Two members of the US House of Representatives today introduced a law bill that would allow hacking victims to seek revenge and hack the hackers who hacked them. The Active Cyber Defense Certainty Act (ACDC) [PDF] amends the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber-miscreants legal in …
this going to go well
I hope it passes, because I reckon the impact on me (several thousand miles away) will be quite limited. But it will be fantastic entertainment to watch from afar. Imagine the bunglers of Target, Equifax, Home Depot and all the rest trying to find and retaliate against their attackers? These corporations were clueless in the first place, so they'll be crap at finding those responsible, and worse at retaliation, and if they attack the wrong guys, presumably they'll be entitled to hit back, causing more chaos.
"Imagine the bunglers of Target, Equifax, Home Depot and all the rest trying to find and retaliate against their attackers?"
Until they start hiring armies of "cyber" mercenaries. Will 2018 be seen from a historic perspective as the beginning of the corporate war?
At least no-one will actually die, just spend the rest of their lives in legal disputes as the mess gets cleared up. oh... was that a hospital system I just wiped?
Some interesting scenarii to consider: find a poorly secured account on the, say, DoJ systems, log in there and use that to chuck whatever mildly worrying connections at a NSA subsystem.
Interesting side effect: as most people in charge have a very hazy understanding of "hacking", care to imagine what absolute mess would be achievable... heck, some network testing tools allow you to spoof the originating IP out of the box, no actual hacking needed...
I will say no more lest it gives Anonymous some "interesting" ideas.
This new law uses the same logic as arming children in order to protect schools from mass shootings. The only possible result is a bloodbath. And the only real motivation is to let the government dodge its responsibility to protect its citizens.
It's not even the same as arming children. /That/ would ensure that the children can shoot back at the time of the attack. /This/ law would still require you to collect evidence to prove who did it, check with law enforcement and compare notes, and then retaliate after everyone is dead.
If we assume that the police will respond to convincing evidence that one US citizen has committed a crime against another, on US soil, we can conclude that this new law would provide no new tools for the victims. Indeed, the lack of a response by the police could be the basis of a case by the accused that there was *not* sufficient evidence and that the so-called victim is the actual criminal here.
Totally fucking bonkers.
(from the article)
"Before hacking back, the IT department would have to submit some homework to the FBI's National Cyber Investigative Joint Task Force so the Feds can make sure national boundaries are being respected and that any action wouldn't interfere with an ongoing investigation."
And I wanted to have a bot do it, automagically. DAMMIT!
This is like "the 2nd amendment" for cyber-self-defense. Works for me.
A cop cannot be everywhere. Citizens have to take it upon themselves to report and stop crime. I don't know about the U.K. but here in the USA we have "citizen's arrest" laws, where if you catch someone "in the act" you have the right to arrest that person with REASONABLE FORCE [but criminals have black eyes, broken bones, missing teeth, and if he doesn't look like a criminal, the cops won't believe it, heh]. So yeah, if you witness someone stealing, raping, murdering, you have EVERY right to use deadly force in many cases, and that's the point. Citizens are as good as cops at stopping crime.
In this case, it's citizens with computers who could, in theory, do their OWN investigating. But seriously, if you detect an intrusion, putting up a shield may not be enough. You might have to do something to damage the other end, like trick them into downloading a trojan horse that wipes their hard drive or similar. If a bot kicks in a URL re-director that fakes them into going to the wrong web pages [for example], they end up downloading the trojan horse.
I'd be all for THAT. As an extra added bonus, the law contains liability insurance, so if you destroy some innocent person's computer, you have to pay for it. No biggee. It's the same if you shoot the wrong person. You're liable for that, too.
/me gets bumper sticker for PC: This Computer is Protected by Smith & Wesson
I'd be all for THAT. As an extra added bonus, the law contains liability insurance, so if you destroy some innocent person's computer, you have to pay for it. No biggee. It's the same if you shoot the wrong person. You're liable for that, too.
Bob, could you please let us know where you live, so that we all can avoid getting within 200 miles of that place - at least, not without body armour and heavily armed guard?
And shooting or otherwise killing a person is a "biggie" for most psychiatrically healthy people, regardless of whether that person is a criminal or an innocent bystander. Most people who have, or might have to do so require extensive training to be able to do it at all. A large fraction of those who end up doing it in real life do require extensive psychological and psychiatric counselling later on - even when the person they killed has been trying to kill them. It gets much worse when killing is unintended or accidental - many people placed in that situation never fully recover.
"You're making a big assumption about the mental health of the average american gun carrying individual."
Those who think like wildebeests have a hard time understanding those who think like LIONS. And they're too willing to judge, point fingers, and try to legislate them away. Except, without some who THINK like LIONS [who aren't necessarily lions, but understand them] you're at the mercy of the REAL LIONS. And that's the point.
My balls are just TOO BIG for me to think like a prey animal.
