Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacker vs. Counter-Hacker — a Legal Debate

Posted by timothy on from the shhh-this-is-the-conspiracy-room dept.

Freddybear writes "If your computer has been cracked and subverted for use by a botnet or other remote-access attack, is it legal for you to hack back into the system from which the attack originated? Over the last couple of years three legal scholars and bloggers have debated the question on The Volokh Conspiracy weblog. The linked webpage collects that debate into a coherent document. 'The debaters are:
  • Stewart Baker, a former official at the National Security Agency and the Department of Homeland Security, a partner at Steptoe & Johnson with a large cybersecurity practice. Stewart Baker makes the policy case for counterhacking and challenges the traditional view of what remedies are authorized by the language of the CFAA.
  • Orin Kerr, Fred C. Stevenson Research Professor of Law at George Washington School of Law, a former computer crimes prosecutor, and one of the most respected computer crime scholars. Orin Kerr defends the traditional view of the Act against both Stewart Baker and Eugene Volokh.
  • Eugene Volokh, Gary T. Schwartz Professor of Law at UCLA School of Law, founder of the Volokh Conspiracy, and a sophisticated technology lawyer, presents a challenge grounded in common law understandings of trespass and tort.'"

32 of 182 comments (clear)

  1. Retaliation by Anonymous Coward · · Score: 5, Interesting

    Is there any way to know if you're retaliating against the correct target?

    1. Re:Retaliation by FriendlyLurker · · Score: 2

      Is there any way to know if you're retaliating against the correct target?

      Does "hack back into the system from which the attack originated" == "retaliating against" or is it merely investigation into the perpetrators?

      Considering many bot nets are state run (think wikileaks take-downs) Id venture that the answer official will always be "No, do not investigate [our possible] botnet activity"

    2. Re:Retaliation by Freddybear · · Score: 3, Interesting

      At least some of the argument in TFA assumes that the botnet's toolkit has itself been cracked and exploits are available making it possible to turn the tables on the botnet controllers. That may be a rather large assumption, even just for the sake of the argument.

    3. Re:Retaliation by Onymous+Coward · · Score: 2

      This concern is one of the fundamental issues to consider in discussing philosophy of "violence". Another is what degree of force is appropriate.

      Thinking on these things and recognizing that people make mistakes in both action and perception, and that people often have a tendency to perceive malice from others, it seems that there's a positive bias for violence. That is, "violence begets violence".

      Similarly to how servers on the net should be conservative in what they do, liberal in what they accept, and how this maximizes smooth interoperation, humans should minimize the appearance or effect of harm to others and maximize tolerance of injury from others to negate the aforementioned spiraling violence bias. Though this philosophy is hard to swallow for people with chips on their shoulders. (Probably already victims of injury.)

    4. Re:Retaliation by utkonos · · Score: 3, Interesting

      10 times out of 10, if you hack into the system where the attack is coming from, you will be hacking into a system owned by an innocent third party that was also hacked. You are then violating that party a second time. Lets take a more concerning scenario: You discover an attack that is originating from a competitor. You hack back into their system. This situation can only end badly. First, if they were responsible you have now spoiled evidence. Second, if they are not responsible and were also hacked as a jumping off point, you now have hacked into a competitor's system and compromised them. You should now have to pay damages because they have not way to tell that you didn't steal their corporate secrets while you were there in their system.

    5. Re:Retaliation by LordLimecat · · Score: 2

      Better question, does "correct target" have any meaning when the jury has not yet convicted anyone of hacking you?

      As far as I am aware, most first world countries' legal systems do not allow the offended party to act as judge and jury.

    6. Re:Retaliation by MakerDusk · · Score: 2

      Not easily. The commercial botnets typically use a command-and-control structure with various proxies or zombied hosts in between the attacker and the victim. Tracing or cracking one's way back through the botnet can often cause more damange to the intermediate hosts than the botnet is causing.

      BS. What "damage" will it cause?

      Chances are it's just another victim's computer. Since they're being used as a node, it would only be common sense for their to be a script that forcibly removes it from the internet so that you can't follow it to the next level. So by gaining access, you might trigger something that bricks another victim's computer. Why this is done? So that you can't get the IP that is controlling the node, and so that you can't appropriate the other computers that are being controlled by the node.

