US Congress mulls first 'hack back' revenge law. And yup, you can guess what it'll let people do

Two members of the US House of Representatives today introduced a law bill that would allow hacking victims to seek revenge and hack the hackers who hacked them. The Active Cyber Defense Certainty Act (ACDC) [PDF] amends the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber-miscreants legal in …

        1. Anonymous Coward
          Anonymous Coward

          Re: Hacking back against forged attacks

          Please don't judge the military by Crazy Bob's remarks any more than you should judge Americans.

          You will probably have seen a lot of stuff recently on forces mental health, especially Prince Harry's involvement. Actual professionals know that whatever size of balls you have, killing is terrible for the perpetrator, though clearly not as bad as for the victim.

        2. Alan Brown Silver badge

          Re: Hacking back against forged attacks

          > Yes Bob, considering your batshit insane attitude to everything

          It covers why he's ex-military. The Batshit Insane ones generally get weeded out early in their careers.

  1. anonymous boring coward Silver badge

    Very intelligent. Vigilante law. Real victims won't have the resources, so they will turn to a suitable avenger, for a fee of course. Proof that they were wronged in the first place? Details... That can be arranged too.

  2. elDog

    150,000,000 americans plus several million others can hack Equifax?

    Perfect. I'll set my IoT borgs on the task right now. Oh, by the way, I'll spoof the headers to show it comes from the us congress.

    Hey, this is a joke and is covered by the 36th amendment. Parody of absurdity is reality.

    1. bombastic bob Silver badge
      Trollface

      Re: 150,000,000 americans plus several million others can hack Equifax?

      "Perfect. I'll set my IoT borgs on the task right now. Oh, by the way, I'll spoof the headers to show it comes from the us congress."

      works for me. thanks for the idea.

    2. anonymous boring coward Silver badge

      Re: 150,000,000 americans plus several million others can hack Equifax?

      Spoofing headers may fool some typical users. It won't make any difference to NSA however.

  3. AceRimmer1980
    Coat

    ACDC?

    Cyberspace

    Dirty Deeds Done Dirt Cheap

    Dog Eat Dog

    Got You by the Balls

    etc.

    1. KLane

      Re: ACDC?

      How could you forget 'Highway To Hell'???

      1. Roj Blake Silver badge

        Re: ACDC?

        Back in Black (hat)

    2. The Indomitable Gall

      Re: ACDC?

...but not Breakin' the Rules, sadly.

      1. Omgwtfbbqtime
        Mushroom

        Re: ACDC?

        Time to sell a suite of easy to use hacking tools called Thunderstruck.

  4. Anonymous Coward
    Windows

    At least there is a discussion

    This article made my minute.

    On the face of it a discussion is at least happening somewhere about what happens in a "land" called the internet. It's almost as though the internet has finally become a thing.

    ... mmm beer ....

  5. Magani
    Pint

    Location, Location, Location...

    ... so the Feds can make sure national boundaries are being respected...

Whose national boundaries? Are they concerned that someone in the US of A is being targeted and want to stop it, or are they really worried about the national boundaries of Burkina Faso or one of the 'stans, or the two largest countries in Asia?

    I'll bet a dead dingo's donger that the Feds are only concerned about one nation's boundaries.

    (No icon for a DDD, so have a beer instead.)

  6. a_yank_lurker

    Congress Critters

No one ever accused Congress critters of being intelligent or ethical. In fact, it is a good assumption to assume that adding up the IQs of all the critters would result in a large negative number. And it is a good assumption they are on someone else's till as well as the US taxpayers'. Party affiliation only influences whose payroll they are on.

    1. CrazyOldCatMan Silver badge

      Re: Congress Critters

IQs of all the critters would result in a large negative number

      AKA - they reduce the IQ of an empty room by walking in..

  7. isogen74

    Machine != Hacker

The main issue as I see it is that most hacks are bounced via other compromised machines first. As noted in the classic movie "Hackers", you don't hack a bank from your house... because that's just stupid. If you allow retaliation attacks then really you're in all likelihood just setting people off against machines owned by other "good guys". The "bad guys" are long gone.

