FBI Waking Up To The Fact That Companies With Itchy Trigger Fingers Want To Hack Back Hacking Attacks

from the dangerous-ideas dept

It’s no secret that some in the computer security world like the idea of being able to “hack back” against online attacks. The simplest form of this idea is that if you’re a company under a denial-of-service attack, should you be able to “hack” a computer that is coordinating those attacks to stop them? More than two years ago, an LA Times article noted that some cybersecurity startups were marketing such services. Related to this, when the terrible CISPA legislation was being debated, one concern was that it would legalize such “hack backs” because, among other things, CISPA would grant immunity to companies “for decisions made based on cyber threat information.” Some interpreted that to mean that companies would have immunity if they decided to hack back against an attacker.

A new article from Bloomberg suggests that companies are still quite eager to get involved in hacking back, and the FBI (which supported CISPA) is investigating some such cases where it may have happened. However, companies like JP Morgan still love the idea:

In February 2013, U.S. officials met with bank executives in New York. There, a JPMorgan official proposed that the banks hit back from offshore locations, disabling the servers from which the attacks were being launched, according to a person familiar with the conversation, who asked not to be identified because the discussions were confidential.

The article notes, of course, that such attacks likely violate the CFAA (Computer Fraud and Abuse Act) (which is why some want immunity for hack backs). But, it’s a bad idea not just because it likely breaks the law, but because it’s stupid and dangerous. First, accurately determining who is behind a hack is quite difficult — as we’re seeing lately with all the recent skepticism about the FBI’s claim that North Korea was responsible for the Sony Hack. Launching a counterattack against the wrong party can have serious consequences — even more so when those counterattacks might target actual nation states, rather than just a group of script kiddies.

On top of that, the article notes, the hack back attempt could make the situation even worse:

Efforts to retaliate can make things worse, [Kevin Mandia] said, because attackers who aren’t purged from the network could escalate the assault or ramp up attacks on other companies targeted by the same group.

And, of course, the very real possibility that the wrong party is targeted in the hack back can create all sorts of collateral damage. Remember when Microsoft took down many thousands of sites by mistargeting a court order? Imagine that without any court even being involved.

Finally, think through the obvious consequences of this. If you’re a malicious hacker, it suddenly becomes a great opportunity. Pick two separate targets you want to harm — then attack one and make it appear like the attack is coming from the other. Then sit back and watch the two of them duke it out while you laugh away.

Hacking back is a vigilante Hollywood movie-style idea that pays no attention to the realities of the technology or the consequences of the actions. Hopefully companies are smart enough not to follow through — and lawmakers prevent it from being protected by law.

Companies: jp morgan


Comments on “FBI Waking Up To The Fact That Companies With Itchy Trigger Fingers Want To Hack Back Hacking Attacks”

61 Comments
That Anonymous Coward (profile) says:

Often I am amazed by these companies who want to hack back, to “punish” the hackers. Willing to spend considerable resources to teach the bad guys a lesson… if only they cared enough to pay for basic network security in the first place.
This is a bad idea, the tit for tat just leads to more hacks as each side tries to prove who has the bigger dick. In the end the losers will be smaller players who couldn’t afford better security and were drafted into the original hack without their knowledge.
When the rules are an eye for an eye, everyone ends up blind.

Kal Zekdor (profile) says:

Botnets

Pick two separate targets you want to harm — then attack one and make it appear like the attack is coming from the other.

Even when not intentionally trying to provoke a hacking war, it’s common practice for hackers to use compromised third party systems as launching points for attacks. It is difficult to determine (by the target) which machines are owned by the attackers, and which are members of a botnet. Collateral damage is a real ongoing concern with counter-hacking.

That One Guy (profile) says:

Re: Botnets

I would imagine that anyone who actually poses a threat to a properly secured system will always go through compromised third-party computers, networks and systems. Why put their own hardware at risk if they don’t have to after all? As such, the idea of a ‘counter-hack’ is beyond idiotic, as it will cause heavy damage to people whose only ‘crime’ was not securing their systems sufficiently, while at the same time leaving the actual guilty party completely untouched.

