Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
The Internet

CNN Asks "Can You Hack Back?" 207

Posted by CmdrTaco from the or-should-you dept.
dboothe writes: "CNN.COM has a somewhat interesting article on whether or not it is okay to fight back when being hacked. In the scenario they bring up with the WTO website, it seems pretty clear that they likely should have steered clear, working on the probable assumption that the IP address used was just a dummy machine that had been cracked previously. But what about other situations where it's more of a grey area?"
This discussion has been archived. No new comments can be posted.

CNN Asks "Can you Hack Back" More

CNN Asks "Can you Hack Back"

Comments Filter:

  • Moot (Score:3)

    by ViceClown ( 39698 ) on Friday June 02, 2000 @05:48AM (#1030320) Homepage Journal
    This is a moot point. Any cracker worth their salt is going to be behind so many machines that attacking back will be impossible without some for-real research and tracking. Just my $0.02.
  • If you have an automated defense system, I don't see as how that is "taking the law into your own hands," you are just protecting your system against intuders and ensuring they won't come back. If you wait a while and then go after their server, that seems more like revenge IMHO.

  • No. (Score:2)

    by fr4gg4 ( 52200 )
    Theoretically at least.

    This would trigger the same shit as the 1st man/woman who applied violence did.

    In reality..hmm one could at least make it impossible for him to continue his activities.
  • True, but what about those script kiddies that actually are on their machines? If cracker leaves the door open, should you hit back?

  • If you see someone logged in from an unknown IP (amusing you screwed both tcp wrappers, OpenSSHD and your firewall up), just start ping flooding that IP. Ping first ask questions latter. Don't bother loging the user out, just ping attack the hell out of him and his network (and pray the God it isn't Bob in the next office on the same ethernet segment as you)

  • I know that here in the UK we have the 'Computer Misuse Act' which makes hacking/cracking illegal - I suspect the same sort of thing is worldwide (practically).

    So, therefore, while somebody may be attempting to get into your systems, you can't legally break into theirs. There's nothing physically stopping you, but if you were to attack the wrong machine, or their attempt on you was an accident and you (in retaliation) bring down mission-critical systems - you'll get into a nice big legal mess (UK users can face an unlimited fine and 5 years imprisionment - bringing down a system would come under part 3 of the aforementioned Act - IANAL)

    Remember - two wrongs do not make a right...


    Richy C. [beebware.com]
    --

  • What's the point? (Score:3)

    by Grexnix ( 94113 ) on Friday June 02, 2000 @05:53AM (#1030326) Homepage
    Somebody who's running a DDOS attack - unlike the hapless electrohippies - is going to be IP spoofing and using a multitude of machines. If you bounce all the attacking packets back, all you're likely to hit is a large number of machines belonging to innocent people with bad security.

    --

  • I am Reminded of a Proverb... (Score:5)

    by Tim C ( 15259 ) on Friday June 02, 2000 @05:54AM (#1030327)
    "Two wrongs don't make a right"

    As tempting as it may be to give them "a taste of their own medicine", the chances are that you're just going to be attacking an innocent bystander whose machine has been cracked, and is being used to launch the attack on yours.

    Even if you do hit back at the actual cracker, so what? So you trash his PC and some files; it's not like it's going to put him out of business, or cost him thousands of pounds to restore it.

    IMHO, the best thing to do is just find out as much as you can, co-operate with the authorities, and let them deal out any punishment.

    Cheers,

    Tim

  • not a good idea (Score:3)

    by wrenling ( 99679 ) on Friday June 02, 2000 @05:54AM (#1030328)
    Attacking back is just going to give the government and industries a reason to try and pass more controlling legislation. Its too close to them being able to create a "Wild West" analogy, where they would have to protect the "innocent women and children."

    There have long been accepted channels for handling these situations, such as contacting the sysadmins for the ISPs, *cough* the FBI & local police (Okay, I know, they are often clueless, but they arent going to get MORE clueful if we keep going AROUND them!), etc.
  • When I get my "always on" internet at home,
    I want to watch for crackers and try to
    link back to them. Seems like it would
    be fun and educational.

    Surely a program could watch for "attacks" and
    just let them in. Try to hold thier attention
    long enough to trace back to them.

    Or am I just crazy?

  • I'd say that hacking back was justice if you could be sure that the system you were hacking back was the hacker's. But you can't. It would be really terrible if (a) somebody started attacking your web site, (b) you found and attacked the source of the attacks, to make that machine cease operations, (c) it turned out that the machine you just blasted belonged to your good friends at Thyme magazine, and had itself been hacked... oops.

    Gotta watch out for that friendly fire.

  • I would think that fighting back harshly (ie, not just "returning mail" like the article implies) would make the victim now no better than the attacker. It is pretty obvious the the e-hippies weren't so bright in using one IP (and their home one at that), and that most real crackers would use boat-loads of other systems. The victim in this case was fortunate to be able to trace it back to just one IP. Of course, hopefully DoS attacks will occur less now that security IT professionals know what to look for.

  • Re:Moot (Score:3)

    by josh_freeman ( 114671 ) on Friday June 02, 2000 @05:56AM (#1030332)
    I am a system admin for a lab in an educational institution, and I can say that I'm pretty certain I would be nailed to a tree if I tried this. First, it is probably illegal. Fun, but still illegal. Second, since I am on a subnet, everyone else in my institution would be bogged down because of the increased traffic. Lastly, the previous poster is certainly right that in almost all cases a cracker won't be as daft as to use one IP address to launch a DOS attack. But it's fun to contemplate. . . .
  • That was actually first written in a tech journal that my office recieves, and then CNN stole it. I forget which one.
  • If the webhost believes that they know where the assualt comes from, it can't hurt to try to fight back.

    If they correctly identify the attackers and give them a dose of their own medicine, the attack will quickly stop.

    If however the attacker is using computers that have been previously taken over, whats the damage? Those computers (more than likely only desktop's in some business or school) cant access the net for a small amount of time. No big deal. No one loses money and some college kid just can't check his email on that machine for a little bit. Big deal.

    It looks to me like there is something to gain (the end of these attacks and such) and not very much to lose by striking back. It would be different if we were talkign about shooting at someone and hoping they were the real attacker, but we are talking about internet access.

    On the other hand, businesses and the gov are really good at putting figures on damage that come out of nowhere. "Our connection was dos'd for a day and it cost us $10 billion."

    -magicsloth
  • Kevin Mitnick being forced off the speakers' circut? Is that defense? I dunno... perhaps I'm paralleling free speech / cracking a bit too much, but I dunno... how the hell do you do anything in a neighborhood where there's a billion rooms in each house, and everyone has to make their own keys?

    I should write a book... "20 things to look for in your next basement-extract hunchback computer geek 13-year-old security expert..." Lesson #1: DDOS

  • Spoofing is not a hard task to accomplish. If I was to attack a machine I knew was well hardened, I might have decided to attack an aggressive, less-protected sysadmin pretending to come from that machine. If I tricked him into attacking back, I would effectively trick him into helping me.

    A good sysadmin must learn from the experience, harden his computer, report it to an Incident Response Team, and... Well, be prepared for the next time.

  • I wouldn't. (Score:5)

    by Booker ( 6173 ) on Friday June 02, 2000 @05:58AM (#1030337) Homepage
    There's generally no good reason to hack back, I think. (Unless identifying and reporting the hacker constitutes hacking back...)

