Comments

David Rudling • October 23, 2017 7:15 AM

This legislation seems to have implications for the rules of grammar.
Let me see if I understand correctly.

I hack back we hack back
you hack you (all) hack
he/she hacks they hack

Ah, yes. Got it.

Dr. I. Needtob Athe • October 23, 2017 7:51 AM

Did everyone catch that subtle joke about the "ACDC" act?

"I am thunderstruck by how terrible it is."

M. Welinder • October 23, 2017 8:01 AM

Surely an organization like Equifax with its elite computer security skills should be able to hack back safely.

Evan • October 23, 2017 8:23 AM

According to the bill’s text, the accused would have to show that they were the victims of a “persistent unauthorized intrusion” directed at their computers.

It's 2017. We are all, perpetually, under “persistent unauthorized intrusion” attacks - from our refrigerators, TVs, phones, neighbors, ISPs, news services, advertisers, emails, and even our own governments, by default. Granted, part of the problem is that we let security get so bad without doing anything in the first place, but the solution is to start requiring and enforcing security standards on device and software manufacturers, not to make the situation even worse.

bigmacbear • October 23, 2017 9:19 AM

@Dr. I. Needtob Athe: There are also references to "Highway to Hell" and "Hell's Bells" in the article. ;)

Anon • October 23, 2017 10:17 AM

Just how is "hacking back" supposed to deter, or make any difference?!

Rather like the Governments of various countries, it is just childish.

Besides, any serious attacker won't give a crap, and will probably even attack from a location that isn't theirs, so it won't do a damn thing.

The only thing it might do is create a niche market for hackers.

Daniel • October 23, 2017 10:31 AM

Hacking back is like claiming that the problem with the Wild West in the 1800s was that it simply wasn't wild enough.

THINK • October 23, 2017 10:57 AM

The only institutions that should be allowed to 'hack back' would be those that are authorized by federal law to do so. I think they already exist.

Many companies do not have any idea that they are even being penetrated and their information exfiltrated.

Attribution of a false flag attack could be problematic and could lead to a chain of escalation involving nation states.

I would conjecture that only those agencies that have the expertise and authority conferred on them by congress should be authorized to accomplish this task.

An elite cyberwar/security team that has both the intelligence gathered by the other clandestine agencies working on the government's (we, the people's) behalf and its authorization.

A better law would be to require Public Companies to disclose their security spending and risk assessment / mitigation (Security Posture) and to require them to pass a penetration test / security audit performed by an authorized 3rd Party Security Organization. Such a law would help bring many companies up to a higher level.

The law could be modeled on what already exists for accounting regulation and standardization.

Nothing motivates public companies more than the pricing into their stock those risks that have not traditionally been taken into account.

Could you imagine how the price of corporate stock for those companies without a security program or with a minimal security program would fall?

2013:

https://washingtontechnology.com/articles/2013/04/30/insights-hight-cyber-collaboration.aspx

2016:

https://www.dhs.gov/publication/cyber-incident-reporting-unified-message-reporting-federal-government

Now:

https://www.us-cert.gov/

We (as individuals and companies) can each be hit with an attack and not share what we learn. Could you imagine if sick people never went to a doctor and suffered in silence? Doctors never collaborated and diseases were never cured?

If we don't share our experiences and remedies, we will be continuously attacked and our intellectual property (capital) stolen and our identities compromised.


Iggy • October 23, 2017 11:06 AM

A la OJ in Reno? Yeah, while he might have been the legit original vic in that clustercluck, the majority of us have decided what he did in response was vigilantism and the majority mightily resents individuals usurping our self-assigned exclusive power to mete out justice, no matter how sluggish and inconsistent such alleged justice is in fact dispensed.

However.

The author offers no solutions that would inspire the reader to drop the keyboard, grab the phone and demand ACDC disconnect the UPS. All her article does for me is make me shrug and mutter "well, crybaby, since you offer no alternatives, I'm moving on to other news."

When the collective denies the individual the right to defend themselves, then the majority had better fill the void and be 100% effective and accurate (which is the standard the collective demands of the individual). So far, the collective is waiting for a number of the right kind of individuals to in fact die before it will take care of business.

If you think that's hyperbole, you need to review human history.

Back In Black • October 23, 2017 11:27 AM

I agree, bad bill to swallow.

It seems like the intent is to give large corporations the confidence that if they 'hack back' to return their data or shutter a persistent threat when exploited, the corporation and its employees won't necessarily be prosecuted for a crime. Right now, corps have no recourse, but to analyze and defend a threat within their networks or partner networks and hand over forensic data to authorities who have no resources to further mitigate a threat let alone investigate all of the breaches that are reported.

My guess is that a .EDU or two, plus a Microsoft, Cisco, or IBM have claimed on more than one occasion that if only hacking back was sanctioned they'd be able to robin hood the criminals and take back what was theirs (or their customers'). All of this is hinting at new legalized opportunities for white hats.

I can't see this law protecting the average black hat or a citizen 'actively defending' their photo collection except in very extraordinary circumstances. Most of the cases brought by 'victims' of hacking on either side will rule in favor of existing computer crime laws, because as it's already been stated, attribution is difficult and proving to law enforcement or a court of law that a persistent threat occurred against them for the average citizen is going to be close to impossible. Because of this I don't agree that it will open the door to legalized attacks like some are alluding, but it WILL create a legal mess, that's for sure.

Where the bill completely falls short is in not giving immunity to US citizens for hacking resources in other countries. I mean come on, at least go as far as to give this silly bill legs?! To say that the US government will allow hacking computing resources on US soil for 'active defense', but may for instance extradite a US citizen to face charges against foreign hacking activity is hypocritical and counter to its supposed cause.

Fredric L. Rice • October 23, 2017 11:38 AM

I have not read the bill yet, however I can't agree that hacking back is a bad thing.

Also you do realize that many governments globally engage in hack back, including the United States, and if anything the USofA hacks back and commits far more and far worse cyber terrorism against other countries' governmental entities than any other country, including Russia (though Russia is gaining market share in cyber terrorism.)

If a bill is introduced in the USofA making hacking back formally illegal, will the cyber terrorism entities within the United States stop committing cyber terrorism globally?

Of course not. So we end up with another anti-American bill aimed at citizens which the U.S. government itself is immune from.

Back In Black • October 23, 2017 11:55 AM

@ Iggy

I think it is useful to compare this bill to vigilantism as you say. And it's important that legislators know that this bill is incomparable to self-defense laws. It is more active vigilantism than any kind of defense.

Self-defense laws allow one to actively defend self or family from a life threatening attack by using deadly force for instance. In those cases, it must be clear beyond the shadow of doubt that the attacker was actually a threat, which is largely guesswork in computer security. Self-defense laws would not allow one to track down the accused attacker well after the attack took place and proceed to attack them or their family. It's absurd justice.

fred • October 23, 2017 12:28 PM

The NSA and FBI have been lobbying for a government / private company alliance for a long time now. Gen. Alexander (former head of the NSA) would bring in CEOs and CTOs to show them the scary stuff so they would work together. This just came at the cost of the gov putting a tap in your network.

It comes as no surprise that version 2.0 mandates you report your findings to the authorities. If this can of worms is opened and it becomes an all-out hack back war, the gov gets their network taps (back doors) everywhere.

There is a good book on the history of cyber warfare in the US, “@ War”; it puts a nice backdrop to this very subject and how the exemptions have been changed from version 1 to version 2.

Who? • October 23, 2017 12:33 PM

I do not think this idea is so bad at a theoretical level, it must be applied —however— with common sense and responsibility. As I see it, "hacking back" may be an appropriate response in some cases because:

  1. U.S. Government agencies (or international partners allowed to deploy cyberattacks as defense) are not allowed by law to operate in, let us say, protection of commercial entities and/or research centers; at least in my country the government has a military agency that is allowed to run defensive cyberattacks, but as other military teams it is only allowed to take offensive actions when military/government installations are attacked (i.e. in case of declared war), these offensive actions can be taken only to protect their own military/government networks, not commercial/research entities; and,
  2. sometimes attacks cannot be stopped by means of patching and closing vulnerabilities, let us say in the case of a DDoS attack.

There is not a free and open Internet opposed to a dark, frightening one; the Internet is always dark. We must accept the reality: Internet citizens should not be denied active defense in a world where they can be shot by bad actors on a daily basis.

As I see it, denying "hacking back" puts people who obey the law in the same vulnerable status as French citizens were twenty years ago when France prohibited strong cryptography even for banking. Criminals will have no concerns breaking the law and attacking their victims, while good citizens will be denied their right to defend themselves.

Clive Robinson • October 23, 2017 12:56 PM

Hacking back is actually childishly stupid, and at the end of the day stupid...

It's a form of Cyber-offence not Cyber-defense.

Let's follow the logic through with Alice (A), Bob (B) and Eve (E)

Stage 1,

1, B is attacked
2, B assumes it's A
3, B attacks A

Stage 2,

1, A is attacked
2, A assumes it's B
3, A attacks B

Now we loop around to stage 1 again, "rinse, wash, repeat", until at some point the childish behaviour stops and sanity starts to appear.

Now to see why it's really stupid, let's go back before Stage 1 to

Stage 0

1, E gets into a router between B and A.

2, E attacks B so it looks like A.
3, E sits back and watches the fun.

The other thing to consider is that whilst such offence can be easy to do, it's not even doing anything about any other attackers. A good defence however slows down or stops many attackers especially those attacking at similar points in time.

handle_x • October 23, 2017 1:01 PM

"however I can't agree that hacking back is a bad thing."

So you've never been sued by several large corporations all at once either, eh?
Potentially while facing prosecution from your government at the same time?
None of this is legal. What folks "get away with" is hardly best practice.

What if in "hacking back" you cross 3rd party property, invade/damage non-targets?
What if the attempt is used to justify more attacks that then occur, who is responsible?
What if you don't use 100% best practice methodology as critiqued after the fact?
What if you're led down a trail of breadcrumbs to a patsy/honeypot/exposure?

If you're a one-man operation defending yourself, likely nobody will ever notice.
If you work for a company this gets complicated very quickly as one can imagine.

Do it with the CEO's knowledge? The board? Then they're all culpable if it fails.
Do it without? Then it's all on you. Not so simple when you get beyond individuals.

" if anything the USofA hacks back and commits far more and far worse cyber terrorism "

You should distinguish between targeting APT blackhat actors and "cyber-terrorism"
Those are not the same concept, intent, execution or target.

Iggy • October 23, 2017 1:21 PM

@Back In Black • October 23, 2017 11:55 AM said:

“I think it is useful to compare this bill to vigilantism as you say. And it's important that legislators know that this bill is incomparable to self-defense laws. It is more active vigilantism than any kind of defense.

I agree that it is what we now call vigilantism IF it is conducted either too early or too late in proximity to the attack.

“Self-defense laws allow one to actively defend self or family from a life threatening attack by using deadly force for instance. In those cases, it must be clear beyond the shadow of doubt that the attacker was actually a threat...”

Defense of self and others is a natural right, under constant threat by attempts to re-define it, and by standard actual attack. In this era of IoT, persons on electronic and computer controlled medical devices would be in actual peril. Now what? Do we require that they exit their rest bed and deal with the hack as it is happening and only then or risk being called the hacker? There is no legal standard for the threat to be clear “beyond the shadow of doubt”, nor can there be. Beyond a reasonable doubt is, and it's a humane and achievable standard. Often the threat in mano-a-mano meat space is undeniable but never doubt that those not there, and who tend to hug thugs, will, most assuredly will, beyond reasonable reason, doubt that the self-defender was justified.

“which is largely guesswork in computer security.”

True, largely because the continuing wild west of software/hardware creation and design has been left to market pressures to produce secure and safe products. What the market will bear worked well when the consumer could easily tell that the rice pot was not fit to buy.

If “only” someone's photo album is hosed (a lifetime of his memories are nothing to you or me), we shrug and say oh well, sucks to be you. I wish I didn't have to rely on my government to step in, but when the product is so complex and sloppy, and can result in so much damage wide and varied, with plausible deniability built-in at every step, that we the consumer can only react to the fallout, usually with no hope of being made whole--flipping through photos of dollar bills won't recall happier times nearly as well--then here we go again, pass a law.

As we all know, a law doesn't keep crime away, it only provides punishment for those we catch.

Especially vis a vis cybercrime, that is the crux.

handle_x • October 23, 2017 1:26 PM

"There is no legal standard for the threat to be clear “beyond the shadow of doubt”

Actually that resides in the sworn opinion of juries and judges. Convince them, it is.

And that's where these outcomes would be decided - in a high stakes court adventure.

Iggy • October 23, 2017 1:37 PM

@Clive Robinson and @handle_X, if a hack back is like a punch back during mano-a-mano, how in the sam hill is that childish, wrong, dumb, stupid, etc etc?

What both of you seem to focus on is the not being 1000% sure that the vic is punching the perp. If the vic is, in situ, repelling an attack, then sorting out who was the perp will have to be done post-situ. We do that now when investigating meat space crime.

Let's face it, we're all tired of being sitting ducks. Why do we keep relying on the Smartest Guys in the Room to voluntarily fix it, when they are who created the mess and have no interest in "fixing" anything that's making them billions?

So, now what kemosabes?

ZQ • October 23, 2017 1:52 PM

Of course it's a horrible idea, but it's still going to happen, whether there's a law for it or not. Large organizations are facing massive, focused intrusion attempts, and a few of them are now starting to figure out that fighting back is sometimes actually more cost-effective than the current situation. After all, there are waaaaay less hackers and hacker groups out there than vulnerabilities to manage...

This is the natural consequence of the "Wild West" approach that we have with the Internet. Of course it's a bad idea, but so was keeping the Internet a "Wild West".

handle_x • October 23, 2017 1:53 PM

"how in the sam hill is that childish, wrong, dumb, stupid, etc etc?"

Illegal intrusion isn't the only available defense, for starters.

Per your analogy, 'fighting' ends in both facing law enforcement if both are caught.
Enforcement only applies inside your country or ally-sphere with extradition treaties.

So in 'punching' back, if caught you are the criminal that can be brought to justice.
The other guy often won't be in your enforcement regime or have assets/liabilities.

Pick your battles applies. Sometimes the necessity outweighs the risks.

Iggy • October 23, 2017 2:06 PM

@handle_x:

So in 'punching' back, if caught you are the criminal that can be brought to justice. The other guy often won't be in your enforcement regime or have assets/liabilities.

Likely the constabulary will have a growing list of knowns and unknowns against which the accused will be compared. They will ask themselves "is this accused likely to be the hacker or the defender?" and go from there. Will they get it wrong sometimes? Yes, just like now. But sitting back and relying on the mess makers to fix it isn't working, now is it.

I argue that if the perp is extra-judicial, then that is precisely the right time to punch back. They get a bloody nose and strongly reconsider a different vic pool.

People who fight back get left alone.

handle_x • October 23, 2017 2:06 PM

"and a few of them are now starting to figure out that fighting back is sometimes actually more cost-effective than the current situation"

Sometimes the sun goes behind the moon, but I wouldn't count on it every day.

Unless you manage to hack AND END your opponent's offensive capabilities somehow,
all you're doing is escalating. A lot of these are not domestic attacks. Unresolved.

You're not going to get China or Russia to extradite people or seize assets/evidence.
APT's aren't going to forget your attempts either. There's no money in it really.

So you need to ask yourself what the point of your exercise is. "Revenge"?

If you just want the attacks on you to stop, look at where you are vulnerable.
If you can't shut that door you'll be constantly firefighting either way.

handle_x • October 23, 2017 2:14 PM

"But sitting back and relying on the mess makers to fix it isn't working, now is it."

If you're relying on any company/product with poor security, that's on YOU now isn't it?

Holes exist. You're saying it's easier to attack all attackers than to close them off.
That's quite a security paradigm.

"People who fight back get left alone."

I think what you mean to say is low lying fruit gets picked first. Sure.

How much of a budget do you have for offensive hacking "security" if you don't have the capability to harden or close vulns in your own systems that attackers are using?

It's like fighting the ocean. Your bucket is not so big. Wading out there is a risk.
But if it makes you FEEL better...

Iggy • October 23, 2017 2:53 PM

@handle_x • October 23, 2017 2:14 PM

"But sitting back and relying on the mess makers to fix it isn't working, now is it."

If you're relying on any company/product with poor security, that's on YOU now isn't it?

Just taking up the shorts might work for you but I'm ready to move on. There's a need that seeks filling, not more status quo.

Holes exist. You're saying it's easier to attack all attackers than to close them off. That's quite a security paradigm.

Your strawman needs to stand away from the fireplace. I'm talking about each vic defending themselves, while you continue standing in the vic pool trying to feed the alligators. Unless, you're not in the vic pool. If not, why not?

"People who fight back get left alone."

I think what you mean to say is low lying fruit gets picked first. Sure.

Are you ten feet tall and is hacking that lucrative for you? Now that's some fine public policy you're serving.

People who fight back get left alone. When enough such people fight together, they become the ocean.

It's so crazy, it just might work.

Ryan • October 23, 2017 2:53 PM

This has nothing to do with "active defense", they're misusing (i.e. ruining) that phrase/methodology (the gov is great at that). They're talking about response/retaliation. Active Defense is cyber deception. Active Defense is wasting the attacker's time and resources. Active Defense is increasing the costs involved with slinging packets at an organization in an "active" manner. Active Defense is NOT you attack me so I'm going to attack you. That's retaliation.

handle_x • October 23, 2017 2:57 PM

" I'm talking about each vic defending themselves " - using offensive illegal techniques.

I agree, you're completely unrealistic on this point.

handle_x • October 23, 2017 2:59 PM

"People who fight back get left alone."

I enjoy lore too, but that's not a fact.

Try and cite it for us.

handle_x • October 23, 2017 3:01 PM

"When enough such people fight together, they become the ocean."

Start a company that offers your advertised (vaporware?) services, become a billionaire.

Just note that you were informed it would be more complex than you initially thought.

Cheers Iggy, don't do anything "the perp" wouldn't do, right?

handle_x • October 23, 2017 3:05 PM

" while you continue standing in the vic pool trying to feed the alligators. "

False. Stop paraphrasing using analogies and read what I actually said, thanks.

1. I said stop going in the alligator pit as possible.

2. If alligators are getting into your house, you need to find out exactly how. Fix that.

3. Killing all alligators isn't really feasible and you've killed zero alligators so far.

Paraphrasing is likely easier than hacking blackhats, but even that isn't without pratfalls apparently.

Impossibly Stupid • October 23, 2017 4:31 PM

@Back In Black


My guess is that a .EDU or two, plus a Microsoft, Cisco, or IBM have claimed on more than one occasion that if only hacking back was sanctioned they'd be able to robin hood the criminals and take back what was their's (or their customer's). All of this is hinting at new legalized opportunities for white hats.

The irony is, of course, it is those large organizations that become the biggest targets for hacking back simply because their networks (along with Google, Amazon, etc.) are the source of quite a few attacks. I have extensive logs that show bad actors attacking my servers from their IP address space. When someone at MIT tries to hack me, and they recently did, the idea that I get to go wild on their network as a result should scare all parties involved.

I think I might have to more closely monitor the abusive traffic that hits my server, and if it originates with ISPs in Georgia or Arizona, I might just let them know that their elected representatives are eager to put them first in line for returning the favor.

David • October 23, 2017 4:39 PM

Seems like the article and the discussion here is talking about how bad back-hacks would be, and that there is no one willing to put their name on wanting the new law...however!

What if the law isn't designed for the purpose of allowing "active defense", but rather to carve a hole in the CFAA for something that has been happening all along? Here's my thinking on this:

  1. Humans/corporations are very bad at long-term or complex risk analysis (tragedy of the commons and all that)
  2. Those same humans/corporations are under pressure to "do something" about the (real/imagined) cybersecurity threats out there.
  3. The human thing to do is to hit back. Libertarian-leaning philosophies depend upon it; it's incorporated into existing law in the US (and probably most of the world); and for someone with something to prove (such as a company about to look XX billions in shareholder value), doing something is better than appearing to be passive.

So it's reasonable to think that lots of powerful people, who have felt the need to "do something", have already been doing this.

At the same time (as the article points out), once you go outside your own network, you are probably violating the text of the CFAA (a "long term" threat, in these instances). In the short term, they probably hit back (or hire white hats to hit back), and then have their corporate lawyers whispering in their ears about the possible liabilities--an annoyance, even in the best of times.

What do you do, oh industry leader with billions of dollars on the line? Why, you get behind an effort to remove that long-term liability by carving an exception in the CFAA. You can't put your name on the effort, because doing so would indicate to the world that you are already violating laws, but for a few million bucks sprinkled amongst your chosen politicians and lobbyists, you might remove billions in liability, as well as looking like the 'merican cowboy that we all love so dear.

Just my inflation-adjusted two cents.

handle_x • October 23, 2017 5:39 PM

Are we meme dueling or are you going to bring some kind of semi-valid rebuttal, or ?

What can we do for you?

Ratio • October 23, 2017 6:00 PM

@handle_x,

There are no less than 27 comments among the latest 100, including 11 of the 39 here. A mere mortal like myself can't possible absorb all that wisdom at this rate. Please think of us dummies. Thank you.

Iggy • October 23, 2017 6:05 PM

@David

What if the law isn't designed for the purpose of allowing "active defense", but rather to carve a hole in the CFAA for something that has been happening all along?

I wish I could say that's impossible, but, we humans are a pesky lot.

Ratio • October 23, 2017 6:07 PM

Another edit: possible → possibly. I better lie down for a bit. Wisdom's overwhelming…

Iggy • October 23, 2017 6:12 PM

@Ratio, I, too, am overcome, such that I must slink away and return to subsisting on algae and the occasional kind word.

handle_x • October 23, 2017 6:28 PM

@Ratio

Ratios are pretty straightforward. Attribution is difficult on the first pass, isn't it?

I asked for a valid counter-argument and do not profess wisdom, just obvious logic.

If you had something to say on the topic (or any really) I'm happy to read it. Do you?
(and if not, what are you doing?)


@Iggy

Riddle me this : what? Seriously I'm having trouble finding your core argument.

You want to hack blackhats, you don't need my permission right? By all means.

You be you, Batman, catch and back-hack "da perps" to your heart's content.

Who am I to question the legitimacy or palpability of it all?

Wael • October 23, 2017 9:07 PM

@David Rudling,

Let me see if I understand correctly [...] I hack back we hack back...

I think so...

Old Josephine had a farm, E-I-E-I-O
And on her farm she had a Wolff, E-I-E-I-O
With a “howl, howl” here and a “howl, howl” there
Here a “howl” there a “howl”
Everywhere a “howl, howl”
Old Josephine had a farm, E-I-E-I-O

Old Josephine had a farm, E-I-E-I-O
And on her farm she had a female dawg, E-I-E-I-O
And her dawg’s name was “Attribution”, E-I-E-I-O
With a “woof, woof” here and a “woof, woof” there
Here an Attribution, there an Attribution
Attribution is a biatch
Old Josephine had a farm, E-I-E-I-O

Old Josephine had a farm, E-I-E-I-O
And on her farm she had a hacker, E-I-E-I-O
With a “hack, hack” here and a “KRACK, KRACK” there
Here a “hack” there a “hackback”
Everywhere a “hackback, hackback”
Old Josephine had a farm, E-I-E-I-O

Old Josephine had a farm, E-I-E-I-O
And on her farm she had a dumb Oracle, E-I-E-I-O
With a “glimpse, glimpse” here and a “POODLE, POODLE” there
Here a prediction, there a prediction
Old Josephine had a farm, E-I-E-I-O

I hack back we hack back
you hack you (all) hack
he/she hacks they hack

@albert,

Sleeping at the wheel, Mr. “. .. . .. --- ....” ? You snooze, you lose!

Moderator • October 24, 2017 1:52 AM

@handle_x, you've been commenting here less than a week and in that time have proceeded to dominate the conversation with increasingly pointless arguing. Please move along.

Clive Robinson • October 24, 2017 2:03 AM

@ iggy,

if a hack back is like a punch back during mano-a-mano, how in the sam hill is that childish, wrong, dumb, stupid, etc etc?

Because a hack back is not like "a punch back during mano-a-mano".

If you want an analogy it's more like,

    You find a stone has been thrown at your door, you then get riled up and go charging down the road and start kicking in the door of some kid you think threw the stone.

It's a rework of the school yard "My dad is bigger than your dad" argument that "might is right". We all know the size of your dad argument is both childish and stupid, even though politicians and diplomats resort to it quite a bit.

The problem with the cyber world is it does not map conveniently onto human activities.

In essence any malware attack on any IT system is a Trojan Horse attack,

    If you don't bring the horse inside your gates the attack won't work. Likewise if you do bring the horse inside your gates and take the proper precautions the attack won't work.

Thus for argument's sake you get sent malware for MS Windows; if you run Windows but do not execute the malware it's not going to do anything other than sit there as a file object. Likewise the malware is probably not going to do much if anything if you tried to execute it on an OpenBSD box. But if you do run MS Windows in a Virtual Machine system that is correctly set up and execute the malware, it will only damage the Virtual Machine, not the system it is running on.

Think of it if you must in analogies as being like a bar with a door keeper. The door keeper can prevent a thug entering the bar. If however they let a thug in, the thug may or may not start a fight. If they do then the bar security staff can evict the thug into the street. Aside from taking legal action against the thug, that is the limit of what they are legally allowed to do in most jurisdictions. Thus the bar security staff can not go around to the thug's house and smash it up in retaliation, which is what "hacking back" is all about.

Hmm • October 24, 2017 3:29 AM

@Bruce

I've been here for 5+ years, you asked me to pick one name recently.

I appreciate what you're saying and I don't like petty arguments, so I tried to keep everything to the merits of the discussion. It appears ratio and iggy were less constrained to avoiding ad hominem and I apologize for reacting to it.

It's beneath me and this forum which you so graciously provide for discussion.

GrauhutOctober 24, 2017 4:52 AM

@Clive: I dont think your analogy works in all cyber cases.

"Think of it if you must in analogies as being like a bar with a door keeper. The door keeper can prevent a thug entering the bar. If however they let a thug in, the thug may or may not start a fight. If they do then the bar security staff can evict the thug into the street. Aside from taking legal action against the thug, that is the limit of what they are legaly alowed to do in most jurisdictions. Thus the bar security staff can not go around to the thugs house and smash it up in retaliation, which is what "hacking back" is all about."

It's often more like someone continuously ordering pizza in someone else's name, and after some time the pizza security decides to rip out this bastard's phone line in order to stop him placing fake orders, because the officials didn't. :)

Full disclosure: In the good ole days of Code Red and Nimda I personally did some "firebackwalling", non-destructive. I was simply fed up with the continuous attacks and I don't feel guilty for slowing down these worms.

Even today, I like to auto tarpit spammers and scanners and automatically "nmap back" guys that scan some networks under my supervision. It's imho a good thing if they feel monitored. If it's not targeted they usually look for easier prey; if it's targeted they will demand more from those paying them; if an attacking box was hacked it increases the chance that someone will look at it and kick the attacker...

And of course, it doesn't make much sense to answer a UDP DDoS this way. :)
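The "auto tarpit scanners" part of the comment above is the one piece of it that stays on your own network, so here is an added example of that side only (it is editorial example code, not Grauhut's tooling and not from the original post). It parses constructed netfilter-style log lines, flags sources that hit many distinct TCP ports inside a sliding time window, and renders local firewall rules for them. The log lines, addresses and thresholds are all made up; the `TARPIT` target is assumed to come from xtables-addons. The example also shows the obvious failure mode: a slow scanner with 90-second gaps between probes is invisible to a 60-second window and only appears when the window is widened.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample firewall log in netfilter LOG-target style (not real traffic).
# 203.0.113.7: fast scan of 12 ports in 22 s. 198.51.100.77: slow scan, one port
# every 90 s. 192.0.2.55: an ordinary client. One unrelated kernel line is mixed in.
SAMPLE_LOG = """\
Oct 24 04:40:00 fw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=21 SYN
Oct 24 04:41:30 fw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=22 SYN
Oct 24 04:43:00 fw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=23 SYN
Oct 24 04:44:30 fw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=25 SYN
Oct 24 04:45:10 fw kernel: IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=60111 DPT=443 SYN
Oct 24 04:46:00 fw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51005 DPT=53 SYN
Oct 24 04:47:30 fw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51006 DPT=80 SYN
Oct 24 04:47:42 fw kernel: IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=60112 DPT=443 SYN
Oct 24 04:49:00 fw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51007 DPT=110 SYN
Oct 24 04:50:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Oct 24 04:50:02 fw kernel: [12345.678] usb 1-1: new high-speed USB device number 3
Oct 24 04:50:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Oct 24 04:50:05 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Oct 24 04:50:07 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Oct 24 04:50:09 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Oct 24 04:50:11 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=110 SYN
Oct 24 04:50:13 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=143 SYN
Oct 24 04:50:15 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=443 SYN
Oct 24 04:50:17 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40009 DPT=445 SYN
Oct 24 04:50:19 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40010 DPT=3306 SYN
Oct 24 04:50:21 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=3389 SYN
Oct 24 04:50:23 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40012 DPT=8080 SYN
Oct 24 04:50:30 fw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51008 DPT=143 SYN
Oct 24 04:51:05 fw kernel: IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=60113 DPT=80 SYN
Oct 24 04:52:00 fw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51009 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r".*\bSRC=(?P<src>[0-9.]+)\b.*\bPROTO=(?P<proto>\w+)\b.*\bDPT=(?P<dpt>\d+)\b"
)


def parse_log(text, year=2017):
    """Return (timestamp, src, proto, dport) tuples; lines that are not LOG-target
    records (the USB message above) are skipped. Syslog has no year, so it is passed in."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = " ".join(m["ts"].split())  # syslog pads single-digit days with two spaces
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        events.append((when, m["src"], m["proto"], int(m["dpt"])))
    return events


def find_scanners(events, window_seconds=60, min_ports=8):
    """Map src -> highest number of distinct TCP destination ports it touched inside
    any window_seconds-wide window, for sources reaching min_ports. Distinct ports are
    counted, so a SYN flood against one port does not look like a scan here."""
    by_src = {}
    for when, src, proto, dport in events:
        if proto == "TCP":
            by_src.setdefault(src, []).append((when, dport))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        in_window, left, best = Counter(), 0, 0
        for when, dport in hits:
            in_window[dport] += 1
            # slide the left edge forward until the window is narrow enough
            while (when - hits[left][0]).total_seconds() > window_seconds:
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            flagged[src] = best
    return flagged


def tarpit_rules(flagged, allowlist=()):
    """Render rules that act only on this host's INPUT chain. TARPIT is the
    xtables-addons target that holds the scanner's connections open (assumed installed)."""
    return [f"iptables -I INPUT -s {src} -p tcp -j TARPIT"
            for src in sorted(flagged) if src not in allowlist]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for w in (60, 900):
        print(f"window={w}s:", find_scanners(ev, window_seconds=w))
    print("\n".join(tarpit_rules(find_scanners(ev))))
```

Run as a script it prints the flagged sources for a 60-second and a 900-second window and the rules for the first. Whatever the window, the rule generated here never touches the remote host; that is the line the comment's "nmap back" crosses and this example deliberately does not.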

HyderOctober 24, 2017 9:46 AM

Considering the CIA leaked some wonderful tools that show just how easy it is to obfuscate the identity of the hacker, the idea that people want to retaliate is just ridiculous. I think you're better off using your fingers to plug the dike than getting into a fight someone else wanted you to start... thanks Eve!

DaleOctober 24, 2017 10:36 AM

I completely disagree with the statement "Hacking back is a terrible idea that just will not die". Active defense is an amazing concept and I love it. If someone is hacking me, I am strongly into the concept that I should hack the hell out of them. I have no idea why anyone would think otherwise.

all inOctober 24, 2017 10:50 AM

" I have no idea why anyone would think otherwise. "

Because you didn't read anything in this topic above?

Lorin RickerOctober 24, 2017 1:30 PM

"...allow companies to access computers that don’t belong to them in the name of self-defense or, as the bill calls it, “active defense.” (Active defense, for those not familiar with cybersecurity euphemisms, is the polite term for offense. It’s meant to convey that you’re just protecting yourself, not attacking anyone, even though, of course, you are attacking someone—that’s what makes it so “active.”)"

The poli-correct phrase "active defense" strikes me to be as false/hollow as the main-stream news media's insistence on saying "active shooter." I've always wondered: Is there such a thing as an "inactive shooter"? Or now, an "inactive defence"? Inquiring minds want to know.

AnuraOctober 24, 2017 1:49 PM

@Lorin Ricker

"Shooter" is often used in the past tense with news articles; there is nothing wrong with extra clarification, even if the context is enough.

DavidOctober 24, 2017 1:50 PM

@ion,

Interesting concept. So, if I were to infiltrate Company X, do you suppose it's possible to turn that software around and tell the security system "nothing going on here" while I scrub/corrupt/replace their data? A common movie-plot scenario, but I'm specifically thinking of the cameras in the original "National Treasure" movie...

@all,

My apologies for the bad grammar/spelling last time. I usually try to be more careful, but it was a long day without enough caffeine...

handle_xOctober 24, 2017 3:18 PM

"strikes me to be as false/hollow as the main-stream news media's insistence on saying "active shooter."

That's a police incident response team term, it has nothing to do with the media except being repeated by them when they report on it.

An active shooter means someone who is still in the area with a weapon, potentially able to continue shooting. Yes, the alternative is an inactive shooter: dead/disarmed/disappeared, not continuing to shoot at the scene.

As you can imagine the distinction is important for first responders.

Clive RobinsonOctober 24, 2017 10:31 PM

When hack-back does not work and the harm it does

Most readers here remember Stuxnet and the Iranian centrifuges. However few remember that for the US the real target were the AQ Khan customer countries that he sold enrichment and other designs to, including North Korea.

AQ Khan is seen as the father of Pakistan's nuclear weapon capability, and it appears much of his work was based on technology he had in effect stolen whilst working in Europe. The reason Pakistan developed its nuclear capability was that India had not just developed a nuclear capability but had actively threatened Pakistan with it, thus the escalation was assured under the rational actor model.

The problem for the countries involved was that the ability to make nuclear weapons was only half the problem, the other half was a delivery capability. Both Russia and China have reasonably advanced missile capabilities and have sold some missile systems to other countries. North Korea gained its initial missile capability this way and proceeded to develop it into its current capabilities.

As a result of A Q Khan and US policy both Iran and North Korea entered into a technology swap arrangement, thereby cutting their own development costs.

Both North Korea and Iran feel threatened by the US and its policy, and in Iran's case especially so due to the US-Israel link. Israel has both nuclear weapons and delivery systems and has shown its willingness to commit "first strike" actions against any nation it thinks is a threat to its military domination of the region. This first strike action is actually "war crime" behaviour by Israel and the US has been extremely complicit in it.

Thus under the "rational actor" model those countries A Q Khan sold technology to are behaving quite rationally to the significant threat the US and Israel represent.

On the face of it the US and to a lesser extent Israel are not behaving as rational actors unless you consider that both countries might have been captured by a subset of actors.

The defence industry or Military Industrial Complex (MIC) in the Super Powers and West play on this sort of US and Israeli behaviour to sell advanced weapons to nations that feel threatened. Thus the US MIC in particular drives this very profitable spiral, which can be seen as the driver for the otherwise irrational behaviour of the US.

In the late 1940s unrest between two super powers, Russia and the US, gave rise to a proxy war in the Korean Peninsula which Russia under Stalin dropped into the lap of the ill prepared Chinese. As was pointed out by China, the US could not win the Korean war as they did not have the manpower which China had. As a result the then US Commander in the field, having killed an estimated one third of the Korean population in the north by bombing, called for the single advantage the US had to be used, which was its nuclear capability. Those back in the then US administration rightly baulked at the idea and the end result was the division of the Korean Peninsula into North and South Korea and a ceasefire agreement that is still in place today. Thus from the North Korean perspective the US has in the past effectively all but destroyed the people and would have progressed to nuclear eradication of the rest of the country. Worse, the US has since then shown every intention of doing so and still does currently and will most likely continue to do so in the future as well. Thus North Korean behaviour is that of a rational actor defending itself against an irrational actor, the US. In this behaviour North Korea has been assisted by both Russia and China, who will almost certainly continue to do so as long as the US behaves in its otherwise irrational actor way.

As far as North Korea was concerned Stuxnet was intended for them and they made it abundantly clear that this is what they thought. In this view they were correct, as since then it has come out during the previous US administration that this was indeed the case. As far as the US were concerned the technology exchange between Iran and North Korea was the only way to get at the North Korean nuclear and missile developments (which, as Kaspersky blew the gaff on Stuxnet, may account for the current US behaviour towards them).

Thus North Korea again behaved as the rational actor in developing not just its own OS and software industry but a cyber-capability as well in response to US behaviour. Whilst the OS has its faults, it is free of the US software industry's somewhat plentiful "backdoors".

But unlike the US, North Korea has gone several steps ahead in protecting itself from US Cyber-attacks, including "air gapping" not just the military but just about the rest of the country, even library and university systems. Which makes the ability of the US to harm North Korea by cyber attack very difficult.

Thus the US hacking North Korea has resulted in North Korea not just protecting themselves but going on the offensive, not just as a deterrent but also as a policy. Which is something the US and West's ICT industry is exceedingly ill prepared for.

Wired has an article which gives further reading.

https://www.wired.com/story/cyberattack-north-korea-nukes/

tyrOctober 25, 2017 2:29 AM


@Clive

One thing you can see from the historical records is that those who begin as rational actors can become entrapped in a cycle that forces them to behave as a nonrational actor. The real danger of considering others as the enemy locks you into an imitative loop and you become more and more like what you identified as your enemy.

The case of the USA hoping to find some moderate Taliban to stuff into the puppet government now that they realize no military solution exists shows how hard it is to change from a bad course. Korea would have settled its own problems years ago without the USA DMZ troops in the way. As it is, hope for a magic outcome seems as far away as it was in 1953.

AnonOctober 28, 2017 7:30 AM

@Back in Black:

Hacking back to "retrieve" the data that was stolen is completely illogical! We are not talking about breaking into a thief's premises to take back the TV they stole. Data can be copied, and as a result once the data is taken from a company it can't possibly be "taken back".

Assume you broke into the attacker's systems where they stored the stolen data: there is no guarantee whatsoever that there isn't at least one other copy in their possession somewhere else, such as on a USB stick sitting on the desk.

The whole idea that you can hack an attacker and fix the situation is just absolute nonsense!

Peter PeterOctober 30, 2017 10:52 AM

“We are clearly giving new meaning to words”. Hack has to do with limits and improvement. Hack back has to do with misuse of words when combined. This leads to confusion which leads to an inability to determine intentions leading to conflict due to fear. While conflict without violence is a system update; an update that takes us back is not an update, is ephemeral conversation done by officials...”forgive us our trespasses” .

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.