Congressman Proposes Organizations Should Be Allowed To 'Hack Back' (engadget.com)
Engadget reports:
Representative Tom Graves, R-Ga., thinks that when anyone gets hacked -- individuals or companies -- they should be able to "fight back" and go "hunt for hackers outside of their own networks." The Active Cyber Defense Certainty ("ACDC") Act is getting closer to being put before lawmakers, and the congressman trying to make "hacking back" easy-breezy-legal believes it would've stopped the WannaCry ransomware. Despite its endlessly lulzy acronym, Graves says he "looks forward to formally introducing ACDC" to the House of Representatives in the next few weeks... The bipartisan ACDC bill would let companies who believe they are under ongoing attack break into the computer of whoever they think is attacking them, for the purposes of stopping the attack or gathering info for law enforcement.
Friday The Hill published a list of objections to the proposed law from the CEO of cybersecurity company Vectra Networks. "To start with, when shooting back, there's the fundamental question of who to shoot... We might be able to retaliate, weeks or months after being attacked, but we certainly could not shoot back in time to stop an attack in progress." And if new retaliatory tools are developed, "How can we be sure that these new weapons won't be stolen and misused? Who can guarantee that they won't be turned against us by our corporate competitors? Would we become victims of our own cyber-arms race?"
Slashdot reader hattable writes, "I would think a proposal like this would land dead in the water, but given some recent, and 'interesting' decisions coming from Congress and White House officials, I am not sure many can predict the momentum."
So if Mallory hacks Bob, who turns around and mistakenly hacks Alice, who then fights back until Bob and Carol are destroyed. Whom does Carol sue?
Nullius in verba
Wasn't there something like this that was actually passed into law? Or at least there was something like this that was proposed and got support last season
let's extend the law so that if someone is breaking into their house, we can break into theirs! gather our own evidence! EYE FOR AN EYE!
... to launch another Iraq War on fake accusation. Look, IP address is such an indisputable evidence!
The monumental amount of stupi-....one of the first things a 'hacker' does when launching an attack is obscure their origins. They use someone else's machine, like a University's, or a Hospital's, or even one owned by the Department of Defense. And you want to hand people a license to f*ck up what they 'think' (and I use that word broadly here) might be attacking them? How is the DoD going to react to Pfizer launching an all out assault on them because they 'think' an attack is coming from some DoD machines?
It takes weeks, months, possibly more to track down the owners of Botnets, from which Distributed Denial of Service attacks may be launched from zombified machines. That requires investigation, international at times.
And we don't need any laws for what is already an illegal practice.
But is it really going to be any good without Brian Johnson? Can Angus Young fill his shoes?
If not, does that mean when being hacked/spied/wiretapped by a government agency, we can fight back?
When the RNC spams, links to some partisan fake news, and their linked page hosts a malicious ad or simply bad code that resource hogs, we can DoS their ass, since that would impede spread of said malicious code?
Can we go after robocallers too, since they largely use IP networks anyways? Is the FCC fair game if they allow no ring voicemail spamming?
And instead of blocking and rate limiting DoS attacks from bot networks, we can flood everyone's freaking lines in response. And then those networks in turn can respond back. The cascade, the snowball effect would result in one hell of an avalanche.
This is freaking brilliant, and by that, an utterly brain-dead stupid idea.
No one. She's not an organization, she's a peasant.
Viacom could hack you under these rules for "believing in good faith" that you may be suspected of possibly being related to an attack on them, and do whatever they want.
You want to defend yourself from this sudden intrusion and figure out who that was, maybe drag them to court over this illegal hacking?
Yeah no. You're a criminal under the CFAA now.
We are on the highway to hell sue them all!
The big issue isn't the question of who to shoot (what's it matter if you take a while to get them, so long as you get the right people?). It's also not "How can we stop the tools being misused", because the simple truth is that we can't, and that they'll get their hands on tools like this even if we don't pass this moronically-named act.
The real concern is that we're trusting big business to use this appropriately. I can guarantee that it won't. The RIAA and MPAA are probably wetting their pants in anticipation of this so they can start hacking internet users to get their identity and extort money out of them, for example. I'm sure they can manufacture some evidence that they were "hacked first". Companies will also be using it against each other. (Microsoft: "No, honest guv. We saw a hacking attempt from both Google and Amazon simultaneously, with an assist from Apple too. We totally had to hack them back. It's just a coincidence that our subsequent product launches seemed almost to have anticipated our competitors' products.") Etc., etc.
Big business can't even be trusted with the tools it already has. It sure as hell doesn't need this one too!
The monumental amount of stupi-..
Yes, it's true. That's why I come nearly every day to correct people as monumentally stupid as yourself. Such epic levels of disastrously misguided thought cannot be allowed to stand without challenge from someone with common sense and logic.
one of the first things a 'hacker' does when launching an attack is obscure their origins. They use someone else's machine, like a University's, or a Hospital's, or even one owned by the Department of Defense. And you want to hand people a license to f*ck up what they 'think' (and I use that word broadly here) might be attacking them?
Here's where you went full idiot. Never go full idiot.
The attacking system is ALREADY COMPROMISED.
Are you really so stupid you think the proposal is about attacking the actual attackers system? Apparently so.
But no, that's not what the proposal is about. It's about being able to hack the ALREADY HACKED SYSTEM to stop it from attacking you. Yes it might be a hospital, bank, government, whatever - it's already screwed, bringing down that system does vast amounts of public good:
1) No more attacks on you - AND on other systems it may have been attacking.
2) Reducing danger to the org with the infected box because now it's not a portal to attack other internal systems (which sadly are already compromised, but it might be a proxy for the control mechanism so still good).
3) Protects the users of those system from possible further spread of viruses or malware.
4) There is a more massive indirect benefit that if systems start going down because of hacking, more companies will take IT seriously, thus over time fewer systems would be compromised to begin with. Currently it does not SEEM like there is much of a problem, because an intruder wants the system to stay online and appear to be working - even as the intruder harms others and gains deeper access.
Any IT department SHOULD *cough*BA*cough* be able to bring up a backup system if the compromised one is taken offline. So while there may be some small outage as a result the overall good to be done is WAY more than the harm you are causing by taking a compromised system offline. You can of course tell a company you are about to take a system offline and let them do something about it if you are kind, but then again they really were not letting themselves get compromised and not detecting it so...
How is the DoD going to react to Pfizer launching an all out assault on them
With gratitude when they find out why. Even if begrudging.
Also of course, while such a law would just allow you to attack a compromised system, every company would look at where the attack was from and decide if trying to take down the system was a good idea from a legal standpoint - you can be pretty sure a lot of people would be running CYA messages up the flagpole about taking down a system in the military or a hospital. Did you even consider that just because people CAN do something, does not mean they WILL?
That's what I do not get about you state control fanbois, you think because you have no self control it applies to everyone else - including large companies which are the very definition of cautious with any risk.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Since we know, thanks to various whistle-blowers, that the NSA and other US government organizations have hacked most if not all US citizens, this bill would now give any citizen a reasonable belief they were hacked, therefore a legal right to hack back. Where do I sign?
ATTACK DETECTED FROM 127.0.0.1!!!!
Proceed with nuclear launch to coordinate?
--sf
Most interesting people would just hop to a nice fast, open staging server.
From that they would use the network speed to move a lot of plain text unencrypted US data.
Clean up the logs, drop some really fake code litter, move the data around a few more servers and finally move the data to a safe location.
What is the USA going to see? The ip range of that first staging server...
A totally unrelated set of networks and computers will feel the full force of US cyber "fight back"?
That nation will tell the tech media of the deep penetration efforts by the USA on some vital/special/ISP/commercial server and network.
Most governments also use their other nations domestic ISP networks ip ranges to look around the "internet" and do spy things.
Could be a home user on a modem downloading plain text data from a wide open US server again, or it could be the last hop by some other very distant gov/group.
Does the US want to "fight back" on some ISP in an unrelated nation? To find the next hop to another ISP and nation?
Keep on hacking back and hope the next hack is the real person trying to get the data in front of their own home computer?
The "fight back" won't find the destination, it will just damage some ISP/network/university/brand used in some random nation. Or some easy network in some nation that got hacked for its speed and unexpected ip ranges.
It's not the 1980s with one user, a dial up modem and their home computer entering advanced US networks directly. Even in the 1980s most smart people used a few different educational and private sector networks around the world before their final US network of interest.
A lot of work for brands, companies, educational and medical networks and ISPs, who will have to clean up after the USA attempts another "fight back" as they saw the ip, the network connection and attempted to "stop the attack" with some clicking around on some contractor's GUI.
Domestic spying is now "Benign Information Gathering"
This comes from the old mindset that a good defence is a good offence. That may be true in traditional warfare, but not in "the cyber" [ironic quotes].
A good defence is a good defence. That's the end of it. But these out of date fossils don't or won't learn that.
The real "Libtards" are the Libertarians!
It's an IP address.
It's not necessarily the compromised system anymore, or maybe never was because the IP address in nearly every case is a gateway and not the actual compromised system.
You've built a vast pile of irrelevant words on your faulty premise.
True - a good example is the Australian Census "hack" that turned out to be allocating fewer resources than Slashdot has to a site that was expecting around five million hits around 7pm on a Tuesday night when everyone had been told to log in.
There were loud screams of "hack" to try to pretend that it hadn't been mismanaged.
I feel like what they're getting at is some version of the Letter of Marque, which in old sailing days allowed a privateer vessel to go around attacking enemy ships with the blessing of the government. With some modern version, the government could authorize certain security firms to go after hackers, and businesses could contract with these firms to protect them from attack and/or retaliate against attackers. I can't see most businesses, even large corporations, setting up their own retaliation corps--the expertise is rare, expensive, and would probably go mostly unused.
I'm not saying that's a good idea, but it's certainly far more realistic than giving, say, Colgate-Palmolive carte blanche to hack anyone who they thought hacked them first. That just seems like it would lead to chaos. At least with Letters of Marque, the chaos would be contained to some smaller group of security-related companies that maybe would have to go through some certification to get that status. That way leads to digital Blackwater, though, and is that really that much better?
Hackers generally attack through innocent 3rd parties, either compromised machines, bots or whatever. So what exactly do you hack back against? And what if there is collateral damage?
1. Hack your target covertly.
2. Use your target to send a very non-covert attack against any major organisation with a reputation for active defense
3. Sit back and watch the retaliation.
There's some cases when you could invoke something like BrickerBot against a DDoS attack coming from a bunch of webcams and other unsecured devices. Would I be allowed to attack back against these devices and brick some random guy's webcam or router simply because it's unsecured and being used in the attack?
I mean that's the right target, right? I should be allowed to use the same exploit used to compromise that system en masse and destroy vast numbers of webcams or routers or whatever devices are attacking me, right?
It is no longer uncommon to be uncommon.
Congress loves to pass laws regarding "cyber security" without understanding a thing about it. Forget that most attacks are through compromised devices anymore, or via cloud hosts. Most companies that get "hacked" are that way due to poor security in the first place. To think they would be smart enough or robust enough to turn around and hack the people who hacked them, is pure stupidity. Recall that FISMA was supposed to stop the government PCs and networks from being hacked, but it did not, nor did it stop stolen devices from being compromised. SIPR and NIPR were supposed to be separate, but in many cases they run on the same network gear. Congress should get a real CISO in there, to help teach them what security is, before they try any more laws regarding it.
You can't defend something you don't own. There was a time in which the Internet was treated much like a highway driven by cars leased from our ISPs and the desktop like our homes, but Google changed that, Micro$oft is making it worse, and the FCC is bringing their own tyranny into the mix. No one in the U.S. has to hack you or even get a warrant, they can just legally purchase your browsing information. There are too many laws and ways of thinking that would have to be changed as a result of this for those in power that need them for their Muslim witch hunt excuse for the digital fingerprinting of everyone or companies that need the capitalistic advantage for this to happen. I honestly can't remember the last time a bill that made sense was passed that had no twisted ulterior motive in the end. Would we have an "NRA" for computer self defense? This would never happen in the "UKGB."
It's called a honeypot. Put a server on your system with valuable-looking but fake data. If a hacker goes for it, you are (1) wasting his time, (2) corrupting the trustworthiness of all the data he's collected, and (3) helping expose him via monitoring tools you've placed on the honeypot.
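The honeypot comment above describes the defensive alternative to hacking back: seed decoy data, then watch for it being touched. The following is an added example, not code from the thread or from any product it mentions; it shows the "corrupting his data / exposing him" half of that idea with honeytokens. Each decoy credential carries an HMAC-derived marker tied to the place it was planted, so when the marker later shows up in an auth log you learn which decoy was stolen without needing to attribute the source IP. The key, the decoy labels and the log lines are all constructed for the demo.

```python
"""Honeytoken demo: plant marked decoy credentials, then detect the marker in logs.

Constructed example. The HMAC key, the share labels and the log lines below are
made up for illustration; nothing here talks to a network.
"""
import hashlib
import hmac
import re

# Assumption: a server-side secret that never leaves the defender. Anyone who
# only holds a planted token cannot forge a token for a different label.
HONEYTOKEN_KEY = b"rotate-me-before-real-use"

# Tokens look like "ht" + 16 hex chars, e.g. ht3f2a9c... (fake credential material).
TOKEN_RE = re.compile(r"HT([0-9A-F]{16})", re.IGNORECASE)


def make_token(label: str, key: bytes = HONEYTOKEN_KEY) -> str:
    """Derive the marker for one decoy from its label (where it was planted)."""
    mac = hmac.new(key, label.encode("utf-8"), hashlib.sha256).hexdigest()
    return "ht" + mac[:16]


def plant_decoy_records(labels):
    """Fake-but-plausible credential rows, one per decoy location.

    The marker is placed in the field an intruder is most likely to copy and
    reuse (the API key), so reuse anywhere we can see logs reveals the theft.
    """
    rows = []
    for label in labels:
        tok = make_token(label)
        rows.append({
            "username": f"svc_{label}",
            "api_key": "AKIA" + tok.upper(),   # AWS-style prefix, constructed
            "label": label,
        })
    return rows


def detect_hits(log_lines, labels, key: bytes = HONEYTOKEN_KEY):
    """Scan log lines for any planted marker and map it back to its decoy.

    Returns a list of (label, line). Markers not derived from `key` and a known
    label (e.g. an attacker guessing the format) are ignored, which keeps the
    alert tied to a decoy we actually planted.
    """
    lookup = {make_token(lbl, key)[2:].lower(): lbl for lbl in labels}
    hits = []
    for line in log_lines:
        for m in TOKEN_RE.finditer(line):
            label = lookup.get(m.group(1).lower())
            if label is not None:
                hits.append((label, line))
    return hits


if __name__ == "__main__":
    labels = ["finance_share", "hr_share"]
    decoys = plant_decoy_records(labels)
    stolen = decoys[0]["api_key"]
    # Constructed log lines: one shows the finance decoy being tried against us.
    logs = [
        f"2017-05-12T02:14:07Z auth FAIL key={stolen} src=203.0.113.7",
        "2017-05-12T02:14:09Z auth OK user=alice src=198.51.100.4",
        "2017-05-12T02:15:00Z auth FAIL key=AKIAHT0000000000000000 src=203.0.113.9",
    ]
    for label, line in detect_hits(logs, labels):
        print(f"decoy '{label}' used: {line}")
```

Because the marker is bound to the label, a hit tells you which decoy leaked (which share, which host, which document) rather than just that "something" was stolen, and the monitoring that produces the alert is entirely inside your own network: no packets are sent at anyone, which is the whole point of the comment.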
Laying waste to rival corps' data, exposing their internal emails and phone conferences.
Wasn't there an RPG like this?