    I use PortSentry [psionic.com] as one line of defense, and if someone scans the box, they just get dropped into a black hole. (Actually, them and their subnet, in case it's a dynamic IP on a dialup.)

    PortSentry allows you to run any arbitrary command when a scan is detected, but he warns against retaliatory action:

    I NEVER RECOMMEND PUTTING IN RETALIATORY ACTION AGAINST AN ATTACKING HOST. Virtually every time you're are port scanned the host doing the scanning has been compromised itself. Therefore, if you retaliate you are probably attacking an innocent(?) party. Also the goal of security is to make the person GO AWAY. You don't want to irritate them into making a personal vendetta against you. Remember, even a 13 year old can run a [insert favorite D.O.S. program here] attack against you from their Windows box to make your life miserable.

    Sounds reasonable to me...

    ---
  • I live in an "outback" town In Western Australia. And I've been VERY heavily involved with the ISP's in this town for the past three years.. This stuff used to happen all the time, One service would DOS the other service, then the victim (a freind of mine at the time) Fought back by trshing his solaris annex server, onece a week. It was fun at the time.. but after a while.. money and buissnes got in the way.. you can't maintain a REVENGE IS SCHWEET type outlook if you want to stay in business. It just get too damned expensive.
  • Cracking in retaliation is just a vigilante excercise and shouldnt be encouraged. For one thing, the target may be a machine that has in itself been cracked (and is thus just as much of a victim) or it may be one user at a site that is otherwise harmless. Take down their machine and you remove the resource fro the people using it legitimately. There are laws out there for this kind of thing. If you are SO sure you know who it is, beyond doubt, then take your proof to the police and let them deal with it. Apply the same laws online as you do offline.
  • So if someone breaks into my house and I notice it, is it alright for me to leave at the same time and go to their house to rob it? If a scam artist rips of my grandma is it alright if I call his grandma and rip her off?

    An automated defense system that attacks back is walking a very fine line. Just because someone does it to you, definatly does not make it legal to do it back.

    Though it is interesting to consider what "reasonable force" might consistute. Just as if someone physically attacks you, you can respond with enough force to stop them.

    But as the article was warning if the person is faking their IP the analogy would be like being attacked on the street and beating up some 3rd guy for it. You're going to get in a lot of trouble for it.

  • Except you're then vulnerable to a new DoS attack. If they switch spoofed IPs rapidly, they can fill up your routing table. Whoops!
  • but I submitted this back in April. It's looks like CNN just rehashed the April 17th article [cnn.com] about the same thing.

    That point aside though, I think the view of no couter-attacks just stinks. While I don't like the bandwidth that it takes up, how else are we supposed to defend ourselves? What ConXion did was pretty cool.

    Hey, just had a thought, the Internet is where WW III will be held! Just imagine, country after country attacking each other through DDoS. 'A' defends by sending all those packets at 'B's ally 'C'. Pretty groovy war games if you ask me. :)

  • If you are hit you either run or fight (self defense)

    I say we develop a protocol for fighting back (self defense and self policing). Part of this protocol should include the education of people to harden their systems. If you system is compromised and used in an attack, because your sysadm did not lock it down then you should not complain when you get "hit back".

    If the systems are locked down then at least the wanna be's won't be trashing systems. I know we cannot stop all the crackers but at least let's make it harder for the idiots.

    -- Tim

  • How do you know the script kiddie is on his own machine? There is no way to know what is going on in "Target" machine's CPU. Maybe it's a script kiddie, maybe it's a zombie setup to look like a script kiddie. The risk of a lawsuit from the counter attacked machine's owner (actually even if he IS the script kiddie since there is no "self defense" clause in computer security laws) is to high to risk it.

  • ...will leave us all blind and toothless.

    Most folks here are probably familiar with the "Prisoner's Dilemma" puzzle, and how the simple tit-for-tat strategy is one of the most successful. However, there is a variant of the puzzle that assumes that communication is "imperfect", and that there is some probability that a Prisoner's response will be misread. In that situation, tit-for-tat games degenerate into an endless cycle of retaliation. Of course, I don't see it happening today, but imagine if retaliation is ever automated (Black ICE?).

  • first of all, simply bouncing back any recieved packets can in no way be interpreted as an "attack." it is no different than marking your junk mail as "return to sender;" if someone spams you with so much junk mail that when you send it back they become clogged with it, it is their own damn fault.

    second of all, i don't want to hear about how this has the potential to hurt innocent bystanders. i'm sorry, but if your system is so insecure as to allow a hacker to use it as a staging point, then you deserve what you get. perhaps if everyone fought back against DoS's and such, and enough "innocent bystanders" were injured, they would take the time to secure their system the way they should have in the first place.

    the only problem is in the case of spoofed IP addresses. in this situation, the person being hurt will have had nothing to do with the problem, and the one at fault (the attacker's ISP) will not be harmed in any way. the only possible fix for this is if enough people bitch and complain, the ISP in question might get its act in gear simply due to user/peer feedback.

    Power Corrupts
  • Automated defense systems are typically designed to parry crack attempts, not offer retaliatory strikes. In the case of a spoofed IP address or other concealment methods, it's entirely possible an automated retaliation could strike at an innocent machine rather than the guilty party. Somehow I doubt I'd enjoy being the target of a lawsuit if someone figured out how to make my automated "defense" system knock out a third party.
  • If someone comes into your home and trashes the place, is it okay to go to his/her home to trash the place? If they steal your car, is it acceptable to steal their car? Of course not! that's what we have laws for. This is how turf/gang wars start and continue - people take the law into their own hands. Someone hacks your site, you hack theirs, they hack yours, you hack theirs. When does it stop? Don't let the internet become a big turf war - we're better than that.

  • Another Age-Old Debate. (Score:3)

    by Alarmist ( 180744 ) on Friday June 02, 2000 @06:04AM (#1030349) Homepage
    Really, this is not much different from the arguments regarding the use of force in defending one's home against a burglar. True, the stakes are different (lives versus property), but the story is the same, as are the concerns:

    • There is the danger of injuring innocent bystanders (shooting through the wall and hitting someone else/destroying a hapless innocent's machine).
    • The use of force may deter the individual offender, but won't necessarily stop potential offenders.

    The difference here is that in cracking attempts, one can easily find oneself enmired in a situation where attempts escalate as the cracker and defender each try to outdo the other. This isn't the case with breaking and entering, as it usually only happens once, and if someone is killed, they cannot continue the escalation.

    What recourse do system administrators have? They can build the best defenses possible, but any system built to connect to another can be compromised. The law may or may not be on their side should they decide to retaliate, but law enforecment is notoriously slow to respond in cases of electronic intrusion.

    Perhaps the only viable alternative at this time is to strike back. Who can say?

  • Some informed opinion on the subject... (Score:5)

    by mav[LAG] ( 31387 ) on Friday June 02, 2000 @06:05AM (#1030350)
    can be found at Attrition's page on the subject [attrition.org]. In a nutshell, it's much harder than it looks, legally questionable and more often than not ends up screwing around with innocent third parties.

  • If the site that is getting hacked wants to have any opportunity to sue the attacker for damages or attempt to use the extent of the financial loss suffered to prosecute, then it should not retaliate. If a commercial site retaliates, it opens itself up to a counterclaim from the hackers themselves. It is as if a burgler runs down your electric fence. In many jurisdictions, the burgler has as much right to sue for the injuries he suffered as you do to reclaim the cost of the fence (note: there are exceptions). Even though the fence is merely applying a shock to the burgler in a direct response to his putting pressure against the fence, you are still responsible for his injuries.

