On Hacking Back

Former DoJ attorney John Carlin writes about hackback, which he defines thus: “A hack back is a type of cyber response that incorporates a counterattack designed to proactively engage with, disable, or collect evidence about an attacker. Although hack backs can take on various forms, they are—by definition—not passive defensive measures.”

His conclusion:

As the law currently stands, specific forms of purely defensive measures are authorized so long as they affect only the victim’s system or data.

At the other end of the spectrum, offensive measures that involve accessing or otherwise causing damage or loss to the hacker’s systems are likely prohibited, absent government oversight or authorization. And even then parties should proceed with caution in light of the heightened risks of misattribution, collateral damage, and retaliation.

As for the broad range of other hack back tactics that fall in the middle of active defense and offensive measures, private parties should continue to engage in these tactics only with government oversight or authorization. These measures exist within a legal gray area and would likely benefit from amendments to the CFAA and CISA that clarify and carve out the parameters of authorization for specific self-defense measures. But in the absence of amendments or clarification on the scope of those laws, private actors can seek governmental authorization through an array of channels, whether they be partnering with law enforcement or seeking authorization to engage in more offensive tactics from the courts in connection with private litigation.

Posted on November 12, 2025 at 7:01 AM • 12 Comments

Comments

Privacy November 12, 2025 7:07 AM

I hacked back exactly once, around 30 years ago. I noticed an invader in the network, launched a counterattack that knocked them off the Internet. It was of course symbolic, to let them know they had been noticed.

Ray Dillinger November 12, 2025 3:59 PM

I had never even considered the possibility that “hack backs” as he calls them might possibly ever be illegal.

Trace-and-hack-back was one of my security SOPs for over 20 years. I could go through a list of tactics but given this article it seems that might be poor judgement. Still, it’s true. And I’m not doing security jobs any more so why not?

I’ve never been particularly destructive. I think the most aggressive thing I did in 20 years was breaking a botnet control node’s router. I found control input packets and couldn’t identify their source behind a Chinese VPN provider. But I could definitely identify the packet destination. I got into the router, verified that that machine’s routing requests had the rapid but steady timing and aggressively random destinations typical of botnet control, and then crashed the router. It needed to be reset and reconfigured to get working again, but wasn’t damaged.

At a security-conscious data center they’d probably never trust that router again, so I may have cost somebody some hardware. I doubt it because it probably wasn’t a security-conscious data center. It was probably just somebody who reset it and put it back on the line. If I did prompt someone to get rid of it, then good riddance. The CVE I used to break it was six years old at the time and their failure to have already thrown it out was enshittifying network security anyway.

(Side note: Most VPNs are Chinese, and in China all businesses that use the Internet have to turn over logs to the CCP, decrypted in full, either on a regular basis or on request. Considering China’s adversarial behavior w/r/t information security in other countries and position in the supply-chain via hardware manufacture, realizing that they also have access to everything that goes through most VPN connections makes me worry.)

Kevin November 12, 2025 6:25 PM

The problem with hackback is collateral damage.

What if you ID’d the PC where the attack is coming from, and managed to shut that machine down? Soft kill, right? No damage to anything.

But what if that machine was actually not ‘owned’ by the attacker, and simply a compromised middle man? What if that PC was inside a hospital, managing some crucial system? It had minimal security so the attacker got in and routed his attack through it. And you shut the crucial machine down. Now what’s the damage?

Star Chamber November 12, 2025 8:24 PM

@Ray Dillinger

Would you be willing to share why you assumed that they were legal?

For example: if someone breaks into your office and steals a box of documents (all on paper), can you follow him to his lair, enter without his permission, and re-take possession of your documents? How is this any different if the documents were stored electronically rather than on paper, and he hacked into your data storage system rather than physically broke into your office?

@Kevin

The answer to your question probably depends on whether you have permission to do anything to the compromised middle man’s systems. If the hospital doesn’t grant you access, you probably have no greater right to be there than the black hat hacker.

Jon (a different Jon) November 12, 2025 10:00 PM

Yep. @Kevin and at the OP, ‘misattribution’ is a colossal thing.

Spam email since day one has faked their return addresses, and even reverse paths. “Hacking Back” against an innocent bystander is, and should be, fantastically criminally liable.

So be very very careful about that.

J.

(For a literary reference, try Charlie Stross’s novel “Iron Sunrise”, wherein a specific stellar civilization attempts to wreck another and blame it on someone else – so the victim’s doomsday retaliation devices retaliate against someone else.) J.

Ray Dillinger November 13, 2025 12:49 AM

I dunno, really. I assumed they were legal, I suppose, because they were more or less “normal” back when there was absolutely NO law enforcement that ever touched the network, and I never really heard that effective law enforcement had ever actually arrived in Internet space.

