Hacker vs. Counter-Hacker — a Legal Debate
Freddybear writes "If your computer has been cracked and subverted for use by a botnet or other remote-access attack, is it legal for you to hack back into the system from which the attack originated? Over the last couple of years three legal scholars and bloggers have debated the question on The Volokh Conspiracy weblog. The linked webpage collects that debate into a coherent document. 'The debaters are:
- Stewart Baker, a former official at the National Security Agency and the Department of Homeland Security, a partner at Steptoe & Johnson with a large cybersecurity practice. Stewart Baker makes the policy case for counterhacking and challenges the traditional view of what remedies are authorized by the language of the CFAA.
- Orin Kerr, Fred C. Stevenson Research Professor of Law at George Washington School of Law, a former computer crimes prosecutor, and one of the most respected computer crime scholars. Orin Kerr defends the traditional view of the Act against both Stewart Baker and Eugene Volokh.
- Eugene Volokh, Gary T. Schwartz Professor of Law at UCLA School of Law, founder of the Volokh Conspiracy, and a sophisticated technology lawyer, presents a challenge grounded in common law understandings of trespass and tort.'"
Is there any way to know if you're retaliating against the correct target?
I mean, really. "Is it feasible" is the question for nerds.
Is vigilante justice legal? No. Is self defense legal? Yes. What is what? Depends on the judge.
Just change it to this
"If your house has been robbed, is it legal for you to break into the other person's house and steal your stuff back?"
I look at it as using "reasonable force" to end an attack. If someone is hacking your computer, you have the right to get in there and mess up their computer, to protect yours.
How can I possibly be responsible if conflicting botnets are duking it out through my thoroughly pwned computer? That's my story and I'm sticking to it.
Is it legal for you to steal your stuff back from a robber?
Can you carjack a carjacker if (s)he is driving your car?
Same applies here
Your computer is infected with ransomware, all your documents are encrypted which can only be recovered if you pay out $40. You visit the attacker's payment web page, notice it's based on an open source CMS that you're familiar with. You try the default admin credentials and they work, you can now get the decryption key free. Did you just break the law? What if you modify the site to give out all decryption keys for free? What if you remotely decrypt and uninstall the malware from all victim computers?
Someone sends your boss a PDF file infected with a virus. The antivirus catches it, but you want to know who sent the attack, you run the PDF inside a virtual machine with some infected PDFs of your own that are configured to beacon back to a server you control. The attack downloads one of your PDF files and you start receiving beacons from a competitor. Did you just hack them? What if the PDF had an EULA for the malware in it? If you embed MP3 files in the PDF can you send the RIAA after them?
Moral? An argument could be made.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
"If your computer has been cracked and subverted for use by a botnet or other remote-access attack, is it legal for you to hack back into the system from which the attack originated?"
Heavens, no. It is not. Next question.
Control is taken, and usually cannot be recovered. Control over one's identity is extremely valuable, as maintaining that control allows one to also maintain control over one's finances and reputation, and in turn that affects one's control over the record of their history, which can heavily influence later abilities.
You do not have a moral or legal right to do absolutely anything you want.
Try getting out of a murder conviction by telling the judge your victim was a proven murderer, so killing the victim was legal.
See how that works out.
The legal arguments are interesting. It's amusing to see lawyers struggle with reasoning through analogy. They're trying to hammer property law, trespass law and assault law into covering this, and it's not working.
In almost all modern online attacks, the immediate source of the attack is a machine owned by an innocent third party. While this is common online, it is a rare situation in the physical world. It can come up in auto repossessions where the repossession was not legally authorized, the repossession agent reasonably believed that it was, and the vehicle owner resisted. Most states have specific laws in that area, and repossession agents are limited in what they can do.
Depends on the circumstances (and jurisdiction). The 'proven murderer' isn't the key*. What is important is whether you reasonably felt your life or property (or those of a bystander) to be in immediate jeopardy. If so, open fire, or take whatever measures are necessary to stop the threat. It tends to work out fine in most places in the USA.
*You can't reasonably be expected to know an attacker's state of mind or criminal history.