Yeah, I’m sure after something like that a hacker/group would be real hesitant to repeat their actions. /s

monkyyy says:

Re: Re: Botnets

It’s possible to disable botnets remotely, let’s imagine that the industry standard is to install a sort of anti-virus on the attacking system first (it seems reasonable to me) to see if the attacks stop them. Considering the value of such botnets it would be quite a loss for the hacker and it’s not the worst thing in the world even if it would be slightly questionable if there are any false positives.

tqk (profile) says:

Re: Re: Re: Botnets

It’s possible to disable botnets remotely, let’s imagine that the industry standard is to install a sort of anti-virus on the attacking system first (it seems reasonable to me) to see if the attacks stop them.

You have much greater faith in antivirus programs than you should. I’ve seen reports that the best of them catch only 80% of existent malware, and no antivirus will stop a zero-day. The antivirus industry is selling snake-oil. Actual secured systems don’t need it. Don’t fall for their BS.

Considering the value of such botnets it would be quite a loss for the hacker and it’s not the worst thing in the world even if it would be slightly questionable if there are any false positives.

Which is why I don’t want people like you anywhere near the decision making process. Yours is a “ready, shoot, aim” mentality. Systems that are part of a botnet are victims too. If those systems are 911, or air-traffic control, or pentagon, or managing other critical systems, you could be causing far more collateral damage to victims even further removed from the original incident.

Please, get over your blind lust for revenge before you start WWIII.

Anonymous Coward says:

Re: Re: Re:2 Botnets

I agree with your assessment for other reasons. As you state there are no protections for zero days. The vulnerability isn’t yet known to exist or is known but not repaired. Microsoft often goes years without fixing a known problem until they are forced into it by a white hat releasing that data after getting tired of waiting for a long time for them to patch the bug. This has been going on since way back in the days of Win95.

In order for an antivirus to work, the A/V company has to write a signature to find that particular malware. Most malware writers check against the most popular A/Vs to make sure it will pass not being seen before they put it out. Doesn’t make sense to put one out that is not going anywhere. They will usually write 4 or 5 similar versions slightly different so when it is identified and a signature written, they issue a variation that is no longer spotted to keep it going.

There are far too many malwares out for A/V companies to write one for every one they spot. So they wind up working on the ones most widely spread. All the malware writer has to do is keep it below the threshold of being well known and they are good to go.

No matter what you do, they are releasing far more malwares than can be kept up with meaning that the A/V will not spot the majority of them.

So thinking that A/Vs will take care of the problem is foolish.

Groaker (profile) says:

Re: Re: Re:3 Botnets

A decent A/V relies not only on viruses, but also on heuristics — the detection of a program which is behaving in an unusual way. Signatures are not required.

Indeed signatures are often inadequate, as many viruses are created to morph, and change their strings on a regular basis.

I often worked with a virologist who found the homologous behaviors of organic viruses, and those of the electronic world to be fascinatingly similar.

tqk (profile) says:

Re: Re: Botnets

Let them hack back and be forced to deal with the possibility of a lawsuit if they attack the wrong person …

I am so fscking sick to death with you Yanquis’ litigious BS. You can’t solve all the ills of the world by throwing lawyers at them! Who do you think you are, MafiAA?!?

You don’t like drug or arms deals going on in the dark net? Sue! Oh, they’re in Russia, and they don’t give a rat’s ass for US’ tort law. Oops. How about the Somalis, or Afghan Taliban, or Cubans, or Venezuelans, or “Best Korea” (cf. Fark.com), …

How about you/we just stop doing stupid things giving nutbars reason to escalate some corporation’s (Sony!) problems into WWIII?

tqk (profile) says:

Re: Re:

… it shouldn’t be a problem to add lynch mobbing rights.

Piker. Why not just targeted assassinations? Start with their CEO and systems security staff. “All’s fair in love and war.” Except this isn’t war. It’s just business. No-one wins in war. The “winner” just loses less (ideally).