    For a governmental or non-profit organization that cannot claim damages against the hackers, this is a creative way to get even.

  • NWFusion has a feature on this this week... (Score:3)

    by bemis ( 29806 ) on Friday June 02, 2000 @06:06AM (#1030352) Homepage
    NetworkWorld Fusion [http] (idg.net subsidiary) has a pretty good feature [nwfusion.com] on this this week, and from what i gathered from it most netadmins/sysengineers *wanted* to go back after people in the process of penetrating their systems, but the overwhelming majority *wouldn't* ... they opted for setting up 'honeypots' and the like to lure the criminals in and monitor them (presumably) long enough to confirm identity/ensure enuf info is gathered for conviction... check it out ... good article.
  • Obviously, when you know the attacker, there is nothing wrong, morally or legally, about bouncing traffic back to the source.

    But what about DDOS with hijacked servers? The choice is between allowing your own server to be disrupted or disrupting the group of servers who, however unwittingly, participated in the attack. An added bonus, knocking out those servers will stop the attack, as the crackers will lose their launch points.

    I am clearly not an expert on the technical side of this issue. I trust the majority of comments I have seen regarding DDOS which state that allowing yourself to become a platform for such attacks is the result of bad server set-up or security. If hosting DDOS attacks doesn't substanially affect a company, they will not invest in improving their systems (unless you want to propose new legislation making them liable - never the best solution). However, if a company is faced with losing their server, they will have the necessary economic incentive to invest in better security and IT personnel. A nice, market based solution that doesn't require gov't intervention. In fact, the gov't should make certain that it doesn't prohibit this course of action by sysadmins.

    Now, I'm not endorsing active efforts to disrupt an attacking server (two wrongs don't make a right), but I can't see any problem with bouncing DOS traffic from whence it came - Am I missing something here?

    Take responsibility for your own packets.
  • ...by some weirdo in England, going through somewhere in Virginia (Langley, according to other information I managed to dig up!!!). They did a good job. My Debian box showed nothing with finger, who, or anything similar, and I only noticed it because my net load meter was full up, and I wasn't doing anything.

    A random netstat showed a ton of packets going to a domain named after the Soviet Union's tourist agency, and as soon as I went to the page for Ethereal so I could scan the packets, it stopped.

    That was too weird for me, so I notified the FBI. Two months later, a computer crimes guy got back to me and asked if Linux was anything like RedHat... =)


  • Seems a perfect use for this wonderful mechanism.

    Lew

  • Doing the attacker's dirty work (Score:3)

    by Phaid ( 938 ) on Friday June 02, 2000 @06:07AM (#1030356) Homepage
    The problem with even having this discussion is that it assumes that the victim of the initial attack, and the attacker, are operating in a vacuum -- or at least that they both have direct connections to internet backbones. Most times this is not the case; both parties have upstream ISPs that carry their outbound and inbound traffic to the rest of the world. In the unlikely event that the victim can locate the true source of the attack, and not just an owned machine, retaliating against the attacker will constitute an even greater load on the victim's ISP and probably create a DOS condition at the attacker's ISP.

    Let's do the math: we retaliate, and twice as many people (or more) are subjected to a DOS. Hmm, doesn't sound like a good strategy.
  • I have ads.doubleclick.net pointing at 127.0.0.1 so I don't get the banner BS. The link doesn't work for me, as CNN seems for redirect the page to an ads.doubleclick.net page, which results in a 404 and I can't see the original CNN page. Anyone else that blocks doubleclick in this manner getting the same thing?
  • Someone starts attacking you. You start attacking back, and then they see they are being attacked, have the same idea, and step up their attack on you. You then see that their attack has escalated, so you too escalate your attack. Wash, rinse, repeat, until you're both throwing GB's back and fourth. Not a good plan.
  • Say you wanted to attack 'System X.com', someone who has large pipes and is difficult to flood, etc.

    You could initiate an attack against other machines who are known to "hack back", spoofing your packets to look like they are coming from 'System X.com'.

    'System X.com' then suffers from a distributed denial of service attack originating from those systems where the syadmins think they are "hacking back".

    ---
    Interested in the Colorado Lottery?
  • to just start ping flooding that IP without any other info about the situation. Let's be realistic about what we want when we define security. What we should really be doing is to create a system which could be called "the perfect firewall" because it is impregnable to outside attack; ignoring all those zombie packets and such that DoS-type attacks create would be a great first step. A long term solution (maybe rewriting TCP/IP?)which makes it unappetizing to even bother with this crap would be far more usefull to the computer world than taking a retaliatory stance. I think it's fair to say that if we Ping first ask questions latter then we're no better than *whatever* jerk started the whole thing..
  • Of course you need to make sure you aren't attacking an innocent bystander who's been compromised. I think that's kinda obvious.

  • <em>Moot: adj. 1. subject to argument or debate. Therefore, your use of the word here in wrong.</em>
    <p>
    That's a British English vs. American English difference. In the US it means "not worthy
    of debate".
  • There's a 95% chance that you're attacking the messenger, and 99% of the time that messenger is innocent and just doesn't know what the hell is going on.


    *******************************
    This is where I should write something
    intelligent or funny but since I'm

  • Hacking back may be the best way to track down the cracker. If you're lucky the cracker will turn out to be a script kiddie that wasn't smart enough to cover his identity. Then you can have the satisfaction of explaining to his/her parents that their little angel has just committed a federal crime and then discuss the best way to remedy the situation.

    numb

  • Crack Backs and Spam (Score:5)

    by Gorbie ( 101704 ) on Friday June 02, 2000 @06:10AM (#1030365) Journal
    I do not like crack backs or spam

    I would not try it from my box,
    I would not try it in my sox,

    I wouldn't use your subnet,
    I despise the cracks and spam and yet,

    you ask would I do it if I thought I could,
    you ask would I do it whether I thought I should,

    The 'puter in the middle is just a little pawn,
    They don't like it either, the damage that is spawned.

    they are witless, a helpless little lamb,
    and so I do not like crack backs and spam!

  • It's a very fine line. The "Zombie Zapper" they mention looks cool. It just tells the zombie to stop sending packets... that is defense. Slamming the attacker with a counter DOS would not be purely defense, you are attacking the zombie as surely as the original hacker did. Since most zombies are in educational institutions, you are basically attacking a university to defend yourself (from what I know of the laws of war, you might have a hard time justifiying that in war time, much less under ordinary circumstances).

  • If someone breaks into your house and starts shooting a gun at you, is it OK to grab your gun and shoot back?

    Of course it is.
  • I would tend to think of retaliating against a DDOS attack as similar to what many feared during the Cold War. You fire your nukes at us, so we fire them at you. In no time we have bye bye world. I know that when I first started sysadmining (and had no clue about security esp. NFS on Solaris... yick!) I had a somebody hack my box and use it to hack into other boxes. I am glad nobody retaliated against my site just because some one was using it for unsavory practices. The Internet is a self-balancing decentralized community. "An eye for an eye" would only seek to destroy that community.
  • An interesting concept.
    An eye for an eye concept is always fun. Kind of like being the Terminator.
    But this is the real world, with real implications for actions. If you were to walk into a meeting at work, discussing coding issues and a fellow programmer had stolen a bit of your code, taken the last cup of coffee, parked in your space, would you wack him then and there?

