Should Private Companies Be Allowed To Hit Back At Hackers? (vice.com)
An anonymous reader quotes a report from Motherboard: The former director of the NSA and the U.S. military's cybersecurity branch doesn't believe private companies should be allowed to hit back at hackers. "If it starts a war, you can't have companies starting a war. That's an inherently governmental responsibility, and plus the chances of a company getting it wrong are fairly high," Alexander said during a meeting with a small group of reporters on Monday. During a keynote he gave at a cybersecurity conference in Manhattan, Alexander hit back at defenders of the extremely common, although rarely discussed or acknowledged, practice of revenge hacking, or hack back. During his talk, Alexander said that no company, especially those attacked by nation state hackers, should ever be allowed to try to retaliate on its own.
Using the example of Sony, which was famously hacked by North Korea in late 2014, Alexander said that if Sony had gone after the hackers, it might have prompted them to throw artillery into South Korea once they saw someone attacking them back. "We can give Sony six guys from my old place there," he said, presumably referring to the NSA, "and they'd beat up North Korea like red-headed stepchild -- no pun intended." But that's not a good idea because it could escalate a conflict, and "that's an inherently governmental responsibility. So if Sony can't defend it, the government has to." Instead, Keith argued that the U.S. government should be able to not only hit back at hackers -- as it already does -- but should also have more powers and responsibilities when it comes to stopping hackers before they even get in. Private companies should share more data with the U.S. government to prevent breaches, he said.
No, not unless regular people are allowed to do the same.
One of the most BASIC things to do in hacking is cover your traces by making it LOOK like you're someone else.
So, naturally the best way to harm corporation X, would be to hack corporation Y, but leave lots of evidence that it was corporation X, thus causing Y to attack X.
Some people encrypt by using rot-13 twice. I prefer the more secure method of using rot-1 a total of twenty six times.
Absolutely! We can treat this as an assault, in that the aggressor loses the legal ground and the victim has a reasonable defense. Even when the defense is an offensive response.
s/responsibility/profit center/
Pining for the days when The Glorious MEEPT!!! graced SlapDash with his wisdom.
These guys can't secure their servers in the most basic ways, and they want to be allowed to do their own target id (I'm supposed to believe they won't screw that up?) and then take offensive action?
They'll attack the right target perhaps 1 out of 20 events. They'll attack someone at random every so often and then say 'whoops! We screwed up! Sorry!'.
No, these corporate bozos are not the people we want dealing with such threats.
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
No company should ever be allowed to take the law into its own hands. Their response to any such issue should be to close the holes and repair the damage. Let law enforcement handle the rest.
That is unless we want a ShadowRun type society where corporations can field their own private police forces and armies. But if this came to pass I doubt we would get the magic that came with it.
I read at +2. If your post doesn't reach that level I will not see or respond to it.
https://youtu.be/b2OYNMO_mNw
I worked for a well-known tech co back in the good days, we hit back often and HARD. It worked great. How would that start war? Everything is war these days. The Govt hits, runs away, and we all have to live with the consequences. And do they help us? NO. They make matters worse. THEY start wars. Oh hey Mr Govt ... how did that last election go 4u?
I practice the art of counter hacking on occasion but do it comfortably behind a slew of different proxies or remote shell accounts that are not registered directly to my employer. That way my employer maintains plausible deniability and cannot be held accountable for anything I do. However, I do have an unspoken agreement with upper management that I am allowed the latitude required to mitigate any and all attacks possible. So if that means knocking off sites with enormous packet floods or even exploiting their weaknesses through a vulnerability, they will stand by me.
The net is still the wild west and will always be the wild west, regardless of the words written in law books.
In the same sentence? From the guy who perjured himself in congress? Hackback is a bad idea for those who might get the wrong target, sure. But the crowd that gets our guys, as well as guilty and innocent around the world killed and maimed for obscure ends in the pursuit of the petrodollar...shouldn't be doing that either. Just fix your bugs and holes and let it all bounce off. You need to do that anyway.
Why guess when you can know? Measure!