Anyone promoting this foolishness should be recognized as the sociopaths that they are.

Anonymous Coward says:

>can’t hack back because it’s illegal
haha, like they care. Banks and the likes of MPAA and others who are in bed with the government can easily get away with much worse things.
The “suicide”s among bankers are hilarious. Someone cut himself up with a chainsaw, other killed himself with multiple shots from a nailgun… Nothing suspicious, officially suicide. I’m pretty sure if they were able to hack back they would do it.
It’s not a matter of legality.

Rich Kulawiec (profile) says:

It's never appropriate

…to respond to abuse with abuse. It inevitably makes things worse for all concerned and quite likely for third parties who have (at most) minimal involvement with the incident. We learned this a long time ago, and it’s truly a pity that those working for these companies haven’t internalized the lesson.

A much better choice, as other commenters have noted, is to strengthen one’s own defenses — preferably BEFORE a major security incident.

Groaker (profile) says:

FBI

Does the FBI have any credibility whatsoever?

In the Ok bombing, the FBI claimed that traces of explosive evidence were a match for that found in the remains of the truck. Yet the head of the explosives section, Dr. Frederic Whitehurst testified under oath that the testing done by the FBI lab could distinguish between urea found in fertilizer, and that found in urine. Whitehurst also testified that many cases and tests came under extreme political pressure to “show” that the test was positive for a particular person.

Richard Jewell, the actual hero of the Olympic Park bombing, was named as a person of suspicion in that event. Persons of suspicion are not supposed to be publicly named. He won a rather large lawsuit, and of course was innocent.

The anthrax attacks had five people named, one after another, as the guilty party. Again massive pressure and subterfuge was placed in attempts to prove each of these individuals guilty. Ivins was finally pressured into suicide with no real evidence, and the case closed. Ivins was almost certainly not the guilty party, and would have required the help of four or five additional people working for a year to achieve this attack. The NAS (National Association of Sciences) said that Ivins did not have access to the equipment or containment units that would have been required. A bunch of terms, particularly “ultracentrifuge” were bandied about to make it appear as though he was guilty. As a biochemist, I had an ultracentrifuge in my lab section. So did my ex-wife. Big deal, except that it sounds malevolent.

Ivins reputedly used acetaminophen to kill himself. Doing so produces a long and extremely painful death. Any scientist knows how to commit suicide with little or no pain with common objects found in the home or lab.

How can anyone trust the FBI?

Anonymous Coward says:

Re: Re: FBI

There is no part of the government I much believe anymore. It’s all corrupt and getting worse. All these three letter agencies have set a new bar for lying.

But they are not the only ones playing dirty tricks. The RIAA, Sony, and others have admitted at some point to hiring third party services to do DoSS, serve malware, and do other little nasties. Which they get away with by the DOJ and crew just refusing to take issue with it.

This is not an original idea by any means. Your computer can be hijacked into a bot net. How you gonna feel when you find out about it when your computer craters due to one of these attacks?

Anonymous Coward says:

Re: FBI

As a fellow chemist (? I’m simply a chemist, not an engineer or a biochemist, but at least we’ve got work that’s related). When I tell some people that I am a chemist they look at me like I’m most likely cooking drugs as a side job. Science = bad, m’kay?

The OKC bombing indicates something that is much stronger than the ridiculous amount of tnt they would have had to fit in that truck…

Groaker (profile) says:

Re: Re: FBI

There are more types of chemist than just about any other occupation in the world, so there is no such thing as a simple chemist. A general chemist would be an appropriate appellation.

Science = bad only for the ignorant. Most would have never been born were it not for the sciences, and of those that managed to come into the world alive, 2/3 would have left it before age 5.

The living third had horrible lives. Infested by all sorts of parasites and bacteria. Head and body lice alone must have made life miserable. For most, clothes were worn until they fell apart, and were rarely washed. Baths were considered unhealthy (as well as immoral), and a great number of people had two baths. One when they were born, another on their wedding day. I can not imagine the crusts and odors that would have built up. Perfume chemists were (and remain) in high demand.

