FBI Monitoring Hacking Targets For Retaliation
An anonymous reader writes: As high profile security breaches continue to grab headlines, little is being done visibly by the government to prevent future attacks. This is prompting some victims (and potential victims) to find creative ways to stop the hackers. The FBI is now concerned that U.S. companies and institutions are themselves breaking laws by retaliating with cyberattacks of their own. "In February 2013, U.S. officials met with bank executives in New York. There, a JPMorgan official proposed that the banks hit back from offshore locations, disabling the servers from which the attacks were being launched ... Federal investigators later discovered that a third party had taken some of the servers involved in the attack offline, according to the people familiar with the situation. Based on that finding, the FBI began investigating whether any U.S. companies violated anti-hacking laws in connection with the strike on those servers, according to people familiar with the probe."
dey be gettin haxxed!
Disabling servers from which an attack is being launched against you isn't "retaliation". That's self-defense. Now, I know that striking back at the right target isn't easy, and some "innocent" people may get hurt, but if you are being attacked, and some third party's stuff is being used to attack you, you're still not "retaliating" if you damage that stuff in an attempt to end the attack.
They are concerned because some of these attacks are perpetrated by the FBI/NSA/CIA.
Can't have people retaliating against their own infiltration operations...
Too bad the internet's down in North Korea, they'd be interested in this story for sure!
An i(phone) for an i(phone) and a (blue)tooth for a (blue)tooth.
I'm not sure what else to infer from a story that implies the FBI is investigating JPMorgan for criminal activity...
Catch the people defending themselves.
And I am all for it.
...should you not defend yourself?
as if the FBI/CIA/NSA aren't already tools of the plutocratic multi-nationals.
i believe that the only reason they don't want them doing it on their own is that it robs the 3-letter agencies of political glory.
never bring a twinkie to a food fight.
I know I shouldn't say it but this is completely fucking awesome. We live in a cyberpunk future!
Is this the same FBI that told us NK was responsible for the Sony hack?
Federal Bureau of Incompetence.
"If any question why we died, Tell them because our fathers lied."
Normally I would be against this, but nowadays hackers are mostly just extortionists. Not to mention the damage they've done to the work done by real hackers trying to protect freedom. Really, I think this generation of hackers just needs to be purged so the scene can get back to normal.
As high profile security breaches continue to grab headlines, little is being done visibly by the government to prevent future attacks. This is prompting some victims (and potential victims) to find creative ways to stop the hackers. The FBI is now concerned that U.S. companies and institutions are themselves breaking laws by retaliating with cyberattacks of their own.
If a law is never enforced and nothing is done to those that break that "law" (subject: the hackers), why would they think anything else except others expecting the law to not be enforced and nothing is done to those that break that law (subject: the companies)?
In what universe can the FBI hold a straight face and even claim there is a law being broken when the fine for that crime is "nothing" with a jail sentence of "nothing" and a punishment of "nothing"?
When I was at Defcon, there was a random guy looking for hackers to attack back after his company had been breached. This to me seems like more of the same, meaning there are folks who know literally nothing about the culture or what is involved in such an attack blindly hiring people that say they can deliver in terms of retaliation. How can they be measured? What are these folks going to do when they have a Bay of Pigs type failure in their plans of cyber retaliation? Doesn't this then just promote a cycle of attack followed by failed retaliations thus causing more loss than the initial breach?
but not ok for anyone else. this is what happens when governments routinely skirt the law.
the companies wouldn't have an incentive to do that.
- Zav - Imagine a Beowulf cluster of insensitive clods...
In light of the recent Sony hacks, I am pretty certain that retaliation is not the same as well-implemented security.
Since when is "retaliation" part of the police's job?
They are there to prevent crimes and there to find out who did a crime. Or at least... that should be their job.
Is anyone surprised by the attitude of the FBI? They're cops. Cops are people who ignore you when you report a theft or assault, protect their own skins instead of the public, then throw you in jail for carrying a weapon to defend yourself.
Gamingmuseum.com: Give your 3D accelerator a rest.
Dog in the manger. Can't protect you, can punish you for doing anything to protect yourself.
I figure if I can shoot a person for shooting at me then I can hack a person that's hacking me.
Why not allow retaliation? If someone throws the first punch you should be allowed to beat their ass into a bloody mess. Just my honest opinion.
... defend itself, should it be granted legal immunity when it seeks revenge? Because 99% of these hacks are the byproduct of insecure systems from either (1) inadequately updating their systems, (2) badly configured setups due to underfunding, and/or (3) badly configured setups due to incompetence on the part of the IT staff or executives who demand a crippled system. It's often comparable to a bank vault that leads directly to the outside, covered with a paper sheet as a door.
Meanwhile, the notion that the government is there to proactively defend you is absurd and a ridiculous standard for a basis on retaliation. And if the issue is the police/FBI having really bad follow-up on catching criminals, especially cyber criminals, well, welcome to the internet and everyone else's position. Given how difficult it is to even find most cyber criminals with a little bit of effort on the criminals' part, it's hard to justify holding the government to task for not seeking out and punishing every example, especially when (1) insurance covers most losses in banks and (2) most instances of security breaches involving computers are preventable on the part of banks. In short, insurance rates go up and the bank suffers the consequences for its lack of vigilance* in the first place.
Now, if you wanted to argue that we should grant more right to the notion of federal or internationally licensed private investigators who have more leeway into questionable computer usage, I'd see some basis for that. Or if the discussion was about working to further refine security and promote companies do a better job of securing their systems, I'd love to hear that discussion--the recent PHP article highlights just how bad things are. Or if the discussion was about when the police/FBI fail to act even when you bring all the evidence, then we could have a discussion about the failings of the system to bring justice and how we can work to improve it.