Seriously, imagine me calling up any law enforcement agency anywhere, in 1996, and saying “I have a client who’s getting a botnet DDOS. I’m pretty sure the botnet control node is in Uruguay based on network timing pings, but I can’t trace the perpetrator past a VPN located in China.”

And every police agency in the world – American, Chinese, or Uruguayan – would have told me “nothing we can do, no jurisdiction, nothing to go on, not enough to get a warrant….” Has any of that changed? DDOS attacks via botnets are definitely illegal, but so is spamming. Without any effective law enforcement, illegality never discouraged anybody.

IMO, if there is no effective law enforcement, then it is the civic duty of those who can help to do so.

Effective law enforcement would definitely be better! I’m well aware that there are loads of practical problems with vigilantism, especially when vigilantes don’t have any firm shared agreement on what the law ought to be or what’s a “reasonable” response. And more basic problems such as the lack of access to courts and civic infrastructure (such as jail) for penalizing infractions. These things taken together contribute greatly to vigilantes’ often distorted view of “appropriate response.”

I believed then, and still believe now, that knocking a botnet control node off the net for a few hours, and maybe kicking over a router that was unmaintained and insecure anyway, was not a disproportionate or even an inappropriate response. But then I suppose almost all vigilantes think that about the things they do.

As I said, Effective Law Enforcement Would Be Better! But as far as I know we just didn’t have effective law enforcement then and as far as I know we still don’t have it now.

Clive Robinson November 13, 2025 8:11 AM

@ Ray Dillinger, ALL,

“I dunno, really. I assumed they were legal”

Until the 1990’s it was neither legal nor illegal, because there was no legislation.

If you look back on this blog you will find me relating the story of how UK Prime Minister Margaret Thatcher tried to have me entrapped and prosecuted.

It was probably not personal, and she probably did not know or care to know what my name was.

All she cared about was the sell off of British Telecom to make money for her to use on “policy” or as a “war chest” for the next election.

But briefly back in the 1980’s there was such a thing as “The BBC Micro” and a series of Television science style shows to teach people about “Home Computing”.

They were so successful that they had a “special event” which was called “The BBC Micro Live” and part of it was a demonstration of British Telecom Gold which was basically a bulletin board for business.

At that time the BBC Computer was made by a company called “Acorn Computers” and the man who was in charge was Herman Hauser known as HH. His Gold account was ACN001 and he had a really easy to guess password.

Two people I “knew from the scene” where I was seen as an “elder” because I was out of my teens were called Oz and Yug because….

Well they guessed the password, logged in, uploaded “the hacker song” and modified the login startup file so it would display immediately.

The account was logged into and up it popped on live television in close up to maybe 13 million pairs of eyes, and more importantly a bunch of journalists who had been invited from the more “Grande Papers” like the Times, Telegraph, even Financial Times, because it was expected to be good news for the prospective share price.

Any way they wrote “the wrong stories” and Gold had to urgently take out full page adverts to say it was safe and secure really “pinky swear”.

The adverts were basically lies and I knew it, so I wrote a piece for another BT service “Prestel” for the Micronet 800 users. I posted it to a “closed user group” and asked Len Stewart from the ACC if it was OK to put into the open news area. Len was keen but he checked with another ACC senior Vernon Quaintance, who was more cautious and showed it to an EMAP employee who was in theory the head of Micronet 800, David Babski, a thoroughly repellent individual, as a friend who was his secretary had noted on several occasions.

Any way “The Blabski” was horrified and fired it up to the Cabinet Office… Where it apparently created a bit of a problem hence the “will someone rid me of this man” edict was issued by Mad Maggie.

The problem: I’d done nothing wrong let alone illegal… So the Met Police decided to try and get me for fraud by what most would call entrapment. An invite came back down through Vernon to go and give a demonstration… I smelled a rat because I’d put all the details required into what I’d written. So I had a chat with my actual boss Charles Liasidies about it. He made a couple of points,

1, I should be well paid for my time.
2, To ensure this a letter of engagement or contract should be in place first.

This was a problem for them although I did not know it until later because such a signed document would show I was “acting on their behalf” not “committing fraud”.

The more they tried to talk me out of it, the more I dug my heels in, so in the end they gave up.

Then a second incident happened: BT was getting kids as young as 14 to write software to do “bulk upload” to Prestel for free… To support this they put a machine online for “testing” that was known as “Pandora” in “the scene”. BT tried to do it on the cheap so just loaded a live system backup on Pandora and modified the login screen to tell the kids how to log in with administrator privileges.