This is just asking for trouble, in the same way any home-grown attempts to control crime tend to be.
Look, you want to have a gun for self-defense? You can make that argument, but this is like saying you can go hunting the guys who robbed you.
What is this, the laziest application of Betteridge's law of headlines in /. history? Of course not. Vigilantism is _never_ a good idea. It takes years of training and constant surveillance to apply force and violence even as evenly as police do and let's face it, they screw it up all the time. You want some random yahoo who's probably mad as hell their servers just got DDoS'd doing it?
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
They should be required to follow the law as any individual would be required. The last thing we need is for businesses to be above the law or rather to have laws applied differently to businesses than they are to individuals. If businesses can hit back then individuals suffering attacks should be able to hit back too.
You can lead a man with reason but you can't make him think.
Aren't there documented incidents of retaliation against hackers harming innocent third-party internet businesses? That's why we let law enforcement hand out consequences instead of engaging in vigilante justice. (That being said, the guys who chased after the Texas church shooter are awesome!)
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Let's fry their cerebellum. #WilliamGibson
Of course, this power would never, ever be abused, right? That would just never happen, right folks?
And if they accidentally nuke your PC and its data, well..."Oops, real sorry about that. No you can't sue us, it's totally legal! What's that? You want to sue? Great, we'll see your lawyer and raise you 50 lawyers with virtually unlimited funds. See ya in court, sucker."
No, they should not, because we all fucking know exactly what kind of abuse(s) this will lead to.
Just cruising through this digital world at 33 1/3 rpm...
Sharing data with the US government is going to PREVENT breaches?!?
This is akin to saying a gang raped woman should then go out and buy a pack of condoms to prevent an STI. The US government has been the source of more breaches than any other agency. Have we forgotten that it's a non-disclosed zero day vulnerability that the US government found, weaponized, and then let out into the wild that caused the single largest series of ransomware attacks in history? The idea that the US government is in any way interested in preventing breaches is laughable. Sorry, folks are on their own.
No excuse to be hacked. Hire real security people, keep critical docs and systems air gapped.
Yes
He makes for a bad argument. First, except for N. Korea, every single other country would rather not admit they were behind the cyber attack and given the US's military strength, they will deny deny deny. No way they will admit would EVER hit back with military might.
But while proof of ID is impossible in hacking, suspicion is easy and usually accurate. When it comes to hacking, it's not that hard to tell who did it by examining motives. When the government hits back, everyone knows it's the government. When Sony strikes back, everyone knows it's Sony. Sony would likely publish N Korean secrets, while the NSA would likely try for something more physical like cutting the power to a nuclear processing plant.
As such, the government is more likely to piss off North Korea into attacking militarily than Sony.
excitingthingstodo.blogspot.com
If I'm attacked by a gunman, I can call police, who will then call military as needed, and my government will defend me. So give me the number of the person I'm to call when my company is being hacked. I'll happily call it. . .a few thousand times a day.
Sony's security was a joke! Allowing such incompetence to attack is as bad an idea as letting those with mental health problems buy guns.
OMG, what if like, and I know we'd have to get a lot of people really fucking high to get this done, what if like, we created an AGENCY whose role it was to SECURE the NATION against those foreigners that seek to do us harm. And given how big a deal COMPUTERS are these days, what if we let them have that JURISDICTION too?
Yawn.
No. Absolutely not. We do not want corporations to have offensive capabilities that are beyond the legal system. How do we know that the corporation will only retaliate against a real perpetrator? What checks would there be on their paramilitary power?
It's bad enough that we have transnational corporations with what amounts to their own private armies. Don't give them more power under any circumstances. If they don't like the response that the FBI, Interpol and other law enforcement agencies are making to attacks on their systems, maybe they could start paying their taxes so law enforcement can improve its response.
You are welcome on my lawn.
Disabling the server that is attacking you is FAR different than harming a human being. So have at it. Hack back. Take them off the air.
in the industry, this would be incredibly stupid and only create more problems than it allegedly solves.
Doesn't stop the cowboys that already do this until it blows up in their face, again.
