To Hack Back Or Not To Hack Back?

dinscott writes "If you think of cyberspace as a resource for you and your organization, it makes sense to protect your part of it as best you can. You build your defenses and train employees to recognize attacks, and you accept the fact that your government is the one that will pursue and prosecute those who try to hack you. But the challenge arises when you (possibly rightfully so) perceive that your government is not able do so, and you demand to be allowed to 'hack back.'"

No

Bad idea.

Re:No

[jellomizer]

For the most part the people who are hacking into you isn't that personal, you are just an open system with the vulnerability. Hacking back will not do too much except for making it personal. If you want to solve the problem you will need to redo your security.

Besides most hackers will jump from system to system to make it hard to detect. I remember trying to trace a hacker back, I gave up after going into 3 or 4 systems across the globe. Realizing that I could part of the problem not the solution I gave up. And then went on improving security.

Re:No

[stewsters]

This. Working for your business is not worth getting thrown in jail for, and its open season on hackers.

Some ideas of what you can do:

• Cleanse anything that goes into a database. Get a model layer that does this for you.
• You probably don't use UNION or similar keywords but they are used by hackers extensively. We built our own code to search for these keywords and tarpit them.
• If they are all coming from some small IP block in China, block it. Minimal loss in business.
• If they are running automated vulnerability scanners, you could add pages to blacklist their hosts as soon as they try to hit default administration pages for wordpress on your site.
• If its just password guessers, block them. Use ssh keys.
• Nmap the hosts that are targeting you. Most likely they are someone's compromised windows xp machine.
• Report them to the FBI: http://itsecurity.vermont.gov/Report_Crime

If all else fails, go on 4chan and post "OMG i just made the most secure site evar! Address is ${offender's IP} I bet no one can hack my site and take my bitcoins. "

Good thing..

[thisisnotreal]

Things like this never escalate. I keep seeing and feeling in so many ways how delicate this all is...and we keep hammering on it. As. Hard. As. Possible.

Vigilantism is not a new concept

What you're advocating, quite plainly, is that if you break into my house and steal something, that I can then break into your house to take something from you. The law is quite clear on this. As long as hacking into and stealing resources is illegal, you doing the same is just as illegal. Get a Rottweiler and a home alarm and sign up for personalized security patrols. In essence that is what you can do with regards to your electronic resources.

Re:Vigilantism is not a new concept

[lister+king+of+smeg]

What you're advocating, quite plainly, is that if you break into my house and steal something, that I can then break into your house to take something from you. The law is quite clear on this. As long as hacking into and stealing resources is illegal, you doing the same is just as illegal. Get a Rottweiler and a home alarm and sign up for personalized security patrols. In essence that is what you can do with regards to your electronic resources.

If someone breaks into my house I can shoot them thanks to castle laws, there is no digital equivalent other than hacking them back.

Re:Vigilantism is not a new concept

[HockeyPuck]

If someone breaks into my house I can shoot them thanks to castle laws, there is no digital equivalent other than hacking them back.

You cannot get in your car, drive to their house and then shoot them, as you are nolonger being threatened by said intruder. Hacking back is exactly that. You've been attacked and then you retaliate after the fact.

Typical conditions that apply to some Castle Doctrine laws include (from wikipedia):

        - An intruder must be making (or have made) an attempt to unlawfully or forcibly enter an occupied residence, business, or vehicle.
        - The intruder must be acting unlawfully (the Castle Doctrine does not allow a right to use force against officers of the law, acting in the course of their legal duties).
        - The occupant(s) of the home must reasonably believe the intruder intends to inflict serious bodily harm or death upon an occupant of the home. Some states apply the Castle Doctrine if the occupant(s) of the home reasonably believe the intruder intends to commit a lesser felony such as arson or burglary.
        - The occupant(s) of the home must not have provoked or instigated an intrusion; or, provoked/instigated an intruder's threat or use of deadly force.

Re:Vigilantism is not a new concept

[Trepidity]

The justification for shooting an intruder in your house is self-defense, since you might reasonably fear for your life if someone's broken into your house (especially if they're armed). The purpose is not to authorize vigilante retaliation or punishment. Therefore, if the person isn't in your house anymore, there is no longer a justification for shooting them.