  2. Vigilante Justice by Anonymous Coward · · Score: 5, Interesting

    Is vigilante justice legal? No. Is self defense legal? Yes. What is what? Depends on the judge.

    1. Re:Vigilante Justice by Firethorn · · Score: 3, Insightful

      The problem here is that self defense is legal in context of preventing harm to yourself - typically this means your body. You're not allowed to attack somebody for busting up your car with a hammer, for example.

      Except for their lagging behind, as far as I'm concerned any retaliatory measures should be done by the police, or if the attack originates in a country that doesn't cooperate with your police, the military.

      IE You're in the USA:
      hack comes from within the USA - FBI, ie federal police. If if comes from next door, local police
      Hack comes from, say, Australia - The FBI contacts their counterparts there and the investigation continues
      From a country without formal legal agreements - Interpol assists
      From a hostile country, such as North Korea? Military, maybe.

      --
      I don't read AC A human right
    2. Re:Vigilante Justice by ILMTitan · · Score: 2

      That is not true. You are allowed to use degrees of non-lethal force (such as a fist) to defend your property.

      From the Wikipedia article on self-defense:
      "The ownership and possession of property confer a certain right to defend that possession, [including] a defense of it which results in an assault and battery, and that which results in the destruction of the means used to invade and interfere with that possession."[4]
      People v. Kane, 131 N.Y. 111 (142 N.Y. 366, 37 N.E. 104)

    3. Re:Vigilante Justice by hobarrera · · Score: 3, Insightful

      This isn't really self defense; your actions didn't PREVENT harm from ocurring to you, this was rather vendetta: he did X to me, I did it back.
      I don't think this should be legal, because it could escalate into cyber-wars. Much like you can't steal something that was stolen from you in the first place - you can't take justice into your own hands.

    4. Re:Vigilante Justice by Firethorn · · Score: 2

      As the AC mentioned, that leads to you being able to use force against a fraudster, which in the real world would land you in prison along with him.

      For that matter, robbing your house could be considered a psychological attack compared with hacking a computer system.

      My core point was that counter-hacking can't be considered under the same context as self-defense statutes, because generally speaking there's nobody's body on the line.

      --
      I don't read AC A human right
    5. Re:Vigilante Justice by BronsCon · · Score: 2

      If the retaliation occurs after the fact, this is correct; however, if the retaliation occurs while the instigating attack is ongoing, you are preventing [further] harm by putting an end to the offending party's ability to attack. That's textbook self defense [which does allow for use of nonlethal force and destruction of the means used to carry out the attack in cases where one is defending their property].

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    6. Re:Vigilante Justice by hobarrera · · Score: 2

      Yes, but closing the port is enough to stop him.
      This is akin to shooting someone's head of, when you notice he's walking towards an open window - closing the window would have been enough.

    7. Re:Vigilante Justice by AmiMoJo · · Score: 2

      From a hostile country, such as North Korea? Military, maybe.

      So if Anonymous hacks Iranian servers that would justify Iran sending a few missiles our way? Or if a random Israeli hacker hits some Iranian sites that makes their country a valid target too?

      Hacking is rarely done at state level, so military force is extreme and almost certainly unlawful.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. Robber vs Counter-Robber by ryanmc1 · · Score: 5, Insightful

    Just change it to this
    ""If your house has been robbed, is it legal for you to break into the other persons house and steal your stuff back?"

    1. Re:Robber vs Counter-Robber by Anonymous Coward · · Score: 3, Insightful

      No, the analogy is good, you're reading it too literally. The question is not whether hacking equals robbing, but whether being wronged gives you authority to retaliate in the same way against the other party, regardless of the actual way you've been wronged. This is something that most legal systems in the world usually explicitly disallow: if an act is against the law when done against you, it is still against the law if you do it in retaliation against the offending party.

    2. Re:Robber vs Counter-Robber by Fnord666 · · Score: 4, Funny

      Throwing a computer into the mix and using new words doesn't change the underlying philosophical debate, and certainly won't ever bring it to an end.

      True, but apparently it does mean that I can patent it!