Let's also do this for people as well. If I get cheated by a bank charging exorbitant bank fees, let me hit the bank back by destroying some of their property!!!! Yay!!!
Dumbest. Idea. Ever.
What is actually happening is that the cyber crime division at government agencies is underfunded. The best approach is to increase taxes (which the corporations would have to spend on their hackers anyway), and have a government function in say the FBI that follows the law (loosely, but better than any corporation ever would) and is answerable to the people (loosely, but more than any corporation ever would) and fund cyber crime investigation.
I can easily imagine such a retaliatory attack to go awry in a big way with all kinds of collateral damage.
CUR ALLOC 20195.....5804M
Attribution is extremely difficult, especially if all you have to go on is forensic artifacts which are easily forged. I don't believe any private organization is going to be in a position to arrive at an attribution that would legitimize a hack back situation. That doesn't mean I don't believe in active defense. Beacons in documents, etc. which let you know if/when/where they have been opened is one thing. Launching a cyber assault based on that is another.
Hell, even most governments, short of corroborating SIGINT or HUMINT, are going to be hard pressed to do attribution, and it would take a lot for me to agree that a kinetic response were justified -- basically a confession from the perps.
As I was reading this, I was trying to figure out where Alexander was going with it. Then I read the last sentence - "Private companies should share more data with the U.S. government to prevent breaches, he said." I guess "Let us fight back for you" is the new version of "Think of the children" or "Stop terrorists"?
The US government strikes back but sets the NSA bit so that you know the US government is responsible? Of course not. They would conceal their origin just like any other hackers. So as far as NK knows everyone or no one is the US government striking back. So retaliation as a policy is just a bad idea.
If the corporate (ir)responsibility argument is made, which Slashdot-ters are making, it will have a good effect: Corporations will have to protect their networks from friendly fire which will, obviously, protect it from unfriendly fire too.
Yeah, that's a great idea, let's expand it. The government is responsible for car thieves before they steal my car. No, I'm not a corporation attempting to externalize expenses. But I deserve protection under the law, too.
What he is really arguing is that the government should bullet-proof all (business) computer networks. While government administration can provide economies of scale and (should it desire) single-buyer advantage, a fluid process, like penetration testing, should not be the responsibility of a government department.
*cough* Afghanistan/Iraq...
"getting it wrong" is the government's job! Don't be steppin' on their toes!
Correct, lots of people are stupid and misappropriate the source of attacks. Many of these people are members of Congress.
Long time ago in the newsgroups. Programmers came into Alt.Cracks (where their programs were cracked) and uploaded Trojans, viruses and huge text files titled as a book of some sort. The text files were just to waste bandwidth. They read well for a while (a few sentences) then just went south, no matter where one started. I wish I'd have saved one now, the largest piece of nonsense I've come across.
But hey, our entire legal system is based on vile childish revenge against the last-link-in-the-causal-chain scapegoat that can be grabbed most easily, due to "We're more righteous than you!", ... so what do I know?
Just imagine a company like Equifax going on the offensive: I would estimate a 95% chance that they would be utterly ineffective, with a 5% chance of them screwing up something they have not already broken. The black hats would have a field day getting companies to attack one another, vital infrastructure, or - for bonus points - themselves.
The one thing companies need to do right now in this domain is to get serious about practicing good security, and if they do, the issue of retaliation will be moot.
And they never get it wrong ever! Intelligence agencies are perfect and they never get it wrong ever! Armed forces are perfect and they never get it wrong ever! The police are perfect and they never get it wrong ever!
Oh dear?
-- nmap man page
That strategy has been around for a long time in many forms, and has a name:
"Let's you and him fight."
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
What does the "private company" expect to find in 2017?
An ISP ip connected to one user and their own desktop computer downloading files in real time?
An interesting person is going to use a staging server with a fast connection and the secure storage to compress, sort, decode, look, compress encrypt the files gathered.
The files will then be passed onto a fourth party and become harder for a later investigation to connect back to any sites, people, ISP, ip.
The days of a 56k modem, a desktop computer, a user risking their own ip to enter and download from some protected network are over.
