Schneier on Security
A blog covering security and security technology.
« Liars and Outliers Ebook 50% Off and DRM-Free |
| Classified Information Confetti »
November 27, 2012
Stewart Baker, Orin Kerr, and Eugene Volokh on the legality of hackback.
Posted on November 27, 2012 at 6:39 AM
• 17 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I has been told it is quite common law enforcement "practice" here in Russia:
- Get hacked
- Hack back to gather evidence for the police
- You are in deep shit now because less effort is required to prosecute victim than the offender -- and you already confessed.
Baker's arguments seem to be buoyed on scare-mongering and "I wish it were so, so I shall presume it is." His writing style is openly mendacious and he doesn't seem to bat an eyelid when somebody outright demonstrates his previous assumptions were wrong. He simply moves on to the next flawed preposition and fires again.
It's nice when people lay their cards on the table like this. It brings to light just how flimsy some stances actually are.
Law and morality are two not necessarily coincident things. Just because a thing is legal does not make it right, nor does the illegality of a thing make it wrong.
This guy used to sell DDoS counter tools on a Russian hacker forum so if anybody poked around your botnet or hosting too much it'd blast them with a dos from different machines. Problem is ppl figured out this could be useful and so would spoof, fool and trick the dos reaction into targeting whoever they wanted. Max Vision also did this, he'd get his competitors to hack into systems for him by attacking them from the compromised system after he was through looting it as a law enforcement distraction
My conclusion: don't hackback, until there's more case law on the topic. The thing that's clearest from Kerr and Volokh is that neither quotes any significant body of case law that's obviously on this exact topic; they both would if there were.
Malicious hacking - that's what it is, whatever some choose to call it. It's either legalised or illegal, and in the United States and UK it's illegal.
One of the things I find worrying here is none of the debaters have a technical background. They're law people, arguing over the legalities (not the ethics) of 'hacking back'. They don't even address the technical implications of going down the road of retribution.
Moving onto this statement: “The same human flaws that expose our networks to attack will compromise our attackers’ anonymity.”
Well, no. Firstly, it happens because of whatever company's overall attitude to security, hiring practices (especially employee turnover), budgets, etc. Numerous factors. Secondly, skilled attackers are more adept at information security and deception, which means anyone with a reputation for counterattacking (probably against the wrong people) could be used as pawns, manipulated into attacking anything. Without the resources, intelligence and meticulous analysis, it's vigilante behaviour.
Then there's the standard of proof/evidence to consider - unless an organisation can forensically prove x attacked them, they have no right whatsoever to engage in malicious hacking against the accused. By 'forensically', I don't mean evidence on the back of what some undergraduates found - it doesn't work like that. What if the 'attacker machine' they just hacked or uploaded malware to belonged to an innocent party?
I could go on all night...
@Michael, I agree.
There are two obvious points that I'd like to make.
First, as Michael mentioned the attaching system might be an innocent pawn, so simply disabling it would be the most ethical thing to do...maybe after collecting evidence.
Second, the attacker is already unethical, so if *I* attack them and cause damage, it's possible that they might attack back and delete my data, or worse, attach me back in the real world.
Randy - iwontbedoingthat
Michael ( studying for his BSc) wrote, "One of the things I find worrying here is none of the debaters have a technical background.
That alone makes the rest of your statement ignorant.
Volokh graduated from UCLA with a B.S. in math-computer science at age 15, worked for 12 years as a computer programmer, still sells code for the HP3000, and has written many articles on computer software.
Kerr is a nationally recognized scholar in the fields of criminal procedure and computer crime law. Before joining the faculty in 2001, Professor Kerr was an honors program trial attorney in the Computer Crime and Intellectual Property Section of the Criminal Division at the U.S. DOJ . . . He also has written a law school casebook on computer crime law.
Baker is a partner in the Washington office of Steptoe & Johnson LLP, returning after 3½ years at DHS as its first Assistant Secretary for Policy. Hemanaged one of the nation’s premier technology law practices at Steptoe before accepting the DHS post. Described by The Washington Post as “one of the most techno-literate lawyers around,” Mr. Baker’s practice covers national security, electronic surveillance, law enforcement, export control encryption, and related technology issues.
Do your homework next time.
I'd like to understand how you could find out the real target of the attack when somebody is breaking into your/your family dwelling in the middle of the night (unauthorized)? Is it just your property (non-lethal self-defence) or you/your relatives (lethal self-defence)? Criminals by themselves do not often have clear plans unfront of their target, and their intentions /targets/objects/subjects are volatile based of actual circumstances after intrusion. Yeah, that is not technical question, but addresses concept of self-defence generally.
