Dumb Idea Or Dumbest Idea: Letting Companies Use Malware Against Infringers

from the dumbest-ideas-ever dept

We already did a post exploring the ridiculous background and bad assumptions of the so-called IP Commission Report, but we’re going to explore some of the “recommendations” of the report as well. In that first post, we noted that the basis, assumptions and methodology of the report were all highly problematic, so it should come as little surprise that the “recommendations” that come out of it are equally ridiculous.

Let’s start with the one that has received the most attention: the fact that the report recommends a “hack back” legalization, to allow those who feel their (loosely defined) “intellectual property” has been infringed to “hack back” at those who infringe. As Lauren Weinstein summarizes, this proposal more or less is a plan to legalize malware against infringers. Of course, this kind of idea is not new or unique. It’s been around for a while. Almost exactly ten years ago, Senator Orrin Hatch proposed allowing copyright holders the right to destroy the computers of anyone infringing. The specifics here are explained over two “suggestions” that, when combined (hell, or even individually), are somewhat insane for anyone even remotely familiar with the nature of malware. First up, legalizing some basic spyware/malware:

Support efforts by American private entities both to identify and to recover or render inoperable intellectual property stolen through cyber means.

Some information or data developed by companies must remain exposed to the Internet and thus may not be physically isolated from it. In these cases, protection must be undertaken for the files themselves and not just the network, which always has the ability to be compromised. Companies should consider marking their electronic files through techniques such as “meta-tagging,” “beaconing,” and “watermarking.” Such tools allow for awareness of whether protected information has left an authorized network and can potentially identify the location of files in the event that they are stolen.

Additionally, software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for law enforcement to become involved.

Basically, malware/DRM-on-steroids. As if that will work. Anyone who had even a modicum of experience with DRM or watermarking knows that these things aren’t difficult to get around, and are basically a huge waste of time and money for those who employ them. The idea that they might then lock down entire computers if an incorrect file gets onto one seems even more ridiculous. Given how often DRM causes problems for legitimate users of the content, you can imagine the headaches (and potential lawsuits) this kind of thing would lead to. A complete mess for no real benefit.

So, then, they take it up a notch. If bad DRM/watermarking isn’t enough, how about legalizing the pro-active hacking of infringers? No, seriously.

Reconcile necessary changes in the law with a changing technical environment.

When theft of valuable information, including intellectual property, occurs at network speed, sometimes merely containing a situation until law enforcement can become involved is not an entirely satisfactory course of action. While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.

Notice how that recommendation gets even more insane the further you read. “Retrieving” info? Okay. “Destroying info on an unauthorized network”? Yeah, could kinda see where someone not very knowledgeable about computers and networks thinks that’s a good idea. “Photographing the hacker”? Well, that’s going a bit far. “Implanting malware in the hacker’s network”? Say what now? “Physically disabling or destroying the hacker’s own computer or network”? Are you people out of your minds?

This isn’t just a bad idea, it’s a monumentally dangerous idea that will have almost no benefit, but will have tremendously bad and dangerous consequences. Hell, today we already have to deal with a plethora of bogus DMCA takedown notices. Imagine if that morphed into bogus malware attacks or destroying of computers? It makes you wonder how anyone could take anything in the study seriously when you read something like that.

To be fair, the authors of the report say they don’t recommend legalizing this stuff yet, but immediately make it clear that something like this is going to need to happen in the future, because “the current situation is not sustainable.” Based on what? Well, as we explained in the first post about this report, that’s mostly based on the authors’ overactive imaginations, rather than anything fact-based.

Filed Under: , , , , , , ,
Companies: national bureau of asian research

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Dumb Idea Or Dumbest Idea: Letting Companies Use Malware Against Infringers”

Subscribe: RSS Leave a comment
81 Comments
Tim K (profile) says:

including actively retrieving stolen information, altering it within the intruder?s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system?s camera, implanting malware in the hacker?s network, or even physically disabling or destroying the hacker?s own computer or network.

