Digital Vigilantes Who Hack Back (newyorker.com)
110 points by tzury on May 1, 2018 | 45 comments



What you have to keep in mind here is the concept of "due process" and "fair punishment". You cannot simultaneously subscribe to the rule of law and autonomously execute punishment measured with your own subjective scale.

If you don't care about rule of law and justice then consider this: the wealthiest individuals and largest corporations will afford to "hack back" mercilessly without any due process while the layman will sit in the middle catching stray bullets from either side.

All that said, I hope, at the very least, people who support "hacking back" would also support a very strict and heavy punishment for anyone who hacks back the wrong attacker or causes harm to a system that was only being abused post-compromise (as opposed to attacker-owned infrastructure).

The best kinetic warfare comparison would be modern urban warfare. You can't just shoot in the direction of a terrorist who attacked you, if that terrorist is hiding in civilian houses or is holding a hostage. Civilians are not trusted to make that collateral damage risk assessment due to the terrible consequence of getting that wrong.


> You cannot simultaneously subscribe to the rule of law and autonomously execute punishment measured with your own subjective scale.

At risk of being pedantic, there exist "Stand your Ground" and "Castle Doctrine" laws in many states that allow one to autonomously execute an assailant, given certain criteria. Wouldn't hacking back be a fairly natural extension of this? Assuming there were a law permitting, it doesn't seem incompatible with rule of law.


There's a very substantial difference between legal self defense and "hacking back". Self defense is an immediate response and an innate human instinct. Hacking back is more like tracking down an assailant who attacked you or your family member in the past, breaking into their home, and killing them.

Another analogy: if a store owner saw someone steal $100 worth of goods, would it be legal for that store owner to hire someone to break into the thief's house and steal $100 worth of the thief's property?


Where your analogy breaks is that there is an alternative, semi functioning legal system in the case of a crime committed locally in the US that the police will investigate. In the case of a US victim from a hacker based in Russia or China, there is no realistic legal option, unless you are a large corporation with a massive legal budget and political connections. It’s really the alternative between do nothing or hack back.

[edit] an alternative analogy is that a store caught a masked man robbing it and holds him and forces him to remove his mask while they call the police. Shops have no right to hold someone against their will nor to remove any piece of clothes from their customer by force, but it is acceptable in the context of being victim of a crime. Self defence is not the justification (once the robber has been neutralised he is no longer a threat).

I’d argue that hacking into the attacking server to uncover its identity while the attacker is still online is very similar to removing an attacker’s mask by force after he has been caught.


Let's modify his analogy a bit then...

The thief that shoplifted $100 of goods from his store was identified, but flew back to Russia the next day.

Your alternative analogy would be considered kidnapping (as you say it is acceptable under the circumstances, but a jury might wind up deciding that).


It actually happened in the past, and as you mentioned with sympathy of the jury [1]

[1] https://en.wikipedia.org/wiki/Kalinka_Bamberski_case#Abducti...


castle doctrine as I understand it means your home is your castle -- you have no duty to retreat from your own home, if someone has broken into your home, the odds of something going wrong and you ending up dead are high enough that those states have said you can defend yourself with violence in your own home, rather than getting shot in the back or stabbed -- where are you going to retreat to anyway? You're already home.

So, it seems like the logical extension into cyberspace would be that you can do anything you want to the attacker's computer while they are connected to your systems, but you can't pursue them once they've gone, the same as kinetic castle doctrine.


> So, it seems like the logical extension into cyberspace would be that you can do anything you want to the attacker's computer while they are connected to your systems, but you can't pursue them once they've gone, the same as kinetic castle doctrine.

That's more or less what I'm imagining, not after the fact find-fix-finish.

If I come home from work, power on my machine, and find someone is DoS'ing my connection should I be able to route through an alternative connection and take down the offending machine?

Honestly, I don't know how to feel because there is greater potential for collateral than with, say, a man in a ski mask kicking in my door. At the same time wholesale denial of "hacking back" seems like the wrong[0] approach.

[0] - I realize many an HNer lives in a land with a duty to retreat so this might be foreign to them.


Also, if the victim's 'services' are being hacked (which they do not host themselves), would it not be more akin to a thief breaking into a rented self-storage locker?

The castle doctrine would definitely not apply in that situation.


> The castle doctrine would definitely not apply in that situation.

This is flat-out wrong, at least in the states I'm familiar with.

Most states' Castle Doctrine applies to home, work, vehicles, and property. If I'm out in the country on land used for hunting, the "Castle Doctrine" still applies assuming the normal criteria are met.

