Hacker vs. Counter-Hacker — a Legal Debate
Freddybear writes "If your computer has been cracked and subverted for use by a botnet or other remote-access attack, is it legal for you to hack back into the system from which the attack originated? Over the last couple of years three legal scholars and bloggers have debated the question on The Volokh Conspiracy weblog. The linked webpage collects that debate into a coherent document. 'The debaters are:
- Stewart Baker, a former official at the National Security Agency and the Department of Homeland Security, a partner at Steptoe & Johnson with a large cybersecurity practice. Stewart Baker makes the policy case for counterhacking and challenges the traditional view of what remedies are authorized by the language of the CFAA.
- Orin Kerr, Fred C. Stevenson Research Professor of Law at George Washington School of Law, a former computer crimes prosecutor, and one of the most respected computer crime scholars. Orin Kerr defends the traditional view of the Act against both Stewart Baker and Eugene Volokh.
- Eugene Volokh, Gary T. Schwartz Professor of Law at UCLA School of Law, founder of the Volokh Conspiracy, and a sophisticated technology lawyer, presents a challenge grounded in common law understandings of trespass and tort.'"
Is there any way to know if you're retaliating against the correct target?
I mean, really. "Is it feasible" is the question for nerds.
Is vigilante justice legal? No. Is self defense legal? Yes. What is what? Depends on the judge.
Just change it to this
"If your house has been robbed, is it legal for you to break into the other person's house and steal your stuff back?"
I look at it as using "reasonable force" to end an attack. If someone is hacking your computer, you have the right to get in there and mess up their computer, to protect yours.
How can I possibly be responsible if conflicting botnets are duking it out through my thoroughly pwned computer? That's my story and I'm sticking to it.
Is it carjacking to carjack your stolen car?
0.0 -.- 0.0 -.- 0.0
That's not a rhetorical question, I really don't know. If I were on the jury, I think my response would be "good for you, acquitted."
Moral? An argument could be made.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
"If your computer has been cracked and subverted for use by a botnet or other remote-access attack, is it legal for you to hack back into the system from which the attack originated?"
Heavens, no. It is not. Next question.
Control is taken, and usually cannot be recovered. Control over one's identity is extremely valuable, as maintaining that control allows one to also maintain control over one's finances and reputation, and in turn that affects one's control over the record of their history, which can heavily influence later abilities.
You do not have a moral or legal right to do absolutely anything you want.
Try getting out of a murder conviction by telling the judge your victim was a proven murderer, so killing the victim was legal.
See how that works out.
Is it legal for you to steal your stuff back from a robber?
Can you carjack a carjacker if (s)he is driving your car?
Same applies here
Doesn't this concept validate everything the *IAA does in attempting to control use of their "IP"?
If MY 0's and 1's are steal-able stuff then THEIR 0's and 1's are the same...
Not real wild about that idea.
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
Is it legal for you to steal your stuff back from a robber?
Under English law, you cannot steal something which belongs to you — theft is the dishonest appropriation of property belonging to another with intention to permanently deprive.
The legal arguments are interesting. It's amusing to see lawyers struggle with reasoning through analogy. They're trying to hammer property law, trespass law and assault law into covering this, and it's not working.
In almost all modern online attacks, the immediate source of the attack is a machine owned by an innocent third party. While this is common online, it is a rare situation in the physical world. It can come up in auto repossessions where the repossession was not legally authorized, the repossession agent reasonably believed that it was, and the vehicle owner resisted. Most states have specific laws in that area, and repossession agents are limited in what they can do.
If MY 0's and 1's are steal-able stuff then THEIR 0's and 1's are the same...
The difference, to my mind, is that theft applies to property (at least, it does under English law), and I'd argue that 0s and 1s are not capable of being property. Their order may be capable of protection, as copyright, but, in this case, it is the copyright which is owned, not the underlying sequence of bits.
Depends on the circumstances (and jurisdiction). The 'proven murderer' isn't the key*. What is important is whether you reasonably felt your life or property (or those of a bystander) to be in immediate jeopardy. If so, open fire, or take whatever measures are necessary to stop the threat. It tends to work out fine in most places in the USA.
*You can't reasonably be expected to know an attacker's state of mind or criminal history.
Have gnu, will travel.