    1. bombastic bob Silver badge
      Devil

      Re: Machine != Hacker

      well, if you do things properly on YOUR end, researching the hack/crack, it becomes obvious when a web site is being used as a "pure re-director". A little research may lead you to the REAL web site (or person doing the shell access cracking, whichever), especially for things _LIKE_ when the POST transactions in a fake web page reveal exactly where that is [for getting your credit card info, for example]. If your server is the re-director, then you study the logs to see where everything is going, and go from there. That kind of thing. Or if it's someone else, you can often determine where it REALLY came from through various means.

      From that point, the lazy coder's or incompetent script-kiddie's ass is YOURS. Just "follow the money" (or in this case, the IP address of the server doing the credit card stuff or intrusions). Notifying the credit card companies along the way is an extra added 'bonus'.

(I would normally expect crack attempts to come in via web site requests as a vector, unless you allow ssh access for more than one or two obscure user names with either proper pass-PHRASES or cert-only, or both)

  8. Anonymous Coward
    Anonymous Coward

    What if it's the NSA probing my network?

    This won't end well...

  9. Will Godfrey Silver badge
    Unhappy

    Pah!

Against man's politicians' stupidity, the gods themselves contend in vain.

    1. Commswonk

      Re: Pah!

      I just had to log in for the sole purpose of giving that an upvote.

  10. Anonymous Coward
    Anonymous Coward

    Such a "law" already exists in some countries

    I know that where we are, we're legally in the clear if we mount a DDoS on networks that seek to hack our infrastructure, provided we preserve the evidence. However, the problem is that traffic is easy to fake, either at IP level if you're not concerned about return traffic, or via proxy through a hacked resource like a breached WP site, so we could end up being used to zap an innocent entity who just has rubbish security. You may consider that deserved, but that's not how we tick.

    The funny thing is that if other countries implement such a measure, the US will get blasted from all over the place given how often US companies and government get breached.

    The recipe is thus:

    1 - re-hack OPM and install a proxy

    2 - hack whitehouse.gov

    3 - as bonus, maybe hack trump<anything>.com

    4 - point them at each other

    5 - buy popcorn and watch the show.

    Where did all the smart people go? Canada?

  11. jake Silver badge

    A "law bill"?

    https://www.youtube.com/watch?v=Otbml6WIQPo

    It's not only a good idea, it's the law ;-)

  12. Anonymous Coward
    Anonymous Coward

    Femto-poll

    Is the word 'cyber' dead or not? Is it terribly undignified to try to use it since maybe a generation ago? I think so. Convince me otherwise (please!) so I needn't facepalm every time I hear someone say it as though it's a meaningful, professional term. I would prefer to be wrong, and merely be reminded about how I was wrong, each time... it would be Significantly Less Horrible™

    1. Jamie Jones Silver badge

      Re: Femto-poll

When your digital doppelganger is regularly surfing the information superhighway, and conversing with good netiquette with people in this virtual playground, it's easy to forget what's happening in meatspace. As such, who knows if words like 'cyber' are still used out in the wild?

      1. The Indomitable Gall

        Re: Femto-poll

        Who let all those cats out onto the information superhighway? There's going to be a pretty messy accident...

    2. Destroy All Monsters Silver badge
      Alien

      Re: Femto-poll

No, and additionally we are now moving to ICE (Intrusion Countermeasure Electronics).

      No signs of demons in the slot-in cartridges yet, sadly. The real world stays boring.

    3. Anonymous Coward
      Meh

      ...

      Been trying to think of an answer to the obvious question: what not-horrible term, or ordinary term with not-horrible common usage, should everyone be using instead?

      Maybe techno-? (ignoring the bucket of electronic music) I couldn't think of one with roughly the same coverage. Sheeit. So what is my problem? Do I hate the word, or its use, or its abuse, or something else-- such as the way its users seem to be trying to manufacture the sound of knowing WTF they're talking about? Not sure... of course that last one would be the irritating one only because it proves to me that I CAN recognize that pattern, forces me to admit I've seen it before, and burns off any hope of using ignorance as an excuse.

      Maybe that's all there was.

