CNN Asks "Can You Hack Back?"
dboothe writes: "CNN.COM has a somewhat interesting article on whether or not it is okay to fight back when being hacked. In the scenario they bring up with the WTO website, it seems pretty clear that they likely should have steered clear, working on the probable assumption that the IP address used was just a dummy machine that had been cracked previously. But what about other situations where it's more of a grey area?"
Moot (Score:3)
Not Really Hacking Back (Score:2)
No. (Score:2)
This would trigger the same shit as the 1st man/woman who applied violence did.
In reality..hmm one could at least make it impossible for him to continue his activities.
Re:Moot (Score:1)
hrm (Score:2)
If you see someone logged in from an unknown IP (assuming you screwed both tcp wrappers, OpenSSHD and your firewall up), just start ping flooding that IP. Ping first, ask questions later. Don't bother logging the user out, just ping attack the hell out of him and his network (and pray to God it isn't Bob in the next office on the same ethernet segment as you).
Legality of fighting back (Score:2)
So, therefore, while somebody may be attempting to get into your systems, you can't legally break into theirs. There's nothing physically stopping you, but if you were to attack the wrong machine, or their attempt on you was an accident and you (in retaliation) bring down mission-critical systems - you'll get into a nice big legal mess (UK users can face an unlimited fine and 5 years imprisonment - bringing down a system would come under part 3 of the aforementioned Act - IANAL)
Remember - two wrongs do not make a right...
Richy C. [beebware.com]
--
What's the point? (Score:3)
--
I am Reminded of a Proverb... (Score:5)
As tempting as it may be to give them "a taste of their own medicine", the chances are that you're just going to be attacking an innocent bystander whose machine has been cracked, and is being used to launch the attack on yours.
Even if you do hit back at the actual cracker, so what? So you trash his PC and some files; it's not like it's going to put him out of business, or cost him thousands of pounds to restore it.
IMHO, the best thing to do is just find out as much as you can, co-operate with the authorities, and let them deal out any punishment.
Cheers,
Tim
not a good idea (Score:3)
There have long been accepted channels for handling these situations, such as contacting the sysadmins for the ISPs, *cough* the FBI & local police (Okay, I know, they are often clueless, but they aren't going to get MORE clueful if we keep going AROUND them!), etc.
Exactly what I want to do (Score:1)
I want to watch for crackers and try to link back to them. Seems like it would be fun and educational.
Surely a program could watch for "attacks" and just let them in. Try to hold their attention long enough to trace back to them.
Or am I just crazy?
Hack back? No. (Score:1)
I'd say that hacking back was justice if you could be sure that the system you were hacking back was the hacker's. But you can't. It would be really terrible if (a) somebody started attacking your web site, (b) you found and attacked the source of the attacks, to make that machine cease operations, (c) it turned out that the machine you just blasted belonged to your good friends at Thyme magazine, and had itself been hacked... oops.
Gotta watch out for that friendly fire.
Fighting back (Score:1)
Re:Moot (Score:3)
Tech Journal (Score:1)
Why not (Score:1)
If they correctly identify the attackers and give them a dose of their own medicine, the attack will quickly stop.
If however the attacker is using computers that have been previously taken over, what's the damage? Those computers (more than likely only desktops in some business or school) can't access the net for a small amount of time. No big deal. No one loses money and some college kid just can't check his email on that machine for a little bit. Big deal.
It looks to me like there is something to gain (the end of these attacks and such) and not very much to lose by striking back. It would be different if we were talking about shooting at someone and hoping they were the real attacker, but we are talking about internet access.
On the other hand, businesses and the gov are really good at putting figures on damage that come out of nowhere. "Our connection was dos'd for a day and it cost us $10 billion."
-magicsloth
Is this sort of like... (Score:1)
I should write a book... "20 things to look for in your next basement-extract hunchback computer geek 13-year-old security expert..." Lesson #1: DDOS
Spoofing and attacking third parties (Score:2)
A good sysadmin must learn from the experience, harden his computer, report it to an Incident Response Team, and... Well, be prepared for the next time.
I wouldn't. (Score:5)
I use PortSentry [psionic.com] as one line of defense, and if someone scans the box, they just get dropped into a black hole. (Actually, them and their subnet, in case it's a dynamic IP on a dialup.)
PortSentry allows you to run any arbitrary command when a scan is detected, but he warns against retaliatory action:
Sounds reasonable to me...
---
It happens already.. (Score:1)
I would have to say no (Score:1)
Re:Not Really Hacking Back (Score:2)
An automated defense system that attacks back is walking a very fine line. Just because someone does it to you, definitely does not make it legal to do it back.
Though it is interesting to consider what "reasonable force" might constitute. Just as if someone physically attacks you, you can respond with enough force to stop them.
But as the article was warning if the person is faking their IP the analogy would be like being attacked on the street and beating up some 3rd guy for it. You're going to get in a lot of trouble for it.
Re:I wouldn't. (Score:1)
I hate to say it... (Score:2)
That point aside though, I think the view of no counter-attacks just stinks. While I don't like the bandwidth that it takes up, how else are we supposed to defend ourselves? What ConXion did was pretty cool.
Hey, just had a thought, the Internet is where WW III will be held! Just imagine, country after country attacking each other through DDoS. 'A' defends by sending all those packets at 'B's ally 'C'. Pretty groovy war games if you ask me.
Fight or Flight (Score:1)
I say we develop a protocol for fighting back (self defense and self policing). Part of this protocol should include the education of people to harden their systems. If your system is compromised and used in an attack, because your sysadm did not lock it down then you should not complain when you get "hit back".
If the systems are locked down then at least the wanna be's won't be trashing systems. I know we cannot stop all the crackers but at least let's make it harder for the idiots.
-- Tim
Re:Moot (Score:1)
How do you know the script kiddie is on his own machine? There is no way to know what is going on in "Target" machine's CPU. Maybe it's a script kiddie, maybe it's a zombie set up to look like a script kiddie. The risk of a lawsuit from the counter attacked machine's owner (actually even if he IS the script kiddie since there is no "self defense" clause in computer security laws) is too high to risk it.
An eye for an eye, and a tooth for a tooth... (Score:1)
Most folks here are probably familiar with the "Prisoner's Dilemma" puzzle, and how the simple tit-for-tat strategy is one of the most successful. However, there is a variant of the puzzle that assumes that communication is "imperfect", and that there is some probability that a Prisoner's response will be misread. In that situation, tit-for-tat games degenerate into an endless cycle of retaliation. Of course, I don't see it happening today, but imagine if retaliation is ever automated (Black ICE?).
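The retaliation cycle this comment describes, as an added example that is not part of the original thread: two tit-for-tat players, where a single misread move is enough to end mutual cooperation for good. The function names, the `misreads` parameter and the 5% noise level are assumptions made for the illustration.

```python
import random

C, D = "C", "D"   # cooperate (leave the peer alone) / defect (retaliate)


def flip(move):
    return D if move == C else C


def play(rounds, misreads=frozenset()):
    """Tit-for-tat against tit-for-tat.

    misreads: set of (round, player) pairs. In that round the named player
    ('A' or 'B') perceives the opponent's move as its opposite, e.g. a
    spoofed source address that makes a peaceful peer look like an attacker.
    Returns the list of (a_move, b_move) actually played.
    """
    seen_by_a, seen_by_b = C, C          # both sides start out assuming good faith
    history = []
    for r in range(rounds):
        # Tit-for-tat: do to the other side what you believe it last did to you.
        a_move, b_move = seen_by_a, seen_by_b
        history.append((a_move, b_move))
        seen_by_a = flip(b_move) if (r, "A") in misreads else b_move
        seen_by_b = flip(a_move) if (r, "B") in misreads else a_move
    return history


def noisy_misreads(rounds, noise, seed):
    """Each observation is independently misread with probability `noise`."""
    rng = random.Random(seed)
    return {(r, p) for r in range(rounds) for p in "AB" if rng.random() < noise}


def mutual_cooperation_rate(history):
    return sum(1 for moves in history if moves == (C, C)) / len(history)


if __name__ == "__main__":
    # One misread in round 3: A believes B attacked, and the echo never stops.
    for r, moves in enumerate(play(10, {(3, "A")})):
        print(r, *moves)
    # Constructed noise level: 5% of observations are wrong.
    noisy = play(5000, noisy_misreads(5000, 0.05, seed=1))
    print("mutual cooperation with 5% misreads:", mutual_cooperation_rate(noisy))
```

After the single misread the two sides alternate retaliation indefinitely; only a second error can break the echo, and it is as likely to push both into permanent mutual retaliation as back into cooperation.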
You gotta be kidding me (Score:1)
second of all, i don't want to hear about how this has the potential to hurt innocent bystanders. i'm sorry, but if your system is so insecure as to allow a hacker to use it as a staging point, then you deserve what you get. perhaps if everyone fought back against DoS's and such, and enough "innocent bystanders" were injured, they would take the time to secure their system the way they should have in the first place.
the only problem is in the case of spoofed IP addresses. in this situation, the person being hurt will have had nothing to do with the problem, and the one at fault (the attacker's ISP) will not be harmed in any way. the only possible fix for this is if enough people bitch and complain, the ISP in question might get its act in gear simply due to user/peer feedback.
Power Corrupts
Re:Not Really Hacking Back (Score:1)
Please don't . . . (Score:1)
Another Age-Old Debate. (Score:3)
The difference here is that in cracking attempts, one can easily find oneself enmired in a situation where attempts escalate as the cracker and defender each try to outdo the other. This isn't the case with breaking and entering, as it usually only happens once, and if someone is killed, they cannot continue the escalation.
What recourse do system administrators have? They can build the best defenses possible, but any system built to connect to another can be compromised. The law may or may not be on their side should they decide to retaliate, but law enforcement is notoriously slow to respond in cases of electronic intrusion.
Perhaps the only viable alternative at this time is to strike back. Who can say?
Some informed opinion on the subject... (Score:5)
Eliminates Any Possibility of Claiming Damages (Score:1)
For a governmental or non-profit organization that cannot claim damages against the hackers, this is a creative way to get even.
NWFusion has a feature on this this week... (Score:3)
Am I missing something here? (Score:1)
But what about DDOS with hijacked servers? The choice is between allowing your own server to be disrupted or disrupting the group of servers who, however unwittingly, participated in the attack. An added bonus, knocking out those servers will stop the attack, as the crackers will lose their launch points.
I am clearly not an expert on the technical side of this issue. I trust the majority of comments I have seen regarding DDOS which state that allowing yourself to become a platform for such attacks is the result of bad server set-up or security. If hosting DDOS attacks doesn't substantially affect a company, they will not invest in improving their systems (unless you want to propose new legislation making them liable - never the best solution). However, if a company is faced with losing their server, they will have the necessary economic incentive to invest in better security and IT personnel. A nice, market based solution that doesn't require gov't intervention. In fact, the gov't should make certain that it doesn't prohibit this course of action by sysadmins.
Now, I'm not endorsing active efforts to disrupt an attacking server (two wrongs don't make a right), but I can't see any problem with bouncing DOS traffic from whence it came - Am I missing something here?
Take responsibility for your own packets.
My box was compromised once... (Score:1)
A random netstat showed a ton of packets going to a domain named after the Soviet Union's tourist agency, and as soon as I went to the page for Ethereal so I could scan the packets, it stopped.
That was too weird for me, so I notified the FBI. Two months later, a computer crimes guy got back to me and asked if Linux was anything like RedHat... =)
Politics of Assassination is the answer (Score:1)
Seems a perfect use for this wonderful mechanism.
Lew
Doing the attacker's dirty work (Score:3)
Let's do the math: we retaliate, and twice as many people (or more) are subjected to a DOS. Hmm, doesn't sound like a good strategy.
Whee...fun with doubleclick (Score:2)
Recursion (Score:2)
You could use this to initiate/provoke attacks! (Score:2)
You could initiate an attack against other machines who are known to "hack back", spoofing your packets to look like they are coming from 'System X.com'.
'System X.com' then suffers from a distributed denial of service attack originating from those systems where the sysadmins think they are "hacking back".
---
Interested in the Colorado Lottery?
sounds kinda dumb (Score:1)
Addendum (Score:2)
Re:Moot (Score:1)
That's a British English vs. American English difference. In the US it means "not worthy of debate".
Risky.. (Score:1)
*******************************
This is where I should write something
intelligent or funny but since I'm
Re:I am Reminded of a Proverb... (Score:2)
Hacking back may be the best way to track down the cracker. If you're lucky the cracker will turn out to be a script kiddie that wasn't smart enough to cover his identity. Then you can have the satisfaction of explaining to his/her parents that their little angel has just committed a federal crime and then discuss the best way to remedy the situation.
numb
Crack Backs and Spam (Score:5)
I would not try it from my box,
I would not try it in my sox,
I wouldn't use your subnet,
I despise the cracks and spam and yet,
you ask would I do it if I thought I could,
you ask would I do it whether I thought I should,
The 'puter in the middle is just a little pawn,
They don't like it either, the damage that is spawned.
they are witless, a helpless little lamb,
and so I do not like crack backs and spam!
Re:Not Really Hacking Back (Score:1)
It's a very fine line. The "Zombie Zapper" they mention looks cool. It just tells the zombie to stop sending packets... that is defense. Slamming the attacker with a counter DOS would not be purely defense, you are attacking the zombie as surely as the original hacker did. Since most zombies are in educational institutions, you are basically attacking a university to defend yourself (from what I know of the laws of war, you might have a hard time justifying that in war time, much less under ordinary circumstances).
Re:Not Really Hacking Back (Score:1)
Of course it is.
Re:What's the point? (Score:1)
c'mon now (Score:1)
An eye for an eye concept is always fun. Kind of like being the Terminator.
But this is the real world, with real implications for actions. If you were to walk into a meeting at work, discussing coding issues and a fellow programmer had stolen a bit of your code, taken the last cup of coffee, parked in your space, would you whack him then and there?
I think not.
So, beyond the hype, the kiddie posters on slashdot and the trolling story-tellers, there is very little reason to justify a counter-strike.
I also believe that the best way to frustrate a hacker is to deny their attack, route them. And then watch them wet their pants when they get caught.
You can't take them down forever... (Score:2)
Yes, you could attack back. However you probably don't want to continue your attack forever, just for practical reasons. Once you stop, the attacker is probably going to like you even less than when you started. You might stop some dumb script kiddies, but you could have stopped them by blocking their IP. Real hackers will just be egged on more.
Personally, I'm for getting people to leave me alone more than I'm for "justice". The only reason I'd consider retaliating is if they do some attack that I can't stop any other way.
Re:I am Reminded of a Proverb... (Score:2)
You leave your car unlocked and running in front of a bank to go cash a check. While in the bank, a bank robber robs the bank, comes out and steals your car to make his get-away. The police, in their pursuit of said robber, shoot out the tires of your car, and otherwise trash it while bringing the robber to justice. Can you, as owner of the car, hold the police responsible for damaging your vehicle that you left unattended?
The analogy is not perfect, I realize, but my point is this: Why should a company under attack from zombies be worried about crashing an "innocent bystanders" computer? There's a reason that zombie is there in the first place: the computer was left wide open by the owner.
Re:Why not (Score:2)
Sure it can. First off, what if the webhost believes wrongly, and they target an innocent machine.
If they correctly identify the attackers and give them a dose of their own medicine, the attack will quickly stop.
Maybe, but maybe not. Many hackers would simply take the challenge and escalate their attacks back. Any hacker doing anything remotely serious in this regard will be using a staging machine of an innocent third party. Wiping that machine won't help anyone - it will just make the hacker compromise another innocent third party machine to stage a revenge from.
If however the attacker is using computers that have been previously taken over, what's the damage? Those computers (more than likely only desktops in some business or school) can't access the net for a small amount of time. No big deal. No one loses money and some college kid just can't check his email on that machine for a little bit. Big deal.
Oh come on, get serious. So some poor school teacher comes in to find that his classroom server has been thoroughly trashed, and he's got to spend his lunch time doing restores and explaining to the kids how yesterday's work got lost. Lovely. If, instead of being a gung-ho bastard the original victim had simply emailed the admin of the compromised machine and said 'BTW your box is being used to stage hack attacks on me' the teacher would have been able to do a backup and plan a sensible re-install of the box in an orderly fashion. - Plus may have been more willing to help find the real hacker.
It looks to me like there is something to gain (the end of these attacks and such) and not very much to lose by striking back. It would be different if we were talking about shooting at someone and hoping they were the real attacker, but we are talking about internet access.
Retaliating against hackers is simply stooping to their level, and innocent people are almost certain to get hurt in the process.
Reactive Measures != Hack Back (Score:1)
Reactive Measures are not always the same as attacking back. Several intrusion detection systems have the capability to automatically update access lists on routers to stem the flow of traffic in case of an attack. This could be useful for some types of attacks.
However, for DoS attacks this might not be useful because by spoofing many addresses you could cause the routers to become overloaded handling access lists.
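One way to bound the reactive access list this comment warns about, as an added example that is not taken from any IDS or router product: entries expire, the table has a hard cap, and listed networks are never blocked, so a spoofed flood cannot grow the list without limit. The class, its parameters and the sample addresses (documentation and benchmarking ranges) are constructed for illustration.

```python
import ipaddress


class ReactiveBlocklist:
    """Temporary, size-capped block table for an automated defensive response."""

    def __init__(self, max_entries, ttl, never_block=()):
        self.max_entries = max_entries      # hard cap on installed rules
        self.ttl = ttl                      # seconds a block stays in place
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.entries = {}                   # address -> expiry time
        self.refused = 0                    # reports dropped because the table was full

    def _expire(self, now):
        for addr in [a for a, exp in self.entries.items() if exp <= now]:
            del self.entries[addr]

    def report(self, src, now):
        """Handle one 'attack seen from src' event from the detector."""
        addr = ipaddress.ip_address(src)
        # A forged source must not be able to make us cut off our own
        # resolver, gateway or monitoring hosts.
        if any(addr in net for net in self.never_block):
            return "protected"
        self._expire(now)
        if addr in self.entries:
            self.entries[addr] = now + self.ttl
            return "refreshed"
        if len(self.entries) >= self.max_entries:
            # Spoofed floods present unlimited distinct sources; refuse to
            # grow rather than overload the device that enforces the list.
            self.refused += 1
            return "refused-table-full"
        self.entries[addr] = now + self.ttl
        return "blocked"

    def active(self, now):
        self._expire(now)
        return sorted(self.entries)


def simulate_spoofed_flood(blocklist, count, now):
    """Constructed input: `count` distinct forged sources from 198.18.0.0/15."""
    base = int(ipaddress.ip_address("198.18.0.0"))
    results = {}
    for i in range(count):
        outcome = blocklist.report(str(ipaddress.ip_address(base + i)), now)
        results[outcome] = results.get(outcome, 0) + 1
    return results


if __name__ == "__main__":
    bl = ReactiveBlocklist(max_entries=100, ttl=300, never_block=["192.0.2.1/32"])
    print(bl.report("192.0.2.1", now=0))            # forged report naming our own gateway
    print(simulate_spoofed_flood(bl, 1000, now=0))  # table stops growing at the cap
    print(len(bl.active(now=300)))                  # every block has expired again
```

A high `refused` count is itself a signal: it says the sources are probably forged and per-address blocking is the wrong tool for this event.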
Bah! All we need is a full I.C.E. (Score:2)
Re:You gotta be kidding me (Score:1)
Very true. But what about, say, a multiuser system? Sadly, there aren't many of these around anymore, but...
Say you're user ionized on your shell account. You're working on something useful for the community. But unknown to you, user l33thax0r is busy attacking some other site. It's not your fault, because you don't administer the system, and l33thax0r is just using the same system capabilities available to you. Strangely, this type of friendly fire seems less excusable to me than the type you mentioned.
I definitely agree that if you're being attacked, your primary responsibility is to protect your system. And if some idiot forgets to lock down the appropriate things and gets turned into a zombie system, well, sucks to be him. But I still feel sorry for the l^Husers stuck on this guy's system...
The innocent people are already screwed... (Score:2)
That is, the argument that goes "Any DDOS attacker worth his beans would be using innocent people's machines to attack, anyway", although I generally agree with it, has this one hole: Those machines are ALREADY cracked, their network pipe is ALREADY saturated with the attack they're unknowingly doing to you, so they're ALREADY down! You attacking back just ensures that they FIND OUT that they were having problems, no? Personally, if my system was cracked and being used to attack someone, I'd want my system downed right away, even if it had to be done by a counterattack directed at me!
That said, I'm guessing that innocent third-parties getting attacked from both sides won't care who's right and who's wrong, they'll sue whoever they can trace easier - and that will be the retaliating sysadmin.
Use a filtering proxy (Score:2)
Never an excuse for internet vandalism (Score:2)
However, I do not see anything wrong with using such tools as exist to try to determine the identity of any person that attempts to hijack my machine. This isn't illegal, by any definition of the word. And it gives me something more to tell the authorities (when applicable); rather than a "somebody cracked my system," I can tell them "so-and-so cracked into my system, and here's my proof."
My system has been targeted by a couple of brain-dead individuals over the past few years. I've used whatever tools I could find to try to track those people down.
I'm happy that the US FBI takes such things very seriously, and have developed (or otherwise obtained) tools and techniques far beyond what I can do as an individual. I am currently satisfied with this, although I had once been the subject of an attack that originated in India. I don't know if a super-jurisdictional legal authority would help here; it might be worth looking into.
I see no need to set up an internet vigilante force to "string 'em up" -- lynch mentality is never something that I think a polite society should strive for.
--
Re:What's the point? (Score:1)
Absolutely....not. (Score:1)
1. Gather your information.
2. Backup your logs.
3. When satisfied with logs, and initial investigation, blackhole them at your perimeter.
4. Call your upstream, request blackhole at ingress point.
5. Begin tracking from logs and if your site is high profile enough tracking from all points up the line.
Invest in an opensource honeypot machine. Invest manpower in your choice of NID software.
Choose to take the high road. Customers will understand a downtime due to something like this. Customers won't understand that you decided to attack back at some ISP that didn't have a clue how to manage their machines.
Sure it may seem satisfying at the time to root an attacker's server, but guess what... with almost 100% probability the hacker in question does not own that machine. And the person who does probably won't be thrilled that you just rooted his box. Same goes for a DoS retaliation. In these days of misconfigured proxies, IPv4 vulnerabilities, and weak TCP/IP stacks - the chances that you are actually hitting back at the right network are next to nil.
And to sum it all up... Even if you knew with 100% accuracy where the attack was coming from - what kind of moron would you have to be to decide to reverse attack instead of taking legal action against that network?
(Now if you work for some military or federal government agency and this is some suspected foreign power you are being attacked by... well... - disregard I guess.)
Re:Moot (Score:1)
I decided this was unethical and in general just a bad idea for the following reasons:
1. Hackers are not bad people they just are curious and good at finding holes.
2. Hacking the hackers would essentially bring the wrath of the computer god on you.
3. You are no better and are breaking the law in exactly the same manner.
But It would be a lot of fun!!!
IRTechnocrat
Re:Legality of fighting back (Score:3)
Anywho, apparently, in Canada, portscans and the type are not illegal. It isn't even illegal to *attempt* to break in... you haven't broken the law until you actually access the machine. The RCMP officer type I spoke with (who was quite accustomed to Linux - I was impressed) likened it to Girl Guides knocking on your door, which isn't illegal (I argued that if they started checking every door and window for days straight, it would be different, but that's another story entirely).
My point? Oh yes... in Canada, unlike other countries, it isn't illegal to portscan or pingflood. So, I guess, that would make the automatic response legal in Canadian airspace too. Just for anyone who is interested. I guess the attitude is that it is *impossible* for the law to go after every single attempt, and that being portscanned/pingflooded/etc. is just a risk you take going on the Internet, and it is up to the end user to set up the appropriate defenses (which was, incidentally, what the ISP that hosts both me and my *active* attacker told me.)
I hope somebody gets something out of that. ;^)
-legolas
i've looked at love from both sides now. from win and lose, and still somehow...
Terrorism on both sides of the story (Score:2)
Re:I am Reminded of a Proverb... (Score:2)
There is nothing wrong with Self-Defense (Score:2)
If a person is attacked in their home by an intruder most people would be inclined to fight back. If an intruder breaks into a business, many big companies have armed guards and off duty cops as security. It is not wrong to repel an attacker. An attacker may be hurt in the process of being repelled. Most people, and even our system of law, will usually find the attacker asked for it.
So why should computer intruders be different? Why is it OK for a person to fight back bodily but it's hands-off if it's over a computer network? Do computers have more rights in our society than humans? No. Not the last time I checked.
So why not have aggressive firewall software? If some script-kiddie tries to hit your machine and your software turns around and toasts his, you'll be doing him/her a favor in life.
Re:I am Reminded of a Proverb... (Score:1)
You may be right about not putting him totally out of business, but the one time I did this I will say that he never came back to MY network again.
(and yes, i made absolutely sure it was his machine I was logged into.) then again, this wasn't a DDOS attack, he was actually logged into my machine, making the verification much easier.
an appropriate haiku (Score:2)
script kid hacks machine
anger, rage come over you.
hot grits give relief.
Re:Not Really Hacking Back (Score:2)
I think there's a difference if it's a matter of life and death, though. States have different laws on the basis of whether you can shoot to kill someone who is even robbing your house, for example. Cracking attempts like the ones in the article are really more like burglary or vandalism than attempted murder; so just attacking the attacker's machine in the same way isn't really self-defense anymore - it's just vigilante justice.
IMHO, the correct Internet-accepted way of dealing with this would combine instantaneous but temporary IP blackholing (including systems upstream of the victim) combined with quick notification of the responsible sysadmins. I haven't heard yet of a protocol that can do this, but the Internet immune system may develop it in the next year or so if DoS attacks continue to be so prevalent. This solution would follow the tradition of internet systems as separate, sovereign fiefdoms that can choose to exchange traffic or not, but aren't really governed by any laws beyond that. The article is correct that if you wait for the FBI to deal with an attack, you will be waiting a while. Better to have agreements with your upstream providers so that you and they can react quickly and effectively to an attack.
Tread Carefully... (Score:2)
ttyl
Farrell
Re:There is nothing wrong with Self-Defense (Score:3)
When your machine is under attack, and you strike back, you can not be certain that you're toasting the right machine.
Whatever you may think of a person whose machine is so open to attack that someone can successfully use it to launch an attack against yours, they do not deserve to have their machine toasted for it. If you do that, you're little better than the cracker you're trying to hit back at.
I can perfectly understand the desire to attack, but the likelihood of hitting the wrong person is just too high for my liking.
We all have a duty to be responsible netizens, after all.
Cheers,
Tim
Re:There is nothing wrong with Self-Defense (Score:2)
Re:There is nothing wrong with Self-Defense (Score:2)
Self Defence is OK, but if we extend the analogy with IRL law, then it has defined limits. Only "Reasonable Force" may be used, and anyone who uses "self defence" also lays themselves open to a charge of assault.
If you're being hammered on offensively by a router that's actually causing a flood, then it's reasonable to retaliate in ways that might reduce the incoming flood. OTOH, it's not reasonable to try to take down their web server, just because they're taking yours down (assuming they're separate machines). A measure that is defensive is reasonable, even if "offence is the best form of defence".
Equally, mail-bombing is not acceptable as a response to an immediate threat. It's a delayed measure that won't stop an ongoing attack and is only there as a means of revenge. If you're under a chronic Spam attack though, email may be a reasonable defence, as it's now a comparable timescale.
There's also the problem of injuring innocents. Defending yourself in the immediate is reasonable, even if it's a compromised 3rd party machine, because you're trying to fight a clear and present danger. Owning it and rm * -r, just because it's an open mail relay that's Spamming you is excessive and should lay you open to as much of a claim for damages as if you'd cracked it of your own evil intent.
If you attack an unrelated box, because a spoofed header made you think that it was the source, then you're liable for the damage you cause. If you shoot back when attacked, then you're expected to be competent enough to shoot straight at the real targets.
Can't fight back with a cable modem... (Score:2)
I had some personal firewall software, and I decided I'd portscan anyone who tried to get into my system since if they had even the most basic defenses, they'd know I saw them.
Either way, apparently, any use of portscanners on systems I don't own is explicitly prohibited in the TOS.
Ah well, it doesn't bother me that they were scanning me for vulnerabilities; it bothers me that one would scan me, then report me when I scan them back. -_-;
Automated reactions could be looped (Score:4)
It gets even better if the mail, seeing that one mailer is overburdened, gets redirected to an alternative host (or something similar for other services)
Just try to imagine that you are the sysadmin who later should sort out the mess, maybe it was even started by some accident or some rampant virus.
Haiku (Score:2)
Cracked your weak security
Install SSL
Re:Moot (Score:2)
Unless IP is going to start carrying cryptographically secured copies of fingerprint or DNA information, which can then be cross-referenced with that new international database we know they are building, you can never be sure.
my $0.02, which I guess adds up to $0.04 now
Actually not so moot (Score:2)
The laws exist, it's just laws that leftists are uncomfortable with so the available tools and precedents are not taken advantage of because too many of our defenders come from the left tradition. That's not to say that they need to change their voting patterns (or at least it's not germane to this discussion) but they have their own blind spots just like people coming from the right tradition do.
I know, I know, we've invested a lot of capital to have encryption code escape from the munitions designation. But we don't oppose the idea that encryption or other technology can be dangerous, we oppose the law because it's stupid, hindering the good guys while leaving the bad guys with all the technology they need. This also happens to be the argument that the NRA uses on most gun control measures they oppose. Could we have allies we didn't even know about?
DB
Re:I am Reminded of a Proverb... (Score:2)
Never a good idea (Score:2)
* How can you be sure that a) the attacking site(s) are the real attackers and b) that the attacking sites are _knowingly_ attacking? IP spoofing or using zombies to attack are generally very easy.
* If it's illegal to be hacked, it is illegal to retaliate. You can't steal someone's lunch because they steal yours.
* It could only exacerbate your problem if you piss off the attacker(s). You don't know who you are dealing with.
* You are then legally and criminally liable if you, for example, DoS amazon.com because you detected an attack from them and they sue you or the Fibbies come knocking on your door.
* What if you trace an "attack" to a single IP you assume is a desktop computer and turns out to be an AOL proxy and you DoS 10,000+ lusers? AOL won't like that nor will their customers.
The people, like the one in the article, who gloat about "hacking back" make my skin crawl. 7h3y ar3 such 31337 d00dz n 7h3y g07z such ski11z...NOT! *gag*
BTW, I've seen most often people getting IP addresses slightly wrong when they complain about a supposed hacker coming from my Company's network so what if you get the IP or hostname a bit wrong and attack the wrong site?
-core
Re:Not Really Hacking Back (Score:3)
Annoying at worst, and a deterrent to 98% of the skript kiddies. The other 2% are the determined ones, and I just change IP. They'll spend all night looking for me again, bent on revenge they can't get.
And what if I get the wrong person/box? Whoop. A Windows box froze, or they got an odd popup message. Like that never happens in the course of normal operation...
Hacker vs. Cracker (Score:2)
Sniff, document and prosecute (Score:2)
1. Hitting an innocent bystander - since attacks usually come from hijacked and spoofed locations/addresses.
2. Retaliation against an illegal attack by the same means is also illegal - vigilantism doesn't solve the problem, it reduces it to a pissing contest.
The suggestion (mine as well as that of respected experts
If we retaliate against a script kiddie, we'll either hit Grandma Smith who gladly gave her AOL password to an 'AOL representative' online, or we DOS the punk - so what?
If we get the law involved, we get him effectively killed in the computer industry - and even have him pulled off the lecture circuit a la Mitnick.
170th post!!
Practically speaking .. (Score:2)
Tactically, one could say a retaliatory crack against the offender *might* serve as a deterrent. It might also invite further attacks that otherwise would not have happened if the attacker had not been provoked by an intrusion into *his* territory (and don't forget crackers are very territorial creatures..) and the whole episode can easily escalate out of control. Strategically, you have to take the larger situation into account and move into the psychological realm. Since you want to discourage people from playing games with your system, the best response is probably something that takes the fun out of it by denying them the satisfaction of a response. IP/subnet blocking is a good example of this -- they can poke at your host all night long and not have any noticeable effect. A strategy that ties in well with this approach is one I like to call the 'threshold effect' -- anyone below a certain nuisance threshold is ignored, and once they become disruptive enough to be worth going after, they have enough of an attack signature to be traceable. Track them down and identify them first, before they know they've triggered the alarms, then let them know you know exactly who they are and what they're up to and would they please cut it the fsck out?, then go to the cops (net, local, or federal as the case may be) if nothing else works. Depending on how much sense they have, one or the other of these measures is likely to encourage them to play nice
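The 'threshold effect' from the comment above, sketched as an added example that is not part of the original thread: sources below a nuisance threshold are ignored, and a source that crosses it has every probe retained as evidence for a report. The log format, the threshold and window values, and the names `triage` and `SAMPLE_LOG` are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source IP> <destination port>".
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2000-06-01T02:00:00 192.0.2.10 21
2000-06-01T02:00:05 198.51.100.7 80
2000-06-01T02:00:10 192.0.2.10 23
2000-06-01T02:00:20 192.0.2.10 25
2000-06-01T02:00:30 192.0.2.10 110
2000-06-01T02:00:40 192.0.2.10 111
2000-06-01T02:00:45 truncated
2000-06-01T02:00:50 192.0.2.10 143
2000-06-01T02:03:00 203.0.113.5 22
2000-06-01T02:06:00 203.0.113.5 22
2000-06-01T02:09:00 203.0.113.5 22
2000-06-01T02:12:00 203.0.113.5 22
2000-06-01T02:15:00 203.0.113.5 22
2000-06-01T02:20:00 198.51.100.7 80
"""

def triage(log_text, threshold=5, window_s=60):
    """Return {source: [(timestamp, port), ...]} for every source that made
    at least `threshold` probes within any `window_s`-second span."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    evidence = defaultdict(list)  # source -> every probe seen, kept for a report
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue              # malformed or truncated entry
        try:
            ts = datetime.fromisoformat(parts[0])
            port = int(parts[2])
        except ValueError:
            continue
        src = parts[1]
        evidence[src].append((ts, port))
        q = recent[src]
        q.append(ts)
        # Drop probes that have aged out of the sliding window.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            # Same list object as evidence[src], so probes logged after the
            # alarm trips are still added to the record.
            flagged[src] = evidence[src]
    return flagged

if __name__ == "__main__":
    for src, probes in triage(SAMPLE_LOG).items():
        print(src, "crossed the threshold; ports probed:", [p for _, p in probes])
```

With the default one-minute window the slow prober at 203.0.113.5 stays under the threshold; widening the window is what brings a low-and-slow source into view.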
Re:not a good idea (Score:3)
I just finished working with two FBI case agents out of Omaha Nebraska (*cough* SiliCorn Valley) regarding tracking down a UDP packet-storm DCA and a simple web site defacement of our 'honey-pot' machine.
Generally, the FBI is clueless only when you throw your hands up in the air and say "I've been hacked!" and expect them to do all the work. If you can do the major investigation yourself (looking up ISP's with 'dig -x ###.###.###.### soa' and 'whois ###.###.###.###@whois.arin.net' and of course 'whois domainname.com' and 'nslookup ###.###.###.###') and draw them a picture, they follow along and understand very well.
It was fun watching a tense meeting with two 'G-men' melt into laughing and joking. They seemed to understand the 'hacker scene' pretty well: the arms-race, the script-kiddies, and the major web sites you get exploits from. And they were visibly excited when they saw that I had done their footwork for them.
Even if the local FBI agents are somewhat clueless (which these weren't) they have someplace full of very clueful people who can analyze your logs for you. If you come across as knowledgeable, they'll recommend you to the analysis people, and they'll work with you.
(And remember: When you're getting DCA'ed, 'tcpdump -n -i eth# | gzip > capture.log.gz' is very very useful evidence. When you get your upstream ISP to filter out the flood traffic, sometimes the originator of the attack will ping you to see how your connection is doing. Those little innocent probes in between major shifts in attack activity make for great evidence.)
Re:I am Reminded of a Proverb... (Score:2)
It matters not how accessible the car was, it was still stolen.
Actually, if you live in Texas, leaving the car unattended with the keys in the ignition will get you slapped with a rather pricy ticket.
Re:I am Reminded of a Proverb... (Score:2)
McDonald's coffee (WAY, WAY OT) (Score:3)
Two facts:
1. The coffee was around 200 degrees.
2. The lady was in the drive-through
Two questions:
1. Why would you serve coffee that is hot enough to cause third-degree burns?
2. Where do you put your drink when you go through the drive through?
I don't believe McDonald's was found guilty of any wrongdoing; rather, they were found guilty of negligence - a legal term that means "They should have known better." McDonald's should have known that many (if not most) of their customers put their drinks in their laps, and that their coffee would cause third degree burns. Given those two undisputed facts, it is a statistical certainty that someone's crotch would get burned badly.
Keep in mind also that all the woman wanted initially was for McDonald's to pay part of her medical bills. If they had said "We're so sorry" and written a small (to them) check, it would have been over and done with. Instead they said "You STUPID woman! You should have known better!" and promptly launched a propaganda campaign that has clearly had its intended effect, as evidenced by that note in your post. So the woman sued for millions and won.
It's funny, as anti-corporate as the typical
Re:I wouldn't. (Score:2)
Do you have any suggestions for a better way?
I prefer snort [snort.org]. It logs attack attempts, but doesn't do the blocking that PortSentry does. Snort is very configurable, and can log a good deal of information.
The question I have (which I've been thinking of submitting to Ask Slashdot) is what to do with the lists of attacker IP addresses. I'm sure these are mostly just "innocent" compromised hosts, but it would be nice if there were some organized way for us to keep track of who those hosts were, so that people who were concerned about security could blacklist them.
Of course, there would need to be a way to ensure that the reported IP addresses are genuinely attackers (otherwise script kiddies could just submit claims that you were hacking them). Maybe Advogato's [advogato.org] method for establishing a trust network could be adapted to the problem?
Here's my personal policy. (Score:2)
Let's assume J. Random Crax0r is trying to get into my system, or DoS it, or jab at it with cyber-doggie-doo-on-a-stick, or whatever. What's my objective? The same thing if someone were attacking me IRL: neutralize the threat.
I don't believe that "hacking back" is per se illegal... it all depends on the situation. For instance, if this particular er33t d00d is launching an attack on my computer, I should be perfectly justified in taking whatever actions are necessary to eliminate the threat. If this means simply blocking him out at the firewall, that's nifty-cool by me. On the other hand, if I can disable his computer remotely and stop the attack, that is acceptable as well, in my opinion. Disabling his computer and playing hopscotch with a magnet on his hard disk would not be acceptable, however.
Let's say the attacker had hijacked another machine, and was using it to do his evil deeds. Well, my condolences to the user whose machine was hijacked, but that doesn't eliminate the threat to me now, does it? I still think I would be justified in disabling the attacking machine, if it were necessary to stop the attack. Say someone steals a car, and is trying to run down my car with it. Wouldn't I be justified in disabling the other car, even though the attackers don't own it? Of course I would be, because it still poses a threat.
Of course, as in real life, the less force that is used, the better. The important thing is to draw the distinction between neutralizing the threat, and seeking retaliation.
Just my $0.03 CDN.
- Adam Schumacher
Innocence (Score:2)
-----------------------
Physical retaliation (Score:2)
Can anyone find a link to the
Re:McDonald's coffee (WAY, WAY OT) (Score:2)
1. The coffee was around 200 degrees.
---
Yep.
---
2. The lady was in the drive-through
---
Yep. I assume she wasn't forced to go there, either.
---
1. Why would you serve coffee that is hot enough to cause third-degree burns?
---
Because, it would appear, most people don't seem to have a problem with it. People expect coffee to be hot, and if the market has decided that it doesn't mind (people still buy McDonald's coffee, right?), then what's the harm in that?
---
2. Where do you put your drink when you go through the drive through?
---
In a cup holder (which most halfway recent vehicles have - and can be bought 3rd party if desired).
If it's a cold drink, I'll put it in my lap. If I spill it on myself and accidentally crash into a telephone pole, I'll pay the damages myself. I didn't have to put a drink in my lap, and neither did she. I didn't have to go through the drive-through, and neither did she.
---
It's funny, as anti-corporate as the typical
---
Oh yes, the "if you disagree with me, you must be a tool of The Man" argument. Give it a rest.
Second, Slashdot is not a collective. We are capable of having diverse opinions.
Third, some of us may not support the encroaching 'nanny culture' of this country where - instead of taking responsibility for your own actions - you shift the blame elsewhere and possibly make some cash in the process...
- Jeff A. Campbell
- VelociNews (http://www.velocinews.com [velocinews.com])
Re:I am Reminded of a Proverb... (Score:2)
Do you intend to bring the server down? Then that's computer resource abuse. Are you pointing to a web site? That's an intended use, and if it goes down it's not your fault. Big difference.
- Jeff A. Campbell
- VelociNews (http://www.velocinews.com [velocinews.com])
Re:Bah! All we need is a full I.C.E. (Score:2)
Interestingly, there is a software program called Black ICE that a friend of mine runs on his cable-modem connected NT 4 box. He sees a LOT of portscans and similar low grade attacks. As far as I know, BlackICE doesn't do any counter-attacks though!
Torrey Hoffman (Azog)
Re:I am Reminded of a Proverb... (Score:2)
I note you haven't cited the law.
---
I'm not a lawyer, and am too lazy to look around. It's not like it hasn't been prosecuted before.
---
"Computer Abuse"? What the hell's that?
---
Computer resource abuse. If I recall, that's justification they used in Operation Sundevil to prosecute the offenders (those that weren't innocent bystanders at least).
My point still stands: Intent is a major part of the law. Run over someone on accident, and run over another person on purpose. The former may require you to pay someone's doctor bills, the latter will land you in jail.
- Jeff A. Campbell
- VelociNews (http://www.velocinews.com [velocinews.com])
Re:McDonald's coffee (WAY, WAY OT) (Score:2)
No, but it's reasonable to assume that food they serve won't cause you physical damage. You wouldn't expect their meat-like burgers to contain discarded hypodermic needles, either. If the coffee was normal hot-coffee temperature, I'm sure she would have taken responsibility for it.
This particular McDonald's had gotten many complaints about their scalding hot coffee, and had refused to do anything about it.
It's funny, as anti-corporate as the typical /.er seems to be, they sure buy the corporate propaganda, hook, line, and sinker.
Oh yes, the "if you disagree with me, you must be a tool of The Man" argument. Give it a rest.
No, he's just saying that you're buying into this corporate propaganda that McDonald's spread so effectively. I used to believe this coffee lawsuit was ridiculous too, until I learned the details about it. (I do agree with you that Slashdot has diverse opinions.)
Third, some of us may not support the encroaching 'nanny culture' of this country where - instead of taking responsibility for your own actions - you shift the blame elsewhere and possibly make some cash in the process...
I agree that our lawsuit process is often abused. But sometimes there is no other recourse. What would you do if Mickey D's served you a hamburger with used needles in it? Would you still consider yourself "responsible for your own action" of buying and eating the burger? Or what if your employer or client withheld thousands of dollars of payment from you for no good reason? What would you do?
Lawsuits in our culture have a bad reputation, often deserved. BUT be careful about condemning them as a whole, because one day you'll wish you had the option when someone screws you over. The source of most anti-lawsuit PR these days is large corporations who want to screw over the public and not get sued-- think of HMO's, insurance companies, etc. They've manipulated the public's mistrust of lawyers (again, often deserved) into a general condemnation of lawsuits.
Like it or not, lawsuits are a fundamental element of the US legal system; they're how our civil code (as opposed to criminal code) is enforced. A lawsuit should only be used as a last resort after all other negotiation fails, but without that option, many basic rights we take for granted would be effectively lost, because they would be unenforceable. I used to loudly condemn lawsuits and anyone who would bring them, until I had a couple of eye-opening experiences that made me realize the critical part they play in our legal system.
Re:I am Reminded of a Proverb... (Score:2)
As for your being too lazy to find the law, gee, why should anyone take your comments about it seriously?
---
Will you reread my comments? All I said was that intent could very well have something to do with it.
---
In fact, you admit you do not know what it is.
---
Perhaps you'd prefer talking like you know something and yet not admitting that you're not a lawyer?
---
These are quite different from "illegal" acts, which are created by criminal statute.
---
Let's put it this way: there have been people arrested for intentionally fucking with people's systems. Is that 'illegal'? I don't know - but I do know that they were arrested.
It's occurring to me that your original post was nothing more than bait.
- Jeff A. Campbell
- VelociNews (http://www.velocinews.com [velocinews.com])
Re:I am Reminded of a Proverb... (Score:2)
"I think it's a matter of intent."
Emphasis mine.
- Jeff A. Campbell
- VelociNews (http://www.velocinews.com [velocinews.com])
Re:Actually not so moot (Score:2)
Regarding your question of a declaration of war, if some drunk idiot fires a potshot across the border, does that mean that the US and Canada are at war? Of course not, since it was not a conscious act of the state. They tend to call these things 'border incidents'. But states do have their relationship suffer if there is an increase of such cross-border incidents without reaction from the source state's government or if the source state isn't taking reasonable precautions to minimize such incidents at all.
The point is to raise the seriousness of attacks and to fit cyber acts into existing law framework. Take a look at militia statutes and you will find some very good law on the subject, frankly it's the only body of law that covers such things.
DB