I think that right to self-defence of your own life/health/property should be based not on common law or court decision, but should be directly incorporated into Constitution (Bill of Rights). Then, burden of proof should be clearly stated when self-defence involved (person/property).
The point is that Constitutional principle should be basis/starting point for resolution of all cases involved self-defence of property (tangible/intangible, real, moveable, etc.) and person. That is how you get legal beacon when new technology popped up. Just opinion.
Volokh does have a technical background. His first degree is a BS in Math/Computer Science from UCLA.
My background is technical, not legal. That said ...
In regard to trespassing and defense of property, I view here the initial victim's computers and network as their 'land.' In the case of intrusion (trespass onto their 'land' by the initial source attacker), the system owners/sysadmins have the right to non-lethal defensive measures to terminate the trespass. This is simple - they can terminate connections (either through the firewall or simply pulling the plug). This removes the intruder from your property (unless you consider an underlying malware infection, which can be removed without leaving your premises/computer system).
Personally that's the extent of rights I see the initial victim having in response to intrusion. They will have logs of the connections, and these can be reported to law enforcement (just like any identifying information would be given to the police if you were physically breached).
Pursuing the connection further, by connecting to and intruding the (likely most-proximal-hop, not initial or willful attacker) system that touched yours during the intrusion is to me like chasing the thief after he leaves your property and entering property that you don't own and are liable for trespass. This might be analogous to a physical trespasser jumping from your roof to a neighbors, and you following him onto that roof (and in neither virtual or physical cases will you always be sure if that's the attacker's land).
Not having legal expertise, I don't know whether you're allowed/authorized to pursue the thief in that manner or not. What I imagine though is it would be illegal to, while on that adjacent property, destroy any ladders, crowbars or ropes you find that could potentially be used to access your property from that location. Maybe it would be okay to remove a ladder that's laying across the roof of the two buildings back to the source's roof.
But then what? Say the thief continues running - is the initial victim legally justified in pursuing that thief to wherever he goes? And what if the thief actually enters his own home, can you then break into that thief's home (I doubt it) to search for identifying information? Or then destroy any tools he has there that could be used for burglary? And what about extracting from there, after breaking in, the property you think was stolen?
If I were the attacker, I'd use a series of proxies and run the actual control software on a remote computer. If I got hacked back, they would not be able to track me all the way. They'd find just one control server, and that would be all.
@annynomouse, you're quite right about Profs. Volokh and Kerr.
By his writings, Mr. Baker demonstrates a stunning lack of understanding of technical issues. I guess an alternative explanation is that he intentionally misrepresents the technical issues in order to push his policy positions.
That he was at DHS and was general counsel for the NSA (while it was pushing the broken Clipper Chip, no less) is frightening.
I don't get it, Hackback seems like a stupid defense unless you deploy your own Botnet . Creating such a Botnet is not trivial and definitely constitutes a theft of resources from the rightful owners of the Botnet hardware / systems.
Maybe corporations could pool resources and fund a Hackback botnet but such a fixed system would be quickly identified and equally quickly blocked by the original Hackers bots.
like I said I dont get it!
@RobertT: Baker is writing (at least initially) about 'Remote Access Tools' used to compromise an innocent user's system. The paper he refers to states that during the attack, the RAT establishes a connection between the attacker's "command and control" machine and the victim machine, and that the software used is insecure on the attacker's side (so the victim has the opportunity to subvert the attacker).
It doesn't sound like he's talking about responding to a spreading virus, nor to phishing lures and trojans themselves, nor to the bots of a botnet, but rather to an attacker's manually operated privilege-escalation attack once (limited) access has been gained, probably by other means.
His further arguments appear mostly to be predicated on this special case -- that the victim can send things down the attacker's illegal connection while the attacker is online that will compromise the attacker's "command and control" machine, and potentially allow the victim to identify the attacker or learn about the attacker's methods and resources.
Note that in such a case, simply routing traffic through TCP/IP level proxies won't help at all.
"right to non-lethal defensive measures to terminate the trespass"
In the UK, in the case of trespass, you can... call the police. That's it. Even they can't do anything proactive without a court order.
This is why talking about morality and rights is pointless in the modern, highly international, world.
There are as many people in this world who agree with your moral / ethical code as those who hold the completely opposite view.
The only argument relevant is, "What does the law say in the countries concerned and how do those countries arrange arbitration?"
I didn't mean to ask questions about my personal moral/ethical code but about common, case and statue law in the USA (I believe the original articles were concerning hacking back under current law in the USA). That's interesting to know about intrusion in the UK, but I believe we have more rights as property holders in the specific regard of defense of property
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.