    I think not.

    So, beyond the hype, the kiddie posters on slashdot and the trolling story-tellers, there is very little reson to justify a counter-strike.

    I also believe that the best way to frustrate a hacker is to deny their attack, route them. And then watch them wet their pants when they get caught.

  • Let's consider a situation where you're being attacked and you can identify where it's coming from and that they are indeed the cause.

    Yes, you could attack back. However you probably don't want to continue your attack forever, just for practical reasons. Once you stop, the attacker is probably going to like you even less than when you started. You might stop some dumb script kiddies, but you could have stopped them by blocking their IP. Real hackers will just be egged on more.

    Personally, I'm for getting people to leave me alone more than I'm for "justice". The only reason I'd consider retaliating is if they do some attack that I can't stop any other way.

  • Point well taken, but look at it another way:

    You leave your car unlocked and running in front of a bank to go cash a check. While in the bank, a bank robber robs the bank, comes out and steals your car to make his get-away. The police, in their pursuit of said robber, shoot out the tires of your car, and otherwise trash it while bringing the robber to justice. Can you, as owner of the car, hold the police responsible for damaging your vehicle that you left unattended?

    The analogy is not perfect, I realize, but my point is this: Why should a company under attack from zombies be worried about crashing an "innocent bystanders" computer? There's a reason that zombie is there in the first place: the computer was left wide open by the owner.
  • If the webhost believes that they know where the assualt comes from, it can't hurt to try to fight back.


    Sure it can. First, off, what if the webhost believes wrongly, and they target an innocent machine.



    If they correctly identify the attackers and give them a dose of their own medicine, the attack will quickly stop.

    Maybe, but maybe not. Many hackers would simply take the challenge and escalate their attacks back. Any hacker doing anything remotely serious in this regard will be using a staging machine of an innocent third party. Wiping that machine won't help anyone - it will just make the hacker compromise another innocent third party machine to stage a revenge from.



    If however the attacker is using computers that have been previously taken over, whats the damage? Those computers (more than likely only desktop's in some business or school) cant access the net for a small amount of time. No big deal. No one loses money and some college kid just can't check his email on that machine for a little bit. Big deal.


    Oh come on, get serious. So some poor school teacher comes in to find that his classroom server has been thoroughly trashed, and he's got to spend his lunch time doing restores and explaining to the kids how yesterdays work got lost. Lovely. If, instead of being a gung-ho bastard the original victim had simply emailed the admin of the compromised machine and said 'BTW your box is being used to stage hack attacks on me' the teacher would have been able to do a backup and plan a sensible re-install of the box in an orderly fashion. - Plus may have been more willing to help find the real hacker.
    It looks to me like there is something to gain (the end of these attacks and such) and not very much to lose by striking back. It would be different if we were talkign about shooting at someone and hoping they were the real attacker, but we are talking about internet access.


    Retaliating against hackers is simply stooping to their level, and innocent people are almost certain to get hurt in the process.

  • Reactive Measures are not always the same as attacking back. Several intrusion detection systems have the capability to automattically update access lists on routers to stem the flow of traffic in case of an attack. This could be useful for some types of attacks.

    However, for DoS attacks this might not be useful because my spoofing many address you could cause the routers to become overloaded handling access lists.

  • We just need some good Intrusion Countermeasueres Engines like in Neuromancer. Something to bake the central nerveous system of script kiddies. Oh wait, they are already mostly baked anyhow. Oh wait, Where am i? Where are my pants?
  • second of all, i don't want to hear about how this has the potential to hurt innocent bystanders. i'm sorry, but if your system is so insecure as to allow a hacker to use it as a staging point, then you deserve what you get. perhaps if everyone fought back against DoS's and such, and enough "innocent bystanders" were injured, they would take the time to secure their system the way they should have in the first place.

    Very true. But what about, say, a multiuser system? Sadly, there aren't many of these around anymore, but...

    Say you're user ionized on your shell account. You're working on something useful for the community. But unknown to you, user l33thax0r is busy attacking some other site. It's not your fault, because you don't administer the system, and l33thax0r is just using the same system capabilities available to you. Strangely, this type of friendly fire seems less excusable to me than the type you mentioned.

    I definitely agree that if you're being attacked, your primary responsibility is to protect your system. And if some idiot forgets to lock down the appropriate things and gets turned into a zombie system, well, sucks to be him. But I still feel sorry for the l^Husers stuck on this guy's system...

  • ...so why not at least stop the attack short?

    That is, the argument that goes "Any DDOS attacker worth his beans would be using innocent people's machines to attack, anyway", although I generally agree with it, has this one hole: Those machines are ALREADY cracked, their network pipe is ALREADY saturated with the attack they're unknowingly doing to you, so they're ALREADY down! You attacking back just ensures that they FIND OUT that they were having problems, no? Personally, if my system was cracked and being used to attack someone, I'd want my system downed right away, even if it had to be done by a counterattack directed at me!

    That said, I'm guessing that innocent third-parties getting attacked from both sides won't care who's right and who's wrong, they'll sue whoever they can trace easier - and that will be the retaliating sysadmin.

  • I use Junkbuster and don't have that problem, I also don't have to look at the banner ads. The problem you're having is that attempting the connection to doubleclick returns an error (due to your box reseting the HTTP connection to localhost), which causes the page to stop loading. A filtering proxy will instead return a 1x1 pixel GIF or some other content, so that your browser is fooled into thinking everything is OK and the ad loaded.
  • I'm sorry, but if something is wrong, it is wrong. Period. End of statement. It would be similar to saying that if I catch somebody shoplifting in my store, I'm allowed to break into that person's house and steal his television. As was pointed out in a previous thread here, two wrongs do not make a right.

    However, I do not see anything wrong with using such tools as exist to try to determine the identity of any person that attempts to hijack my machine. This isn't illegal, by any definition of the word. And it gives me something more to tell the authorities (when applicable); rather than a "somebody cracked my system," I can tell them "so-and-so cracked into my system, and here's my proof."

    My system has been targeted by a couple of brain-dead individuals over the past few years. I've used whatever tools I could find to try to track those people down.

    I'm happy that the US FBI takes such things very seriously, and have developed (or otherwise obtained) tools and techniques far beyond what I can do as an individual. I am currently satisified with this, although I had once been the subject of an attack that originated in India. I don't know if a super-jurisdictional legal authority would help here; it might be worth looking into.

    I see no need to set up an internet vigilante force to "string 'em up" -- lynch mentality is never something that I think a polite society should strive for.
    --
  • True, but how innocent are you if your bad sence of security / lack of knowledge / whatever letts someone use your hardware for these things? When you put up a system you have two options: 1. Make it secure - end of story. 2. Don't make it secure - live with the consequences. This might sound hard, and I for one is not some security expert but this is how it must be. Somewhere down the road ppl will learn that it is worth the time it takes to either learn this stuff yourself or hire someone who knows. It's not a quick fix but it will fix things sooner or later.

  • [simplistic, but worthwhile...]

    1. Gather your information.
    2. Backup your logs.
    3. When satisified with logs, and initial investigation, blackhole them at your perimeter.
    4. Call your upstream, request blackhole at ingress point.
    5. Begin tracking from logs and if your site is high profile enough tracking from all points up the line.