Not really surprising. And I’m sure it would be 100% accurate and not accidentally do that to innocent people ever…

That One Guy (profile) says:

Funniest bit? With all their suggestions about hacking computers to place malware/spyware, and retrieve info on potential infringers, they don’t seem to realize that would make any evidence they might present completely and utterly useless in any legal case it might be brought up in, as the person who’s computer was hacked could just say they planted the ‘illegal’ files.

Of course given that lot’s aversion to anything and everything involving the legal system that isn’t using it to pass laws to protect themselves from having to adapt, I’m sure they consider that a feature, not a bug. ‘This is a copyright case, which means the accused is presumed guilty until they can prove their innocence, and since the only evidence they can present is inadmissible due to both parties having had access to it, it’s down to our word versus theirs, which is an automatic win for those making the accusations’.

Also of note, if it suddenly becomes legal to plant malware/spyware on the computers of anyone suspected of having pirated files, companies around the US are going to go absolutely nuts hacking their competitors, as all they’d need to do to justify it would be to claim that they thought the other company had pirated files on their servers.

Anonymous Coward says:

Re: Re:

they don’t seem to realize that would make any evidence they might present completely and utterly useless in any legal case it might be brought up in, as the person who’s computer was hacked could just say they planted the ‘illegal’ files.

You’re laboring under the assumption that anything the “find” would be used in a law enforcement action.

After all, if you have the legal right to act as judge, jury, and executioner, why would you bother with a trial?

Moreover, this has nothing to do with actually stopping “piracy” – it’s real purpose is to stop competition. You wanna silence the TPB movie? Claim that it infringes your copyright, upload a copy with a virus and destroy the computer of anyone who downloads it. Wanna “get back” at someone who criticizes you? Hack the computer of anyone who downloads “Homeland”.

Jesse (profile) says:

Re: Re:

“Also of note, if it suddenly becomes legal to plant malware/spyware on the computers of anyone suspected of having pirated files, companies around the US are going to go absolutely nuts hacking their competitors, as all they’d need to do to justify it would be to claim that they thought the other company had pirated files on their servers.”

Better yet, it would basically legalize the activities of “organizations” like anonymous. Everyone infringes copyright at some point, especially the copyright maximalists. I can only imagine the hilarity of anonymous LEGALLY pulling apart all the IAAs byte by byte.

weneedhelp (profile) says:

Where do the malware vendors go

Interesting to see how say Symantec can differentiate between the bad malware and… Good malware?(No such thing) And if they do find a way; Doesnt that then kill their credibility in the Virus/Malware arena? Why would I want to use a product that selectively allows spyware? What a 3 ring circus of clowns our lawmakers have become.

Dreddsnik says:

Re: Where do the malware vendors go

Symantec and McAffee already do this. There are Windows hack tools to bypass WPA that are in no way harmful to anyone. These are marked as ‘malware’ simply because microsoft doesn’t like them. Many of the smaller AV companies are doing the same thing ( Comodo, AVG, Kaspersky ). Yes, this does call their credibility into question.

Jessie (profile) says:

Well, it’s obvious what we should do then, in the name of copyright. The government should set up massive servers that everyone logs into from dumb terminals and uses government approved software to view and manipulate files. We would, of course, have to outlaw owning personal computers that can operate in any way outside that network, and all file storage would be on their servers as well. That way they can view our files and computing habits accordingly. You would then pay a fee based on what software packages you or your business would be allowed to access.

See, I’ve just solved the copyright problem, since nothing could exist in digital form that was not approved. In fact, all data could be government approved. Wouldn’t that be dandy.

Anonymous Coward says:

Many people and entities fought and are still fighting really hard against all sorts of malware and viruses that cause real damage.

Botnets, that rely on computers infected with malware, are used daily in DDOS attacks, spamming, phishing and many other evil activities.

Now these idiots want to flush all that hard work down the toilet, and green-light the use of malware?

The idiot that proposed this should be SHOT for proposing legislation that intentionally makes the world less safe.

Seegras (profile) says:

Re: Re:

.. and your nation. In which case your gouvernment (were it any good) would promptly replace those people on ground of endangering national security.

I mean, private people can advocate anything, but if they’re officials, proposing ideas like this in an official role at least warrants immediate dismissal, if not an investigation for high treason (trying to subvert national security etc…).