But when you call for vigilantism on something as mundane as white collar crime where the end harm is almost always just a marginal increase in insurance rates, it's really hard to get behind the notion of the desire or need. It sounds more like more white collar accounting that figures it costs less to engage in criminal activity than to do the proper ongoing security or pay the nominal insurance rate increases. There's nothing particularly noble or engaging in the justice scene over that. But, then, perhaps I'd feel differently if we weren't simultaneously having a public debate about unarmed black men being shot and killed by police.
I mean, if the government can't defend you, should you not defend yourself? It would seem the Black Panthers had it right all along.
* The very notion of a bank is to provide defense and security of others' assets. When they fail, they're also set up to replace as best as possible those assets. That a bank fails and actually sees vigilantism just grants me little confidence in the bank because it indirectly is saying that it not only failed once to do its job but it needs to seek out the criminals to try to set an example because it's such a problem. If it were really a one-off, once-in-a-blue-moon thing, then they'd be able to adequately take the one-time write-off and possibly improve their security a bit. Clearly, it's such a problem now that they're seeking to just attack criminals in a vain hope that it'll improve their image with criminals.
God forbid you punish the actual criminals who did the crime. No, you must blame the racist police and the brutal American soldier. That's Obama's America. I say we let respond to every cyber attack either with a 10 times worse counter-attack or we identify the source and send a Predator in to take out the building. Our government has let China steal our technologies for years with no punishment. It's time to punish them. I can't stand that we have a coward for a President and idiots for voters who are too stupid to know what's happening.
You mean, if they were asking for it, should they just suffer the attack and not defend themselves?
Forget legal aspects.
In many countries there are legal limits which prevent youngsters from being prosecuted. Yet teenagers can (and it is progressively easier to) hack a target just for fun. Or even based on a reasonable motive (which still doesn't change the aggression aspects of such an act).
That situation applies both to national attacks against national organizations and to aggression against foreign countries. What to do? The problem is too much power in the hands of individuals and the integration of controls with networks (internet of things). We may face big problems if we don't implement the right controls.
The search for cost reduction (e.g. on eliminating local people to press buttons, perhaps even due to other reasons) may cause disasters which we'll be unable to undo. In the past we were lucky the right persons were in position to avoid the worst. Since more and more is done online, someone might "press a button" without the understanding or the sensitiveness needed to appreciate the consequences.
This is really becoming a global-scale problem. For starters, I'd suggest the creation of an association between USA, Russia and China (I'm not a national of either one) with power enough to veto automatic aggressions or retaliations between members. Much of the present tension would be prevented with that. It's not enough (see Ukraine) but it could help.
Is this the same FBI that told us NK was responsible for the Sony hack?
Federal Bureau of Incompetence.
I just wish we could get all the incompetence located in a single bureau. Tim S.
And thanks for being a business apologist. We're talking about an organization that (1) is specifically constructed specifically to maximize the collection of money and (2) which can use that money to defend itself in a multitude of ways that are not in any way offense or extralegal that should be sufficient to protect its interests.
Honestly, "suffer the attack and not defend themselves"? You act as if the company is being raped and I'm asking that they willingly comply. Yet the better analogy is pointing out that you as a bank don't throw the bank vault's money onto the street corner and then bitch and moan that the police aren't so apt to cover your ass proactively or retroactively or that you feel a right to go all Batman on the street thugs when if you had actually used some of the money to build a vault and hired some guards, none of this would have likely happened.
Now, in the unlikely event you actually got bank robbers with blow torches that cut through the wall in the night, I can see the complaint. Yet even then it's only money and there's zero reason to engage in extralegal activity unless you think the government is itself complicit in the crime.
PS - It's this article and the recent previous article covering the Sony Pictures hack that really wish hacks like you would have some perspective. Every day there's PEOPLE who are robbed of money in all sorts of ways, including fraud from banks. Yet I doubt you'd argue it okay for them to expropriate money from the bank through the internet to correct the injustice because the government isn't stepping in to help. Meanwhile, actual people are being raped, killed, etc and the police are too often part of the problem, and yet we see the discussion about police brutality warped into a race discussion when all those 2nd Amendment huggers* in most any other circumstance would be so gun-ho about their guns and govn'mnt. Of course, the fact we don't hear that is precisely why we think it's redneck racism, but that's a digression from the real point. Anyways, this all reeks of a hypocrisy that really doesn't have me crying over what all amounts to slightly higher insurance rates and perhaps a bank or two who will finally invest properly in their online security.
* And I'd call myself a 2nd Amendment hugger, except I realize the absurdity of extrajudicial activism argued as a matter of course regardless of whether it's a gun or whatever. Yes, it might be a necessity, but to so quickly call for guns involved in a non-gun situation as a solution... Meanwhile, that guns aren't suggested in a gun situation... *sigh* An eye for an eye, a tooth for a tooth. And companies are like a Beholder, where they have many eyes than you or are and to pretend they should have the same privilege without clearly having the same level of consequence... Honestly, the whole discussion is so apples and oranges to the core notion of self-defense, especially since even the most ardent "stand your ground" laws don't advocate hot blooded let alone cold blooded pursuit. But, then, that is all about law and not using a company as a smoke screen to try to do the otherwise clearly illegal that could land you personally in jail. Because why would you want to suffer the consequences?
Great idea... why didn't we think of that?
o.0
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
These posts are how we wrap up 2014 and it looks fucking bleak, mate..
Companies need a red phone equivalent to the White House red phone, so people don't start playing thermonuclear war over nonsensical bs like addresses and SSNs.