/XE to kill someone, or initiate some sort of military action that both would be in serious trouble with the law. Hiring someone to do something illegal is illegal. Not sure why everyone is conflating this with the government (the entity that makes the laws) hiring private contractors to do it's bidding...

Re:Good luck with that.

[cold+fjord]

Yes, who can ever forget when Hewlett-Packard received the corporate death penalty for running a cell phone hacking scheme through a third-party contractor.

Let me know when hackers are subject to the death penalty for phone hacking, then we can talk about corporations. And you can't really forget something you didn't know.

Plea hearing postponed in HP spy scandal redux

SAN JOSE, Calif.--More than four and a half years after a California judge effectively dismissed criminal charges against the major players in Hewlett-Packard's spying scandal, federal prosecutors are bringing the case back to life.

  A father-and-son team of private investigators went before a judge today in the U.S. District Court in San Jose intending to plead guilty on charges relating to HP's controversial probe of boardroom leaks to journalists, which took place in late 2005 and early 2006.

Matthew DePante, 32, and his father Joseph DePante, 64, were arraigned last week on charges of conspiring to . . .

An eye for an eye

[techno-vampire]

An eye for an eye makes the whole world blind...

Actually, an eye for an eye can be very appropriate, if you understand what the passage is really saying: not that you're entitled to an eye for an eye, but to no more than an eye for an eye or a tooth for a tooth. It doesn't so much institutionalize revenge as place a fair limit on it. There are, of course, two problems here: first, making sure you've identified the culpret correctly and second, how much hacking, DDOS or whatever is appropriate. Personally, if the attacker lives in a country where the law is respected, turning the evidence over to the proper authorities is probably your best bet. If not, have fun; after all, what's the worm going to do? Tell the police, "He found out I was hacking his computer, so he hacked me back?"

How do you know you've found the source?

[GodfatherofSoul]

I'm not a networking guy, but I'm pretty sure the legitimate hackers are using leap frogging through zombied machines to attack you. So, how you know that you're at the original hacker's machine(s) and not another innocent zombie?

Re:How do you know you've found the source?

I'm a security analyst in a fortune 500 company, and I agree 100% with your statement, any hacker worth a grain of salt will be hiding either via proxies / vpns / Toor / zombie jumpboxes and often a combination of them all.
Giving some other PC the blame for your attack on a system is the standard, that's what makes attribution so difficult.
  Even script kiddies these days have it easy, checkout http://www.fastandeasyhacking.com/ its a GUI front end for Metasploit which is kind of like a swiss army knife for hacking. Jumping from other pc's that you have owned is called Pivoting, its one of the many nice features of Armitage (the front end replacement for metasploit).
Personally I've pondered paying someone to make me a offensive firewall, (I'm no coder) which I'd have to limit to certain ranges of the internet and not others (ie so some pwnd machine in some gov org couldn't potentially attack me and I auto strike back) running something like a DBautopwn script or something. But Yeah decided that was a dangerous path to take and I canned the idea, not wanting a fed knocking at my door asking me why my ip is attacking all the things.
Doe's anyone remember an offensive firewall from the 90's? I used to have one, can't remember what it was called, was running on Windows 95 or 98, can't remember which, but essentially, it would sit in your sys tray and behave like a normal firewall, until it saw someone portscanning you or something suspect, then it would alert you and give you some options, you could send them a msg via a interface using I think the WinPopup protocol, so you could send them a msg and be "hey wtf are you doing? We have traced your address and the police have been called", they would instantly disconnect at that point and would become unpingable (back in the days of dialup heh, they would yank the modem cable immediately)
for the guys that didn't give up scanning you or whatever you then could send some sort of exploit which would cause a BSOD on their machine (suppose not that hard back with win95/98, think it was using a abnormally large tcp packet with odd flags set) Can anyone remember what that was called? I'd love to fire it up in a vm testlab environment these days.

Re:How do you know you've found the source?

[TenAngryPistols]

Is this real life? I don't want to live on this planet anymore...

Pointless stupidity doing collatoral damage

[dbIII]

The computer someone retaliates against could just be the previous victim of the cracker. If they have owned a government system of any kind at all (even something that provides a bus timetable) and you attack it then you could be in some very deep shit legally with a courtroom opponent that will spend whatever it takes of taxpayers money to make an example of you.

Re:Pointless stupidity doing collatoral damage

[flyingfsck]

Yah, the few times I went to the trouble of tracing an attack back, it always ended up at a government ocmputer, so the above was my exact thought too.