Anonymous Coward says:

“the current situation is not sustainable.”

It’s not sustainable for the current plutocracy. The current plutocrats want to be able to continue to make money and do little to earn it while forcing laws that are unfairly enforced on everyone else. They have gotten away with it for this long but people are catching up and their business model is not sustainable. They may have to actually work for a living instead of relying on bought laws (ie: 95+ year copy protection lengths and retroactive extensions, a one sided penalty structure, govt. established broadcasting and cableco monopolies for private and commercial use, govt. established taxi cab monopolies, etc…).

Anonymous Coward says:

Awesome idea!!

Give hackers a free method of malware that will most likely be prevented from being labeled as malware.
Give hackers access to what could potentially become the largest botnet in history.

Give people who infringe a perfect defense to fight back.
Give people who have equipment destroyed a perfect case to sue because they have the perfect defense to say they were set up.

Sounds like a damn good plan to completely destroy any means of fighting copyright infringement.

Anonymous Coward says:

Re: The main malware today is javascript, mainly by Google.

Dumbass.

Google doesn’t need Javascript to track you.

Every resource you load from the internet can be used to track you.

This is just one way to do it:

https://en.wikipedia.org/wiki/Web_bugs

Want to stay hidden? Bury yourself in a concrete bunker on the bottom of the ocean.

Anonymous Coward says:

Hmm, where to begin.

First off rootkits are hidden from the OS discovering it. Doesn’t mean it’s gone, only that it isn’t visible to detection through the OS. If you can discover what the rootkit folder is named, as in the first letter or digit or two, you can add to the rootkit whatever it is you like, say like more malware. By trying a series of digits and letters you can find what it is, say like a* or $*. It won’t show you it took it but you will know by the absence of an error. So any hack with a few hours work at best will be able to access it and use this rootkit for their own purposes.

As far as permission to use malware, lots of companies are unofficially already doing this under the table., The RIAA has a long history dating back to the Gnutella networks of using malware methods. The first one off the top of my head is the old Loudeye that was hired to serve up malware on file sharing networks. It started out returning bogus search results in file sharing networks and expanded beyond that. Loudeye opened up a second branch called Overpeer.

http://www.theinternetpatrol.com/mpaa-contractor-infects-downloaders-machines-with-adware-spyware/

While the article only mentions the MPAA the RIAA was up to it’s eyeballs in it as well.

So being given official permission would only bring it out in the open, what is already and has already been being used.

Votre (profile) says:

Shall we play a game?

The only thing a move like that would accomplish is to start a full scale war of attrition on the Internet. I hope they table this for the utterly stupid idea it is before killer bots, drive-by malware and DDoS exchanges become the norm.

Cowboy style “justice” may appeal to our baser instincts. But anybody can assemble a posse. And the people who are asking for a blanket authorization of vigilante responses might want to consider that any number can play that game if you abandon good laws and decent behavior.

And when it comes to that sort of technology and creativity, I think the ‘court advantage’ is squarely with the “rest of the world” rather than corporate security and IT departments

Anonymous Coward says:

Wow we would enter the age of trolling. No one would ever have to learn how to hack to destroy another computer.
Example on a soundmixing forum:
Guy: “Does anyone have a good recording of birds singing?”
Troll: “Sure no problem.”
*Sends recording to guy named Birds_01.ogg*
*Guy opens Birds_001.ogg and discovers that it is really a copyrighted song*
Computer of guy: “You have been deemed guilty of copyright infringement and your files are now locked. Please report for public execution at your nearest MIAA center.”

That is gonna be “sooo fun” for the rest of us (not trolls).
And to think that at one time not too long ago, I had an almost childish excitement for the future. I seem to have lost that in the last couple of years due to morons like this.

Red Rackham says:

Re: Am I becoming a conspiracy nut???

I find the same thing increasingly hard. It would seem that the US government (among others) is riding the “property” part of “intellectual property” in order to shut people up, by stuffing the free speech genie of The Internet back into the lamp. Since property rights are generally stronger then free speech rights, making every idea into “property” allows us to hand off enforcement of property rights to some police-type administrative organization, and thus administratively effectively censoring a lot of speech.