If I'm at the site, I have a right to defense regardless of it being my primary residence or a rented facility.


No, what I meant was you, as a human, not being physically present, it is just your private property that is "stored" at that location.


> You can't just shoot in the direction of a terrorist who attacked you, if that terrorist is hiding in civilian houses or is holding a hostage.

Hmm I don't know why you think this is the case but that's not how it works. If I get attacked I'm going to close with and destroy the enemy by fire and close combat... regardless of where the enemy is.

I think the better thing to focus on is the lack of reliable attribution. For example, during the Russiagate hysteria I actually dug into the data, and noticed all the command IPs listed were anywhere but Russia, and I found no evidence that tied those command IPs to Russia in the past but that's the key factor in the report because CrowdStrike claimed "these are all known Russian command IPs" but they back that up with nothing.

State level actors are good at pretending to be someone they're not (anyone remember Vault 7 attribution manipulation tech?) So the real issue with this kind of hack back attitude is attribution. Otherwise good actors will likely be fooled into attacking the wrong target...

And that's the difference between that and MOUT. When I get shot at, with few exceptions, attribution is undeniable!

For example, the entire problem with the Iraq invasion was one of attribution was it not? We were lied to about it and it got us into a war we should have had no business in... for example Cheney manipulating intel reports to push the Yellowcake angle.

Another good example is Iran. I took the time to read all the IAEA reports up until 2007 in about 09, and all indicators were that Iran was not seeking nuclear weapons nor was it seeking 2yr breakout within sub 2035 time-frame... except for the 2007 one where a lot of intel was found on a laptop... that we later learned was Mossad planted evidence in an effort to get us to beat the drums of war against Iran... (this is relevant given this silly recent story from Israel about Iran and Bolton's/Pompeo's appointment...)


Hmm, not a fan of this idea. Feels like it's encouraging vigilantism and 'taking the law into your own hands', which is not something a well run society should be incentivising. I mean, it seems like someone who hacked another person or organisation's systems to remove private data could end up wrecking a bunch of other things, which wouldn't be good for anyone.

And then what if it's a case of mistaken identity? You don't really have proof the data you're trying to erase is on the other party's system until you break into it, which could then leave the other party extremely annoyed and wanting to do the same back...

Eh, just feels like companies and individuals wanting to become internet vigilantes if you ask me.


>Feels like it's encouraging vigilantism and 'taking the law into your own hands', which is not something a well run society should be incentivising.

No, citizens acting on their own and society's behalf should always be incentivized versus infantilizing everyone into helplessness and dependence. A home intruder being summarily despatched by an armed homeowner, for example, is a far superior outcome than the homeowner suffering whatever the intruder subjects him to while hoping the "authorities" intervene on his behalf. Not to mention the improbability of any true justice being delivered via the legal system.


Nothing wrong with self defence, but there's a difference between fighting against/potentially killing an intruder who was going to hurt you/did hurt you and hunting them down once they'd stolen the goods and blasting their head in with a shotgun.

Hacking back feels less like the former and more like the latter (à la vigilante lynch mob going after someone who'd done wrong in the past).


Also, what is the context of the hacking?

Copying of intellectual property, or hijacking CPU/GPU cycles for crypto mining?


I agree that the police and justice system in the US feels slow, ineffective, and biased, but I think that trying to fix it so that everyone can depend on it is the opposite of helplessness.


> trying to fix it

There's no amount of police budget that could save a person from a home intrusion.

However, there's some worth in doing prevention through welfare and mental health programs.


Companies could just pay a government organization to do the hacking for them, in a legitimate way.

In fact, it's a bit strange that law enforcement doesn't work that way. If my car is stolen, the police takes little to no action; but what if I could pay them to give the case more priority?


Please see OCP from the original movie Robocop.

So, if somebody "stole" your identity, and was able to drain your bank account and credit card, would you no longer be able to report that your car is stolen, since you lack the funds to do so?

Or, do you ask your family and friends to borrow money, so you can file a police report?


So what happens if a hacker hacks company A and uses their server as a jump box to hack company B? Is company B allowed to hack A since their machine was used in an attack?

Or even worse, what if company B is mistaken as to who attacked them? If they "hack back" as advocated, but against the wrong target, are they liable?


Seems like quite a likely outcome to me also, I imagine most serious attackers understand the concept of covering their tracks and aren't exactly going to be sending packets straight from their home computer without protection.

Just take a look on any of the numerous cybercrime forums: at any one time there are hundreds of "VPS"s available for rent which are just compromised PCs of innocent folk.