Have gnu, will travel.
If someone steals your car and drives it to land they own, do you have the right to trespass onto it to get your car back? If you see them driving it away in a tow truck, do you have the right to shoot out the tires of the tow truck if you can do so without causing losses to third parties? Do you have the right to shoot the driver of the tow truck? If the car thief is driving your car away, do you have the right to shoot out the tires if it won't damage third parties? Do you have the right to shoot the driver if third parties won't be hurt?
Perhaps a more important question: Should you have these rights?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The concept of self help in law is that one can not apply self help. The idea is that one is supposed to go through the proper complaint process and let the law and the courts determine the validity of the claim and the degree of remedy. The exception is immediate danger of death or great physical harm. One can defend against an attack in progress by a person using violence. But preventative or retaliatory actions are usually criminal acts. So the history of law would be against allowing someone to hack to punish or track a supposed violator.
Of course it isn't. The only time something that's normally a crime isn't is when violence is self-defense. Absolutely nothing else in our system of law has a "he started it" defense. Leaving aside that no judge is going to accept that hacking is violence without legislative action that will never happen, the normal standards of self-defense could still never apply. Given that you can't know you've been hacked until after it's done, it would instead be retaliatory, which is naughty.
Some people above are debating whether stealing stolen stuff is a crime. The answer is: it's not stealing. That is still your stuff. If somebody grabs your shit right off your person, that's also assault, so you're free to tackle them to get it back. If they steal it off a table or something, you might have more of a problem; you're still not stealing, but depending on where you live and whether the prosecutor's got a bug up his ass, using force to retrieve your stuff might get you in trouble. Same for carjacking your stolen car, and if you don't somehow do it the same time it happens to you, I imagine using a gun like that would at least get you arrested anywhere, in court anywhere but Texas, and convicted anywhere north of the Mason-Dixon line.
The larger point here: hacking is not exactly the same as assault, theft, or trespass, and applying the same logic to it is something almost any good judge would refuse to do for fear of unintended consequences. For instance: since you don't know who's hacking you until you've checked them out, if you counter-hack them, you might wind up hacking the police. That's kind of a good thing from a civil rights standpoint, as it means they are on the same level as us, bound by the same natural consequences of their actions, but hacking the police would only be legal in a goddamn utopia. Furthermore, counter-hacking might theoretically lead you to the wrong person if you're not as skilled as your attacker. While this is not the reason trespass is illegal, one can easily imagine trying to steal your stuff back and getting the wrong house, and that's when you're looking for a physical location which you know is associated with a specific person. With counter-hacking, you're looking for a computer somewhere which may or may not belong to your attacker which may or may not have PID stored that is legitimately associated with said bastard.
So, the whole argument boils down to this: hacking is hacking. It is not other activities, and cannot be usefully treated as similar to other crimes. The closest other thing is wiretapping, and nobody asks if it's okay to do that in a retaliatory fashion. Because of historical computer culture stuff, it might be argued that hacking shouldn't always be illegal, but currently it is, so that is the very obvious answer to the original question of this article. They should've been asking "should counter-hacking be legal," and because of the potential for harm to uninvolved third parties, I am kind of surprised to find myself saying that it should definitely not be. Counter-hacking should never happen without a warrant, and evidence gathered by it needs to be scrutinized very closely to make sure the right guy is caught.
"If someone breaks into my computer system, is it legal for me to break into his?". OK, rephrase it: "If someone breaks into my house, it is legal for me to break into his?". Answer the second, you've answered the first.
In most cases you do not have a chance to successfully "hack back" anyway. The typical hacker victim is much more vulnerable than the typical hacker himself.
The one in the middle with no clue on security will be used by the bad ones and destroyed by the good ones? Odds are high that you will hit an innocent (or at least, clueless) bystander. From his point of view, both sides are evil ones.
On the other hand, **AA may not hack, but instead sue those people serving as proxy, maybe attacking them will prevent far bigger economical damages if they get sued (and that, without going to the "intelligence" agencies that could attribute to such proxies as originators of cyberterrorism in a near future).