If someone steals your car and drives it to land they own, do you have the right to trespass onto it to get your car back? If you see them driving it away in a tow truck, do you have the right to shoot out the tires of the tow truck if you can do so without causing losses to third parties? Do you have the right to shoot the driver of the tow truck? If the car thief is driving your car away, do you have the right to shoot out the tires if it won't damage third parties? Do you have the right to shoot the driver if third parties won't be hurt?
Perhaps a more important question: Should you have these rights?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Of course it isn't. The only time something that's normally a crime isn't is when violence is self-defense. Absolutely nothing else in our system of law has a "he started it" defense. Leaving aside that no judge is going to accept that hacking is violence without legislative action that will never happen, the normal standards of self-defense could still never apply. Given that you can't know you've been hacked until after it's done, it would instead be retaliatory, which is naughty.
Some people above are debating whether stealing stolen stuff is a crime. The answer is: it's not stealing. That is still your stuff. If somebody grabs your shit right off your person, that's also assault, so you're free to tackle them to get it back. If they steal it off a table or something, you might have more of a problem; you're still not stealing, but depending on where you live and whether the prosecutor's got a bug up his ass, using force to retrieve your stuff might get you in trouble. Same for carjacking your stolen car, and if you don't somehow do it the same time it happens to you, I imagine using a gun like that would at least get you arrested anywhere, in court anywhere but Texas, and convicted anywhere north of the Mason-Dixon line.
The larger point here: hacking is not exactly the same as assault, theft, or trespass, and applying the same logic to it is something almost any good judge would refuse to do for fear of unintended consequences. For instance: since you don't know who's hacking you until you've checked them out, if you counter-hack them, you might wind up hacking the police. That's kind of a good thing from a civil rights standpoint, as it means they are on the same level as us, bound by the same natural consequences of their actions, but hacking the police would only be legal in a goddamn utopia. Furthermore, counter-hacking might theoretically lead you to the wrong person if you're not as skilled as your attacker. While this is not the reason trespass is illegal, one can easily imagine trying to steal your stuff back and getting the wrong house, and that's when you're looking for a physical location which you know is associated with a specific person. With counter-hacking, you're looking for a computer somewhere which may or may not belong to your attacker which may or may not have PID stored that is legitimately associated with said bastard.
So, the whole argument boils down to this: hacking is hacking. It is not other activities, and cannot be usefully treated as similar to other crimes. The closest other thing is wiretapping, and nobody asks if it's okay to do that in a retaliatory fashion. Because of historical computer culture stuff, it might be argued that hacking shouldn't always be illegal, but currently it is, so that is the very obvious answer to the original question of this article. They should've been asking "should counter-hacking be legal," and because of the potential for harm to uninvolved third parties, I am kind of surprised to find myself saying that it should definitely not be. Counter-hacking should never happen without a warrant, and evidence gathered by it needs to be scrutinized very closely to make sure the right guy is caught.
But I'll bet breaking and entering is still illegal, even if the only reason you do it is to get your stuff back.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
"If someone breaks into my computer system, is it legal for me to break into his?". OK, rephrase it: "If someone breaks into my house, it is legal for me to break into his?". Answer the second, you've answered the first.
In most cases you do not have a chance to successfully "hack back" anyway. The typical hacker victim is much more vulnerable than the typical hacker himself.
But I'll bet breaking and entering is still illegal,
I am not aware of a crime of "breaking and entering" under English law — it's possible that there is one which I have not come across, of course.
The nearest I know is the crime of burglary — which is, in effect, trespass plus theft (or a number of other crimes, including rape and criminal damage, depending on whether the relevant intention is there). However, if the only act upon entering the premises is the removal of one's own property, the second part is not made out, so it remains just trespass.
The one in the middle with no clue on security will be used by the bad ones and destroyed by the good ones? Odds are high that you will hit an innocent (or at least, clueless) bystander. From his point of view, both sides are evil ones.
On the other hand, **AA may not hack, but instead sue those people serving as proxy, maybe attacking them will prevent far bigger economical damages if they get sued (and that, without going to the "intelligence" agencies that could attribute to such proxies as originators of cyberterrorism in a near future).