I could go on endlessly, but those who despise the sciences know nothing of science or history.

Uriel-238 (profile) says:

Re: Re: Re:2 Still pretty grimy

During the middle ages the most pious were often rather literal in not concerning themselves with worldly matters, including their own hygiene, and were offensive even to their own monastic ilk.

My source is An Underground Education by Richard Zacks. I’d need to find the book to look up his source. Of course, he also suggested that Brigham Young made full use of his cultish influence to seduce women in the form of “God wants you to have sex with me. HELL IF YOU DON’T.” So Mr. Zacks may hold some… unpopular opinions.

Mason Wheeler (profile) says:

even more so when those counterattacks might target actual nation states,

Nation states. Every time I see that term, I have to wonder who came up with it and why. A nation is a state, so that’s kind of redundant.

Do you go around calling people “person beings”? What sort of pets do you prefer? Are you a feline cat person being, or a canine dog person being?

Uriel-238 (profile) says:

Re: Nations are rather new

The notion that a people can be loyal to a territory or a flag, rather than to a person, rose in the late middle ages during the dawn of enlightenment (and the coffee boom).

Before that, a person’s fealty was to his lord, and then to his lord’s lord, ultimately to the king. (All that I am your LORD crap in the KJV was using the language of the time to articulate that God was supposed to be the top boss.) When a new king rose to power, then everyone had to reinstate their fealty to the new boss, usually on pain of death.

Once we developed the notion of nations, the process was easier. Whoever the king of France becomes is less consequential if your loyalty is to France.

However, this change in thought created some new notions: what if a given king was bad for the country? Is it not then patriotic to vanquish the king and put a better regent in his place?

And this train of thought was a critical step in the development of Democracy, and the modern nations.

Soooo… States are generally nations. But they are not conceptually the same thing.

tqk (profile) says:

Re: Re: Nations are rather new

The notion that a people can be loyal to a territory or a flag, rather than to a person, rose in the late middle ages during the dawn of enlightenment (and the coffee boom).

That’s “the party line”, or what history wants us to think (so we’ll be good citizens of The State). I’m still mostly loyal to a person; myself. Others are loyal to family, then extended family, then those you live close to or deal with on a regular basis. Some person half a continent away who I’ve never met and with whose ideas or aspirations I disagree, not so much. Once you get into Louis’ “L’etat, c’est moi”, we’re in serious disagreementland.

Ancient Greece was city states. There was no “nation” then. Rome changed that, or maybe it was rampant tribalism elsewhere and Greek city states were the outlier.

Regardless, nationhood came to be recognized and accepted as the best way to wield power and control over populations, and we’ve been stuck in that downward spiral ever since. I wish humanity could get over this infatuation, but too many others appear to prefer this state of affairs (so far).

Mason Wheeler (profile) says:

Re: Re: Re: Nations are rather new

Regardless, nationhood came to be recognized and accepted as the best way to organize populations productively and build a strong civilization, and we’ve been building on that foundation ever since. I wish humanity could devolve back into barbarism, but too many others appear to prefer this state of affairs (so far).

FTFY

tqk (profile) says:

Re: Re: Re:2 Nations are rather new

You’re welcome to your opinion. I don’t share it. Most of the messes I read about daily are directly caused by states bitching between themselves about things states have been bitching about for centuries. Did you appreciate how the Nazis and Soviets (and ChiComs, and Pol Pot, and Japanese Empire, …) “organized their populations productively”? How exactly is a “state” necessary to “build a strong civilization”? I thought that sort of thing was up to people like you and me. What’s a state have to do with it, other than to milk us for protection, er, taxes?

It’s pretty silly that you believe barbarism is the only option. I’m trying to get us out of it.

Mason Wheeler (profile) says:

Re: Re: Re:3 Nations are rather new

Most of the messes I read about daily are directly caused by states bitching between themselves about things states have been bitching about for centuries.