Re:Pointless stupidity doing collatoral damage

[sabt-pestnu]

I would think that many governments would be happy to learn details of *what way* their computer is compromised.

And if they aren't eager to learn those details, I am sure that the AP might be.

Re:Pointless stupidity doing collatoral damage

[dbIII]

It's a tricky situation, by informing them of a crime your name may well be the only one they have when it comes to the time to look for scapegoats :(
Computer security is a thankless task unless people owe you thanks for enough that you are considered almost indispensable.

Why not fix this before you get hit?

[ka9dgx]

Capability based security makes it possible to manage the complexity of our deployed software and limit damage caused by a process gone rogue. Imagine each process with it's own sandbox, and you've got an idea how powerful it is. It doesn't mean giving up Linux either... as the Genode project looks on track to give us capabilities with complete linux compatible programs clients in the tree.

Let's stop worrying about cyberwar, and help these guys get a permanent solution in place instead. Then we can worry about how to get IP6 deployed everywhere, and take our internet back.

I Was Involved In This Once

[mentil]

Years ago I worked at an ISP, and one of our websites was defaced. The FBI traced the vandal back to his AIM account name and left it at that. One of my coworkers checked the AIM profile, which contained some personally identifying information. One phone book later we had a phone number, and some phone calls were made of an, err, 'intimidating' nature. We weren't defaced again (setting a Frontpage password probably helped, too).

Slashdot is Toast

[DougReed]

I've just about had it. Slashdot used to be news for Nerds. Now it's almost entirely mindless bullshit, and the last straw is when spammers are permitted to confiscate the site, and Slashdot management allows it. As if it's my job to waste my mod points to mark this crap as Troll.

I am logging off, and deleting Slashdot from my home page. Have at it trolls. All yours now.

Who specifically is retaliating?

[WaffleMonster]

While summary and TFA seem to imply some sort of vigilantie response it never enumerates even a single example of what that would be or cites any incidents where retaliation had actually been carried out.

TFA only seems to provide any detail or information about misdirection, honey pots..etc to thwart attacks and obscure important information...All obvious and non contraversial actions.

What I find most distrubing is this little jem:

"In April, Department of Homeland Security Secretary Janet Napolitano told the San Jose Mercury News that officials had been contemplating authorizing even "proactive" private-entity attacks, although there has been little follow-up comment."

How are idiots like Janet even allowed to be secretary of anything? I don't know whats worse having such thoughts or publically admitting to having had them.

Re:Who specifically is retaliating?

[sabt-pestnu]

> How are idiots like Janet even allowed to be secretary of anything? I don't know whats worse having such thoughts or publically admitting to having had them.

I think of many horrible, or impossible, or absurd things. I often admit them. And sometimes they make their way into popular culture. Can you say "Fish fingers and custard"?

The worst thing you can do is not think of a thing. When that thing comes to pass anyway, you get blind-sided. And blamed for not thinking of it. Even if you could not have done anything about it.

The second worst thing you can do is to not admit you thought of it. When it inevitably comes out that you DID think of it, people call you names.

But when you think of it, and admit you thought of it, when the name calling begins, you can serenely reply, "and you heard that from where, again?"

Re:Who specifically is retaliating?

[sabt-pestnu]

And no, Fish fingers and custard wasn't one of mine.

Fun with script kiddies

[rossz]

A rather incompetent script kiddie kept trying to hack one of my servers some years ago. Poking back, I found he had left the entire C: drive on his windows box shared to the world. So I dropped a gift into his startup directory. Yeah, not much of a story.

Re:Fun with script kiddies

[ledow]

Meanwhile, some old grandma whose computer was used as an intermediate proxy to hide a hacker's traces (obtained by a click-and-run virus created by the hacker with barely a knowledge of how it worked) turns her machine on to find that her files were deleted / strange messages popped up / the PC was unbootable / whatever you did to them.

Or, even better, another of the hacker's targets was compromised and rather than directly attacked, it was used to goad you into attacking them so that when the police came looking, it was your IP dropping stuff into their compromised shares and not the original hacker (who could have cleared their traces).

I'm not saying it's true, but it could easily happen - this is what botnets are FOR - to hide some illicit activity that CAN be controlled by a human remotely so that you think it's coming from somewhere but it's really just a bot repeating the commands it is given from the real hacker's IP. You have no idea who you attacked or why (you could quite easily have been attacking his friends PC, for example, that he didn't want to get the blame for).