Shmerl says:

To be fair, the authors of the report say they don’t recommend legalizing this stuff yet, but immediately make it clear that something like this is going to need to happen in the future, because “the current situation is not sustainable.

Which translates to the authors of the proposal not smoking enough crack yet to push for implementation of insane Big Brother DRM, but enough to come up with such lunacy. In the future, when their smoking efforts will progress so sustain their growing appetites, they can get to pushing the idea into action.

Shmerl says:

Re: Re: Alternative OS

OS can be defended against malware, but the sneaky problem is that if such malware becomes legal, DMCA will make defending against it illegal! I.e. security measures will be rendered “circumvention tools” and will be banned from legal application distribution. These lunatics know what they are doing, that’s why it’s important to repeal this legal pile of garbage.

Anonymous Coward says:

haven’t read all the replies so may have been posted already. the freakin idiots that come up with this crap always leave out the thing that is going to harm the most. that is when the ‘back doors’ are opened by those outside the USA. what is going to happen then? what is the USA going to do when all the ‘foreign’ software does something similar? do these idiots think that the only people to get ‘unauthorised’ copies of something are outside the USA? give me strength!!

Anonymous Coward says:

Does anyone in their right mind think that real people who pirate would be calling the cops for the key? Please. The key would be all over the internet in a day. Barring that, reloading the OS would eliminate the issue.

The people sharing files would take about 2 minutes after it was discovered to spread the word, ensuring that almost no one got this malware.

It’s obvious it hasn’t been well thought out. But then idiots don’t tend to think very deeply.

Anonymous Coward says:

Here’s a fair compromise:

Anyone attacked by a copyright group can send a notice of infringement claiming that they were wrongly attacked.

The offending group must not only cease all cyberterrorism attacks (let’s call it what it is), but disable all firewall and protective capabilities for a set period.

They can appeal, but are forbidden from reactivating their protection in the meantime.

If the RIAA and their ilk want the “right” to commit acts of cyberterrorism, they should have to take the maximum risk of retaliation when they’re found to be in the wrong, as they inevitably will be.

btr1701 (profile) says:

Weapon

> The idea that they might then lock down entire computers
> if an incorrect file gets onto one seems even more ridiculous.
> Given how often DRM causes problems for legitimate users
> of the content, you can imagine the headaches (and potential
> lawsuits) this kind of thing would lead to.

This would be a helluva weapon for disruptive groups like Occupy that hate big corporations and banks. They could easily send one of these protected files to the entire corporate email list, and every secretary, mail boy, and assistant will then try and open it, resulting in a huge percentage of the company’s computers locked down for a day or so.

Daemon_ZOGG (profile) says:

"disabling or destroying the hacker?s own computer or network"

This would lead to all out cyberwar against the organization involved in the illegal detruction of other peoples stuff. If they attacked/destroyed your network or computer by mistake, wouldn’t you be wanting their heads mounted on somebody’s wall. Yeah.. I thought you might. Corps acting in this manner, would destroy themselves in very short order. From a public affairs view, it would be the final nail in the coffin.

John85851 (profile) says:

No way this could backfire

“That One Guy” stole my idea. 😉
What would happen if anyone (rival companies, evil hackers, hacker-activists, etc) decided to watermark and plant fake files on people’s computers? Then what happens when the real company sends a malware attack onto these computers?

But most of all, what ever happened to the idea of due process of law? There’s the fact that the company should prove the file is infringing, then they should prove you did it on purpose. Like we’ve seen with false takedown notices, will there be any repercussions for false malware attacks? I don’t think the RIAA can just say “oops, my bad” when they take down a college’s network because one person named their class project with the same name as a Hollywood movie.
However, it would be beyond hilarious if the automated takedown company (which so many companies seem to use) attacked NBC’s own website for “illegally” hosting its own shows.

But, as usual, there are no technical details to back up this plan: just some vague ideas about what “should be done”. What would happen if some IT guys (or any IT guys) were to explain that none of this is actually feasible? Or like some other posters are saying, does anyone care about the feasibility as long as they look like they’re “doing something”.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...