      Might use Greasemonkey to change it to sighber or derper or whatever, something fun.

    4. Seajay#

      Re: Femto-poll

      https://xkcd.com/1573/

      Case closed

  13. Red Bren

    American Logic

    If we all have more guns, there will be less shootings.

    If we all have hacking tools, there will be less hacking.

Perhaps the US government would get better results by insisting that software must be fit for purpose before being sold?

    1. HieronymusBloggs

      Re: American Logic

"Perhaps the US government would get better results by insisting that software must be fit for purpose before being sold?"

      That would be of limited value, considering the amount of software that doesn't need to be bought to acquire it. Or was that your point?

    2. hplasm
      Facepalm

      Re: American Logic

      Zeroth Law:

      If we all have more stupid, there will be less intelligence.

  14. Version 1.0 Silver badge

    Cool!

    So we can all hack the US Government back now without worrying about getting extradited? Milud, I was just hacking them back as permitted under the US Active Cyber Defense Certainty Act.

    Case dismissed.

    1. bombastic bob Silver badge
      Devil

      Re: Cool!

      "So we can all hack the US Government back now without worrying about getting extradited?"

      you have MY permission, if they're invading your computer without probable cause, and without any kind of legal approval in the UK. They should get a UK warrant first. Then it would be _legal_ in the UK to do that. Or let the UK gummint do it on the US gummint's behalf. Then it's all above-board diplomatically.

      But invading your computers? bad idea. hack 'em back. [if you don't mind the legal fees associated with defending yourself, anyway, and IANAL so my legal advice is probably worthless]

  15. handleoclast
    FAIL

    An analogy

    I came up with an analogy to explain to the politicians why this is such a very bad idea. It goes like this...

    The Las Vegas mass shooting was terrible.

    Maybe everyone should be armed.

    And legally permitted to shoot back in retaliation.

    That way, when a crazed gunman starts firing, everyone will fire back at him.

    Problem solved.

    Of course, a moment's thought shows this to be an astoundingly bad idea. Most people are very bad at handling guns. Couldn't hit the side of a barn at two paces. There will be bullets flying everywhere. Somebody is going to get hit accidentally, causing his friends to return fire at somebody who was trying to hit the crazed gunman but instead hit a spectator. His friends are going to retaliate. Pretty soon everybody is shooting at everybody else, and the crazed gunman shits himself from laughter.

    That, privileged white gentlemen, is exactly how your cyber-retaliation will play out. It isn't just ineffective, it actually makes matters a lot worse.

    To which the response is "I cain't see nothing wrong with arming everywun like the saycond amendmunt sayes. Freedumb!" and they pass the cyber-retaliation bill too.

    1. Terry 6 Silver badge

      Re: An analogy

      Yep. The NRA would go for it.

    2. Destroy All Monsters Silver badge

      Re: An analogy

      Well, I don't think we will know until we have tried it,

      Best case, it will work.

      Worst case, less people dead than there would be otherwise.

    3. Laura Kerr
      Thumb Up

      Re: An analogy

      "Pretty soon everybody is shooting at everybody else, and the crazed gunman shits himself from laughter."

      Taking that to its ultimate conclusion, the gunman wouldn't even need a gun. Just to let off some firecrackers, stand well back and watch everyone slaughter each other.

      Anyone remember the film Hopscotch?

  16. allthecoolshortnamesweretaken

    Sure, go ahead with this.

    We all know that the best defense is a preemptive attack, right?

  17. Anonymous Coward
    Anonymous Coward

    Oh my. What. How. No way. Yup, totally okay with this - can't see how it could possibly go wrong.

    F**k.

  18. Nolveys
    Mushroom

    Whelp...

    ...time to figure out how to get Fail2ban to call Metasploit. But what should I use for a payload? Maybe the payload should be Fail2ban and Metasploit.

    1. bombastic bob Silver badge
      Happy

      Re: Whelp...

      "time to figure out how to get Fail2ban to call Metasploit"

      I call that "a good start" - heh. Unfortunately, con-grab wants gummint in the loop. DAMMIT.