Curious - Say I (the attacker) steal a piece of gum from the Incredible Hulk (the victim). I run away through a crowded shopping mall (a web server belonging to a financial service organization). The Hulk gives chase, destroying stores and injuring bystanders (millions in damages, downtime), while I cleverly dash through maintenance back routes and such. I escape, but the Hulk indeed discovers my wallet (evidence) left at the scene.
How much can the mall sue the Hulk for? And if the wallet was but a fake wallet, does the Hulk smash more stores? Show your work. (Just kidding, but I do enjoy the many issues addressed here)
If the guy was in the act of murdering your family I'd say it would work out pretty well. Don't forget that the purpose of the reverse hacking is to stop a crime in progress.
Back when high-speed internet wasn't as ubiquitous as it is today, I remember a friend on IRC who owned a computer shop telling me some stories of counter hacking. I have no idea how legit the following story is since I wasn't actually there for any of it, and I'm fuzzy on a lot of the details since it was related to me nearly 10 years ago. Despite all that, I think it has some relevance in that it's an easy target to pick specifics from and discuss them, rather than having to rely on sketchy car analogies.
He had been doing a virus removal on a customer's PC on a slow day, and decided to run some network monitoring tools on it first. He instantly noticed traffic to an IRC server, recorded the details, then attempted to connect to it. It wouldn't let him in at first, but eventually he got around that by changing the version string on his normal IRC client in order to mimic what the virused computer was replying to. He found some hundred or so zombie machines sitting in a channel, renamed himself to something similar to the naming convention of the rest of the zombie machines, then let it sit for a few days.
Eventually he checked his logs and saw the hacker logging in to the server and running various commands on the botnet. Upon closer inspection, he realized that the hacker's IP address matched that of the IRC server. That made him think that the guy must have been dumb and was hosting it from his own connection (definitely a possibility in the early 2000s), so he scrolled through his logs some more and found instances of the hacker giving commands to ddos various targets. At that point my friend claims to have directed the botnet to ddos the IP of the IRC server they were connected to. It subsequently went down, leaving the hacker with no way to control the botnet anymore.
Again, I have no idea how much of that story is true, however it still makes a good example to pick at in regards to legality of counter hacking. I would argue that up until he ordered the botnet to attack its controller, everything was perfectly legal.
*Generally nothing has been taken. Instead, they are using your equipment.
*Even in the case where something is taken, it's just copied, not removed from your possession.
Try convincing the courts that this is true. The media industries have spent billions of dollars on tens-of-thousands of cases to convince the public and the courts that the above is real, actual robbery.
Q: Is it legal to steal someone's grow op?
A: No, but they'd have to be incredibly stupid to report you to the police.
Seriously, if you report a hacking attack, you're going to have your computers inspected to gather evidence. Personally, if I were running a botnet, that's the last thing I'd want.
Sony put a root kit on my computer.
EA sold me a crappy game with crappy DRM that screwed with my computer.
So I can retaliate?
Silly laws and feel-goodism be damned. Hunt them down and kill them all.
If I'm on my computer when someone 'hacks' or breaks into my computer or network, that is one thing and I feel that I would have the right to defend that. Going on to an offensive or retaliatory response would most likely be a violation of some law or another.
For instance, if someone breaks into your house, regardless of their intent, and you scare them off through whatever means, do you have the right to pursue the individual? That is basically going to be a case-by-case situation based on your location and the laws governing that. If you chase someone down and beat the snot out of them for breaking into your house, and you call it 'detaining a person', then you are probably guilty of assault.
Of course the electronic equivalent is going to be different. If someone breaks into your computer or network and you are able to cut them off, then that would be it. Once you go on the offensive to try and determine their identity or retaliate, the law will most likely (if the case were to make it to court) tell you that you were wrong for attempting retaliation and that you are, by your actions, taking revenge or basically committing the same crimes which were perpetrated upon you.