We must be reading about different messes then. Most of the ones I read about daily are caused by small, unaccountable, powerful individuals and groups loyal only to themselves (and occasionally to shareholders, which also mostly falls under “themselves” in most cases) pursuing unchecked greed and attempting to live by the rule of Might Makes Right. You know, barbarism.

Did you appreciate how the Nazis and Soviets (and ChiComs, and Pol Pot, and Japanese Empire, …) “organized their populations productively”?

I really ought to call Godwin on this and be done with it. But let me point out two things. First, every one of those governments failed, and failed pretty quickly, far faster than the average, and they are no longer with us. Communist China is sort of an edge case; technically they’re still with us, but they’ve changed so much in the last few decades that Mao wouldn’t really recognize the modern Chinese government.

Second, I really do appreciate the way the Nazis organized their population productively. They took a war-torn nation suffering under crippling poverty, debt, and hyperinflation, and in the course of a few short years they managed to turn it into an industrial powerhouse that was the envy of the world. And then they got into a war of conquest, genocide, and all manner of horrible things that have since turned their very name into a synonym for “evil,” but just imagine if they had put all that potential to a productive use instead!

How exactly is a “state” necessary to “build a strong civilization”? I thought that sort of thing was up to people like you and me.

When’s the last time you built a road, commissioned a police or fire department, established standards for things we use every day to work together, or educated a child? I’ve never done any of those things as an individual “person like you and me,” but as a citizen, I do all of the above and more on a regular basis, by paying taxes and contributing to things larger than myself, which raises my standard of living, and yours, and that of all citizens. That’s what civilization is: a group of individuals working together in an organized fashion to accomplish things beyond the scope of what they could accomplish on their own.

It’s pretty silly that you believe barbarism is the only option. I’m trying to get us out of it.

Sure sounds like you’re trying to do away with civilization and revert to an every-man-for-himself society. That is the very definition of barbarism.

Mason Wheeler (profile) says:

Re: Re: Re:3 Devolving back into barbarism

Precisely. This is the point that the sociop^H^H^H^H^H^H Objectivist crowd willfully refuses to understand. High-quality infrastructure and basic services are an investment in one’s own quality of life, and everyone else’s as well, but due to the principle of the Tragedy of the Commons, they’re not maximally profitable investments from an individual’s perspective.

Infrastructure must be managed by society and not by individuals driven by a profit motive, because high-quality infrastructure is unprofitable and attempts to make it profitable inevitably decrease its quality, to the detriment of all. (See: Comcast, Verizon, AT&T, TWC, toll roads, privatization of water supplies, privatization of prisons, and so on…)

Pragmatic says:

Re: Re: Re:4 Devolving back into barbarism

^THIS^

So much this. We need society and a state in which we are citizens so that the one can benefit from the many, and the many from the one. Interdependence is the key here. The idea that we’re all in the same boat is what makes for a healthy society. Problems begin when individuals and groups attempt to exempt themselves from taking their turn at the oars using the “What’s in it for me?” argument.

Subordinating ourselves to a group of any size can and will detract from our individuality but abrogating our responsibilities to the group/society will, by definition, detract from the group/society if enough of us do it. The impact depends on the size of the group and the number of people not pulling their weight.

This is why I can’t abide big L libertarians. They’re too damn selfish. The small Ls I can live with; they don’t live in a fantasy world in which selfishness is a virtue that benefits all.

tqk (profile) says:

Re: Re: Re:5 Devolving back into barbarism

We need society and a state in which we are citizens so that the one can benefit from the many, and the many from the one.

I fully agree with the rest of that, but why believe a state has anything to do with it?

I’m trying to do a cost/benefit analysis, and all indications I see show that states and rulers are not worth the price we pay for them. People appear to believe allowing us to benefit from wonders like indoor plumbing demands we accept a ruler to keep us squabbling kids from hurting and stealing from each other. Why, and how’s that working out for us, really? All indications show it’s doing a damnably poor job of it. The rich get richer, the poor get poorer, and war after bloody war decimates innocents in their way. How can this be better than the alternative, except for the privileged, connected few who’ve mastered the machinations of state bribery?