I would tend to agree with you about the theft issue. But it still leaves the whole "ownership of information" in the murk. If I had the right to pursue someone digitally back to the system used to copy "my" data (i.e. "my IP") and then possibly take action against what I deem to be the offending system, what kind of power would that convey to any commercial rights holder seeking the source of, say, shared files? To my mind, the concept of justified retaliatory action is not even a slippery slope, it's a cliff...
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
If the guy was in the act of murdering your family I'd say it would work out pretty well. Don't forget that the purpose of the reverse hacking is to stop a crime in progress.
Back when high-speed internet wasn't as ubiquitous as it is today, I remember a friend on IRC who owned a computer shop telling me some stories of counter hacking. I have no idea how legit the following story is since I wasn't actually there for any of it, and I'm fuzzy on a lot of the details since it was related to me nearly 10 years ago. Despite all that, I think it has some relevance in that it's an easy target to pick specifics from and discuss them, rather than having to rely on sketchy car analogies.
He had been doing a virus removal on a customer's PC on a slow day, and decided to run some network monitoring tools on it first. He instantly noticed traffic to an IRC server, recorded the details, then attempted to connect to it. It wouldn't let him in at first, but eventually he got around that by changing the version string on his normal IRC client in order to mimic what the virused computer was replying to. He found some hundred or so zombie machines sitting in a channel, renamed himself to something similar to the naming convention of the rest of the zombie machines, then let it sit for a few days.
Eventually he checked his logs and saw the hacker logging in to the server and running various commands on the botnet. Upon closer inspection, he realized that the hacker's IP address matched that of the IRC server. That made him think that the guy must have been dumb and was hosting it from his own connection (definitely a possibility in the early 2000s), so he scrolled through his logs some more and found instances of the hacker giving commands to ddos various targets. At that point my friend claims to have directed the botnet to ddos the IP of the IRC server they were connected to. It subsequently went down, leaving the hacker with no way to control the botnet anymore.
Again, I have no idea how much of that story is true, however it still makes a good example to pick at in regards to legality of counter hacking. I would argue that up until he ordered the botnet to attack its controller, everything was perfectly legal.
So, where are the internet cops?
http://soylentnews.org/~tibman
breaking and entering v., n. entering a residence or other enclosed property through the slightest amount of force (even pushing open a door), without authorization. If there is intent to commit a crime (of any description beyond the actual entry), this is burglary. If there is no such intent, the breaking and entering alone is common trespass.
I stopped a police officer cold on this. Told him he had three seconds to get the fuck out of my kitchen (I had just come in from work and found him there talking to my wife who was clearly unhappy) or I would treat him as a trespasser. He only had to look at the 5D maglite hanging off my belt to know what that meant - and he didn't have a fucking leg to stand on. I am Master and Law in my own home, and he didn't have a warrant. Bye bye, titfuck.
Operation Guillotine is in effect.
It's kind of funny and pathetic at the same time that an article of over 10,000 words is written by such intelligent people about a subject that is not ever defined. Each one throws their own spin on the term without ever proposing a clear definition. Hacking-back, it seems, is a toy phrase designed to generate an endless argument. After having read the entire article though, I realize that if one defines "hacking-back" as attempting to harm the intruder, then it seems clear that this would be vigilantism, and would be illegal. However, if one defines "hacking-back" as performing tasks which merely identify the offender, such as leaving packets which the intruder may gather which could then eventually report back to the victim their whereabouts, then the "hot pursuit" and "self-defense" arguments apply and hold a lot of water. I find that Volokh's ending statements particularly won me over: "the law has always placed in your own hands — or, if you prefer, has never taken away from your own hands — the right to defend yourself and your property (subject to certain limits). By using this right, you aren’t taking the law into your own hands. You’re using the law that has always been in your hands." and "defense of property must generally be nonlethal", so it seems to me that as long as you're not causing lethal harm to the attacker or anyone else, a claim of self-defense finds a lot of legal standing, precedent and much analogy.
Sent from my ENIAC
From a legal perspective, no it is not legal to steal your stuff back from a robber. If you can prove it is yours, then you can get the police to force them to give it back, but if you know it is yours and don't have proof, then you can be arrested for stealing it back, and since you are a normally law abiding citizen, and the person you stole from is a dangerous robber, the police would rather arrest you because you are not actually dangerous.