    Invest in an opensource honeypot machine. Invest manpower in your choice of NID software.

    Choose to take the high road. Customers will understand a downtime due to something like this. Customers won't understand that you decided to attack back at some ISP that didn't have a clue how to manage their machines.

    Sure it may seem satisfying at the time to root an attackers server, but guess what... with almost 100% probability the hacker in question does not own that machine. And the person who does probably won't be thrilled that you just rooted his box. Same goes for a DoS retaliation. In these days of misconfigured proxies, IPv4 vulnerabilites, and weak TCP/IP stacks - the chances that you are actually hitting back at the right network are next to nil.

    And to sum it all up... Even if you knew with 100% accuracy where the attack was coming from - what kind of moron would you have to be to decide to reverse attack instead of taking legal action against that network?

    (Now if you work for some military or federal government agency and this is some suspected foreign power you are being attacked by... well... - disregard I guess.)
  • I wanted a couple of years ago to start a group called hackthehackers.org. The purpose would have been to hunt down hackers and make them have very bad days using the same techniques that they use against other people. We would take over the #irc destroy there web site, run up there long distance bill, use there calling card, and whatever else we could think of.

    I decided this was unethecial and in general just a bad Idea for the following reasons:

    1. Hackers are not bad people they just are curious and good at finding holes.

    2. Hacking the hackers would esentially bring the wrath of the computer god on you.

    3. You are know better and are breaking the law in exactally the same manner.

    But It would be a lot of fun!!!

    IRTechnocrat

  • Re:Legality of fighting back (Score:3)

    by Legolas-Greenleaf ( 181449 ) on Friday June 02, 2000 @06:20AM (#1030382)
    Hmph... i actually consulted the RCMP [www.rcmp.ca] computer crimes division on this matter, since i was getting attempted DoS/portscan attempts on my home machine for an entire weekend. (attempted. ipchains and portsentry makes me happy).

    Anywho, apperently, in Canada, portscans and the type are not illegal. It isn't even illegal to *attempt* to break in... you haven't broken the law until you actually access the machine. The RCMP officer type I spoke with (who was quite accustomed to Linux - I was impressed) likened it to Girl Guides knocking on your door, which isn't illegal (I argued that if they started checking every door and window for days straight, it would be different, but that's another story entirely).

    My point? Oh yes... in Canada, unlike other countries, it isn't illegal to portscan or pingflood. So, i guess, that would make the automatic response legal in Canadian airspace too. Just for anyone who is interested. I guess the attitude is that it is *impossible* for the law to go after every single attempt, and that being portscanned/pingflooded/etc. is just a risk you take going on the Internet, and it is up to the end user to set up the approperiate defenses (which was, incidently, what the ISP that hosts both me and my *active* attacker told me.)

    I hope somebody gets something out of that. ;^)
    -legolas

    i've looked at love from both sides now. from win and lose, and still somehow...

  • I totaly believe that its ones inate right to slef-defense if being attacked. This right though should be limited to self-defense in a physical manner if that is how you are being attacked. Being attacked on the net and fighting back in this manner just doesn't seem like the correct thing to do. As an ISP/IT company Conxion has a responsibility to handle the attack through the appropriate channels [fbi.gov]. If a US citizen cannot legally do this type of thing then why should the fact that Conxion is a major corporation shouldn't make it acceptable. Especially troubling is this little blurb: "Conxion was so proud of having given the attackers a dose of their own medicine that it issued a press release [conxion.com] about the incident." My first thought after reading the press release was DUH! you just comitted a crime and then made a public announcement regarding your actions. This alone should be enough evidence to take some form af action against Conxion based on thier own admission. One should not stoop to an act of terrorism as a form of retaliation. You would think that a company with such strong Microsoft affiliations ought to be weary (after all the DOJ/monopoly actions) of doing such a thing. Two wrongs don't make a right...no matter how good it feels.
  • But you mised one important point here, it's the cops that shoot out the tires of your car, NOT you. If the the cops catch him and treat the robber roughly due to resisting arrest then they have the right to use force to aprehend the robber, if you were to go after him and beat him up in the process of cathing him then you would also be in the wrong and are likely to be procecuted yourself(sounds stupid but it does happen).
  • Like my parents told me when I was growing up "never start a fight, but if you find yourself in a fight, you finish it."

    If a person is attacked in their home by an intruder most people would be inclined to fight back. If an intruder breaks into a business, many big companies have armed guards and off duty cops as security. It is not wrong to repel an attacker. An attacker may be hurt in the process of being repelled. Most people, and even our system of law, will usually find the attacker asked for it.

    So why should computer intruders be different? Why is it OK for a person to fight back bodily but it's hands-off if it's over a computer network? Do computers have more rights in our society than humans? No. Not the last time I checked.

    So why not have aggressive firewall software? If some script-kiddie tries to hit your machine and your software turns around and toasts his, you'll be doing him/her a favor in life.
  • Even if you do hit back at the actual cracker, so what? So you trash his PC and some files; it's not like it's going to put him out of business, or cost him thousands of pounds to restore it.

    You may be right about not putting him totally out of business, but the one time I did this I will say that he never came back to MY network again.

    (and yes, i made absolutely sure it was his machine I was logged into.) then again, this wasn't a DDOS attack, he was actually logged into my machine, making the verification much easier.

    • script kid hacks machine

      anger, rage come over you.

      hot grits give relief.

  • I think there's a difference if it's a matter of life and death, though. States have different laws on the basis of whether you can shoot to kill someone who is even robbing your house, for example. Cracking attempts like the ones in the article are really more like burglary or vandalism than attempted murder; so just attacking the attacker's machine in the same way isn't really self-defense anymore - it's just vigilante justice.

    IMHO, the correct Internet-accepted way of dealing with this would combine instantaneous but temporary IP blackholing (including systems upstream of the victim) combined with quick notification of the responsible sysadmins. I haven't heard yet of a protocol that can do this, but the Internet immune system may develop it in the next year or so if DoS attacks continue to be so prevalent. This solution would follow the tradition of internet systems as separate, sovereign fiefdoms that can choose to exchange traffic or not, but aren't really governed by any laws beyond that. The article is correct that if you wait for the FBI to deal with an attack, you will be waiting a while. Better to have agreements with your upstream providers so that you and they can react quickly and effectively to an attack.

  • As a security professional (ie, do it for a job), the last thing you want to do is counterattack...as good as that may feel, at best, it will muddy the waters, and at worst, it will hurt innocent, (probably) insecure, bystanders. The most annoying thing you should be doing is contacting the Tech/Admin contact of the domain(s) that are attacking you, and letting them know what is happeneing. And if that is in the middle of the night for the contact person...

    ttyl
    Farrell

  • Re:There is nothing wrong with Self-Defense (Score:3)

    by Tim C ( 15259 ) on Friday June 02, 2000 @06:33AM (#1030401)
    In the case of defending yourself physically, you can be pretty certain that you're hitting the right person. Your life may also be in danger if you don't fight back.

    When your machine is under attack, and you strike back, you can not be certain that you're toasting the right machine.

    Whatever you may think of a person who's machine is so open to attack that someone can successfully use it to launch an attack against yours, they do not deserve to have their machine toasted for it. If you do that, you're little better than the cracker you're trying to hit back at.

    I can perfectly understand the desire to attack, but the likelihood of hitting the worng person is just too high for my liking.

    We all have a duty to be responsible netizens, after all.