It is amusing that while you can easily recognize the attribution problem, you venture that others cannot.


That is why we are here, and the 'other' is not. Hegemony exists.


Anyone else thinking of coining "Digilante"?


Do you want a cyberpunk dystopia? Because this is how you get a cyberpunk dystopia. Only without all the badass nanotech and orbital lasers.


Thinking there is this idea on this thread that you are committing violence or harming systems by "hacking back," when really you are following a trail and picking up crumbs of identifying data the attackers left behind, through systems that were neglected in the first place.

In regard to the idea that you need the law to "punish" people and that defense is against the "rule of law," that concept only applies to violence, and almost exclusively to the monopoly on violence we grant the state as part of that rule of law.

Is it undermining the rule of law to chase a thief across private property? In some pedantic universe sure, but not by any standard of reasonable conduct.

Shrill objections to vigilantism are not applicable to collecting counter intelligence on people who have attacked your business and property. No doubt there is legal risk from agencies and institutions who are rightly humiliated by their own powerlessness, but moralizing about vigilantism on this issue is un-serious.


What about putting somebody in prison for more than 5 years because they made copies of DVDs and printed a Windows and Dell logo on the DVD?


If you thought that Nation-State hacking looked bad, wait until Private Sector hacking reaches Blackrock levels; should only take a few weeks... then it will be who can afford the biggest stick.


It's a difficult balance to strike. On the one hand, people who feel sufficiently righteous to decide what the appropriate response is to something like a cyberattack are rarely the people we'd want in that role.

On the other hand, this sort of impromptu duelling adds so much risk to being a bad actor and there are so many benefits to standing up to bullies that I suspect we do want some of this activity.

I suspect the process may be self-correcting. A society that rewards someone for tying up a scam company's phone line will also punish someone for doxxing the wrong target. Perhaps the next decades will see us move from mob justice to crowdsourced justice. I feel it could be done...


Be careful what you wish for...

https://en.wikipedia.org/wiki/The_Lottery


That was a great read, being from outside US I've never heard that story.

I guess we can have crowdsourced justice, we just need to always question our motives.


Apparently, the hacker who posted this to HN is so good, he/she hacked into the future to bring it here.

Cue the HackerMan intro: https://youtu.be/KEkrWRHCDQU


> While there, he was struck by the power of digital weapons: military jets routinely flew overhead, using electronic pulses to detonate hidden bombs before they could kill American soldiers.

Anyone have more details about this? I know there's some current research into portable EMPs but never heard of them being used in 2011. A quick search didn't turn anything up.


I don't think it is accurate.

Airborne IED jammer, the Intrepid Tiger II pod (2011): https://www.stripes.com/news/middle-east/afghanistan/airborn...

Remote IED detonator, but not airborne and just in testing (2011): https://www.popsci.com/technology/article/2011-02/new-device...


I have always wondered if these folks really want to know someone who is living in Belize or something. It seems that setting up an 'active defense' relationship with a third party not encumbered by the CFAA would be a useful strategy.

I agree with the premise that if it's "safe" to hack the US then people will continue to do it.


Yeah right. Good luck hacking back when most attacks are relayed through zombie devices.


Why do you assume your imagined incompetent whitehats are incapable of differentiating zombie hosts from C&C and other meaningful infrastructure?


Because competent whitehats sound expensive to contract


No one paid Marcus Hutchins. He just acted. (And look what that got him.)


Upside more jobs in tech... all these companies are going to want active offense teams if this passes.


It's the hallmark of free people in every age that they have the right to defend themselves.

We've been disarmed, so we're not free. Those who have disarmed us seem to think that the most important thing is that we not interfere with their work, even as we continue to be attacked. Not only that, they will more zealously guard their turf than defend us against aggressors, since we're easy to target and fit within their competence. They will essentially join in the attack to protect their turf.

It's all for our protection, though. We just need to trust them that eventually they really will protect us. Any day now. Just you wait.


All is fine and good until someone hacks back and creates an even bigger problem. Although at this point the FBI needs Microsoft’s help to fix big messes that cracking causes.


Yes, but Lockheed Martin and Sandia Labs are not your average SV company; they will have someone whose job it is to liaise with the security services.

Surprised that the journalist doesn't seem to know that, I am sure the New Yorker has a security/defence correspondent.

Bit surprised that he went to the local FBI and not his internal security team or direct to the CIA and got some cover.


He probably didn't trust his management/HR. Wise move, in retrospect, but nearly canceled out by trusting FBI.



