The correct solution to the problem this supposedly addresses is for companies to get their security act together. Until they can do that, they cannot be considered competent enough in security to 'hack back' anyway, and instead of hiring specialists to do it for them, they should be hiring specialists to fix their security.
And exactly none of that stops them from wiring a monthly fee to a PO box in Ethiopia to pay an "offense as a defense" service that's running out of an office in the Ukraine.
The possibility of having a public disclosure to the tune of "on $date $company was hacked, we were contracted to get to the bottom of it employing offensive tactics as necessary....blah blah..." followed by a write up covering attribution and a pen-test of whoever it's attributed to would dissuade a lot of actors.
Would you risk your botnet and C&C infrastructure by hacking a company knowing that they'll pay someone to try their best to figure out who did it and hack them back?
> Would you risk your botnet and C&C infrastructure by hacking a company knowing that they'll pay someone to try their best to figure out who did it and hack them back?
You are asking the wrong person, but my guess is that you are exaggerating the efficacy of this retribution, while at the same time regarding botnet operators as being uniquely responsive to the threat of deterrence, in comparison to other criminally-minded groups.
>You are asking the wrong person, but my guess is that you are exaggerating the efficacy of this retribution
Probably to some degree. Obviously you can't assure anywhere near 100% success rate but you don't need one. People go the speed limit in the left lane even though the cops don't ticket everyone who speeds.
I'd love to live when you live. In my area (and in every other motorized place on the planet that I heard about so far), people always go above the speed limit, precisely because cops don't ticket everyone.
Banks are allowed to hire armed security to shoot at potential robbers. They could require better vetting (maybe requiring the use of a debit card before the doors are unlocked, metal detectors, etc). But instead they're allowed to skimp on less draconian security measures and go straight to guns. How is back hacking any different?
Your example is one of intrusion prevention. The appropriate analogy for hacking back would be giving banks the power to conduct their own search and seizure operations. While lenders are permitted to repossess publicly-accessible property in certain circumstances, they cannot independently authorize and perform intrusions for that purpose.