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  4. "Take em' down", I say! by patchouly · · Score: 2

    I look at it as using "reasonable force" to end an attack. If someone is hacking your computer, you have the right to get in there a mess up their computer, to protect yours.

    1. Re:"Take em' down", I say! by Anonymous Coward · · Score: 2, Informative

      That's not reasonable force when the alternative is to block the act through some other non-aggressive means. And as the AC poster above suggests, you don't know you are retaliating against the correct target.

  5. ....on the gripping hand by russotto · · Score: 4, Funny

    How can I possibly be responsible if conflicting botnets are duking it out through my thoroughly pwned computer? That's my story and I'm sticking to it.

  6. No by dcollins117 · · Score: 2

    "If your computer has been cracked and subverted for use by a botnet or other remote-access attack, is it legal for you to hack back into the system from which the attack originated?"

    Heavens, no. It is not. Next question.

  7. The trouble with analogy by Animats · · Score: 3, Interesting

    The legal arguments are interesting. It's amusing to see lawyers struggle with reasoning through analogy. They're trying to hammer property law, trespass law and assault law into covering this, and it's not working.

    In almost all modern online attacks, the immediate source of the the attack is a machine owned by an innocent third party. While this is common online, it is a rare situation in the physical world. It can come up in auto repossessions where the repossession was not legally authorized, the repossession agent reasonably believed that it was, and the vehicle owner resisted. Most states have specific laws in that area, and repossession agents are limited in what they can do.

  8. Let's do some comparisons by davidwr · · Score: 2

    If someone steals your car and drive it to land they own, do you have the right to trespass onto it to get your car back? If you see them driving it away in a tow truck, do you have the right to shoot out the tires of the tow truck if you can do so without causing losses to third parties? Do you have the right to shoot the driver of the tow truck? If the car thief is driving your car away, do you have the right to shoot out the tires if it won't damage third parties? Do you have the right to shoot the driver if third parties won't be hurt?

    Perhaps a more important question: Should you have these rights?

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Let's do some comparisons by RobertLTux · · Score: 2

      thats when you flag down the nearest Disco Car and explain things quickly then they can have more Disco Cars help as needed so the guy can be fitted for nice Shiny Bracelets.

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
  9. Re:Who cares? by Daniel+Dvorkin · · Score: 4, Interesting

    You may not have noticed this (yet) but nerds are not above the law. "Can I do this?" is obviously the first question a nerd should ask in a situation like this. "Will I go to prison for doing this?" should be a close second.

    --
    The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  10. ...What a Stupid Question. by bistromath007 · · Score: 5, Insightful

    Of course it isn't. The only time something that's normally a crime isn't is when violence is self-defense. Absolutely nothing else in our system of law has a "he started it" defense. Leaving aside that no judge is going to accept that hacking is violence without legislative action that will never happen, the normal standards of self-defense could still never apply. Given that you can't know you've been hacked until after it's done, it would instead be retaliatory, which is naughty.

    Some people above are debating whether stealing stolen stuff is a crime. The answer is: it's not stealing. That is still your stuff. If somebody grabs your shit right off your person, that's also assault, so you're free to tackle them to get it back. If they steal it off a table or something, you might have more of a problem; you're still not stealing, but depending on where you live and whether the prosecutor's got a bug up his ass, using force to retrieve your stuff might get you in trouble. Same for carjacking your stolen car, and if you don't somehow do it the same time it happens to you, I imagine using a gun like that would at least get you arrested anywhere, in court anywhere but Texas, and convicted anywhere north of the Mason-Dixon line.

    The larger point here: hacking is not exactly the same as assault, theft, or trespass, and applying the same logic to it is something almost any good judge would refuse to do for fear of unintended consequences. For instance: since you don't know who's hacking you until you've checked them out, if you counter-hack them, you might wind up hacking the police. That's kind of a good thing from a civil rights standpoint, as it means they are on the same level as us, bound by the same natural consequences of their actions, but hacking the police would only be legal in a goddamn utopia. Furthermore, counter-hacking might theoretically lead you to the wrong person if you're not as skilled as your attacker. While this is not the reason trespass is illegal, one can easily imagine trying to steal your stuff back and getting the wrong house, and that's when you're looking for a physical location which you know is associated with a specific person. With counter-hacking, you're looking for a computer somewhere which may or may not belong to your attacker which may or may not have PID stored that is legitimately associated with said bastard.