The idea that we’re all in the same boat is what makes for a healthy society.

Yes, and what’s a state, or rulers, got to do with that? We give up our autonomy for the greater good, and it’s taken and given to the friends of the state, who in turn use it to enrich their friends instead of all of us as equally deserving partners. Subordinating ourselves to a state has not eliminated those few who use it to divide and conquer us individually. In fact, it empowers them. It creates a point of concentration (a la shopping mart) where they can go to grab (or buy) our power to use against the rest of us.

This is why I can’t abide big L libertarians. They’re too damn selfish.

This is why I can’t abide statism. Its chosen friends and hangers-on are too damned selfish, and demanding I help them by laying down my arms in favour of the many sacrifices us all to the whims and greed of the privileged, connected few.

Uriel-238 (profile) says:

Re: Re: Re:6 The necessity of the state

People appear to believe allowing us to benefit from wonders like indoor plumbing demands we accept a ruler to keep us squabbling kids from hurting and stealing from each other.

There’s a couple of things.

The state was established during feudalism as the one that holds the monopoly on force, that if anyone else attacks, invades or breaches the rights of anyone else (including aggressors foreign) that the state intervenes and defends the meek.

And then there’s the matter of standards. Meat inspection, restrictions against lead pipes, regulations on advertising and so on all come from the power of the state.

So far all our iterations of statehood have sucked, but until we can effectively refine it so that it works or find a substitute that works adequately in its stead, it’s going to be a necessary evil. Otherwise, society WILL devolve into natural order (rule of might) until a state, most likely feudalism, is established.

tqk (profile) says:

Re: Re: Re:7 The necessity of the state

The state was established during feudalism as the one that holds the monopoly on force …

Good answer. That in itself justifies the state. If only we could get that part to actually work! Instead, we still end up with belligerent states run by greedy and arrogant politicians using that military power for political ends instead of defense or merely upholding sane laws.

Meat inspection, restrictions against lead pipes, regulations on advertising and so on all come from the power of the state.

One of the things I was hoping for from the Internet was a massive improvement in communications and citizen reporting. If the Streisand Effect can do all the wonderful things we’ve seen it do, then surely masses reporting on-line (Yelp?) that so and so is selling bad meat, yada yada, would negate the necessity for expensive and often ineffectual regulatory bodies (cf. FCC).

I’m hoping that one of these days, we’ll start to get education for the masses right, and people will start to see the need to take their rightful place in seeing how !@#$ gets done, not just continue letting things happen to them because they can’t do anything about it anyway.

Uriel-238 (profile) says:

Re: "you will all pay dearly"

Such is the nature of warfare. As Bertrand Russell put it “War is not about who’s right, it’s about who’s left.”

The problem is that we’re paying pretty dearly already. And many, many of us are running out of things left to lose.

If you’re not one of them. If you still have life and family and money, then this should be a concern to you.

Uriel-238 (profile) says:

Re: This reminds me of a story.

A friend of mine found love in Canada. The love turned sour before he established citizenship but after he moved his stuff there (including valuables–love, oxytocin it can make a man do some stupid shit).

The woman in question is now caught up with some colorful characters, and despite prior promises otherwise, isn’t being very helpful in him getting his stuff back. Said colorful characters could be a threat were he to go up alone, and then there’s the logistics of customs.

We were joking around and talking about hiring a contingent of big men with guns to escort him while he collected his belongings. Burning her house to the ground is optional. And the question rose of legal issues that might rise.

On a lark we looked at the cost of hiring a Security Team, say from Xe or Academi or whatever they call themselves now (so many names!). If you can afford mercs, you can afford a legal team that could get OJ Simpson acquitted. Or even a prosecutor to assure there’s no indictment.