My balls are just TOO BIG for me to think like a prey animal.
The last couple of guys I heard boasting about how big their balls were dropped them PDQ when they realised I wasn't backing down from their threats. Sadly they had the sense to recognise a Tae Kwon Do stance (even though I haven't actually practised in like 20 years!), and left straight away.
The marbles they dropped on the ground as they ran were about the size I expected - something a newborn kitten would be ashamed of.
Afraid, like most who make such boasts, you sound much the same as them! :)
--> Me checking for wallets and valuables amongst the other stuff they left behind (we need a "Captain Runaway" icon!)
"My balls are just TOO BIG for me to think."
Fixed that for you, Zippy.
(Note to the cross-pond readers: Not all of us Yanks are as daft as Zippy, here. He's an unfortunate casualty of a steady diet of taco sauce and Ding Dongs. Probably the best method of dealing with him is as with any other troll ... simply don't feed him.)
"A large fraction of those who end up doing it in real life do require extensive psychological and psychiatric councelling later on - even when the person they killed has been trying to kill them."
not me - I'd make sure they stared right into my eyeballs as I stare into theirs, watching the life drain away. I'm the last thing they'd see on the way to HELL.
[THAT, by the way, makes me a *HARD* *TARGET* - meaning I'm in the house they avoid, or the person they avoid on the street or in a crowd - the one who FIGHTS BACK]
Sorry, I can't buy into your "prey animal" kind of thinking. I think like a predator. A self-disciplined predator who doesn't kill without reason. And I spent time in the military, and have been prepared to take a life in self-defense [or defense of others] since then. No problem.
The point is *TO* fight back. Make it hard for the criminal. Even if you're passive-aggressive about it, it's still fighting back. I prefer "active aggressive". And *revenge* is a GOOD thing. Enough people do it, and you see crime go WAY down, because there's now a PENALTY [potentially] for the bad behavior.
[this is not how SHEEPLE think. This is how men with BIG BALLS think.]
Cough! Cough! Staring into their eyes as their life drains away is
a GRAVE TACTICAL ERROR! AS YOU WELL SHOULD KNOW,
9mm and 7.62 rounds don't actually work that well at killing people
and said shootees TEND to STILL be able to shoot back even
AS their life EVER-SLOWLY drains away.
Nooooooo! You ALWAYS move off to the side and preferably north of their head
from at least a few feet (3 metres!) away STILL pointing your sidearm or your M4
at their heads. Then you can relax ONLY A TINY BIT! ---- Once they're not moving...
please do remember to pump two or more rounds point blank into the heart
JUST TO MAKE SURE that Dead Means Dead !!!
ONLY THEN can you call yourself a REAL MAN WITH BIG JUICY HUEVOS !!!
*Mentally ill man sees someone he doesn't like the look of in front of him in the queue at Walmart, pulls gun, kills with no warning*.
Same man, later: oh, was he a HARD TARGET? Totally my bad. Please make him all alive again.
/You utter twat
But how would they know you were a "hard target" a "house to avoid" until they actually targeted your house?
If we assume some random miscreant, then why would they know anything about you (or indeed the owner of whatever house they were breaking into)?
If we say the miscreant did (in whatever magical way) know you were a hard target, what's to say that although it may discourage some felons, others might be attracted to having a crack at the "hard target" as more of a challenge?
> [this is not how SHEEPLE think. This is how men with BIG BALLS think.]
[Mildly NSFW]: You are Buster Gonad and I claim my £5
Good Grief....I was wrong....
"[THAT, by the way, makes me a *HARD* *TARGET* - meaning I'm in the house they avoid, or the person they avoid on the street or in a crowd - the one who FIGHTS BACK]"
That's the one. Yep. forget my last post.
" And *revenge* is a GOOD thing"
oh sweet jebus....he keeps going further....
So folks, if you want to know what's wrong with America, I give you Bob - AKA Exhibit A. This is how they train their soldiers....
"So folks, if you want to know what's wrong with America, I give you Bob - AKA Exhibit A. This is how they train their soldiers...."
That and USA 'justice' is about "retribution with interest" rather than "repair and reconciliation"
Such policies have always led to escalating cycles of violence.
This is not like the second amendment for cyber security and it's not like "stand your ground" laws. In those cases you are (in theory) not retaliating to the attack, you're just taking action to keep yourself safe from an attack that is still ongoing.
The physical world equivalent of this sort of law would allow you to burgle the houses of people you suspect of being burglars. Utterly bonkers.
Sort of, isn't it rather like the police having to get a warrant from a judge before searching the home and premises of a suspected burglar? Though it reminds me of FindMyPhone incidents where the cops, despite being shown specific GPS data, decline to intervene and suggest the aggrieved party go there themselves and attempt to get their property back.