Any smart person able to enter a site would be able to do so commanding a third party computer to do the networking for them.
That ip looking around some protected network is going to be some other random nation's fast "networked" university account, private sector, random ISP account that got taken over for some time..
Reach out and mess with that other nation and their systems in a world of "hacking back"?
That other nation's ISP, university, private sector will try and hunt down the "been hacked" event...
Just two big internet pipes pushing packets with the interesting person moving to a new server to try again.
The mythical 56K modem on an exact ip direct to a person's home with their computer is not part of this decade's cyber security thinking.
The "hack back" might work for a stolen laptop with owner installed software that broadcasts it new location.
Turn on the mic and cam? But that's for a well understood stolen computer on a new network.
Not some random computer network that looks like it is doing "things" due to "ip".
If consumer grade malware had a set "encrypted" ip expected to stay secure for its command and control that was discovered?
That might be a more isolated computer system that could be looked at.
The idea that anyone with skills looking deep into a secure network did not use a staging server or any other distant network to cover their activities would not be the best random ip to go looking around in.
Work with other nations, experts, networks; don't just reach out to a long list of ips in real time.
Domestic spying is now "Benign Information Gathering"
I feel completely certain that given this ability that corporations would never use this ability to hurt critics, business rivals, individuals who they think might be violating their terms (even if unpublished) or any other person or piece of equipment that is internet connected. Corporate entities never do any wrong and always respect the law and the right of others.
Why is Snark Required?
Private companies should share more data with the U.S. government to prevent breaches, he said.
How does THAT sound like a good idea? The NATIONAL SECURITY AGENCY can't even keep its own data secure, let alone other government agencies with other data. The only thing sharing more data with them will do is encourage more hacking of the government because it is easier than hacking the actual companies.
a kind of reverse dna hack is actually an interesting idea given a specific attack vector received, ergo the reverse specific to the payload would be consistent to responding with some sort of surrounding container and alert. we do that today with all our monitoring both self and 3rd party..
i have had this algorithm for years that would solve the problem; it's a properly equated active response to a communication; aka.. an auto cease and desist based on an ids/ips on steroids with fail2ban in hand, and auto-slow to confirm source by triangulation.. we have all the big data and the sensor net and threat mapping....
it's not a government or law enforcement issue. they are technically the protect and serve, unfortunately, they can't be everywhere all the time before the shot is fired, so we must be allowed to arm and defend ourselves...
the internet is bigger than any one government. the Internet AUP has always superseded governments though some countries prefer to say they invented the bloody thing.. actually, some really cool science folks did... the politicians just tried to take credit for it...
enjoy.. happy monday..
Are you fucking nuts? You want to hand the same corporations that sue grannies that don't even own a computer for downloading death metal songs the right to hack anything they want with impunity?
Isn't it bad enough that they can abuse the legal system that way?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Using the example of Sony, which was famously hacked by North Korea in late 2014, Alexander said that if Sony had gone after the hackers, it might have prompted them to throw artillery...
Except 'someone' did go after the hackers (not a specific target but North Korea) and DDoS'd their internet. Still no artillery thrown, so better use a different example.
It's funny though, this article wanted you to pick yes or no, but you can't pick yes. That's because if they could hack back, they wouldn't have gotten hacked in the first place. So we're left with no, not because they aren't allowed but because they don't know how to hack back.
And stop taking legal action against the people who tried to help you in the first place. Give them a reporting system and free stuff instead and all your security problems will be located in about 10 minutes.
My ism, it's full of beliefs.
Nobody should be allowed to do that, neither private companies nor law enforcement. It's called due process under judicial oversight.
"Alexander said that if Sony had gone after the hackers, it might have prompted them to throw artillery into South Korea once they saw someone attacking them back"
Throw artillery? That would be a good trick. I have a mental image of brawny NK soldiers hefting howitzers over the DMZ into South Korea.
Doesn't anyone know how artillery works now? I think the submitter meant "fire artillery".
I'm not a fan of the Stand Your Ground laws, but it seems to me, in cyberspace, that it should apply.
