Slashdot Mirror


Hacktivists, Tech Giants Protest Georgia's 'Hack-Back' Bill (threatpost.com)

lod123 shares a report from Threatpost: As Georgia Governor Nathan Deal considers whether to sign a controversial piece of legislation that would allow companies to 'hack back' with offensive initiatives in the face of a cyberattack, companies from across the tech spectrum are lining up to protest the measure. Also, a hacktivist group has targeted Georgia Southern University, two restaurants and a church to protest the bill. Opponents have twin beefs when it comes to Senate Bill 315: Some are questioning whether legitimizing offensive attacks will open the door to a new kind of corporate warfare; and others are concerned that the law will have a chilling effect on cyber-research by criminalizing white-hat activity like vulnerability research and pen-testing.

Google and Microsoft are in the former camp, and have asked Deal to veto the bill, which was passed by the Georgia General Assembly in March and which is nearing its deadline for signing into law. The two giants take issue with a provision in the bill that allows "active defense measures that are designed to prevent or detect unauthorized computer access." In a letter to the governor, the two argued that S.B. 315 "will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions," and that "provisions such as this could easily lead to abuse and be deployed for anti-competitive, not protective purposes." They added: "On its face, this provision broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity... [B]efore Georgia endorses the 'hack back' authority in 'defense' or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy."
Tripwire also filed a letter with the governor's office: "[A]ccording to the wording of S.B. 315, well-intentioned ('white-hat') researchers could be subject to civil or criminal prosecution when following industry best practices in investigating a website for protection from a potential cyber-attack. It is our firm belief that an explicit exception is required to exclude prosecution when the party in question is acting in good-faith to protect a business or their customers from attack. Without this exclusion, S.B. 315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses."

82 comments

  1. Because in Georgia... by Zurkeyon3733 · · Score: 0

    2 Wrongs DO Make a right! :-D

    1. Re: Because in Georgia... by Type44Q · · Score: 2, Interesting
      Certain elements in Georgia clearly are anxious to have their state appear savvy, assertive... and most of all, unlike a bunch of dumbass hicks.

      As for whether or not they've succeeded... we shall leave that as an exercise for the reader. ;)

    2. Re:Because in Georgia... by Anonymous Coward · · Score: 0

      I want AWS to open a data center in Georgia now! (In fact, there are probably already regular cloud data centers there!) You can initiate all of your hacking strikes from there and just say "I'm just hacking back".) :-D

    3. Re: Because in Georgia... by Anonymous Coward · · Score: 0

      This is going to be an easy one to get revoked if it happens to pass.

      1) Lookup and type into a .txt file the IP of the states webhost. Name the file securitylog.txt, and anonymously give that to the local news reporters with a claim that the states website is launching attacks.

      1.5) Take a legit snort log or other IDS log and insert a fake line with the above IP, to give the claim more credibility.

      2) DDoS the states website for weeks or months straight.

      We've seen huge botnets with massive amplification attacks that can take down the likes of ebay, amazon, and cloudflare (for a few minutes on that last one)
      Just use 0.01% of that botnet which should be plenty to take down a state operated gov website, then in a couple hours when the attack gets mitigated, switch over to the next 0.01% and so on.

      Watch exactly how quickly the law gets receded and they reassert this type of thing shouldn't be explicitly exempt from the law, and should remain a crime.

    4. Re: Because in Georgia... by Anonymous Coward · · Score: 0

      This is going to be an easy one to get revoked if it happens to pass.

      Your proposed solution is just plain asshattery and does the total opposite of promote democracy, and is just plain anti-democratic. DDoSing somebody's website doesn't make them stop what they're doing, all it does is make it so that the internet becomes more centralized as more services have to move to more expensive hosts that can shrug off these kinds of attacks (and believe me, if your goal is to take down some major company, it won't work: Their bandwidth costs are pennies compared to their overall capex.)

      All hacktivism does is promote censorship and use threats to advance a political endgame, aka terrorism. Anybody who supports it in any way is a fucking twat. You are a fucking twat for promoting it.

    5. Re:Because in Georgia... by mikael · · Score: 1

      You know where this is going to end up. Hackers will attack one retaliatory strike capability network using systems from either another innocent network or one also with retaliatory strike capability, then sit back and watch the fireworks. Or even get a network to attack itself like the elite newbie hacker who on a chat forum, used his elite coding skillz to remotely reformat the disk drives of the system at 127.0.0.1

       

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    6. Re:Because in Georgia... by Anonymous Coward · · Score: 0

      All the cyber related laws and regulations can be laid at the feet of the hackers, hacktivists, and juvenile delinquents otherwise known as the script kiddies. As the hacks and general mischief become more prevalent the laws and regulations become more draconian. And why do we need a bill when everyone is already fighting one another in cyber space? The laws we currently have are applied to anyone stupid enough to get caught. There have been quite a few highly visible cases where someone was arrested for breaking the law and handled by the court system. Governments are already fighting one another. The citizens are fighting each other and the government at the same time. So why are elected officials wasting time and money trying to create a new bill that they most assuredly don't understand in the first place? The Federal government has ceased running the country and are spending all their time and our money on investigations that are causing more harm to the country than Trump could ever do by himself. I do not support Trump in any way but those politicians, media outlets, and overzealous citizens make Trump look good. How bad do you really have to be to lose to Trump? I guess running investigations keeps his opponents from looking in the mirror and recognizing they lost not because Trump cheated; they lost because of their actions.