  19. W. Anderson

    stupider and stupider

Those two members of US Congress and many others in both the House (of Representatives) and Senate are just as daft as their President to put forth such a stupid, unenforceable Bill.

If the US CIA, FBI, Department of Defense, European and Asian security agencies, and the top technology companies in the world cannot prove - without question and with full verification - who hacked them, how in God's name is an individual or any other entity going to bring about a legitimate counter-hack result?

    The idiocy of Donald Trump is apparently rubbing off very quickly and completely onto Republican law makers.

    1. bombastic bob Silver badge
      Devil

      Re: stupider and stupider

"how in God's name is an individual or any other entity going to bring about a legitimate counter-hack result?"

      it's been done before [locating the perp]. An enterprising and intelligent operator of a router system did it once, back in the 90's. I can't recall his name, but he got the FBI involved because he was seeing some really unusual activity... and as it turned out, it was someone trying to crack into gummint computers, if I remember correctly.

      Someone at an ISP could assist a company in doing the same thing, or if you have your own routers [that can display the right kind of info], you could do it yourself.

      even WireShark can be very helpful.

auto-redirect routing to a honeypot server - even better. make it nice and sweet. download that trojan, yeah! let it phone home, and we'll see who you REALLY are! back-door THAT machine, look for back doors already there, and keep digging until you find the perp. chances are, he's not protecting himself very well... thinking "TOR" will anonymize him. Uh, huh... and then you examine his facebook cookie, his twitter cookie, his microsoft login cookie, ...

      1. handleoclast

        Re: stupider and stupider

        @bombastic bob

        it's been done before

        The only thing I can think of remotely similar to your account, in that timeframe, was Clifford Stoll and he wrote a book about it called Cuckoo's Egg.

        It was in 1986 rather than the 90s. And he was monitoring dial-up modems not routers. My increasingly-unreliable memory tells me people were tromboning dial-up systems to get to his, not using the nascent Internet. And the on-line world was a much smaller place back then. And he was lucky. And his opponents weren't too clever. Apart from all that, it's a perfect match.

        Oh, and Stoll is very, very clever. Even if his youtube videos give a completely different impression (like the one where he accidentally started a fire in his kitchen).

        It's not as easy as you imply to track these people down and retaliate. If only because they're using botnets so all you're likely to do is trash thousands of computers belonging to innocent people without ever hitting the person responsible (other than by diminishing the size of his botnet).

        Dramatization of Stoll's story (probably uploaded in violation of copyright, so don't watch if you're squeamish about that sort of thing) here.

  20. razorfishsl

It is a stupid idea,

from morons with a one-dimensional thought process.

Since most hackers with any brains use other people's systems, where does that leave retaliation?

  21. Blotto Silver badge

    THE IT-TEAM!!!

    "In 2017, a crack commando unit was sent to prison by a military court for a hack they didn't commit. These men promptly escaped from a maximum security stockade to the Los Angeles underground. Today, still wanted by the government they survive as soldiers of fortune. If you have a problem, if no one else can help, and if you can find them....maybe you can hire The IT-Team."

    1. hplasm
      Devil

      Re: THE IT-TEAM!!!

      ...if you can find them....maybe you can hire The IT-Crowd.

      Reality bites...

  22. Mikey

    What you really need to remember is...

    ...That the average US internet connection is about as fast as a crippled snail on morphine, so the actual utility of this word-embellished piece of bog roll is diminished to the point of utter uselessness anyway.

    Plus most ISPs would either block it or charge you more for a premium 'Retaliation Plus' service which coincidentally is only available as an upgrade to our Platinum Service and would you kindly sign here for only $74.99 a month extra....

  23. Alexander Hanff 1

    So they would be able to hack the NSA, CIA and other TLAs now? Or did they include an exemption for security services hacking you?

  24. Wolfclaw

Should be good for a laugh: US says it's OK for a US company to hack an EU computer, illegal in the EU. Who gets prosecuted, the dude who did it, the boss that ordered it, the CEO, and would they ever get extradited?

EU geezer hacks back against a US company that wrongly hacked him, illegal in the EU but justified in the US. Oh, but wait, the US company goes crying to the FBI and asks for help... oh, what a can of worms!