As the article suggests, you're the incomptent here, not them. You got goaded into attacking a random target that might well have just been a proxy and probably did so from an obvious IP that was traceable to you. And, guess what, I don't think "I was just retaliating for an attempted crime against myself" would have worked as a legal defence.

When I was younger, my brother came into my room and asked me to have a look at something. Some guy in an IRC chatroom claimed to be able to see all my brother's files because he was running an old version of mIRC (which, admittedly, he was).

"No problem," I said. "Get him to tell us the contents of our AUTOEXEC.BAT" (yep, that's how long ago). Cue copy-pasted unmodified AUTOEXEC.BAT from his own computer which didn't even come close to resembling the multiconfig, highly customised, DOS through Windows 98 config we'd made for our computers. Then he admitted he just wanted to "send us an update" which would have had a virus on it. Sadly, IRC pretty much reveals your IP address to everyone and most script-kiddies DIDN'T know how to proxy their connections back then.

Always wished we'd asked for a more sensitive file. It would have been much more interesting if we'd asked for some innocent-sounding file that we knew would contain his passwords or ISP login. As it was, he just got his IP banned for a while, I think.

Cyberpunk much?

[Chrontius]

I'm not the only person who thinks we're living in the cyberpunk future Gibson warned us about, am I?

We even have chromed-out cybernetics, though they're fairly fashion-over-function these days.

It's up to /.

[Taco+Cowboy]

We are not anonymous nor 4chan

We are all guests on /.

We must respect /.'s decision on what to do

If /, decides that it wants this annoyance to continue, that this annoyance will continue

Re:It's up to /.

[PIBM]

Well, we now have that nice little flag. Perhaps if we make good use of it some spam might get deleted one day ?

Re:It's up to /.

[drkim]

Perhaps we could use something called "active defense" or "strike-back" technology to fight these MCPC floods?

Ooops. Sorry guys, that put us accidentally back on-topic.

Carry on...

Re:It's up to /.

[ArsenneLupin]

Woosh! (Hint: look at what thread GP is being posted to...)

Re:It's up to /.

"by Taco Cowboy (5327)
We are not anonymous nor 4chan"

Speak for yourself, buddy.

Re:It's up to /.

[johndmartiniii]

Is /, better than /.?

Re:It's up to /.

[__aaeihw9960]

Yeah, it's pretty neat, but it's totally underground right now so you probably wouldn't like it. I mean I liked it before it was cool. But you probably wouldn't.

Re:It's up to /.

[Maritz]

Hey do those glasses have lenses...?

Re:It's up to /.

[stoatwblr]

As a point of interest - targetting the source machine will make you feel good but achieves very little in the overall scheme of things unless you have a very fat pipe. Routers are much less robust. They generally can't handle a large stream of traffic directed at their own IP addresses (which is why I tend to have my routers using private address space). Not that I advocate this mind of thing, of course. It's on par with sending "ping of bluescreen" to virus-spreading windows boxes and is naughty.

Stop dreaming

[stooo]

Some strange people should really stop dreaming about all that "cyber war" BS....

Re:Better Idea

[cold+fjord]

No, then it's a BETTER idea. Not only is it better for you to have legal protection from being sued for disabling the system, but it's a BETTER idea for someone to stop the compromised system which is probably also leaking very sensitive identify data from patients.

Yes, and the lawful way you accomplish that is to call the hospital and inform their IT staff*. You don't hack the hospital, especially if you don't want to be sued for the downtime and costs to repair the damage you did that both the hospital and its vendors had to work to repair.

A punch comes from a direction, you disable the guy obviously punching from there. Possibly someone else told him to do it; that's one less guy punching you right now though. That's one less guy he can tell anyone ELSE to punch (or worse).

IP packets aren't a punch. You are justified in alerting the hospital, and blocking their packets anywhere from your network to the edge of theirs. You are not justified in hacking them.

*You do realize that hospitals are 24 hour a day operations, right?

Striking back at innocent bots

[sirlark]

Since most the damage is going to come from botnets, wouldn't striking back just be hurting some innocent grandma who visited the wrong website? Unless they actually dedicate some resources into finding out who's behind the botnet, something various governments and large multi-nationals have a spectacularly poor record at; not 0% success, but close. And I imagine that most of the time they'll run straight into either a large organised crime ring (mafia, russian mob, etc) or worse, a national government like China. Bad idea.