The cheaper option is to hire the local constabulary force to “enforce the law”, e.g. make sure you get to take all you want.

I suspect when the big companies start counter-hacking and crashing innocent go-between computers, they’ll never get prosecuted because they can afford to stay above it or quagmire the courts for decades.

So yeah, hack A to set up a false flag on B and watch the storm from a safe distance.

Anonymous Coward says:

Re: Re:

all the FBI would have to do is claim that the evidence is secret because of national security and therefore it cannot be shown. Boom, they say they have evidence that convicts their victim, and said victim is not allowed to see said evidence. Then the courts take the FBI on their word alone and the victim is convicted.

That One Guy (profile) says:

Re: Re: Re: Re:

If you’re already refusing to make public the evidence due to ‘National Security: Because Terrorists!‘ reasons, at that point it’s not much of a jump at all to just make up whatever ‘evidence’ you care to.

After all, the number of judges that will call you on it could be counted on a single hand, so the odds are fairly good that you’d get away with claiming whatever you wanted to.

Anonymous Coward says:

What would solve these problems would PERHAPS be if Sony stopped using passwords like ‘sony12345’ to protect root access to their servers and if Apple stopped the 10s of thousands of employees with access to iTunes to not use the same login details for their systems such as Bomgar and their CRM system…

Hell some of the OSX systems use apple as a username and apple as a password and this is used whenever someone ‘forgets’ their primary password!

Anonymous Coward says:

What happens if data goes "missing"?

I can see it now: some American company claims to have hacked a (say) Bolivian competitor, because evidence linking them to a hack attack was found. Unfortunately, however, in the time between the hack-back and the Bolivian company reacting, the data that shows what exactly happened was corrupted. There are lots of companies I can see doing this.

Anonymous Coward says:

There, a JPMorgan official proposed that the banks hit back from offshore locations…. The article notes, of course, that such attacks likely violate the CFAA

Which is probably why they want to do it offshore. Large corporations are experts in jurisdictional arbitrage. If they want to do something illegal, and can’t get it legalized, then, like the NSA, they’ll find some lawyer to invent a theory by which it’s already legal.

richard40 (profile) says:

I think the ethics of counter hacking depends on how it is done. If the goal is to destroy any net the attack is coming from, as others have pointed out that can just harm innocent victims, who have unwittingly become part of a hacker botnet. But what if the goal of the counter hack is not to harm the botnet target in any way, but to embed detection ability and counter hacking ability there so you can find out the ultimate director of that botnet. Then just keep going up the botnet chain until you reach the system that ultimately directs everything, and destroy them. That way, you are not actually denying any service to any innocent 3rd parties, and are only destroying legit targets.

Uriel-238 (profile) says:

Re: It's a very fancy model.

And it suffers from the same problem of torturing “only terrorists”; botnets are not built on a linear infrastructure but a chaotic one. A new order is tossed out to one at random and it disseminates to others at random (which do in turn as well) until all (or most) of the botnet is updated with the new directive.

It’s also possible that the botnet master looks identical to the rest of the botnet when looking from the botnet.

So you’d be trying to figure out in a swarm of flies which is the master fly.

I suspect the big companies will get frustrated and just choose to kill everything in the botnet.

John Fenderson (profile) says:

Re: Re:

“what if the goal of the counter hack is not to harm the botnet target in any way, but to embed detection ability and counter hacking ability there so you can find out the ultimate director of that botnet.”

In my view, that doesn’t change the ethics of it at all. If I have a machine that’s been coopted into a botnet, having a company “counterattack” by injecting their own code onto my machine means that I’ve been illegally and unjustly attacked by two parties instead of just one. I think anybody who does such a thing, regardless of their intention, is acting in an egregiously bad manner.

“That way, you are not actually denying any service to any innocent 3rd parties, and are only destroying legit targets.”

For this to make any sense, you have to believe that the only attacks that are worth objecting to are ones that cause a denial of service. Attacks that result in a denial of service, however, are the ones that are the least worrisome, not the most.
