Slashdot Mirror


To Hack Back Or Not To Hack Back?

dinscott writes "If you think of cyberspace as a resource for you and your organization, it makes sense to protect your part of it as best you can. You build your defenses and train employees to recognize attacks, and you accept the fact that your government is the one that will pursue and prosecute those who try to hack you. But the challenge arises when you (possibly rightfully so) perceive that your government is not able to do so, and you demand to be allowed to 'hack back.'"

39 of 183 comments

  1. No by Anonymous Coward · · Score: 5, Insightful

    Bad idea.

    1. Re:No by Anonymous Coward · · Score: 2, Funny

      Don't be a pussy, go for it mah brother! Fuck'em up!

    2. Re:No by jellomizer · · Score: 5, Insightful

      For the most part, for the people who are hacking into you it isn't that personal; you are just an open system with the vulnerability. Hacking back will not do too much except for making it personal. If you want to solve the problem you will need to redo your security.

      Besides, most hackers will jump from system to system to make it hard to detect. I remember trying to trace a hacker back; I gave up after going into 3 or 4 systems across the globe. Realizing that I could be part of the problem, not the solution, I gave up. And then went on improving security.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:No by stewsters · · Score: 5, Insightful
      This. Working for your business is not worth getting thrown in jail for, and it's open season on hackers.

      Some ideas of what you can do:
      • Cleanse anything that goes into a database. Get a model layer that does this for you.
      • You probably don't use UNION or similar keywords but they are used by hackers extensively. We built our own code to search for these keywords and tarpit them.
      • If they are all coming from some small IP block in China, block it. Minimal loss in business.
      • If they are running automated vulnerability scanners, you could add pages to blacklist their hosts as soon as they try to hit default administration pages for WordPress on your site.
      • If it's just password guessers, block them. Use ssh keys.
      • Nmap the hosts that are targeting you. Most likely they are someone's compromised Windows XP machine.
      • Report them to the FBI: http://itsecurity.vermont.gov/Report_Crime

      If all else fails, go on 4chan and post "OMG i just made the most secure site evar! Address is ${offender's IP} I bet no one can hack my site and take my bitcoins. "
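An added example (not part of the comment above, and not the commenter's own code) of the keyword search and the WordPress admin-page tripwire from that list, run over access-log lines. It assumes a combined-format access log and a site that does not run WordPress; the log lines, addresses, and the function names `fully_decode` and `classify` are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log (combined format). Addresses are from the RFC 5737
# documentation ranges; paths and user agents are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2013:10:00:01 +0000] "GET /products?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2013:10:00:02 +0000] "GET /products?id=7%20UNION%20SELECT%20login,pass%20FROM%20users HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [01/Jan/2013:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "scanner"
203.0.113.5 - - [01/Jan/2013:10:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 404 0 "-" "scanner"
198.51.100.77 - - [01/Jan/2013:10:00:05 +0000] "GET /search?q=1%2520UnIoN%2520SeLeCt%25201 HTTP/1.1" 200 90 "-" "-"
192.0.2.10 - - [01/Jan/2013:10:00:06 +0000] "GET /blog/european-union-news HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# "UNION ... SELECT" anywhere in the decoded query string, any letter case.
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)
# Default WordPress admin pages; assumed not to exist on this site, so any
# request for them is treated as an automated scanner.
WP_PROBE_RE = re.compile(r"^/(wp-login\.php|wp-admin(/|$))", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also inspected."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(log_text):
    """Return {client_ip: action}; action is 'tarpit' or 'blacklist'."""
    actions = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not in the expected format, ignore
        ip, _method, target, _status = match.groups()
        parts = urlsplit(target)
        if WP_PROBE_RE.match(fully_decode(parts.path)):
            actions[ip] = "blacklist"          # scanner tripwire wins
        elif SQLI_RE.search(fully_decode(parts.query)):
            actions.setdefault(ip, "tarpit")   # keyword hit in the query only
    return actions


if __name__ == "__main__":
    for ip, action in sorted(classify(SAMPLE_LOG).items()):
        print(ip, action)
```

Only the query string is searched for keywords, so the `/blog/european-union-news` path is not flagged; a legitimate query that happens to contain both words still would be, which is why this example slows those clients down rather than blocking them.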

    4. Re:No by khasim · · Score: 2

      Or, to phrase it another way: if you have the hacking skills to retaliate then you have the skills to be invulnerable to the attack in the first place.

      The enemy cracker has a limited number of targets:
      1. your router.
      2. your firewall.
      3. whatever service you provide through your firewall (you do have a DMZ, right?).
      4. flooding your bandwidth with traffic from thousands of zombies.

      Anyone have any other types of attack that I forgot? And if you cannot secure those (except for #4) then you probably won't be able to "hack back".

    5. Re:No by noh8rz10 · · Score: 2

      just do it like Goldeneye, with that Russian dude.

    6. Re:No by Archangel+Michael · · Score: 2

      I am INVINCIBLE!

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    7. Re:No by rtb61 · · Score: 2

      If you attack back, you create the opportunity for the greatest hacks of all, false ones that get you to target an innocent person or company or organisation. Groups likely to report the attack to their legal authorities who will then prosecute, extradite and jail your silly ass.

      --
      Chaos - everything, everywhere, everywhen
    8. Re:No by Opportunist · · Score: 2

      Yes. But that doesn't end the problem, the can of worms this opens is a lot more complex than it seems at the surface. The matter in question is nothing less than the state's power monopoly.

      If I get robbed, I don't grab my gun and go hunting for the guy who did it. No. I go to the police and ask them to find him. Why do I do that? Because I trust them to have more power, time, experience and resources than me to do just that. But there's more to it than just them being better at it than me. There are two other, very important reasons, why we have those guys in the first place.

      It also serves an important equalizing purpose where EVERYONE, not just someone with the knowledge, experience or resources to do so, can find justice. You needn't be armed to the teeth or wealthy enough to afford your private army to defend your private property and your life.

      The second reason is easily overlooked but at least equally important: Due process. It's not just some angry mob who wants to string up someone, anyone, for a crime that happened (the more heinous the crime, the closer the noose). Of course the police isn't free from prejudice and also very interested to close cases, but we're still far, far away from "It must've been Jones, he looks funny and I heard someone say it could only have been him".

      If a government is unable or unwilling to fulfill their duty of actually wielding this power monopoly, someone will step in to fill that power vacuum. Usually it's called vigilantism. And usually it doesn't really end well.

      A government's power monopoly, like every privilege handed to a government by its people, must be justified by that government. If it cannot justify why it should be granted that privilege, the people will take it back. With or without legal backing.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Good thing.. by thisisnotreal · · Score: 5, Insightful

    Things like this never escalate. I keep seeing and feeling in so many ways how delicate this all is...and we keep hammering on it. As. Hard. As. Possible.

    1. Re:Good thing.. by Artifakt · · Score: 2

      You need to be at plus 5, just for that first sentence, and the rest are as good.

      1. Company has trouble with commonly skilled criminal crackers.
      2. Company gets special permission to take matters into its own hands. To get this, company does special favors for a nation state.
              (You don't think the politicians just ask for campaign contributions when they can also ask for "law enforcement assistance" against terrorists, do you? Or that those same terrorists, who think of themselves as involved in a war, respect a strong distinction between homeland security and the US military, or similar set ups in other countries?)
      3. More skilled political/military crackers, who may also even be backed by the full special resources of another nation, now treat the company as just another arm of a government's military, and even if they have some strange desire to abide by the Geneva convention or other limits, can make a fair case it's a 'legitimate' target.
      4. War between two nation states breaks out, starting with computer actions, and with the Company's assets as the primary battlefield.
      5. Since everyone thinks cyber-war sounds dumb, there are no firm lines, and the war that starts inside computers ends as the company's employees face special attention from landmines, IEDs and rocket propelled grenades.

      Yes, I left out the "?" and "profit" steps. Anyone really think they need to be there?

      --
      Who is John Cabal?
  3. Vigilantism is not a new concept by Anonymous Coward · · Score: 5, Insightful

    What you're advocating, quite plainly, is that if you break into my house and steal something, that I can then break into your house to take something from you. The law is quite clear on this. As long as hacking into and stealing resources is illegal, you doing the same is just as illegal. Get a Rottweiler and a home alarm and sign up for personalized security patrols. In essence that is what you can do with regards to your electronic resources.

    1. Re:Vigilantism is not a new concept by lister+king+of+smeg · · Score: 3, Insightful

      What you're advocating, quite plainly, is that if you break into my house and steal something, that I can then break into your house to take something from you. The law is quite clear on this. As long as hacking into and stealing resources is illegal, you doing the same is just as illegal. Get a Rottweiler and a home alarm and sign up for personalized security patrols. In essence that is what you can do with regards to your electronic resources.

      If someone breaks into my house I can shoot them thanks to castle laws, there is no digital equivalent other than hacking them back.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    2. Re:Vigilantism is not a new concept by HockeyPuck · · Score: 4, Insightful

      If someone breaks into my house I can shoot them thanks to castle laws, there is no digital equivalent other than hacking them back.

      You cannot get in your car, drive to their house and then shoot them, as you are no longer being threatened by said intruder. Hacking back is exactly that. You've been attacked and then you retaliate after the fact.

      Typical conditions that apply to some Castle Doctrine laws include (from Wikipedia):

              - An intruder must be making (or have made) an attempt to unlawfully or forcibly enter an occupied residence, business, or vehicle.
              - The intruder must be acting unlawfully (the Castle Doctrine does not allow a right to use force against officers of the law, acting in the course of their legal duties).
              - The occupant(s) of the home must reasonably believe the intruder intends to inflict serious bodily harm or death upon an occupant of the home. Some states apply the Castle Doctrine if the occupant(s) of the home reasonably believe the intruder intends to commit a lesser felony such as arson or burglary.
              - The occupant(s) of the home must not have provoked or instigated an intrusion; or, provoked/instigated an intruder's threat or use of deadly force.

    3. Re:Vigilantism is not a new concept by Hentes · · Score: 2

      That's not a digital equivalent either.

    4. Re:Vigilantism is not a new concept by Trepidity · · Score: 4, Insightful

      The justification for shooting an intruder in your house is self-defense, since you might reasonably fear for your life if someone's broken into your house (especially if they're armed). The purpose is not to authorize vigilante retaliation or punishment. Therefore, if the person isn't in your house anymore, there is no longer a justification for shooting them.

      Actually, even in your house you shouldn't shoot them unless you actually do fear for your life and it's truly self-defense. Not all states require you to prove that (partly due to worries over whether it's possible to prove), but you are not supposed to shoot someone just because you can get away with it.

  4. the question was posed wrong by ganjadude · · Score: 4, Insightful

    The real question is what to do when our own government is the one "hacking" our pages

    --
    have you seen my sig? there are many others like it but none that are the same
  5. Re:Well, sure by DougOtto · · Score: 4, Funny

    No, but three lefts do.

    --
    Solving Unix problems since 1989...
  6. Bad Idea. by wjcofkc · · Score: 4, Insightful

    What if the hacker is already attacking from a computer that is not theirs. Firing back would make you no better than them.

    --
    Brought to you by Carl's Junior.
    1. Re:Bad Idea. by DarkOx · · Score: 2

      Firing back would make you no better than them

      Why? A compromised machine is a compromised machine. It's already not really under the legal owner's control anymore, even if it happens to still be doing what they want it to. I think from an ethical standpoint it's acceptable collateral damage.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  7. Cowboy analogy by Hentes · · Score: 4, Funny

    After the flawed warfare analogy of the military, we now have a flawed cowboy analogy. How can these people be that shortsighted, everyone knows that the internet is like cars.

  8. Are you SURE it was that party? by mlts · · Score: 4, Insightful

    With the fact that compromised hosts are the first thing an intruder has between them and their target, how can one be sure that the host attacking them is malicious, or just a compromised box being used as a proxy or launching point for attacks?

    If it was a compromised box, and it gets retaliated against, there might be a chance that the IDS/IPS system on the compromised network will log the back-strike, which can easily mean civil/criminal charges.

    My take: Block them at the router for a couple days and go on. Trying to "counter-hack" can get one in a world of hurt.

  9. Put it in real life terms by MozeeToby · · Score: 5, Insightful

    Someone breaks into your place of business, what are your rights? You can bar the door, obviously. You can physically intimidate them into leaving, sure. You can shoot them... well... if you're in danger and can't get away (or even if you can in some places)... and you have the right to own the gun you're shooting... and well, you better be able to explain yourself.

    What you can't do is follow them home and smash their stuff. And you really, really can't start an international incident, that kind of thing is looked down upon.

    1. Re:Put it in real life terms by NewWorldDan · · Score: 2

      And you also better be damn sure you're attacking the right person and not some poor company who has already had their own systems compromised. Most people are really bad detectives and just aren't qualified to determine who to hack back against. And usually your attacker doesn't have much of a footprint to attack. So while I support your right to actively defend yourself, don't be a Zimmerman and shoot some unarmed kid with a bag of candy in his pocket.

  10. Re:Well, sure by Mattcelt · · Score: 4, Funny

    And two Wrights make an airplane.

  11. vigilantism by tist · · Score: 2

    You never have the option to take the law into your own hands. If you don't like the job your government(police) are doing, then work on them. But you never have the option to take the law into your own hands.

  12. Re:It's a terrible idea by g0bshiTe · · Score: 2

    I work for Umbrella you fool! We have the resources we have the expertise.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  13. In Soviet Russia by rvw · · Score: 2

    In Soviet Russia, the government hacks you! In the United States however it's not hacking anymore, because the law says all channels are open for Big Brother, and hacking de-facto does not exist anymore. How about that?

  14. Internet Castle Law by Anonymous Coward · · Score: 3, Insightful

    What I find interesting is that people seem to equate a hack back with showing up at someone's house after they're long gone from your place and punching out their window in retribution.

    As a sysadmin who has dealt with a number of compromised servers, here is where that analogy fails: I have NEVER seen a hack where the hacker just leaves after they gain access. They create backdoors to ensure that they have access to your network in the future, and will likely try to use your assets in future attacks.

    To use the break-in analogy: Most hackers are STILL IN YOUR HOUSE.

    Now, one can argue all day about whether it's a waste of resources to hack back, but back hack is certainly not equivalent to tracking someone down and throwing a brick through their window. In the vast majority of hacks I've personally encountered, a hack back would be active defense.

    1. Re:Internet Castle Law by Todd+Knarr · · Score: 3, Interesting

      Thing is, most of the "hack back" responses don't involve going after the hacker still in your system. They boil down to trying to figure out who the hacker is, where they live, and then going to that address and attacking whoever's there. Which of course raises such issues as "Did your attacker leave a false trail that would lead you to attack someone not involved in the attack on you?" and "What are you going to do if that uninvolved party decides to hack back themselves?". Few of the proponents of "hack back" seem willing to discuss those issues, they mostly brush them off as "That won't happen.". When probed as to exactly what it won't and what'll keep it from happening, though, they start flailing badly rather than giving coherent answers. And none of them want to commit to accepting full legal liability if it does happen. If it won't happen, what's the problem with agreeing to accept a liability you'll never need to accept?

  15. Just don't do it. by Minwee · · Score: 4, Insightful

    Why? Not because of any failed cowboy analogy, or belief in how the wonderful rule of law will solve all of our problems for us, but for this one simple reason:

    I don't trust you, or anybody, to be able to identify who is attacking you, or even to correctly determine if you are even being attacked at all. Do you need a car analogy? Giving people blanket authorization to strike back at their virtual attackers is like handing Dilbert's boss a rocket launcher and asking him to do something about the lack of available spaces in the office parking lot. If you believe that your network is being attacked and feel the need to strike back at the perpetrators, then please:

    • 1) Keep it in your pants. Nobody is really impressed by that, and
    • 2) Collect evidence, read your logs, make an actual effort to figure out what is going on, and then forward that information to the appropriate responsible parties, and finally,
    • 3) Let them investigate and deal with it.

    I can't promise you that this will _solve_ your problem, but it will give you some time to cool down, realize that your original reaction was based on faulty and incomplete evidence, and keep you busy for a few hours doing something useful instead of being part of the problem.

  16. Re:bad analogy by Minwee · · Score: 2

    I was always under the impression that an eye for an eye implied some sort of responsibility on the perpetrator, not everyone else.

    It's more of a statement of limited liability. A longer version of it would be "Ye have heard that it hath been said, an eye for an eye, and a tooth for a tooth. So if someone poketh thee in thine eye, thou don't get to kill every member of their family. Just poke them back and then knocketh it off. They didn't expect this kind of Spanish Inquisition, thou doth know."

  17. Valid big conclusion, useless article. by AJH16 · · Score: 3, Insightful

    While hacking back is generally a bad idea for a variety of reasons (such as, it's most likely an innocent user's computer being used as a bot), the article was a monstrosity of uselessness. An individual back hacking a Chinese government hacker isn't going to start cyber world war 3 and the entire notion that it would is stupid. The reasoning for why you don't back hack is completely invalid. It's simply a matter of not being worth it. Most attacks are going to happen through bots and wiping out the bots is just going to hurt innocents and possibly destroy evidence.

    --
    AJ Henderson
  18. I AM THE BAT-MAN....HACKER! wait, start again... by TiggertheMad · · Score: 2

    Let's ignore the morally correct point that fighting fire with fire isn't actually legal. Let's just think about what you hope to accomplish.

    Suppose that you possess the time and skills to properly track your attacker back to their actual home system(s), and you manage to crack it. You upload a virus you wrote in your free time that spreads through their computer, deletes all files, and hides in the BIOS afterwards, frying hardware with malicious hardware calls. After you disconnect from their newly cratered system, how long is it going to be until the next random punk off the internet tries to probe your security?

    < 00.1 second.

    Good luck with your vendetta, I hope it works out for you.

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
  19. We already had this argument. by bistromath007 · · Score: 2

    Here it is.

    And here's what I said last time.

    Let's see if I can get +5 just for linking to a comment that got +5. :V

  20. Re:bad analogy by Anonymous Coward · · Score: 3, Funny

    Replacing one bad analogy with another isn't much better. An "eye for an eye" sought to limit the amount of revenge you were allowed to take. For instance, if someone put your eye out, you weren't entitled to burn down his house with his children in it and rape his wife.
    Even in America, that right is reserved for the Feds.
    In modern philosophy, the whole concept has been replaced with the idea that you should love the people who are destined to burn in hell forever.
      dammit, why can't i ever NOT be sarcastic.

  21. That's not an equivalent by dutchwhizzman · · Score: 3, Insightful

    That's not an equivalent. That's the only way you can try and get "justice" if law enforcement doesn't take care of the perpetrators, but it's not a digital equivalent. Let me put it to you this way: If someone was to come into your house and murder your significant other. Would it be okay if the police were to find them and kill their significant other, without trial? Because that would be an equivalent too. The law deals with these things not by revenge or "an eye for an eye", but by (hopefully) proper research, apprehension of the suspects and a fair trial. Hacking back isn't any of those.

    --
    I was promised a flying car. Where is my flying car?
  22. Re:Well, sure by Opportunist · · Score: 3, Insightful

    And two rights make up what's left of the Constitution.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  23. Re:Well, sure by Opportunist · · Score: 2

    Be gone with your heathen argumentation. In the Book it said "go forth and multiply", not "go forth and add".

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.