It really depends. Yes and no. It's largely not a problem for me, although even I can still make mistakes. Usually, if you break it, you pay for it. If you're counter hacking it's more liability where as hacking with malicious intent would be genuinely criminal. The law might not necessarily reflect this however as it tends to consider all hacking as criminal with intent merely a matter for sentencing.
A minor problem that can be managed is people using it as a shield for malicious hacking. A major problem is that half the people out there who think they know about security and hacking are Dunning-Krugers. I can speak for my own strengths and weaknesses fairly well, especially as they are empirically measured over time, but I don't see others as equally capable in that regard. I've seen a lot of people float into security failing sideways when they didn't cut it to be developers. Some very well established top security researchers have been in the press, as well as security companies that have released publications, but I have found them to be incorrect, wanting or sometimes completely idiotic or otherwise wanting. In many cases because they've ended up really doing PR for companies that get hacked or are so exclusively focused on security they don't understand anything else around it and take things out of context, doing things like assuming any inexplicable traffic must be something nefarious. Many do not know how the internet really works and can't tell the difference between badly written software and malicious software, which happens if you focus on the theory part (software should not behave like this, but in the real world, things are a hell of a lot more chaotic). Others rely too heavily on unreliable evidence, for example, if an IP address came from Spain, then the hackers must be from Spain. As in increasingly more technical fields today, a lot of these people are not particularly talented at what they do. They have simply taken that path, studied it, specialised in it, whereas other people invest their time and personal growth elsewhere. These are increasingly the average member of the security community, and the average person can't tell those who have merely accumulated knowledge that they can recite from those who understand.
If a good portion of the so called specialists are frauds then I'd have little faith in the average company having a clue what it's doing.
On top of that you have all kinds of special cases to consider, like what happens when a hacker hits a competitor, you counter hack and now you're accidentally committing industrial espionage.
Personally, as much as I like counter hacking, I can't see it as something that is at all easily enabled widescale.
You're incoherent.
This sounds the same as a pro gun controller arguments.
If my neighbor pisses on my lawn, do I have a right to go piss on his?
No.
That's called vigilantism. We do not have a system of vigilante law in the US. We are better than that, at least we are supposed to be.
I do think private companies are more competent than any government, and know better how to secure their assets. So, hacking back is fair game[ and governments should be glad for it].
"you can't have companies starting a war. That's an inherently governmental responsibility" I would argue that it's the government's responsibility to prevent war when possible and never to start one!
"That's an inherently governmental responsibility"
And governments sure don't hesitate or hold back at being good at having them. How many last century? With how many dead . . . wasn't it 150+ million? What was the cost? As long as the leadership knows it is safe and making more $'s, why not have another?
Not promoting wars between companies, but companies hacking companies, bad as it may be would be much smaller and more subdued.
Some half-wit multinational tells their new hire with a cert in security to hack back... and the fool doesn't begin to have the experience to distinguish between a direct malicious actor and someone's grandparent's infected home computer, and they fry it, along with all their pics of their kids and grandkids, and they have lost everything, and don't know why. Certainly, they won't know who to sue for that action....
And double Fuck No!
This is a laughably bad introduction chapter to a cyberpunk dystopian hellscape where corporations employ their own hit-squads, hackers, and armies.
There's no real difference from breaking into a hotel lobby at night and trashing it, peeking a the guest registry, and robbing the cash drawer. Should corporations be able to break into a person's home, trash it, peek at their mail, and rob their wallet? Just because they suspect you might have been the one to throw paint around in their lobby? No? Then this too is a bad idea.
I guess you don't know much, or you are not from here. In civil matters attorneys go after the biggest pockets that can be argued to be responsible in some way, and sometimes it does get ridiculous. In a criminal case, the prosecutors go after the people on whom they have the most solid case and best chance of conviction , because they don't have time to waste on maybes, and they only get one chance because of our double jeopardy prohibition.
See subject: Says it all, 100% fact/truth, period...
APK
P.S.=> Hence my creating APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ vs. it. It works... apk