To Hack Back Or Not To Hack Back?
dinscott writes "If you think of cyberspace as a resource for you and your organization, it makes sense to protect your part of it as best you can. You build your defenses and train employees to recognize attacks, and you accept the fact that your government is the one that will pursue and prosecute those who try to hack you. But the challenge arises when you (possibly rightfully so) perceive that your government is not able to do so, and you demand to be allowed to 'hack back.'"
Bad idea.
Things like this never escalate. I keep seeing and feeling in so many ways how delicate this all is...and we keep hammering on it. As. Hard. As. Possible.
http://www.youtube.com/watch?v=_zXKtfKnfT8
I mean, two wrongs always make a right, right?
What you're advocating, quite plainly, is that if you break into my house and steal something, that I can then break into your house to take something from you. The law is quite clear on this. As long as hacking into and stealing resources is illegal, you doing the same is just as illegal. Get a Rottweiler and a home alarm and sign up for personalized security patrols. In essence that is what you can do with regards to your electronic resources.
The real question is what to do when our own government is the one "hacking" our pages
have you seen my sig? there are many others like it but none that are the same
First Kennedy hit Puig
Then Greinke hit Montero
Then Kennedy hit Greinke
So obviously Kennedy needs to watch his back.....
What if the hacker is already attacking from a computer that is not theirs? Firing back would make you no better than them.
Brought to you by Carl's Junior.
After the flawed warfare analogy of the military, we now have a flawed cowboy analogy. How can these people be that shortsighted, everyone knows that the internet is like cars.
Even as a massive multinational corporation, you do not have the resources or the expertise. You expose your company to massive legal liability. And you're not prepared for the aftermath. Few enemies are as determined as those bent on revenge.
You can get anything from 30 years to a century in jail for things that fall under the hacking umbrella, even for things that traditionally you won't call attacking. And if you are outside the US, a drone could visit you.
This usually goes for attackers or people that exploit or just bump against a vulnerability in US government/institution sites, but even if you do it against an "evil" organization (and it is not just an NSA/FBI cover operation or whatever) it could eventually be used against you.
There's nothing more frustrating as a black hat to hammer away at an apparently impenetrable and indifferent target.
"When information is power, privacy is freedom" - Jah-Wren Ryel
With the fact that compromised hosts are the first thing an intruder has between them and their target, how can one be sure that the host attacking them is malicious, or just a compromised box being used as a proxy or launching point for attacks?
If it was a compromised box, and it gets retaliated against, there might be a chance that the IDS/IPS system on the compromised network will log the back-strike, which can easily mean civil/criminal charges.
My take: Block them at the router for a couple days and go on. Trying to "counter-hack" can get one in a world of hurt.
Someone breaks into your place of business, what are your rights? You can bar the door, obviously. You physically intimidate them into leaving sure. You can shoot them... well... if you're in danger and can't get away (or even if you can in some places)... and you have the right to own the gun you're shooting... and well, you better be able to explain yourself.
What you can't do is follow them home and smash their stuff. And you really, really can't start an international incident, that kind of thing is looked down upon.
I would cyber hack their cyber organization till it makes their cyber heads spin! I wouldn't tell any of my cyber friends about it though.
I apologize for being one of the only ones to RTFA, however, I find it humorous:
[quote]
This is the same kind of reasoning that feeds blood feuds through the principle of “an eye for an eye” — “if you kill someone in my family, I will kill someone in yours. Innocent or not, I will shoot.”
[/quote]
I was always under the impression that an eye for an eye implied some sort of responsibility on the perpetrator, not everyone else... Maybe better written as:
"if you kill someone in my family, you will get killed"
In general, it's a fluffy feel-good read about making bigger gub'mint.
When I was in high school, I used to belong to a forum, and if our forum got defaced, or corrupted by another entity, we would attack back. Most of the time we would not have any issues with that particular group ever again.
You never have the option to take the law into your own hands. If you don't like the job your government(police) are doing, then work on them. But you never have the option to take the law into your own hands.
Hitting back shouldn't be tolerated within companies or organizations. It's just dumb policy. It was your own fault for failing to properly secure your system or use the right tools. If you have no other options it's the fault of your industries and you need to speak up.
1. Most states don't even let you stand your ground when faced with an assailant on the street you can clearly identify. Hacking back is stand your ground without even the requirement of knowing who is attacking you before drawing and using a weapon in many cases (most)?
2. Many corporations have punitive policies that prohibit or limit employees' self-defense rights on their campuses or even during the work hours. For example, I think one of the major pizza chains won't let drivers who regularly drive into very bad parts of town keep even a blunt weapon, let alone a legal firearm on them.
So why should corporations get a right which is dangerous, hard to limit collateral damage and which is a corollary to a right that is badly limited in most parts of the US for the flesh and blood citizens?
You done goofed, your hack attacks have been backtraced, and we have informed the cyberpolice, the consequences will never be the same!
After all, as we've recently found out the major culprit in most computer hackings seems to be the government. Now, it's very plain that no matter what the circumstances, anyone hacking into the government's computers is going to be considered to be breaking the law so you're better off to turn the other cheek, or in this case, computer, and make sure that they get what they want.
Ohhhhhh mannnn, if I could fucking hack back... You don't even know. But until it's legal to do so, it's too much of a risk to my livelihood.
Most corporations have no problem creating phantom business units to hide profits and losses, inflate executive salaries, etc, etc.
How do we know they aren't doing the same thing with an eye towards creating "disposable" and nearly unconnected entities they can use/abandon/reuse to launch counter-attacks or reconnaissance missions against targets they think are attacking them?
Buy a handful of servers, hire some contractors to install and do basic setup on them in some leased colo space, lather, rinse, repeat a few times and you have a distributed nationwide network, for all intents and purposes disconnected from the parent company and available to launch counter-attacks, problems, etc.
Screw up, get fingered, have problems? Walk away. Send in different contractors to strike the equipment, box it and ship it off....to another data center, where different contractors can set it up again.
For a Fortune 500 business they could do this with the rounding error in their budget.
Okay, let's assume your a name is awesomeness in IT Security and Hacking; furthermore, let's assume that you:
Still sounds like a great way to end up dead. You never know who you're playing with.
But, think if it was legal. That would be some fun to be had, until things got out of hand and such. At a certain point, it's more cost effective to send someone with a gun.
In Soviet Russia, the government hacks you! In the United States however it's not hacking anymore, because the law says all channels are open for Big Brother, and hacking de-facto does not exist anymore. How about that?
What I find interesting is that people seem to equate a hack back with showing up at someone's house after they're long gone from your place and punching out their window in retribution.
As a sysadmin who has dealt with a number of compromised servers, here is where that analogy fails: I have NEVER seen a hack where the hacker just leaves after they gain access. They create backdoors to ensure that they have access to your network in the future, and will likely try to use your assets in future attacks.
To use the break-in analogy: Most hackers are STILL IN YOUR HOUSE.
Now, one can argue all day about whether it's a waste of resources to hack back, but a hack back is certainly not equivalent to tracking someone down and throwing a brick through their window. In the vast majority of hacks I've personally encountered, a hack back would be active defense.
Why? Not because of any failed cowboy analogy, or belief in how the wonderful rule of law will solve all of our problems for us, but for this one simple reason:
I don't trust you, or anybody, to be able to identify who is attacking you, or even to correctly determine if you are even being attacked at all. Do you need a car analogy? Giving people blanket authorization to strike back at their virtual attackers is like handing Dilbert's boss a rocket launcher and asking him to do something about the lack of available spaces in the office parking lot. If you believe that your network is being attacked and feel the need to strike back at the perpetrators, then please:
I can't promise you that this will _solve_ your problem, but it will give you some time to cool down, realize that your original reaction was based on faulty and incomplete evidence, and keep you busy for a few hours doing something useful instead of being part of the problem.
... you never go dark !
Keep the government out of it, if someone hacks you do something about it yourself. Or maybe I'm the only one that thinks governments shouldn't be allowed to have any legal control over the internet.
... is part of the problem. I run a website small enough that I (perhaps foolishly) get an email for EVERY failed http request. This makes it easy for me to spot patterns of failed hacks and even build some automated detection of hack attempts into my system. I have had LIMITED success with reporting the hack back to the machine owner. I do this because I figure, either A) it's almost always a compromised machine and therefore unfair and unhelpful to try to hack back, or B) a rogue admin is using company hardware to launch attacks in the off-hours. Either way, the company is made aware that their assets are being abused, and will hopefully have the smarts to fix it, and in the case of "B", the admin has probably lost their job and doesn't know which site reported his abuse, which in turn improves my chances of not getting a retaliation attack later. I'd guess that 95% of all attempts on my system are from compromised systems, and of those, 90% are script kiddies... always trying to access phpMyAdmin, wp-login, or some other randomly pseudo-important folder such as /admin or /login. In the rare cases where the server appears to be out of country, or not owned by a recognizable company, I simply opt for the ban-hammer. I ban via database rather than the router because I don't have access to the router... which is nice because it lets me dream about formulating plans for some XKCD style mind-F#@King.
Point is: Reporting the abuse will likely not net an arrest let alone fame and glory, but if enough people are reporting the abuse, someone will take notice and do something about it. Also, no matter how you slice it, reporting the abuse through the proper channels decreases the odds that the hacker will KNOW it was you who reported the abuse, and now people with better tracking skills than myself are working on it.
Which has more power: the hammer, or the anvil?
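A sketch of the detect, report and ban workflow described in the comment above, as an added example that is not the commenter's code. It assumes Combined Log Format access logs; the thresholds, the ban-row shape and the two-day expiry are hypothetical choices, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Combined Log Format; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2013:03:14:07 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [12/Jun/2013:03:14:08 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [12/Jun/2013:03:14:09 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "-"
198.51.100.23 - - [12/Jun/2013:09:30:00 +0000] "GET /old-page.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2013:09:30:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Jun/2013:11:00:00 +0000] "GET /login HTTP/1.1" 404 209 "-" "-"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Paths named in the comment above; matching is case-insensitive.
PROBE = re.compile(r"^/(phpmyadmin|wp-login\.php|admin|login)(/|\?|$)", re.I)


def probe_failures(log_text):
    """Return {ip: [(timestamp, path), ...]} for 4xx requests to probe paths."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing
        ip, ts, path, status = m.groups()
        if status.startswith("4") and PROBE.match(path):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits[ip].append((when, path))
    return hits


def find_scanners(log_text, min_hits=3, window=timedelta(minutes=10)):
    """Flag sources with at least min_hits probe failures inside one window."""
    flagged = {}
    for ip, events in probe_failures(log_text).items():
        events.sort()
        for i in range(len(events) - min_hits + 1):
            if events[i + min_hits - 1][0] - events[i][0] <= window:
                flagged[ip] = events
                break
    return flagged


def ban_rows(flagged, now, days=2):
    """Rows for a hypothetical ban table: (ip, expires). Bans expire by design."""
    return [(ip, now + timedelta(days=days)) for ip in sorted(flagged)]


def abuse_report(ip, events):
    """Plain-text evidence for the owner of the network the traffic came from."""
    lines = [f"Failed requests from {ip} to paths that do not exist on our site:"]
    lines += [f"  {when.isoformat()}  {path}" for when, path in events]
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = find_scanners(SAMPLE_LOG)
    for ip, events in flagged.items():
        print(abuse_report(ip, events))
    print(ban_rows(flagged, datetime(2013, 6, 12, 12, 0)))
```

A single stray 404 (the visitor with a browser user agent, or one request to /login) is not flagged; only the burst of probes is, which keeps ordinary broken links out of the ban list and the abuse report.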
An attack can come from a PC which the attacker does not own, i.e. RATs. To do damage to non-attackers is incredibly stupid. Comparing IRL warfare and Internet warfare is incredibly stupid.
While hacking back is generally a bad idea for a variety of reasons (such as, it's most likely an innocent user's computer being used as a bot), the article was a monstrosity of uselessness. An individual back hacking a Chinese government hacker isn't going to start cyber world war 3 and the entire notion that it would is stupid. The reasoning for why you don't back hack is completely invalid. It's simply a matter of not being worth it. Most attacks are going to happen through bots and wiping out the bots is just going to hurt innocents and possibly destroy evidence.
AJ Henderson
If not, you don't hack, or hack back. People/Corporations do things for profit, monetary or otherwise. If I were a CIO (employers, CV available on demand...) I'd be less than impressed in my staff indulging in revenge rather than in selling our product or helping our clients.
And BTW, how come we got hacked? Can we fix that hole please? I've got to tell the board in 20 minutes what happened and that it won't happen again.
"The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
Let's ignore the morally correct point that fighting fire with fire isn't actually legal. Let's just think about what you hope to accomplish.
Suppose that you possess the time and skills to properly track your attacker back to their actual home system(s), and you manage to crack it. You upload a virus you wrote in your free time that spreads through their computer, deletes all files, and hides in the BIOS afterwards, frying hardware with malicious hardware calls. After you disconnect from their newly cratered system, how long is it going to be until the next random punk off the internet tries to probe your security?
< 00.1 second.
Good luck with your vendetta, I hope it works out for you.
HA! I just wasted some of your bandwidth with a frivolous sig!
The last time I got hacked, I wrote some software that went in and messed up some centrifuge thingys of the host country my hacker was from.
That'll teach 'em.
Have been hacking and hacking and hacking :)
You turds actually trusted the US government? AKA the Rothchilds and Rockefellers? AKA Majestic 12? AKA Bilderberg?
If you knew the whole time you were being fucked in the ass by rape would you fight back to prevent it?
It's a simple concept really.
Here it is.
:V
And here's what I said last time.
Let's see if I can get +5 just for linking to a comment that got +5.
He said we should hack the computers that try to hack us. I started laughing and couldn't stop, he just glared at me. I said, "Oh, you were serious!" and then laughed some more.
Just the image of a huge multinational family image company getting caught hacking into thousands of machines worldwide was funny to me.
Yes, we have heard of sysadmins who configure their systems to conduct email floods instead of reading their friggin logs DB. After they get done with the ass reaming from their boss, everyone has completely forgotten about the original vector.
Let's ignore the morally correct point that fighting fire with fire isn't actually legal.
Hmm.... That sounded a whole lot like you are using morality and legality as synonyms. That's far from the truth. In fact, in a surprisingly large number of situations, they are antonyms.
Better things are available for your limited life. E.g.:
masturbate
cunnilingus/fellatio
intercourse
ménage à trois
gaming
partake in competitive sports
more masturbation
pr0n
meeting like minded people in real life
helping those in need
further masturbation
If you hack back, just remember to follow the 11th Commandment:
THOU SHALL NOT GET CAUGHT.
You cannot get in your car, drive to their house and then shoot them, as you are no longer being threatened by said intruder. Hacking back is exactly that.
Not according to the State of California.
According to the State of California, if I go out on the Internet to the web site of a company in Texas and purchase an item, and have it shipped to me in California, the transaction took place in my home. This is their legal rationale for being able to collect sales tax on the transaction without violating the Interstate Commerce Clause of the US Constitution.
Therefore, if I "hack back" someone who has hacked me, their initial hacking took place wherever they are located, but my "hack back", in defence of the computer located in my home, took place in my home.
So this is precisely the same as if someone broke into my house and tampered with my machine to steal bank account and other information, and during the tampering, I, in my home, shot them.
It really doesn't matter that the bullet landed somewhere in Taipei, the transaction happened in California in my house, just as if I had purchased something.
While I agree that eye for eye retaliation cannot work in a civilized society, I note the unfortunate proposal of a world governance.
World governance is often called as a way to kill any ability to do something in our lifetimes. We are now familiar with world finance governance to avoid crisis, and we know it will never happen.
Governance means there is Sovereignty. Sovereignty means there is People involved in a social pact. This is what a Nation is. There is no such World Nation. I do not have the solution to hacking problems, but I am convinced world governance cannot be the solution.
That's not an equivalent. That's the only way you can try and get "justice" if law enforcement doesn't take care of the perpetrators, but it's not a digital equivalent. Let me put it to you this way: If someone was to come into your house and murder your significant other. Would it be okay if the police were to find them and kill their significant other, without trial? Because that would be an equivalent too. The law deals with these things not by revenge or "an eye for an eye", but by (hopefully) proper research, apprehension of the suspects and a fair trial. Hacking back isn't any of those.
I was promised a flying car. Where is my flying car?
...isn't that being given access?
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
If your government demonstrated it is unable or unwilling to prosecute someone committing a crime towards you and you have the abilities, resources and willingness to commit the same crime, who would keep you from doing so? The government proved it won't.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I love how the terms Hacker and Hack have been subverted to denote what used to be named Cracker and Cracking.
An eye for an eye, a tooth for a tooth? We'll all end up blind and toothless.
If your attacker was spoofing your IP, you've just attacked an innocent party.
Punishment without trial, and vigilante justice is not the way forward.
... and today's pet project has
You will regret doing it if you'll live...
Let's ignore the morally correct point that fighting fire with fire isn't actually legal. Let's just think about what you hope to accomplish.
I want to send my black ice against them and make sure their neurons are fried and they are no longer capable of hacking!
Let's ignore the morally correct point that fighting fire with fire isn't actually legal.
Hmm.... That sounded a whole lot like you are using morality and legality as synonyms. That's far from the truth. In fact, in a surprisingly large number of situations, they are antonyms.
I am saying that an eye for an eye vigilantism isn't legal, nor is it moral.
HA! I just wasted some of your bandwidth with a frivolous sig!
Sure, counterattacking is great! It's especially useful when you're being attacked from a forged IP address, or a bunch of malware zombies running on cracked machines, or when the attackers are forging your IP address for their queries to DNS servers or other smurfing amplifiers.
That sales guy at $YOUR_CUSTOMER who answered some phishing mail needs to know that his PC is infected with malware that's trying to phish you; you might find gentler approaches than a DDOS attack or ICANN domain name takedown to stop his machine.
And sure, exampledomain.com really ought to rate-limit their DNS servers and run them on ISPs that use BCP38 to reduce IP address spoofing, but nuclear weapons from orbit aren't the right response to the problem. Ok, actually, there are some days that nuclear weapons from orbit really do seem to be the appropriate response, but that's when you find out that they're using Amazon AWS cloud services as a backup, so nuking Philadelphia just didn't do the job.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
But it's very satisfying, and sometimes effective.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."