    7. Re: Because in Georgia... by Anonymous Coward · · Score: 0

      "promote censorship and use threats to advance a political endgame"

      You mean, like a government does? (The second part is essential, the first situational.)

    8. Re: Because in Georgia... by Anonymous Coward · · Score: 0

      "All hacktivism does is promote censorship..."

      Yeah, well if you know that, the government certainly does. When you know there are going to be agent provocateurs anyway no matter what, may as well do some of your own damage and try to make it meaningful.

      I'd personally like to see someone ransomware Georgia's government. The "fee" for unlocking the systems should be to repeal this bill. I'm really surprised nobody has really used ransomware to further political change, it's always about the damn Bitcoin.

    9. Re: Because in Georgia... by jbdigriz · · Score: 1

      We can maybe pin that down a little more. The Secretary of State suffered considerable embarrassment last year after the Kennesaw State "incident" wherein more than one un-contracted security researcher reported non-earthshaking problems with web-facing systems having to do with the State's voter registration system, which only got reported to him after the press got hold of it. We can't really blame the KSU people for keeping it under their hat, given the way the guy in Kemp's office who earlier accidentally sent out voter registration lists to newspapers in the state, the LoWV, and others got thrown under the bus for what was really an honest mistake, but which technically violated SOS IT protocol, but it seems Kemp is apparently the one who pushed for the original SB 315. We can blame them for not fixing the damn problem, though.

      The "active defense" amendment is more unclear, and I haven't had time to track it down yet, but my bet is an IT/Security vendor, probably a State and/or Federal contractor, possibly, just possibly, an NSA cutout, given the hacktivity in Augusta, and GSU, and the attempt to tarnish the EFF by association, by way of hacktivity on a church website. Read between the lines of Ms. Smith's report: I'll just note that all this activity is centered around the Augusta "cybersecurity corridor", which includes the Army Cyber Command, a large NSA SIGINT facility, the new State-owned Hull-McKnight Cyber Center at Augusta State, and various contractors. (I'm not sure if the cybersecurity dept of the CS school at the former Armstrong-Atlantic University in Savannah, now merged with GSU, is still extant, but if it has, it's probably in Statesboro now. Note to self, find out!) Anyway, all the hacked websites were managed by the same Augusta web design firm.

      Inside job? Who knows, but it's kinda suspicious to me.

    10. Re: Because in Georgia... by jbdigriz · · Score: 1

      Sorry, got distracted and didn't catch some bad html cut'n'paste while editing. Ms. Smith's article's URL:

      https://www.csoonline.com/arti...

  2. Re: Self defense isn't a 'wrong'. by Anonymous Coward · · Score: 1

    There's a massive difference between self defence of yourself and your property, and state sanctioned offensive cyber attacks. I realise you have an agenda, but honestly, this is less akin to a reaction to an attack and you being able to randomly attack anyone you want because, as the bill shows, you don't need to prove you were under threat to begin with. How would you feel if you weren't the attacker, but the attacked? How would your business feel if a big rival took action against your systems, without due process or proof?

  3. What is expected by AHuxley · · Score: 1

    An ip will be discovered.
    An ip that can only be connected to one user and their desktop computer.
    Follow the ip back and discover one user with a modem in front of their desktop computer.
    Every ip is only ever given to one user in front of their computer by an ISP. The ISP ip can only end with a modem.
    So every ip can only be a direct connection to one person's desktop computer connected to their modem.
    Once that ip is discovered in the wild follow the ip back to the user's computer.
    Stop that user's desktop computer and their one ISP connection from doing bad things in real time.

    Wonder how that will work in the real world with greedy ISP and networks having a lot of users and not wanting to pay for much for fancy "networking"
    Follow the bad ip back and discover a suburb is online using one low cost network?
    That ip in the wild turned out to be the ISP not the user?

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:What is expected by I+kan+Spl · · Score: 4, Informative

      Or more likely, the IP is part of an outbound load balancing proxy with a bunch of AWS servers sitting behind it.

      --
      My UID is prime and so is this number: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0.
    2. Re:What is expected by techno-vampire · · Score: 1

      Every ip is only ever given to one user in front of their computer by an ISP.

      You really think so? What happens when the IP belongs to a business that provides free WiFi to their customers?

      --
      Good, inexpensive web hosting
    3. Re:What is expected by Anonymous Coward · · Score: 0

      More importantly, what will happen when the IP is a victim of hacking? What happens when an attacker sets this up to have two universities hack each other over and over legally for "the lolz?"

    4. Re:What is expected by mikael · · Score: 1

      Or the internet cafe a couple of floors below the dude using a laptop with wi-fi in a New York apartment?

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    5. Re: What is expected by Anonymous Coward · · Score: 0

      And? Secure your fucking network.

    6. Re:What is expected by Monster_user · · Score: 1

      Such is my primary concern with this proposed bill and "solution".

  4. "well-intentioned" researchers by Anonymous Coward · · Score: 0

    Well, I guess they'll just have to post, Anonymously... BWAHAHAHA!

    I'm just a soul whose intentions are good
    Oh please, don't let me be misunderstood...

  5. Legal Right to Defend by Anonymous Coward · · Score: 0

    Basically what is happening here is that a legal right to defend yourself is being considered. However these companies opposing the measure are doing it for a very particular reason, under the covers they are engaging in what would be called hacking on a massive scale against the american population. What they do not want is that if uncovered it would be open season upon them with no legal consequences. They do not want an organized attack against them whereby social media fuels it, it grows and it becomes a national or international past time to take pot shots at the big names.

    Scared little guilty bastards

  6. The only thing that can stop a bad guy hacking by olsmeister · · Score: 2

    is a good guy hacking back.

    1. Re:The only thing that can stop a bad guy hacking by Pseudonym · · Score: 1

      This applies if the government is doing it too, right?

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  7. myopic by Virtucon · · Score: 4, Informative

    another example of why we need to have informed legislators in gov't. This won't solve anything but to allow companies to attack proxied hosts who have either been compromised themselves or are sitting in public clouds. The latter is the bigger issue which cloud providers struggle with. It may also be true that companies that avail themselves of fighting back may themselves be targets for violation of US Federal law where it comes to illegal computer access.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:myopic by Anonymous Coward · · Score: 0

      another example of why we need to have informed legislators in gov't.

      Southern crackers will NEVER stop getting fleeced by northern carpetbaggers. It's in their nature to be stupid and gullible, the proof is in the pudding.

    2. Re:myopic by AmiMoJo · · Score: 1

      Brianna Wu is standing and seems pretty tech savvy.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:myopic by Anonymous Coward · · Score: 0

      >the mentally ill will save us!
      That's what you just proposed.

    4. Re:myopic by Anonymous Coward · · Score: 0

      Being tech savvy doesn't mean being "informed", which was what GP asked for

      Trump is very tech savvy (with Twitter)
      Your average teenager is tech savvy enough to use their smart devices and might even be adept script kiddies, but I wouldn't trust them to be in charge of legislation

      Just being tech savvy isn't enough.

    5. Re:myopic by Anonymous Coward · · Score: 0

      It could solve more than currently is available. Most companies are already being attacked (i.e. the corporate warfare already started), and said corporations are currently legally forced to sit there and take it. The Georgia bill gives them some ability to actually stop the threat (DCO-RA).

      I'd wager most of the naysayers haven't sat in on a US Govt meeting where the details of this have been described in humbling / sobering detail, nor fully understand the resource requirements and risk differences between the COA's currently available and those that are possible with the bill

  8. It seems to me ... by thomst · · Score: 2

    ... that this Georgia statute-in-waiting could potentially be held to be superseded by 18 U.S. Code 1030 (the section added by the Computer Fraud and Abuse Act of 1986).

    CFAA specifically covers unauthorized access to U.S. government computers and computers belonging to or containing information belonging to a "financial organization" - although that definition, in practice, has been considerably stretched charges brought in a number of criminal cases. That broadening of its applicability could, I suspect, theoretically cause an appeal of any conviction under the yet-to-be-enacted Georgia law to be upheld on grounds that it represents an unwarranted overreach by Georgia.

    OTOH, IANAL, and how Federal courts might react is going to be guesswork on anybody's part (including actual lawyers, and people who play them on TV), until it's both signed into law and challenged at the Federal level ...

    --
    Check out my novel.
  9. Re: Self defense isn't a 'wrong'. by Anonymous Coward · · Score: 1

    Obviously Georgia's answer is that you, the victim, should stop feeling sorry for yourself and go on the offensive.

    How is this even a serious proposal?? If you have the resources to "hack back" how is it you don't have the resources to protect your network in the first place?

    A more reasonable law would be something like... Build a great firewall of Georgia, and make the Russians pay for it!!

  10. Re:Self defense isn't a 'wrong'. by Anonymous Coward · · Score: 0

    Cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access

    So, basically, I can claim my ransomware attack on the Georgia legislature is an "active defense measure designed to prevent unauthorized computer access",
    and I'm golden....

  11. The Hatfields and McCoys ... by PPH · · Score: 1

    ... visit Georgia.

    --
    Have gnu, will travel.
  12. Dumb knife - Not - Dark Knight by Anonymous Coward · · Score: 0

    So they want to give vigilante attack powers to entities that are already known for misusing and abusing other less violent forms of activity where they tend to use the shotgun in the room approach without even decent target verification...
    Just look at how companies abuse the DMCA and attack innocents already using the law, you give them cyberassault authority and it will only get much worse for everyone else!

  13. Re:Self defense isn't a 'wrong'. by Anonymous Coward · · Score: 0

    I've never seen a rightist who thought that "stand your ground" rules should apply to encounters with the cops. Outside of the far-right militia movements, that is.

  14. Hacking shouldn't be illegal-period- f' hack back by Anonymous Coward · · Score: 0

    When you go online you open yourself up to data being sent from whoever. This is how the internet works! If you don't like that don't go online. If you don't want data from certain regions, people, etc, or in certain circumstances it's up to you to discard that data. It's up to you not to run buggy software. Your security is up to you. Nobody else. You may be able to thrust your beliefs on a lot of the world. But good luck thrusting your beliefs on everyone everywhere. It's just not going to happen and there is simply no way to secure the internet. You however can secure your own computer and internet via various means not excluding not running proprietary buggy shitware- and having servers setup behind DDoS systems.

  15. Swatting v2.0 by Anonymous Coward · · Score: 1

    So, I spoof the source address of a port scan against a bunch of Georgian companies with some innocent victims address, and being "attacked" they attack innocent victim.

    Popcorn time.

    Maybe call it cyber swatting :)

  16. Kinda want to see it by argumentsockpuppet · · Score: 3, Insightful

    Someone willing to break the law can knock innocent businesses and individuals off of the internet with practically zero fear of getting caught or stopped. That's the state of the internet right now. Truly fixing that situation is impossible without a degree of frightening fascism that would be the end of the internet as we know it. I'd love to see a world where there weren't millions of stupidly insecure devices connected to the internet, not to mention the hundreds of thousands of devices with reasonable security still managing to have vulnerabilities that haven't been patched yet. Without a single country controlling what is allowed to connect to the internet (a bad idea,) it's not a solvable problem.

    People think that securing your own systems is sufficient to protect your company, but it isn't. In order to protect your business from malicious activity you need control of the fabric outside of your company. A typical small company can't protect the ISP routers that connect them to the internet, and so can't protect themselves against a DDOS. How many hops are between your customer and your website? Unless you're running your website through CloudFront, Azure, or Google; you won't have the resources to absorb the attack without losing business. I remember watching Microsoft get DDOS'd off of the internet, and Google. Even Amazon has had outages, so no matter what you do, your website isn't bulletproof.

    The internet gives freedom, enormous freedom, to people, but it's disproportionate. Malicious attackers who don't have to follow the law have more power than people and companies required to do things legally. Bringing balance to that equation, by allowing victims to fight back, could have huge repercussions. They could be great or terrible, but I believe most organizations and people would do less harm than the current law breakers, if they had the freedom to fight back.

    I understand the arguments against legalizing fighting back, but honestly the "innocent" people likely to be harmed are the people who were negligent in securing their own equipment. I have a hard time feeling bad for those people.

    Some ISP is going to have routers with insecure firmware. Those routers are going to be roped into a DDOS attack that takes some sleazy spamming company's website down and the spammer company is going to kill thousands of innocent consumer routers, who couldn't have secured their routers even if they'd been interested in security and knowledgeable of their options. But what's the result of that?

    It's evolution. The free market can solve this problem, but not if the government is so focused on protecting innocents that they protect the law breakers at the expense of those who have to follow the law. The criminals have freedom. I am in favor of giving law abiding people a limited subset of that freedom.

    I can argue either side of this argument, but I choose this side to represent. See my user ID.

    1. Re:Kinda want to see it by AmiMoJo · · Score: 1

      I'd love to see a world where there weren't millions of stupidly insecure devices connected to the internet

      It's an impossible dream and probably wouldn't help, I'm afraid.

      We need to re-engineer the network to distrust the clients. Most of early protocols were built on trust, e.g. DNS wouldn't lie to you, return IP addresses were genuine and all requests made in good faith. That legacy is slowly being undone.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Kinda want to see it by Monster_user · · Score: 1

      Spam filtering rules/systems often distrust client IPs already. However a DDoS is a horse of a different color. DDoS typically uses protocols which the clients would use, as such the differences between a DDoS and the "Slashdot Effect" are likely indistinguishable from the ISP's perspective. And without digging heavily into packet captures, one would have a hard time distinguishing between them on the victim's side as well. The main difference being whether there was an increase or decrease in revenue around the time of that event, as botnet attacks typically don't generate ad revenue nor make purchases while preventing legitimate customers from doing the same.

  17. Weirdly Written by rtb61 · · Score: 3, Insightful

    The law itself looks as strange as. I did not know it could be considered a criminal offence to disclose a password, seriously, what twit put that in there. Freedom of speech means, you are fully entitled to release passwords not necessarily keep your job but certainly claims of a criminal offence are insane. Also you can only access a computer for business purposes, like WTF, social media not allowed, workers social contacts a criminal offence. Let alone an empty 'active defence measures' without defining what an active defence measure is and what are acceptable and what are not and clearly the law is tied to one state. No matter how nuts they try to get with location of the crime, tying it to the residence of the business, regardless of the location of the attack, apparently anywhere in the world or the source of the attack anywhere in the world but it only refers to counties and not states or nations.

    You can claim legal whatever you want in whatever crazy state of the US but it will get interesting when it affects other states and countries and whose law applies when, regardless of silly claims about the residence of the owner of the network and ignoring location of the network under attack and or the location of the attacking network.

    --
    Chaos - everything, everywhere, everywhen
    1. Re:Weirdly Written by sabbede · · Score: 1
      It refers to counties because it is a State law defining, among other things, which county will have jurisdiction. If you're in Minnesota, and you hack into a network in Fulton county (much of Atlanta), then the Fulton county sheriff's department will be the one to charge you and file for extradition.

      And no, releasing passwords is not a free speech issue. If I stole your email password and posted it here, would you say, "well, that's your right"? Let's assume that I know you're on vacation and won't be checking /. or your email for a while.

    2. Re:Weirdly Written by jbdigriz · · Score: 1

      A lot of the idiosyncratic weirdness is due to the fallout from the Kennesaw incident with the state's voter registration system last year. Among other things, election worker passwords were publicly available. Lawsuits are still in motion, I believe, including one against the SOS, I think. The bill in a lot of respects is an attempt to close the barn door after the horses left a different barn altogether. WABE has a good timeline here:

      https://www.wabe.org/two-georg...

      Politico has some good info as well here:

      https://www.politico.com/magaz...

      Otherwise it's the usual shoot-the-messenger stuff governments all over are well known for.

  18. Re: Self defense isn't a 'wrong'. by Calydor · · Score: 3, Insightful

    This bill is essentially having you walk through a crowded square, blindfolded, and if someone grabs your butt you're allowed to pull out a pair of uzis and start firing at random.

    Yes, I feel that is an accurate description of hacking back against a network of zombie machines owned, often unwittingly, by innocent people around the world.

    --
    -=This sig has nothing to do with my comment. Move along now=-
  19. What problem does this solve? by Anonymous Coward · · Score: 0

    This will just clog the larger infrastructures who will happily pull the plug on the lot of you.

    The major transporters already protect their networks from DDoS, etc.

  20. "White hat hacker" bullshit must end by Anonymous Coward · · Score: 1

    If you're a supposed "White hat hacker" doing "research" then "best practices" or what I might call "common courtesy" might be that you notify a company of your intentions so as to not raise "undue alarm".

    If your intentions are pure then being rebuffed may be disappointing but not alarming or really negative. And with the proper approach you may find that a lot of companies won't mind provided you're doing it for no charge, won't publish their names and give them an early viewing of your findings before publishing...after all if you're only doing "research" and you're a "good guy" (white hat hacker) you have no monetary incentive to lie, be cagey or otherwise negatively exploit your findings...right?

    Of course this is a fairy tale. Supposed "white hat hackers" are in it for the money (or fame leading to money) and if they happen to find a vulnerability in a "big name" company (for sufficiently large values of "big") I have no doubt they'll exploit that knowledge for their better outcome not the target.

    The only difference between "White hat" and "black hat" hackers is their clothing (how they present themselves) and the company they keep.

    Could you imagine the idea of a "white hat burglar" breaking in to your company without being hired or at least announcing their intentions for "free" under the guise of "research" or "testing your security", they'd be laughed out of the courtroom as they are carted away for jail time.

    1. Re: "White hat hacker" bullshit must end by c6gunner · · Score: 2

      Of course this is a fairy tale. Supposed "white hat hackers" are in it for the money (or fame leading to money) and if they happen to find a vulnerability in a "big name" company (for sufficiently large values of "big") I have no doubt they'll exploit that knowledge for their better outcome not the target.

      You have no doubt of it because you're the kind of cunt who would do that. You shouldn't project your own values onto other people, though.

      I haven't "hacked" anything in well over a decade, but back when I was interested in that stuff I would regularly run scans for common vulnerabilities and then send anonymized email to the administrators of vulnerable hosts letting them know what I found. Did I sniff around their networks a bit first? Sure. Did I ever blackmail anyone or use their resources to get "fame" for myself? Fuck no. Not all of us are fame and money hungry twats like you. I certainly could have used the cash back then, but I considered my morals to be rather more important.

      Back then I also had a fun time hijacking botnets and using them to DDOS the original owner for a bit of well earned schadenfreude. After which I would set them free. There's this little thing called "empathy" which normal people have; it leads us to identify with the poor bastards whose computers have been exploited so that we want to help them rather than taking advantage of them. I'm sure that's a difficult thing for you to understand, but it exists nonetheless.

  21. Letter of Marque and Reprisal? by Hunter-Killer · · Score: 1

    Once upon a time, I used to reach out to US-based hosting providers that spammers used. In the unlikely event I received a response back, it was to inform me they won't do anything about Canadian Pharmacy websites unless you can prove that they sent that spam email--being a mere beneficiary of spam is not enough. It took being one of the world's largest spamming operations for McColo to be shut down, and it was done by the upstream service providers. Feds don't have time for this. I propose we take a page from colonial-era maritime law and let private individuals petition the government for the right to seize equipment from bad actors. McColo wouldn't have lasted a week if you could round up about 20 guys to break in at 3 AM and start hauling off servers. Oh, you dealt with that spammer earlier? Take it up with the government when they have the award hearing. This changes the balance from removing spammers whenever someone finally compels you to, to accepting a considerable amount of liability for tolerating a spammer/leaving your infrastructure poorly secured.

  22. This is interstate commerce nature in true form by Khyber · · Score: 1

    Thus this state law is not legal, and the power for authorizing this sort of behavior falls to the Federal Government.

    Unless the bill explicitly states that it works only within the state's borders and where all entities involved are within said jurisdiction, this will get struck down on any reasonable challenge.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:This is interstate commerce nature in true form by sabbede · · Score: 1

      Read the bill. It's short. It defines "unauthorized computer access", four kinds of access that don't count (including "cybersecurity active defense measures"), and which county will have jurisdiction.

    2. Re:This is interstate commerce nature in true form by Monster_user · · Score: 1

      What about foreign powers? Forget fighting back against Texas, Florida, and Maine, there is also the rest of the world to worry about. What if this leads to an international incident and World War III?

      One has to wonder what the usefulness of this bill would be if limited to within the state's boundaries. Is there a remote possibility that the increased amount of hacking attempts resulting from botnet infections would improve the security situation and thus harden Georgia's infrastructure from outside attack, and with corporate spending on security training being required to remain in business, the state could end up with a greater number of knowledgeable personnel, lowering the cost of experts for smaller businesses? If the businesses within the state could survive long enough to generate enough revenue to pay for the additional training and software and hardware for defense purposes. Otherwise foolish leadership would just return the state to the dark ages as companies vacate the state for legal protection, and ISPs begin taking preventative actions allowed after the loss of Net Neutrality restrictions.

  23. Re: Self defense isn't a 'wrong'. by c6gunner · · Score: 0

    Actually, if it were "perfectly" sensible, then there wouldn't be a non-zero number of innocents killed in self-defense incidents

    Retarded argument is retarded.

    "Hurrr durrr if fighting back against Nazis in WW2 were sensible then there wouldn't have been a non-zero number of innocent civilians killed"

  24. Re: Self defense isn't a 'wrong'. by Anonymous Coward · · Score: 0

    Well, you're not allowed to own a zombie machine on the net. It is negligence, similar to hanging a loaded gun on your outer wall.

    In either case, someone else is to blame, but you practically gave them the tool.

    Having the zombie destroyed in a counterattack is fine with me - it was ruined already but now you know.

    I worry more about attackers using forged from-addresses. Tricking an IPS is old hat - now they can trick a hack-back system to attack its own organization - or innocent third parties. Then some of the third parties retaliate, so they get 'allies' in their attack.

  25. Re:Self defense isn't a 'wrong'. by Anonymous Coward · · Score: 0

    Can "stand your ground" be used by blacks too? Or illegal immigrants? pesky lefties?

  26. Tar Pits by Anonymous Coward · · Score: 0

    Shit you not, tar pit firewall rules are common but apparently some folks have landed in trouble because of it. I got booted off an ISP because someone attempting to brute force my port 22 complained to my ISP. Took 2 weeks and emailing their hacking attempts to explain the situation. Always remember the criminals have more rights than the victims.

  27. Re: Self defense isn't a 'wrong'. by jbdigriz · · Score: 1

    Mr. Kemp would tell you "make the DNC and a former administration pay for it." ;-)

    Look, Georgia Code 16-9-93, which SB 315 modifies, like a far greater percentage of Georgia law than anyone cares to admit, is completely boneheaded to start with. (Not that US law is really any better, and in some cases much worse). Computer security by fiat is a totally asinine concept. It exists simply to pass the buck for suits and good ol' boys, (sigh, yes, of all genders, races, ethnicities, creeds, etc, not just the Sons of Eugene Talmadge and the Cackling Hen Auxiliary). The medium is not the message. Extract any actual crimes, i.e. theft of confidential information, trade secrets, malicious damage, denial of service, election tampering, so on, and deal with them in the code appropriately, though I'm sure they're mostly already covered. Junk the rest of it. Leave security where it belongs, with IT management, system administrators and network operators, and users, not legislators, lawyers, cops, prosecutors, and clueless reporting.

    As for SB 315, I don't have any a priori objection to a little tactical offensive defense, if truly warranted. You better know what the fsck you're doing, though, and if you know what the fsck you're doing with your systems, you will rarely have the need, and if you do actually need it, that knowledge will more than likely fly right over your head. So you should likely be thanking anyone who points it out to you, not shooting the messenger. Look, they're YOUR computers, not the State's. YOU take responsibility for them, or at least stop whining about welfare deadbeats looking for gubment cheese. Please.

    IANL, but SB 315 looks like bad law regardless. Vague, and seeming to say, "Well, if it's for business, why, that's alright. Go right ahead." Oh, so if you portscan that network in Ukraine that's been running distributed SSH attacks on your hosts for months, just out of idle curiosity, that's sure to trip a wire somewhere. Are you then guilty of "unauthorized access"? After all, the way I read it, I'm in violation even if the target is in another jurisdiction. If so, on all counts, damn the law, I say. Or set up a new corp. A co-op for security researchers, say. Leave no opening for prosecutorial discretion. Use the damned system against itself.

    Finally, do you clowns pwning, or claiming to pwn, Augusta, GSU, etc. realize you are only being used to scare up support for this idiotic bill? If you don't, please get a damn clue. If you do, well, here's a big FU.

  28. Please allow this to fly by Opportunist · · Score: 1

    If this becomes law, it gets fairly easy to eliminate the competition. Here's how:

    1. Find out IP address(es) belonging to your competitor.
    2. Find a company that uses "offensive security" to defend itself.
    3. Spoof the IP of rival from 1. and attack company from 2.
    4. Watch rival go down in flames from the counter attack.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Please allow this to fly by dkman · · Score: 1

      Step 1: hack into Georgia's power grid
      Step 2: attack networks
      Step 3: those networks attack back, taking down Georgia's power grid
      Step 4: hilarity ensues

      --
      I refuse to sign
    2. Re:Please allow this to fly by Opportunist · · Score: 1

      I was proposing a fun game, but you had to take it way out of proportion.

      That's what you do when they don't get smart after the first few demos. Didn't you see your Batman, you don't start with the face, the victim doesn't feel anything afterwards anymore.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  29. Re: Self defense isn't a 'wrong'. by AmiMoJo · · Score: 1

    Back in the 90s I hacked someone back.

    I noticed that the lights on my modem flickered about once every 5 seconds, despite me not generating any traffic. I checked the logs and saw someone was sending ICMP pings, which were bouncing harmlessly off the firewall. I wanted them to stop doing it anyway for some reason...

    So I tried to telnet to the source IP address, and it worked. I found myself with a prompt and no idea what I was talking to. Tried a few random commands like HELP and LS, but none worked. Eventually typed "REBOOT", the connection dropped and I didn't get pinged any more.

    I was young and foolish. I dread to think what someone who knew what they were doing and was being pressured by their boss to do /something/ would get up to.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  30. What would you do if you were in my place? (GA) by sabbede · · Score: 1

    I am a network admin in the Atlanta area. If this passes, what should I do?

    What sort of "Cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access" would you consider?

    If you could legally strike back at attackers, would you? How would you do it?

    1. Re:What would you do if you were in my place? (GA) by Monster_user · · Score: 1

      It is not clear that DDoS is allowed, as DDoS is not detection, nor is it entirely unauthorized access. This does appear to legally allow a third party entity access to another party's entire network and data for the purposes of remediating an infection or stopping an attack.

    2. Re:What would you do if you were in my place? (GA) by Anonymous Coward · · Score: 0

      What sort of "Cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access" would you consider?

      Look up "Network Intrusion Detection System" or "Intrusion Prevention System", both well-established technologies. The IDS discovers "bad activity". It may instruct the firewall to block that stuff, then it is an IPS. Now you may add strike-back capabilities as well, look up "script kiddies" for that.

      If you could legally strike back at attackers, would you? How would you do it?

      With good old violence. Nothing like legally hitting them hard with a crowbar, and zap their computers with 50000 volts. And vice-versa. Or torch the building and fire RPGs at anyone trying to escape? Hack back with (snail) mail bombs?

      Oh, and telemarketers can be considered 'hackers' when they spoof the caller id, no?

  31. I can see this going well. by nimbius · · Score: 1

    CEO: we were recently hacked and our customer data was exposed to the world due to our terrible security practices, so we hacked back and DDoS'ed the attackers' website!
    Media: that sounds scintillating enough for a front page story, what happened next?
    CEO: We're being sued by a hosting provider for the DDOS, and the hackers managed to switch my wife's insulin order with carfentanil, killing her instantly. But hey! hacking back right?

    --
    Good people go to bed earlier.
  32. Re: Self defense isn't a 'wrong'. by jbdigriz · · Score: 1

    This bill is essentially having you walk through a crowded square, blindfolded, and if someone grabs your butt you're allowed to pull out a pair of uzis and start firing at random.

    Reckless endangerment and possible manslaughter for what might even have been accidental, nope, not warranted. Now if someone tries to pen-test your butt, I hope that you can discriminate the real offender and that you have good aim. :-)

    Yes, I feel that is an accurate description of hacking back against a network of zombie machines owned, often unwittingly, by innocent people around the world.

    Oh, I do get your point, but I think the real problem if this bill is signed is that it will be used as cover for deliberate network abuse and break-ins under merely the pretext of "active defense". "Oh, excuse me, I dropped my cell and grabbed your butt trying to catch it."

  33. Not DDoS, but investigative hacking. by Monster_user · · Score: 1

    Reading the current wording on the current bill, SB315, states that access without authority is illegal, except when actively attempting to detect and/or prevent unauthorized access.

    Basically what it is saying is that a third party can access your network without authorization to shut down a PC infected with malware (i.e. a botnet), or trace the malware back to the point of origin.

    1. Re:Not DDoS, but investigative hacking. by mileshigh · · Score: 1

      Basically it is saying ...

      No, you can't do that with the law!

      Instead, try for "the maximum that a creative lawyer could stretch this to mean..." and then double it.

    2. Re: Not DDoS, but investigative hacking. by Monster_user · · Score: 1

      "Active" means doing something. It is not just reactive, it is active. It means taking preventative measures. Pre-emptive strikes are a defensive measure. Weaken the opponent to reduce their offensive capacity.

      Unauthorized access is plain and clear. There is an exception where a third party can take action, "for defensive purposes", to gain unauthorized access to a "suspect" system.

      This is the cybersecurity equivalent of "probable cause", and there is no limitation of it to law enforcement entities only.

  34. Law crafted to stop embarrassment by Anonymous Coward · · Score: 0

    This law was crafted to stop embarrassment after last year's public leaks of Georgia voting information over a public internet website.
    The way it is written, changing https --> http would be considered an illegal attack.
    There will be 50B illegal uses and 1-2 selective prosecutions after someone outside GA points out that some company based in GA left something unintentional on their public-facing servers.
    * Equifax
    * Cox
    * Home Depot
    * UPS
    * Coca-Cola
    * Aflac
    * Delta Airlines
    * NCR
    * Spanx
    * Zaxby's
    * many others

    We know that Equifax will sue first and ask questions later after their screw-ups are public. Same for the State of Georgia and the City of Atlanta. They will leak data, unintentionally, and blame others.

    Stopping embarrassment, that is what this law is about.

    1. Re: Law crafted to stop embarrassment by Monster_user · · Score: 1

      There is nothing in the law that would indicate changing a URL is unauthorized access. Any such interpretation is subject to the rulings of other cases on whether changing URLs constitutes unauthorized access. But this law makes no judgement one way or the other.

  35. Re: Self defense isn't a 'wrong'. by Anonymous Coward · · Score: 0

    This bill is essentially having you walk through a crowded square, blindfolded, and if someone grabs your butt you're allowed to pull out a pair of uzis and start firing at random.

    Yes, I feel that is an accurate description of hacking back against a network of zombie machines owned, often unwittingly, by innocent people around the world.

    Exactly! This is just like using uzis in a crowd! I can definitely see why you got modded insightful.

    I'm worried about all the people that will now think it's ok to use uzis in crowds after this bill passes

  36. Re:Self defense isn't a 'wrong'. by JackieBrown · · Score: 1

    What the hell are you talking about? Stop projecting so much.

    Of course it can be used by anybody in a "stand your ground" situation.

  37. WTF? by Anonymous Coward · · Score: 0

    All of you morons are doing the equivalent of telling a rape victim to just lay back and enjoy it.

    And that Bullshit about White Hat Hackers? If you are a "White Hat Hacker", whatever the fuck that means, you will be working in conjunction with the target.

    Breaking into someone's home and intending to just leave a note saying, "Hey, you better lock the side door", is still fucking breaking and entering and the home owner is still entitled to shoot your ass.

  38. Re: Self defense isn't a 'wrong'. by Anonymous Coward · · Score: 0

    It's more like setting up surveillance to figure out who keeps breaking into your place of business, then following them back to their place and caving their face in.

    While not optimal, it's better than just taking it.

    If you are breaking into someone's computer without their permission and not under the color of law, then you deserve to have your face caved in.

  39. Re: Self defense isn't a 'wrong'. by Anonymous Coward · · Score: 1

    Retarded argument is retarded.

    Fallacious rebuttal is fallacious.

    "Hurrr durrr if fighting back against Nazis in WW2 were sensible then there wouldn't have been a non-zero number of innocent civilians killed"

    Quick fulfilment of Godwin's law, eh? But actually, yes, the practice of war-making is yet another example of abusiveness rearing its ugly head, showing why it is not perfectly sensible as well.

    Interesting that you left out that key modifier though, did you just not realize how that adjective renders the claim faulty?

    It matters. So does how warmongering defends itself by claiming persecution as the Nazis did (and Japan and Italy), and as how the Allies, both American, UK, Chinese, and especially the Soviets justified their many abuses. Even the US has admitted to the wrongs of say, the internment of Japanese-Americans as part of the war.

    What is writ large is also applicable to the small. Or perhaps the small leads to the large. Sorry, but it is nowhere close to perfectly sensible.

  40. William Gibson was prescient. Again. by mileshigh · · Score: 1

    This bears the seeds of Gibson's dystopian vision of never-ending corporate cyber-warfare. Hard to see how companies could resist using this as a pretext for gaining commercial advantage.

  41. Re: Self defense isn't a 'wrong'. by c6gunner · · Score: 1

    Interesting that you left out that key modifier though, did you just not realize how that adjective renders the claim faulty?

    It's a useless adjective; there's no such thing as perfection. I was being charitable and assuming you had included it by accident. If you're actually concerned with perfection then you are a far sillier man than I had thought.

  42. hacking across state lines is federal jurisdiction by brainchill · · Score: 1

    So people are making a huge deal out of this but the reality is, no matter what Georgia state authorizes in terms of retaliatory action, etc, most attacks originate from outside of the state or outside of the country and if a company launched a retaliatory attack across state lines or even country boundaries it would be in federal jurisdiction not state, so this bill would be a moot point.