It's kind of funny and pathetic at the same time that an article of over 10,000 words is written by such intelligent people about a subject that is not ever defined. Each one throws their own spin on the term without ever proposing a clear definition. Hacking-back, it seems, is a toy phrase designed to generate an endless argument. After having read the entire article though, I realize that if one defines "hacking-back" as attempting to harm the intruder, then it seems clear that this would be vigilantism, and would be illegal. However, if one defines "hacking-back" as performing tasks which merely identify the offender, such as leaving packets which the intruder may gather which could then eventually report back to the victim their whereabouts, then the "hot pursuit" and "self-defense" arguments apply and hold a lot of water. I find that Volokh's ending statements particularly won me over: "the law has always placed in your own hands — or, if you prefer, has never taken away from your own hands — the right to defend yourself and your property (subject to certain limits). By using this right, you aren’t taking the law into your own hands. You’re using the law that has always been in your hands." and "defense of property must generally be nonlethal", so it seems to me that as long as you're not causing lethal harm to the attacker or anyone else, a claim of self-defense finds a lot of legal standing, precedent and much analogy.
Sent from my ENIAC
Just use some other person's internet connection and TOR. The CIA isn't going to turn you in, nor will they bother to find you.
In the meatspace world, if someone breaks into your home or place of business, and you retaliate by breaking into their home, then you are both guilty of breaking and entering. I tend to apply the same rules to the online world, so my advice to people affected by this would be to report the problem to the police, credit card companies (your card details are insecure, so lock the cards and get new ones with different numbers), and your antivirus/computer security provider (even if only to let them know that their product failed to keep you safe, either due to their failure or because you installed some dodgy software).
Having said that, tracing back to the C&C hub used to get into your system should be fairly easy, but even if you manage to hack that hub, all you will find is a compromised computer whose owner either doesn't know or doesn't care that the computer is running slow. You may find an uplink to another system, but given the sophistication of botnets today, determining the address of the computers that instigate the C&C network will be outside the scope of the vast majority of people, especially someone whose system is configured to allow it to be hacked in the first place...
Unauthorized access to a computer system is against the law. Nice and simple, but what if, using the "home invasion" scenario, a crook (botnet, hacker, etc) was to steal your valuables (information) and in those valuables was a necklace (poisoned piece of code) that ultimately prevented the crook (hacker) from coming back (blocking connections to your network/ip/pc/etc) to pilfer your house (pc) again?
Basically, if you steal a bomb and it blows up in your hands... whose fault is that? (rhetorical)
If revenge were to be legal, then the new viruses would hack into the 'hacker's' computer and then allow him to hack back into the attacking (victim's) computer. Ha!
I remember what I was taught as a child... Two wrongs don't make a right...
- just because you're not paranoid, doesn't mean I'm not out to get you.
Can we really be damned about what's legal on the internet anymore? I must advocate a course of action leaning towards "That which is best for the health of the internet." In an age where litigation threatens to destroy the internet and its fundamental functions such as DNSsec, and the sending of messages such as spam, terrorist plans, child pornography, and rebellious intent, should those who hold the internet dear and want to protect it, prevent censorship and surveillance, and foster the growth of freedom in all things, really give a rat's ass about legality? Let's hold to a simpler credence that morality is what matters.
Hacking in cyberspace can be likened to assault in the real world. DDoS is injurious to one's ability to use their network services. Theft of information becomes like armed robbery, and altering information pertaining to services so as to cause undesired operation can be likened to using threats and violence to say, force someone to draw money from an ATM.
In Sections 35 and 37 of the Canadian Criminal Code, there are provisions for a person being assaulted to defend themselves with equal force to that of their attacker. If someone has a gun, you're very justified in breaking their arm to keep them from shooting you, or in shooting them first. And then there's a lot of blathering about how you can't provoke someone into fighting you then beat the fire out of them.
It seems very clear to me that repelling this type of cyber-assault should be met in kind, and with no remorse, hesitation, or mercy. An eye for an eye, a tooth for a tooth, and an rm -rf / for an rm -rf /
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
But make sure anyone who decides to go wild west loses any legal remedies against the hacker, including the right to sue for copyright infringement. Any innocent 3rd parties would of course retain full legal rights.
It's a good riddance to society if people are content to frag each other without wasting public resources or making us serve in juries.