Re:Better Idea

[AmiMoJo]

How about instead of hitting the nuclear war button you try contacting the owner first, or their ISP?

Pot, kettle...

[Chrisq]

Veteran government and private officials warn that much of the activity is too risky to make sense, citing the chances for escalation and collateral damage.

So the government is saying that responses to attacks should be proportionate and legal ...... Pot, kettle... black

Re:Depends on who you are dealing with

[ledow]

Right up until the day you find out that you were DoS'd by a compromised hospital computer on the outskirts of a student hospital network and managed to take out an entire healthcare provider in "retaliation".

Sure, they shouldn't be compromised, but you have no idea who their digital neighbours are and/or who you're actually attacking. Attacking back is one of the most stupid things to do, ever.

And one day you will get caught by the big-brother of the guy you pummel into the ground because of the digital equivalent of "we were told he was the guy who attacked us".

Re:Revision

[TFAFalcon]

So what happens when people start faking attacks on their server, so they have an excuse to attack their competition?

Re:Better Idea

[TFAFalcon]

What if the person who punched you has moved away in the time it took you to turn around and you punch the guy that was standing behind him? Not only did you not reduce the number of people attacking you, but, if everyone acted like you, you now have one more person wanting to kick your ass.

Somewhat Related

[valdezjuan]

Say you work for company, which gets compromised and data is exfiltrated out of the network to a known source (the attacker used scp so the ip address, username and password are left within bash history or some other bash log). You find it within minutes or before the scp is completed. How do people feel about logging into the machine the data is being exfiltrated to and erasing it from the remote server?
Even if the 3rd party box is one they popped and not the attackers true machine, your not damaging the machine, network, etc., you are just removing 'unauthorized data' (granted, it may be a very fine line).

I got them back...

[Kookus]

"If you've been involved in such an action, how did it work out for you?"

I don't know. Some douchebags hacked my gaming box so I got them back by hacking their computers. It seemed like they were hacking from a computer fan manufacturing plant or something, because there were literally thousands of devices reporting the same rpms being operated there. I figured it would be funny to mess around with the operating speeds of those fans in the hopes of creating a tornado or something.

They also seemed to be obsessed with U2... apparently, they gave band members nicknames like #35 and #38.

The problem is this is a slippery slope legally

[davydagger]

Then how do you prove that someone you hacked into attacked you first? What happens when you get hacked, but the attacker claims he was responding to an attack by you, and therefor legimitizes it?

What happens with its the government/RIAA/microsoft using this to silence critics. Massive DDoS against wikileaks or other whistleblower sites? What about a smaller site trying to get off the ground with less of a name that has valuable information?

right vs wrong will be determined on who has the better lawyer.

ICE

[whitroth]

Unless, like my system, you have black-ICE installed....

              mark "geez, slashdotters don't even read anymore...."

Can we users do the same ?!

[freaker_TuC]

Valid question, not?

And what are they going to do about botnet-infested PC's, trojans and hacked systems?

Facing Reality

[SuperKendall]

Yes, and the lawful way you accomplish that is to call the hospital and inform their IT staff*.

Yes, and WHEN that fails?

Obviously if you have enough info to call someone you should. But what if you do not?

There's simply no scenario under which it is better to let the system keep running if you cannot determine who to contact to shut it off - or even if they are unable to....

IP packets aren't a punch.

Yes, they are.

You are justified in alerting the hospital, and blocking their packets anywhere from your network to the edge of theirs.

And letting everyone else stay compromised and under attack. How totally selfish of you.

*You do realize that hospitals are 24 hour a day operations, right?

You appear to be the one that cares so little about them you would let servers stay compromised until something REALLY serious happens.

And on a side note, how many hospitals are going to have network facing infrastructure that is vital to the hospital running if it should go down, with no backup?

Face it, you set up a terrible straw man and are just upset I have burnt it to a crisp.

I let you have the last word since you think only in hypotheticals and not reality. But anyone reading to this point understands how things are in the real world, and that you have provided ZERO justification for your stance to leave systems up that continue to harm others.

Re:Better Idea

[SuperKendall]

Yes, obviously you would contact them first IF YOU COULD.

I'm only talking about cases where you cannot really ID the owner of the server attacking you, or they are unable/unwilling to do anything.

Government Wonks

[Somebody+is+Grar]

Note that the government are really the only ones saying "there's nothing you can do." Meaning there's nothing THEY can do.