"Though it reminds of FindMyPhone incidents were the cops, despite being shown specific GPS data decline to intervene and suggest the aggrieved party go there themselves and attempt to get their property back,"
Yes, that particular issue is one that worries me, because it's effectively the cops _encouraging_ vigilante justice, when in a lot of cases the criminal is armed and has nothing to lose if a victim shows up.
If nothing else, your commentary is incredibly useful for providing an insight into the way certain individuals think.
Things to note:
- Lumping murder and rape together with robbery
- Using rape and murder as a comparison to copyright infringement / IP theft or other hacking related crimes
- Comparing a "caught in the act whilst physically present to witness" crime to a digital crime for which the thorough analysis of logs is required in order to confirm whether a crime has even taken place. The very quote you chose from the article means that an immediate response is excluded from this law.
Overall you come off very "kill 'em all and let god sort 'em out", even without your S&W bumper sticker. That's just the teflon on the tip.
/me isn't worried about your Smith & Wesson when I'm thousands of 0.62 miles away.
And I wanted to have a bot do it, automagically. DAMMIT!
No problem, you can have your bot submit the paperwork to the FBI at the same time as it launches the retaliatory strike. The whole process doesn't need to take more than a few seconds.
There's no mention of "waiting for the FBI to respond" to your notification.
Bob announces that he will hack back against anybody who attacks him.
So Mallory impersonates Alice and attacks Bob. Doesn't need to be a big or effective attack.
Bob detects the attack and launches a hack-back against Alice.
Alice's network is now trashed, and Bob claims he was retaliating legally.
Congress seems to be a bunch of Chaos Monkeys.
They're an odd mix of throttlingly tight control in some areas (copyright - where money is at risk but lives aren't) and "go get 'em tiger" chaos in others (abhorrently loose gun control - where lives are at risk but money isn't).
This revenge hack thing sits firmly under chaos, the necessity of which is driven by "corporate / IP" psychopathy.
Very plain to see what's important to those who occupy the halls of power in the ol' US of A. Land of the free, so long as you can wrench that freedom from thy neighbour's cold dead hand like the true winner you are!
U! S! A!
U! S! A!
U! S! A!
P.S. If this law passes, the ultimate challenge to a black hat hacker is this:
Create a circle of forever legitimate revenge attacks between Apple, Google, Facebook, and Microsoft.
Not Alice - see "Joe job". Misdirected reactions since 1996.
These things happen all the time in the physical world, especially when one of the actors is going through an acute paranoia phase, and has copious amounts of ammo lying around. Very frequently, they do not even require a malicious, misdirecting agent, and come from either a purely accidental glitch somewhere, or because of a misinterpretation of an innocent mistake. See (among many others) the Tonkin incident and KAL 007 incident.
I am really looking forward to some cowboy "defending" himself by trashing my systems after misinterpreting his logs showing my e-mail arriving 5 minutes before his 15-year-old SCSI disk array finally gave up the ghost due to an advanced old age - which will inevitably happen if laws like this one come into force.
Most people understand the 'joe job' problem. I've been Joe-jobbed a couple of times. Fortunately the web service that handles domain e-mails added the ability to put the correct MX DNS info records in place to specify which servers are authorized to send e-mail for the domain, and I haven't seen it happen since.
In one joe-job case that I allegedly heard about, the alleged perps allegedly had an alleged server running in an alleged country that is well known for having compromised servers and NOT responding to alleged abuse reports because alleged mail service was filtering the abuse reports as "spam". Allegedly. And it allegedly had the usual "fake rolex" and "fake handbag" web sites on it. And it allegedly got flooded with specially crafted (not illegal) HTTP requests that shut it down for a significant amount of time (allegedly exploiting a bug in the way they were re-directing via the "probably compromised" web server), on multiple occasions, with "stop joe jobbing XXX" allegedly being PROMINENT in the logs, allegedly. Yeah, no retaliation THERE, right?
added the ability to put the correct MX DNS info records in place to specify which servers are authorized to send e-mail for the domain, and I haven't seen it happen since.
Ahh bless. You think anyone takes any notice of that? AOL certainly doesn't (yes, I've had bounces from AOL of spam that's come nowhere near my systems and the originating IP isn't even in the same country as me).
In short, like most of SMTP - those domain SPF records are only any use if receiving domains check them. And a large minority don't.
@Bill Stewart
Congress seems to be a bunch of Chaos Monkeys.
"Bob announces that he will hack back against anybody who attacks him."
heh, I wouldn't announce it, just do it.
That's where the liability comes in - if you don't cover your ass and get the right target, you're as bad as the perp [and so YOU get in trouble]. Unless it becomes a ginormous free-for-all, in which case, popcorn please.
"So Mallory impersonates Alice and attacks Bob. Doesn't need to be a big or effective attack."
swap "XYZ state-sponsored attack team" for Mallory, who hacks into Alice, attacks Bob and then disappears into the night, carefully deleting logfiles which might identify them.
Then sit back and enjoy the popcorn.