A guy I know had a bike stolen when he was a kid. He had the serial number, and he went with the cops down to the garage of the person he knew stole their bike. Sure enough, the bike was there, along with 20 or 30 others. The problem? It was in pieces. The frame had the serial number, and the police said they could take the frame, but when he pointed out his wheels and handlebars, they said "Sorry, you can't have those because we don't know they are yours". His father was with him and said "What if we just take them anyway?" The police told them they would arrest him and charge him with theft. However, when all was said and done, the person who had 20 or 30 stolen bicycles parted out in his shop was not arrested and not charged with theft.
If you are not allowed to question your government then the government has answered your question.
If there is intent to commit a crime (of any description beyond the actual entry), this is burglary
This isn't the case under English law — the crime must be one from a set list, which varies according to when the necessary intention was formed, for it to be burglary. (It looks like the example I use above of rape is incorrect too.) We agree, it seems, that, without this element, it's just a matter of trespass.
what kind of power would that convey to any commercial rights holder seeking the source of, say, shared files?
I'm not sure I understand your question, unfortunately — it seems like an interesting one to consider so, if you happened to think of another way of asking it, please do post back!
In the meatspace world, if someone breaks into your home or place of business, and you retaliate by breaking into their home, then you are both guilty of breaking and entering. I tend to apply the same rules to the online world, so my advice to people affected by this would be to report the problem to the police, credit card companies (your card details are insecure, so lock the cards and get new ones with different numbers), and your antivirus/computer security provider (even if only to let them know that their product failed to keep you safe, either due to their failure or because you installed some dodgy software).
Having said that, tracing back to the C&C hub used to get into your system should be fairly easy, but even if you manage to hack that hub, all you will find is a compromised computer whose owner either doesn't know or doesn't care that the computer is running slow. You may find an uplink to another system, but given the sophistication of botnets today, determining the address of the computers that instigate the C&C network will be outside the scope of the vast majority of people, especially someone whose system is configured to allow it to be hacked in the first place...
I remember what I was taught as a child... Two wrongs don't make a right...
- just because you're not paranoid, doesn't mean I'm not out to get you.
Can we really be damned about what's legal on the internet anymore? I must advocate a course of action leaning towards "That which is best for the health of the internet." In an age where litigation threatens to destroy the internet and its fundamental functions such as DNSsec, and the sending of messages such as spam, terrorist plans, child pornography, and rebellious intent, should those who hold the internet dear and want to protect it, prevent censorship and surveillance, and foster the growth of freedom in all things, really give a rat's ass about legality? Let's hold to a simpler credence that morality is what matters.
Hacking in cyberspace can be likened to assault in the real world. DDoS is injurious to one's ability to use their network services. Theft of information becomes like armed robbery, and altering information pertaining to services so as to cause undesired operation can be likened to using threats and violence to say, force someone to draw money from an ATM.
In Section 35 and 37 of the Canadian Criminal Code, there are provisions for a person being assaulted to defend themselves with equal force to that of their attacker. If someone has a gun, you're very justified in breaking their arm to keep them from shooting you, or in shooting them first. And then there's a lot of blathering about how you can't provoke someone into fighting you then beat the fire out of them.
It seems very clear to me that repelling this type of cyber-assault should be met in kind, and with no remorse, hesitation, or mercy. An eye for an eye, a tooth for a tooth, and an rm -rf / for an rm -rf /
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
Sony put a root kit on my computer. EA sold me a crappy game with crappy DRM that screwed with my computer.
So I can retaliate?
How many senators do you own? If the answer is zero, the answer to your question is no. Make that a maybe if you don't currently own any senators but have sufficient funds to buy a few, outspending Sony in the process.
"Convictions are more dangerous enemies of truth than lies."
I believe you, but I have to say, that's just bizarre. Entering someone's home should be a much more serious crime than, say, walking across the lawn without permission.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Entering someone's home should be a much more serious crime than, say, walking across the lawn without permission
The intrusion to privacy certainly feels a lot higher in the second case.
If you happened to be interested in the situations in which trespass in itself becomes a criminal activity under English law, there's a one page guide from our prosecutor's office, which explains it pretty well.
But make sure anyone who decides to go wild west loses any legal remedies against the hacker, including the right to sue for copyright infringement. Any innocent 3rd parties would of course retain full legal rights.
It's a good riddance to society if people are content to frag each other without wasting public resources or making us serve in juries.