Actually, even if your house you shouldn't shoot them unless you actually do fear for your life and it's truly self-defense. Not all states require you to prove that (partly due to worries over whether it's possible to prove), but you are not supposed to shoot someone just because you can get away with it.

the question was posed wrong

[ganjadude]

The real question is what to do when our own government is the one "hacking" our pages

Bad Idea.

[wjcofkc]

What if the hacker is already attacking from a computer that is not theirs. Firing back would make you no better than them.

Are you SURE it was that party?

[mlts]

With the fact that compromised hosts are the first thing an intruder has between them and their target, how can one be sure that the host attacking them is malicious, or just a compromised box being used as a proxy or launching point for attacks?

If it was a compromised box, and it gets retaliated against, there might be a chance that the IDS/IPS system on the compromised network will log the back-strike, which can easily mean civil/criminal charges.

My take: Block them at the router for a couple days and go on. Trying to "counter-hack" can get one in a world of hurt.

Put it in real life terms

[MozeeToby]

Someone breaks into your place of business, what are your rights? You can bar the door, obviously. You physically intimidate them into leaving sure. You can shoot them... well... if you're in danger and can't get away (or even if you can in some places)... and you have the right to own the gun you're shooting... and well, you better be able to explain yourself.

What you can't do is follow them home and smash their stuff. And you really, really can't start an international incident, that kind of thing is looked down upon.

Internet Castle Law

What I find interesting is that people seem to equate a hack back with showing up at someone's house after they're long gone from your place and punching out their window in retribution.

As a sysadmin who has dealt with a number of compromised servers, here is where that analogy fails: I have NEVER seen a hack where the hacker just leaves after they gain access. They create backdoors to ensure that they have access to your network in the future, and will likely try to use your assets in future attacks.

To use the break-in analogy: Most hackers are STILL IN YOUR HOUSE.

Now, one can argue all day about whether it's a waste of resources to hack back, but back hack is certainly not equivalent to tracking someone down and throwing a brick throw their window. In the vast majority of hacks I've personally encountered, a hack back would be active defense.

Just don't do it.

[Minwee]

Why? Not because of any failed cowboy analogy, or belief in how the wonderful rule of law will solve all of our problems for us, but for this one simple reason:

I don't trust you, or anybody, to be able to identify who is attacking you, or even to correctly determine if you are even being attacked at all. Do you need a car analogy? Giving people blanket authorization to strike back at their virtual attackers is like handing Dilbert's boss a rocket launcher and asking him to do something about the lack of available spaces in the office parking lot. If you believe that your network is being attacked and feel the need to strike back at the perpetrators, then please:

• 1) Keep it in your pants. Nobody is really impressed by that, and
• 2) Collect evidence, read your logs, make an actual effort to figure out what is going on, and then forward that information to the appropriate responsible parties, and finally,
• 3) Let them investigate and deal with it.

I can't promise you that this will _solve_ your problem, but it will give you some time to cool down, realize that your original reaction was based on faulty and incomplete evidence, and keep you busy for a few hours doing something useful instead of being part of the problem.

Valid big conclusion, useless article.

[AJH16]

While hacking back is generally a bad idea for a variety of reasons (such as, it's most likely an innocent user's computer being used as a bot), the article was a monstrosity of uselessness. An individual back hacking a Chinese government hacker isn't going to start cyber world war 3 and the entire notion that it would is stupid. The reasoning for why you don't back hack is completely invalid. It's simply a matter of not being worth it. Most attacks are going to happen through bots and wiping out the bots is just going to hurt innocents and possibly destroy evidence.

That's not an equivalent

[dutchwhizzman]

That's not an equivalent. That's the only way you can try and get "justice" if law enforcement doesn't take care of the perpetrators, but it's not a digital equivalent. Let me put it to you this way: If someone was to come into your house and murder your significant other. Would it be okay if the police were to find them and kill their significant other, without trial? Because that would be an equivalent too. The law deals with these things not by revenge or "an eye for an eye", but by (hopefully) proper research, apprehension of the suspects and a fair trial. Hacking back isn't any of those.

Re:Well, sure

[Opportunist]

And two rights make up what's left of the Constitution.