    Cheers,

    Tim
  • The problem with defending yourself is that other networks will be affected by your retaliation. How many routers will your defence cross?? That's why you don't see armed guards in a shopping mall. Guess who's responsible when your guard harms/kills an innocent bystander while defending your store! Don't get me wrong, I'd love to lock up a hacker's PC if he's attacking me but I don't want to bring down an ISP's router in the process.

  • Self Defence is OK, but if we extend the analogy with IRL law, then it has defined limits. Only "Reasonable Force" may be used, and anyone who uses "self defence" also lays themselves open to a charge of assault.

    If you're being hammered on offensively by a router that's actually causing a flood, then it's reasonable to retaliate in ways that might reduce the incoming flood. OTOH, it's not reasonable to try to take down their web server, just because they're taking yours down (assuming they're separate machines). A measure that is defensive is reasonable, even if "offence is the best form of defence".

    Equally, mail-bombing is not acceptable as a response to an immediate threat. It's a delayed measure that won't stop an ongoing attack and is only there as a means of revenge. If you're under a chronic Spam attack though, email may be a reasonable defence, as it's now a comparable timescale.

    There's also the problem of injuring innocents. Defending yourself in the immediate is reasonable, even if it's a compromised 3rd party machine, because you're trying to fight a clear and present danger. Owning it and rm * -r, just because it's an open mail relay that's Spamming you is excessive and should lay you open to as much of a claim for damages as if you'd cracked it of your own evil intent.

    If you attack an unrelated box, because a spoofed header made you think that it was the source, then you're liable for the damage you cause. If you shoot back when attacked, then you're expected to be competent enough to shoot straight at the real targets.

  • I have the @Home cable modem service through Shaw (a cable carrier in western Canada,) and I almost lost my account for portscanning someone who was looking for trojan horse programs. (In the case that got in in trouble, I believe it was SubSeven.)

    I had some personal firewall software, and I decided I'd portscan anyone who tried to get into my system since if they had even the most basic defenses, they'd know I saw them.

    Either way, apparently, any use of portscanners on systems I don't own is explicitly prohibited in the TOS.

    Ah well, it doesn't bother me that they were scanning me for vulnerabilities; it bothers me that one would scan me, then report me when I scan them back. -_-;

  • Automated reactions could be looped (Score:4)

    by gotan ( 60103 ) on Friday June 02, 2000 @06:48AM (#1030412) Homepage
    It's a bad idea to set up something that 'automatically hacks back' e.g. launches an attack back at the attacker. The reason is, that now the hacker doesn't even need to launch his own attack, he only needs to tickle a system in the right way to provoke a reaction, if that reaction acts against another host with the same system installed: wonderful, we have a loop.

    It gets even better if the mail, seeing that one mailer is overburdened, gets redirected to an alternative host (or something similar for other services) ... now all we need is the routers in between reacting to the enhanced network traffic for a nice chain reaction (did you ever see the video with the room full of tabletennisballs on moustraps).

    Just try to imagine that you are the sysadmin who later should sort out the mess, maybe it was even started by some accident or some rampant virus.

  • Haiku (Score:2)

    by 575 ( 195442 )
    Juvenile weenie
    Cracked your weak security
    Install SSL
  • I agree completely. Just based on information gained from the packets/messages coming to your site (ie the ip address of the packets mentioned in the article), you really have nothing in the way of SOLID proof. That takes more work and generally a face-to-face confrontation (at some point).

    Unless IP is going to start carrying cryptographically secured copies of fingerprint or DNA information, which can then be cross-referenced with that new international database we know they are building, you can never be sure.

    my $0.02, which I guess adds up to $0.04 now
  • The government wants to have its cake and eat it too. It has had a decades old policy of counting encryption technology as munitions so why doesn't the 2nd amendment come into play? Just because our arms are electronic doesn't mean that the penumbra of the 2nd amendment doesn't cover them. Self defense does apply with all the benefits and risks associated with it. It's just that human shield situations (zombie computers) exist much more frequently in electronic fights than in physical ones.

    The laws exist, it's just laws that leftists are uncomfortable with so the available tools and precedents are not taken advantage of because too many of our defenders come from the left tradition. That's not to say that they need to change their voting patterns (or at least it's not germane to this discussion) but they have their own blind spots just like people coming from the right tradition do.

    I know, I know, we've invested a lot of capital to have encryption code escape from the munitions designation. But we don't oppose the idea that encryption or other technology can be dangerous, we oppose the law because it's stupid, hindering the good guys while leaving the bad guys with all the technology they need. This also happens to be the argument that the NRA uses on most gun control measures they oppose. Could we have allies we didn't even know about?

    DB
  • Exactly what law of the United States prevents one site from sending loads of traffic to another site? And if such a law exists, why isn't Slashdot being prosecuted under it? And what if the owner of a server experiencing the Slashdot Effect redirected all that traffic back to /.? Would that be a crime? Please cite the specific Act of Congress, if you can.
  • It is never a good idea to "hack back" for many reasons:

    * How can you be sure that a) the attacking site(s) are the real attackers and b) that the
    attacking sites are _knowingly_ attacking? IP spoofing or using zombies to a ttack are generally
    very easy.
    * If it's illegal to be hacked, it is illegal to retaliate. You can't steal someone's lunch
    because they steal yours.
    * It could only exacerbate your problem if you piss off the attacker(s). You don't know who you
    are dealing with.
    * You are then legally and criminally liable if you, for example, DoS amazon.com because you
    detected an attack from them and they sue you or the Fibbies come knocking on your door.
    * What if you trace an "attack" to a single IP you assume is a desktop computer and turns out to
    be an AOL proxy and you DoS 10,000+ lusers? AOL won't like that nor will their customers.

    The people, like the one in the article, who gloat about "hacking back" make my skin crawl. 7h3y
    ar3 such 31337 d00dz n 7h3y g07z such ski11z...NOT! *gag*

    BTW, I've seen most often people getting IP addresses slightly wrong when they complain about a supposed hacker coming from my Company's network so what if you get the IP or hostname a bit wrong and attack the wrong site?

    -core

  • Re:Not Really Hacking Back (Score:3)

    by technos ( 73414 ) on Friday June 02, 2000 @07:38AM (#1030442) Homepage Journal
    I have to admit, I have been known to retaliate. But I draw the line at actual harm; If they've portscanned me or played funny with my mailserver, I'll sent them the compliment of malformed packets likely to halt their Windows box. If I see NT on the other end, they get a nice popup 'Touch the box and die' courtesy of Windows Messaging and SMB. If they've ICQ spammed me more than once, they get a few hundred spoofed messages, randomly sent on a crontab.

    Annoying at worst, and a deterrant to 98% of the skript kiddies. The other 2% are the determined ones, and I just change IP. They'll spend all night looking for the me again, bent on revenge they can't get.

    And what if I get the wrong person/box? Whoop. A Windows box froze, or they got an odd popup message. Like that never happens in the course of normal operation...
  • I'd like to point out that the approximate number of uses of "hack" vs. "crack" (in about 165 messages) is around 2 to 1 in favor of "hack". (~75 vs. ~40). I thought we were all trying to change the usage of "hack"? How on earth are we going to do this if we don't use it correctly ourselves?
  • The article makes two good points against counter-attack:

    1. Hitting an innocent bystander - since attacks usually come from hijacked and spoofed locations/addresses.

    2. Retaliation against an illegal attack by the same means is also illegal - vigilanteism doesn't solve the problem, it reduces it to a pissing contest.