    So, the whole argument boils down to this: hacking is hacking. It is not other activities, and cannot be usefully treated as similar to other crimes. The closest other thing is wiretapping, and nobody asks if it's okay to do that in a retaliatory fashion. Because of historical computer culture stuff, it might be argued that hacking shouldn't always be illegal, but currently it is, so that is the very obvious answer to the original question of this article. They should've been asking "should counter-hacking be legal," and because of the potential for harm to uninvolved third parties, I am kind of surprised to find myself saying that it should definitely not be. Counter-hacking should never happen without a warrant, and evidence gathered by it needs to be scrutinized very closely to make sure the right guy is caught.

    1. Re:...What a Stupid Question. by bistromath007 · · Score: 2

      Your ability to not-read what I wrote and still read a whole bunch of extra words into it is a truly astonishing talent. I can tell that you didn't really read it due to one simple error: when I talked about self-defense, you failed to notice that I said nothing else has a "he started it" defense. With the exception of "fighting words," which is a very weak defense where it exists, and defense of property, which is explicitly not a defense in more backward locales, everything you mentioned in your tirade was a sub-set of self-defense. So, my statement stands. There is nothing criminal, except for violence, which becomes legal when somebody else does it to you. The fact that I addressed some entirely morally defensible uses of force which would, in some areas, be illegal, should've tipped you off that I'm on your side of that debate, which remains largely irrelevant to the issue at hand.

      Perhaps people who are actually pacifist idiots would listen to you more often if you weren't such a zealot that it impaired your reading comprehension.

  11. irrelevant in the most cases by allo · · Score: 2

    in most cases you do not have a chance to successfully "hack back" anyway. The typical hacker victim is much more vulnerable than the typical hacker himself.

  12. Re:Who cares? by Smallpond · · Score: 4, Insightful

    "...No ethically-trained software engineer would ever consent to write a DestroyBaghdad procedure. Basic professional ethics would instead require him to write a DestroyCity procedure, to which Baghdad could be given as a parameter." -- Nathaniel Borenstein

  13. How about a case study from the early 2000s by dpidcoe · · Score: 2

    Back when highspeed internet wasn't as ubiquitous as it is today, I remember a friend on IRC who owned a computer shop telling me some stories of counter hacking. I have no idea how legit the following story is since I wasn't actually there for any of it, and I'm fuzzy on a lot of the details since it was related to me nearly 10 years ago. Despite all that, I think it has some relevance in that it's an easy target to pick specifics from and discuss them, rather than having to rely on sketchy car analogies

    He had been doing a virus removal on a customers PC on a slow day, and decided to run some network monitoring tools on it first. He instantly noticed traffic to an IRC server, recorded the details, then attempted to connect to it. It wouldn't let him in at first, but eventually he got around that by changing the version string on his normal IRC client in order to mimic what the virused computer was replying to. He found some hundred or so zombie machines sitting in a channel, renamed himself to something similar to the naming convention of the rest of the zombie machines, then let it sit for a few days.

    Eventually he checked his logs and saw the hacker logging in to the server and running various commands on the botnet. Upon closer inspection, he realized that the hackers IP address matched that of the IRC server. That made him think that the guy must have been dumb and was hosting it from his own connection (definitely a possibility in the early 2000s), so he scrolled through his logs some more and found instances of the hacker giving commands to ddos various targets. At that point my friend claims to have directed the botnet to ddos the IP of the IRC server they were connected to. It subsequently went down, leaving the hacker with no way to control the botnet anymore.

    Again, I have no idea how much of that story is true, however it still makes a good example to pick at in regards to legality of counter hacking. I would argue that up until he ordered the botnet to attack its controller, everything was perfectly legal.

  14. Re:Who cares? by budgenator · · Score: 2

    So if I was checking my Email, and found this phishing email in it specifically asking me to send information like name, address, social security number ect to them; would it be wrong of me to write a program that sends them a tetrabytes of names, addresses, social secrurity numbers, credit card numbers, all sliced and diced into uselessness?

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds