Slashdot Mirror
Hacktivists, Tech Giants Protest Georgia's 'Hack-Back' Bill (threatpost.com)
lod123 shares a report from Threatpost: As Georgia Governor Nathan Deal considers whether to sign a controversial piece of legislation that would allow companies to 'hack back' with offensive initiatives in the face of a cyberattack, companies from across the tech spectrum are lining up to protest the measure. Also, a hacktivist group has targeted Georgia Southern University, two restaurants and a church to protest the bill. Opponents have twin beefs when it comes to Senate Bill 315: Some are questioning whether legitimizing offensive attacks will open the door to a new kind of corporate warfare; and others are concerned that the law will have a chilling effect on cyber-research by criminalizing white-hat activity like vulnerability research and pen-testing.
Google and Microsoft are in the former camp, and have asked Deal to veto the bill, which was passed by the Georgia General Assembly in March and which is nearing its deadline for signing into law. The two giants take issue with a provision in the bill that allows "active defense measures that are designed to prevent or detect unauthorized computer access." In a letter to the governor, the two argued that S.B. 315 "will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions," and that "provisions such as this could easily lead to abuse and be deployed for anti-competitive, not protective purposes." They added: "On its face, this provision broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity... [B]efore Georgia endorses the 'hack back' authority in 'defense' or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy." Tripwire also filed a letter with the governor's office: "[A]ccording to the wording of S.B. 315, well-intentioned ('white-hat') researchers could be subject to civil or criminal prosecution when following industry best practices in investigating a website for protection from a potential cyber-attack. It is our firm belief that an explicit exception is required to exclude prosecution when the party in question is acting in good-faith to protect a business or their customers from attack. Without this exclusion, S.B. 315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses."
Google and Microsoft are in the former camp, and have asked Deal to veto the bill, which was passed by the Georgia General Assembly in March and which is nearing its deadline for signing into law. The two giants take issue with a provision in the bill that allows "active defense measures that are designed to prevent or detect unauthorized computer access." In a letter to the governor, the two argued that S.B. 315 "will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions," and that "provisions such as this could easily lead to abuse and be deployed for anti-competitive, not protective purposes." They added: "On its face, this provision broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity... [B]efore Georgia endorses the 'hack back' authority in 'defense' or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy." Tripwire also filed a letter with the governor's office: "[A]ccording to the wording of S.B. 315, well-intentioned ('white-hat') researchers could be subject to civil or criminal prosecution when following industry best practices in investigating a website for protection from a potential cyber-attack. It is our firm belief that an explicit exception is required to exclude prosecution when the party in question is acting in good-faith to protect a business or their customers from attack. Without this exclusion, S.B. 315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses."
is a good guy hacking back.
Or more likely, the IP is part of an outbound load balancing proxy with a bunch of AWS servers sitting behind it.
My UID is prime and so is this number: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0.
another example of why we need to have informed legislators in gov't. This won't solve anything but to allow companies to attack proxied hosts who have either been compromised themselves or are sitting in public clouds. The latter is the bigger issue which cloud providers struggle with. It may also be true that companies that avail themselves of fighting back may themselves be targets for violation of US Federal law where it comes to illegal computer access.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
... that this Georgia statute-in-waiting could potentially be held to be superceded by 18 U.S. Code 1030 (the section added by the Computer Fraud and Abuse Act of 1986).
CFAA specifically covers unauthorized access to U.S. government computers and computers belonging to or containing information belonging to a "financial organization" - although that definition, in practice, has been considerably stretched charges brought in a number of criminal cases. That broadening of its applicability could, I suspect, theoretically cause an appeal of any conviction under the yet-to-be-enacted Georgia law to be upheld on grounds that it represents an unwarranted overreach by Georgia.
OTOH, IANAL, and how Federal courts might react is going to guesswork on anybody's part (including actual lawyers, and people who play them on TV), until it's both signed into law and challenged at the Federal level ...
Check out my novel.
As for whether or not they've succeeded... we shall leave that as an excercise for the reader. ;)
Someone willing to break the law can knock innocent businesses and individuals off of the internet with practically zero fear of getting caught or stopped. That's the state of the internet right now. Truly fixing that situation is impossible without a degree of frightening fascism that would be the end of the internet as we know it. I'd love to see a world where there weren't millions of stupidly insecure devices connected to the internet, not to mention the hundreds of thousands of devices with reasonable security still managing to have vulnerabilities that haven't been patched yet. Without a single country controlling what is allowed to connect to the internet (a bad idea,) it's not a solvable problem.
People think that securing your own systems is sufficient to protect your company, but it isn't. In order to protect your business from malicious activity you need control of the fabric outside of your company. A typical small company can't protect the ISP routers that connect them to the internet, and so can't protect themselves against a DDOS. How many hops are between your customer and your website? Unless you're running your website through CloudFront, Azure, or Google; you won't have the resources to absorb the attack without losing business. I remember watching Microsoft get DDOS'd off of the internet, and Google. Even Amazon has had outages, so no matter what you do, your website isn't bulletproof.
The internet gives freedom, enormous freedom, to people, but it's disproportionate. Malicious attackers who don't have to follow the law have more power than people and companies required to do things legally. Bringing balance to that equation, by allowing victims to fight back, could have huge repercussions. They could be great or terrible, but I believe most organizations and people would do less harm than the current law breakers, if they had the freedom to fight back.
I understand the arguments against legalizing fighting back, but honestly the "innocent" people likely to be harmed are the people who were negligent in securing their own equipment. I have a hard time feeling bad for those people.
Some ISP is going to have routers with insecure firmware. Those routers are going to be roped into a DDOS attack that takes some sleezy spamming company's website down and the spammer company is going to kill thousands of innocent consumer routers, who couldn't have secured their routers even if they'd been interested in security and knowledgeable of their options. But what's the result of that?
It's evolution. The free market can solve this problem, but not if the government is so focused on protecting innocents that they protect the law breakers at the expense of those who have to follow the law. The criminals have freedom. I am in favor of giving law abiding people a limited subset of that freedom.
I can argue either side of this argument, but I choose this side to represent. See my user ID.
The law itself looks as strange as. I did not know it could be considered a criminal offence to disclose a password, seriously, what twit put that in there. Freedom of speech means, you are fully entitled to release passwords not necessarily keep your job but certainly claims of a criminal offence are insane. Also you can only access a computer for business purposes, like WTF, social media not allowed, workers social contacts a criminal offence. Let alone an empty 'active defence measures' without defining what an active defence measure are and what are acceptable and what are not and clearly the law is tied to one state. No matter how nuts they try to get with location of the crime, tying it to the residence of the business, regardless of the location of the attack, apparently anywhere in the world or the source of the attack anywhere in the world but it only refers to counties and not states or nations.
You can claim legal what ever you want in what ever crazy state of the US but it will get interesting when it affects other states and countries and whose law applies when, regardless of silly claims about the residence of the owner of the network and ignoring location of the network under attack and or the location of the attacking network.
Chaos - everything, everywhere, everywhen
This bill is essentially having you walk through a crowded square, blindfolded, and if someone grabs your butt you're allowed to pull out a pair of uzis and start firing at random.
Yes, I feel that is an accurate description of hacking back against a network of zombie machines owned, often unwittingly, by innocent people around the world.
-=This sig has nothing to do with my comment. Move along now=-
Of course this is a fairy tale. Supposed "white hat hackers" are in it for the money (or fame leading to money) and if they happen to find a vulnerability in a "big name" company (for sufficiently large values of "big") I have no doubt they'll exploit that knowledge for their better outcome not the target.
You have no doubt of it because you're the kind of cunt who would do that. You shouldn't project your own values onto other people, though.
I haven't "hacked" anything in well over a decade, but back when I was interested in that stuff I would regularly run scans for common volnurabilities and then send anonymized email to the administrators of vulnerable hosts letting them know what I found. Did I sniff around their networks a bit first? Sure. Did I ever blackmail anyone or use their resources to get "fame" for myself? Fuck no. Not all of us are fame and money hungry twats like you. I certainly could have used the cash back then, but I considered my morals to be rather more important.
Back then I also had a fun time hajacking botnets and using them to DDOS the original owner for a bit of well earned schadenfreude. After which I would set them free. There's this little thing called "empathy" which normal people have; it leads us to identify with the poor bastards whose computers have been exploited so that we want to help them rather than taking advantage of them. I'm sure that's a difficult thing for you to understand, but it exists nonetheless.