The system had a plain text password file including users real names…

In there was HRH Prince Philip’s account (not that it had anything in it of interest). The scene elders decided this needed to be reported as it was a major security issue. Another person who worked for EMAP as “the bug hunter” in what we jokingly called “Acorn (Ab)user” magazine, against my and a couple of others’ advice, decided to speak to Dave Babski to find out who should be contacted.

Cue reload for Maggie… Despite advice Robert Schifreen and Steve Gold went ahead and demonstrated it and got arrested for impersonation which was fraud but got charged with forgery as the prosecution told the police fraud would not succeed in court.

It went to court and Robert and Steve were found guilty… It got appealed all the way to the House of Lords who told the “commons” Government not to be so bloody stupid and they should make proper legislation not bend existing legislation way beyond its intent.

You can read more at,

https://en.wikipedia.org/wiki/Robert_Schifreen

But note there is a major error in it: it first talks of the “Gold” service, which is not true but a little later correctly talks about Prestel. There are also some other minor mistakes (username and password for instance).

I do not know who started the stupidity of conflating two entirely separate incidents into one, but they have managed to “pervert history” in oh so many articles and books where nobody has done actual research…

I was working at a University in the 1990’s and one of the senior “Business School” academics published a book repeating the mistake. I told him it was wrong and why and what happened… But he took the “pompous” high ground and basically said I was wrong because he had researched and thus my opinion did not matter… He shortly thereafter decided to become an elected politician, lucky for all of us the voters “Said NO”. And every time we both attended a University Board Meeting he used to give me the “stink eye” I guess because I had a minimum of an equal vote and sometimes a deciding vote. I guess in his eyes someone he thought of as a pleb effectively outranked him and other academics was “Oh so…”.

iAPX November 13, 2025 2:03 PM

“Hackback” is as old as hacking is 🙂

First movement, do a ping, then an nmap. Just for the fun.
I automated that decades ago: want to see mine? Show yours!

BCS November 13, 2025 3:35 PM

If a carve out is added, I’d think that it legally should bear some resemblance to the laws about self defense.

  • It should be an affirmative defense (the burden of proof it is justified and within the exception is on the accused).
  • It should not require prior authorization.
  • The attacker needs to be doing something criminal.
  • The threat needs to be imminent (no proactive first strike based on suspicion).
  • The response must be proportionate.
  • The objective must be protective, not punitive.
  • The responding party is liable for collateral damage (at least any that they should have reasonably expected).

Outside that, actions quickly get into the realms that should be handled (or at least managed) by law enforcement and national defense.

Clive Robinson November 13, 2025 8:23 PM

@ iAPX,

With regards,

“want to see mine? Show yours!”

I already have here years ago.

Though it was more of an enumeration tool for intelligence gathering (Digital-ISR) rather than attacking.

Back then shared hosts were rare except when making “Honey Nets” to trap attackers and catch their exploits to put under the microscope.

So as say a person with a nice new shiny Zero Day, how could you keep it out from under the spotlight? But also how could you identify real hosts at the motherboard level to see if you could slide in under one service container and attack another service container on the same hardware? As in Engineering Depts and services on the “shared hosting” of the time.

The answer was,

“Find a common component that could not be easily faked and importantly be remotely fingerprinted as unobviously as possible.”

The answer was “one of the clocks and thermal drift in time/frequency”

As a general rule computers have two clocks, one is a “Real Time Clock” chip that is battery backed up, the other is the CPU Clock that acts as the “master heart beat” for the whole motherboard.

Both get their “timing” from “frequency counting” a quartz crystal (AT-cut in the tens of MHz for CPU, B-cut for RTC at ~32kHz).

As mechanical components their behaviour is affected by their environment. In this case, of interest is Delta-temp or the change in frequency due to the change in temperature inside the case the motherboard is mounted in.

This gets reflected in any “time stamps” and most importantly their transition points.

The easiest timestamp to monitor remotely was that of the network stack. And you could see it with a succession of pings.

Without going into a deep dive you can use the pings to detect transitions and thus graph out delta-temp from delta-freq.

Thus compare two supposedly independent network systems. If the delta-freq graphs are the same one or the other is true,

1, They use the same motherboard.
2, They use the same external reference.

Thus what looks like a “script kiddy” run “ping attack” to the target Security Admin is actually a way to spot Honey Pots covertly and thus take that IP address range out of consideration for an attack with your nice new shiny zero day.

Your turn 😉

KC November 15, 2025 1:34 PM

I tried to post something on John Carlin’s article, but it’s being held in moderation.

So just to add:

Another truly excellent read in this Aspen Digital series if you like lawyers, and I fall here, is “On the Same Page.”

The essay defines the qualities of offensive cyber actions that make them effective, while mitigating the risks of escalation. These deterrent actions should be persistent, proportional, and credible. Laying a foundation and a framework to respond to cyberattacks across public and private sectors will be immensely beneficial.