    The suggestion (mine as well as that of respected experts :) ) is to log everything, look into it to try to identify the culprit conclusively, prove fiscal loss and/or denial of service - a.k.a resource theft; and then take the nice report to the authorities.

    If we retaliate against a script kiddie, we'll either hit Grandma Smith who gladly gave her AOL password to an 'AOL representative' online, or we DOS the punk - so what?

    If we get the law involved, we get him effectively killed in the computer industry - and even have him pulled off the lecture circuit a'la Mitnik.

    170th post!!
  • Another poster made the comment that the whole point of security is to make the cracker go away.

    Tactically, one could say a retaliatory crack against the offender *might* serve as a deterrent. It might also invite further attacks that otherwise would not have happened if the attacker had not been provoked by an intrusion into *his* territory (and don't forget crackers are very territorial creatures..) and the whole episode can easily escalate out of control. Strategically, you have to take the larger situation into account and move into the psychological realm. Since you want to discourage people from playing games with your system, the best response is probably something that takes the fun out of it by denying them the satisfaction of a response. IP/subnet blocking is a good example of this -- they can poke at your host all night long and not have any noticeable effect. A strategy that ties in well with this approach is one I like to call the 'threshold effect' -- anyone below a certain nuisance threshold is ignored, and once they become disruptive enough to be worth going after, they have enough of an attack signature to be traceable. Track them down and identify them first, before they know they've triggered the alarms, then let them know you know exactly who they are and what they're up to and would they please cut it the fsck out?, then go to the cops (net, local, or federal as the case may be) if nothing else works. Depending on how much sense they have, one or the other of these measures is likely to encourage them to play nice .. Needless to say, a) being sensitive to being port/IP scanned and b) making sure your hosts don't respond to any ports you don't run services for will help too ..
  • The FBI isn't always clueless.

    I just finished working with two FBI case agents out of Omaha Nebraska (*cough* SiliCorn Valley) regarding tracking down a UDP packet-storm DCA and a simple web site defacement of our 'honey-pot' machine.

    Generally, the FBI is clueless only when you throw your hands up in the air and say "I've been hacked!" and expect them to do all the work. If you can do the major investigation yourself (looking up ISP's with 'dig -x ###.###.###.### soa' and 'whois ###.###.###.###@whois.arin.net' and of course 'whois domainname.com' and 'nslookup ###.###.###.###') and draw them a picture, they follow along and understand very well.

    It was fun watching a tense meeting with two 'G-men' melt into laughing and joking. They seemed to understand the 'hacker scene' pretty well: the arms-race, the script-kiddies, and the major web sites you get exploits from. And they were visibly excited when they saw that I had done their footwork for them.

    Even if the local FBI agents are somewhat clueless (which these weren't) they have someplace full of very clueful people who can analyze your logs for you. If you come across as knowledgable, they'll recommend you to the analysis people, and they'll work with you.

    (And remember: When you're getting DCA'ed, 'tcpdump -n -i eth# | gzip > capture.log.gz' is very very useful evidence. When you get your upstream ISP to filter out the flood traffic, sometimes the originator of the attack will ping you to see how your connection is doing. Those little innocent probes in between major shifts in attack activity make for great evidence.)

  • It matters not how accessible the car was, it was still stolen.

    Actually, if you live in Texas, leaving the car unattended with the keys in the ignition will get you slapped with a rather pricy ticket.

  • Yeah, but if somebody tries to steal my car I can use lethal force to stop them.

  • McDonald's coffee (WAY, WAY OT) (Score:3)

    by dillon_rinker ( 17944 ) on Friday June 02, 2000 @09:46AM (#1030478) Homepage
    If I spill hot coffee on myself at McDonalds and burn my lap
    Two facts:
    1. The coffee was around 200 degrees.
    2. The lady was in the drive-through

    Two questions:
    1. Why would you serve coffee that is hot enough to cause third-degree burns?
    2. Where do you put your drink when you go through the drive through?

    I don't believe McDonald's was found guilty of any wrongdoing; rathre, they were found guilty of negligence - a legal term that means "They should have known better." McDonald's should have known that many (if not most) of their customers put their drinks in their laps, and that their coffee would cause third degree burns. Given those two undisputed facts, it is a statistical certainty that someone's crotch would get burned badly.

    Keep in mind also that all the woman wanted initially was for McDonald's to pay part of her medical bills. If they has said "We're so sorry" and written a small (to them) check, it would have been over on done with. Instead they said "You STUPID woman! You should have known better!" and promptly launched a propaganda campaign that has clearly had its intended effect, as evidenced by that note in your post. So the woman sued for millions and won.

    It's funny, as anti-corporate as the typical /.er seems to be, they sure buy the corporate propaganda, hook, line, and sinker.
  • Well, I realize that's a risk, but I'm just protecting my personal box [with PortSentry]. It's not like I'll inconvenience my users (I don't have any). I figure that my box will look unintersting enough that they'll go away. Whenever an IP is dropped, I get an email, so I'm aware of what's going on, and I can fix it if I need to.

    Do you have any suggestions for a better way?

    I prefer snort [snort.org]. It logs attack attempts, but doesn't do the blocking that PortSentry does. Snort is very configurable, and can log a good deal of information.

    The question I have (which I've been thinking of submitting to Ask Slashdot) is what to do with the lists of attacker IP addresses. I'm sure these are mostly just ``innocent'' compromised hosts, but it would be nice if there were some organized way for us to keep track of who those hosts were, so that people who were concerned about security could blacklist them.

    Of course, there would need to be a way to ensure that the reported IP addresses are genuinely attackers (otherwise script kiddies could just submit claims that you were hacking them). Maybe Advogato's [advogato.org] method for establishing a trust network could be adapted to the problem?

  • Let's assume J. Random Crax0r is trying to get into my system, or DoS it, or jab at it with cyber-doggie-doo-on-a-stick, or whatever. What's my objetctive? The same thing if someone were attacking me IRL: neutralize the threat.

    I don't believe that "hacking back" is per se illegal... it all depends on the situation. For instance, if this particular er33t d00d is launching an attack on my computer, I should be perfectly justified in taking whatever actions are necessary to eliminate the threat. If this means simply blocking him out at the firewall, that's nifty-cool by me. On the other hand, if I can disable his computer remotely and stop the attack, that is acceptable as well, in my opinion. Disabling his computer and playing hopscotch with a magnet on his hard disk would not be acceptable, however.

    Let's say the attacker had hijacked another machine, and was using it to do his evil deeds. Well, my condolences to the user whose machine was hijacked, but that doesn't eliminate the threat to me now, does it? I still think I would be justified in disabling the attacking machine, if it were necessary to stop the attack. Say someone steals a car, and is trying to run down my car with it. Wouldn't be justified in disabling the other car, even though the attackers don't own it? Of course I would be, because it still poses a threat.

    Of course, as in real life, the less force that is used, the better. The important thing is to draw the distinction between neutralizing the threat, and seeking retaliation.

    Just my $0.03 CDN.

    - Adam Schumacher

  • I have read most of the comments on this article, and noticed a disturbing trend. A vast number of people have stated that "if your machine is insecure enough to be cracked, you deserve the retaliation." This is ludicrous. Since when are computers sold with the stipulation "You must secure this if you put it on-line, or be subject to retaliation for a crime you did not commit"? That would stop the computer revolution dead in its tracks. Remember, not everyone has the ability to secure a system when they start out, and cannot get the ability without buying a computer and learning how to secure it. The stance of many of the comments i have read are hypocritical beyond belief. There is no legal nor moral obligation to secure a computer just because it allows a bunch of zealots to lash back at anyone they percieve as attacking them.

    -----------------------

  • There was a Slashdot article about a year and a half ago linking an IDG article [idg.com] about sysadmins going to crackers' homes and destroying their equipment or beating them up. Personally, I thought the article was either a fabrication or a joke being played on a gullible reporter.

    Can anyone find a link to the /. discussion?
  • ---
    1. The coffee was around 200 degrees.
    ---

    Yep.

    ---
    2. The lady was in the drive-through
    ---

    Yep. I assume she wasn't forced to go there, either.

    ---
    1. Why would you serve coffee that is hot enough to cause third-degree burns?
    ---

    Because, it would appear, most people don't seem to have a problem with it. People expect coffee to be hot, and if the market has decided that it doesn't mind (people still buy McDonald's coffee, right?), then what's the harm in that?

    ---
    2. Where do you put your drink when you go through the drive through?
    ---

    In a cup holder (which most halfway recent vehicles have - and can be bought 3rd party if desired).

    If it's a cold drink, I'll put it in my lap. If I spill it on myself and accidentally crash into a telephone poll, I'll pay the damages myself. I didn't have to put a drink in my lap, and neither did she. I didn't have to go through the drive- through, and neither did she.

    ---
    It's funny, as anti-corporate as the typical /.er seems to be, they sure buy the corporate propaganda, hook, line, and sinker.
    ---

    Oh yes, the "if you disagree with me, you must be a tool of The Man" argument. Give it a rest.

    Second, Slashdot is not a collective. We are capable of having diverse opinions.

    Third, some of us may not support the encroaching 'nanny culture' of this country where - instead of taking responsibility for your own actions - you shift the blame elsewhere and possibly make some cash in the process...

    - Jeff A. Campbell
    - VelociNews (http://www.velocinews.com [velocinews.com])
  • I think it's a matter of intent.

    Do you intend to bring the server down? Then that's computer resource abuse. Are you pointing to a web site? That's an intended use, and if it goes down it's not your fault. Big difference.



    - Jeff A. Campbell
    - VelociNews (http://www.velocinews.com [velocinews.com])
  • Yeah, well... but ICE, as Gibson defined it, stands for Intrusion Countermeasures Electronics. Gibson describes it in more detail in Count Zero than he did in Neuromancer. And, in Gibson's book, only Black ICE, (which was illegal), had the capability to strike back and trash the attacker's nervous system.

    Interestingly, there is a software program called Black ICE that a friend of mine runs on his cable-modem connected NT 4 box. He sees a LOT of portscans and similar low grade attacks. As far as I know, BlackICE doesn't do any counter-attacks though!


    Torrey Hoffman (Azog)
  • ---
    I note you haven't cited the law.
    ---

    I'm not a lawyer, and am too lazy to look around. It's not like it hasn't been prosecuted before.

    ---
    "Computer Abuse"? What the hell's that?
    ---

    Computer resource abuse. If I recall, that's justification they used in Operation Sundevil to prosecute the offenders (those that weren't innocent bystanders at least).

    My point still stands: Intent is a major part of the law. Run over someone on accident, and run over another person on purpose. The former may require you to pay someone's doctor bills, the latter will land you in jail.



    - Jeff A. Campbell
    - VelociNews (http://www.velocinews.com [velocinews.com])
  • Yep. I assume she wasn't forced to go there, either.

    No, but it's reasonable to assume that food they serve won't cause you physical damage. You wouldn't expect their meat-like burgers to contain discarded hypodermic needles, either. If the coffee was normal hot-coffee temperature, I'm sure she would have taken responsibility for it.

    This particular MacDonald's had gotten many complaints about their scalding hot coffee, and had refused to do anything about it.

    It's funny, as anti-corporate as the typical /.er seems to be, they sure buy the corporate propaganda, hook, line, and sinker.

    Oh yes, the "if you disagree with me, you must be a tool of The Man" argument. Give it a rest.

    No, he's just saying that you're buying into this corporate propaganda that MacDonald's spread so effectively. I used to believe this coffee lawsuit was ridiculous too, until I learned the details about it. (I do agree with you that Slashdot has diverse opinions.)

    Third, some of us may not support the encroaching 'nanny culture' of this country where - instead of taking responsibility for your own actions - you shift the blame elsewhere and possibly make some cash in the process...

    I agree that our lawsuit process is often abused. But sometimes there is no other recourse. What would you do if Mickey D's served you a hamburger with used needles in it? Would you still consider yourself "responsible for your own action" of buying and eating the burger? Or what if your employer or client withheld thousands of dollars of payment from you for no good reason? What would you do?

    Lawsuits in our culture have a bad reputation, often deserved. BUT be careful about condemning them as a whole, because one day you'll wish you had the option when someone screws you over. The source of most anti-lawsuit PR these days large corporations who want to screw over the public and not get sued-- think of HMO's, insurance companies, etc. They've manipulated the public's mistrust of lawyers (again, often deserved) into a general condemnation of lawsuits.

    Like it or not, lawsuits are a fundamental element of the US legal system; they're how our civil code (as opposed to criminal code) is enforced. A lawsuit should only be used as a last resort after all other negotiation fails, but without that option, many basic rights we take for granted would be effectively lost, because they would be unenforceable. I used to loudly condemn lawsuits and anyone who would bring them, until I had a couple of eye-opening experiences that made me realize the critical part they play in our legal system.

  • ---
    As for your being too lazy to find the law, gee, why should anyone take your comments about it seriously?
    ---

    Will you reread my comments? All I said was that intent could very well have something to do with it.

    ---
    In fact, you admit you do not know what it is.
    ---

    Perhaps you'd prefer talking like you know something and yet not admitting that you're not a lawyer?

    ---
    These are quite different from "illegal" acts, which are created by criminal statute.
    ---

    Let's put it this way: there have been people arrested for intentionally fucking with people's systems. Is that 'illegal'? I don't know - but I do know that they were arrested.

    It's occuring to me that your original post was nothing more than bait.

    - Jeff A. Campbell
    - VelociNews (http://www.velocinews.com [velocinews.com])
  • Oh, and before you respond again... I'll quote my original reply:

    "I think it's a matter of intent."

    Emphasis mine.


    - Jeff A. Campbell
    - VelociNews (http://www.velocinews.com [velocinews.com])
  • The rights written about in the US Constitution are rights of the people granted by God. The rights do not cease when crossing boundaries. It is just the government's respect for such rights which may change.

    Rregarding your question of a declaration of war, if some drunk idiot fires a potshot across the border, does that mean that the US and Canada are at war? Of course not, since it was not a conscious act of the state. They tend to call these things 'border incidents'. But states do have their relationship suffer if there is an increase of such cross-border incidents without reaction from the source state's government or if the source state isn't taking reasonable precautions to minimize such incidents at all.

    The point is to raise the seriousness of attacks and to fit cyber acts into existing law framework. Take a look at militia statutes and you will find some very good law on the subject, frankly it's the only body of law that covers such things.

    DB

Slashdot Top Deals

"If it ain't broke, don't fix it." - Bert Lantz

Close