All We Want Is Whatever's On Your Machine

kubla2000 writes: "A breathless story about how the best defense against [fill in the blank: piracy, virii, hacking] is a good offense at CNet. What struck me most though is that in the midst of the rant from Timothy Mullen (no stranger to hacking the hack as this story from computerworld magazine shows, was a throw-away line justifying the RIAA and MPAA's appeal to Congress to make it legal to do this! It seems the bandwagons have started rolling. Who's next to jump on?"

Measure for measure

If they should be able to run code at our computers, they increase the security risk, since viruses may exploit these programs.

OK, time to fire up the worms...

I seem to recall stories of hackers gaiing access to machines, then closing up all the security holes so the machine would stay 'theirs'....

Who wants to get together and build a worm that does nothing but fix known security problems? We can make it grab all it's data from a chat-room, or web page, so it can stay small, but call upon a large database of known exploits, download them to the machine, and execute them...

Perhaps self modifying? To take advantage of newer exploits as they are found, so it can continue spreading itself? (Again data taken from IRC or Web URL) Perhaps just several variants of the worm...

What fun we could have!

Re:OK, time to fire up the worms...

And what are the consequences if your worm has just one bug?

How would you "recall" a faulty worm? Write another worm to chase it and kill it? Get real.

Blaming the Victims

of a virus attack doesn't sound like good public
policy to me.

This can't be a good thing: just think of
the court cases, and the added burden on the legal system.

Imagine a scenario like this:
Company A, B, and C are infected with viruses.
Company A tells Company B to "santize your systems, and stop infecting us, !". Company B has santizied it's system, and tells Company A to "go pound salt".

Company A, unknowingly infected by Company C but still blaming Company B shuts down Company B's system. Company B is not happy.

Company B manages to bring it's system back up, and shuts down Company A in retribution.

Lawsuits ensue. The courts, which could be ruling on citizen's issues instead, (like, say, overruling the DCMA), become backed up with corporate bickering. The citizens lose. Ugly situation.

And that's not touching on any of the questionable ethics of government sponsored vigilantism. I'll
leave that flamewar to others -- I imagine things will get quite toasty.

BlameGame

We've already seen something akin to this, at least on a small scale.

Working as a telephone tech support person for a non-tech sector company, Klez was particularly annoying as we would get angry telephone calls from our own corporate executives about how our server based antivirus program wasn't working, as they were getting angry emails from people at other companies telling them to stop sending them the Klez virus.

All because the damn thing sent false header information and someone outside both companies had been infected, people would continue to blame the wrong parties when their own antivirus program would point them at the wrong culprit, despite all the media stories explaining the damn thing in clear detail.

We had a number of execs refuse to believe us when we told them their machine was clean, as "obviously" we were wrong according to the people at the other company. Even had one high up try to install her own antivirus program because she didn't trust ours and ended up trashing her computer.

I just loved the whole telephone support deal during the peak Klez season. :P

Re:BlameGame

At the web hosting company I work for, we still get complaints from clients insisting that our mail server must have a virus because people keep sending them mail complaining of Klez attacks from their email addresses. Even explaining to them that their mail account is on a Linux server that can't be infected by Klez doesn't do any good with some of 'em... ;)

The idea of using worms or exploits to fix holes in systems you don't own, now...I think it's a bad one. The intent might be benign, but the results would likely be ugly. A worm that alters a system enough to close a security hole (even using an "official" patch or hotfix) could do some serious unintentional damage to a machine. Bugs in the worm itself, unusual system configurations, obscure software conflicts...the potential for completely breaking the target system is pretty high.

Besides which, I don't believe anyone has the right to invade a system they don't own for any reason, benign or otherwise. I am all for convincing the owners of infected machines to clean them up, but there are ways to do this without cracking their systems. Complain to their ISP, their CEO, or someone else who can pull the plug on them until the problem is fixed, if you like. It may not work in all cases, but it can't hurt, and if it doesn't work..well, that's life on the Internet. ;)

DennyK

Incoherant headline

Time to burn some karma...

Is it me, or is this story's headline totally incoherant? I re-read it twice and still only have a vague clue of what the links are going to be about. He couldn't even take some time to proofread or even close his parenthesis.

Re:Incoherant headline

> Is it me, or is this story's headline totally
> incoherant?

No, it's cut straight out of 'The Slashdot Guide for Guaranteeing your Submission is Accepted', chapter 2 which discusses creating a sensationalist headline that enables people to leap to conclusions about a story before reading it.

Bonus points are awarded for managing to make it sound like it's an issue of the man against the little man.

Cause yeah, I picked that up too.. the headline and following text had almost nothing to do with the actual story.

I'd suggest the guy submitted before reading the story, but trying to comprehend the lack of thought that would require makes my brain hurt.

Breathless? Not really..

I thought it was fairly well balanced actually. Outlined the problems of "hacking back" in language that everyone can understand...

Right on!

I really hope this catches on. Then all you have to do is send some virified email to your target before you hack it. "Sorry 'bout the thousands of dollars worth of downtime I caused you, but your network was spreading Nimda." It's a great idea, really it is.

What article did Timothy read?

I don't see where Mullen defends the "DOS for the sake of copyright."

What he says on the issue is:

Mullen said his hack-back idea is different because it is designed to improve the security of cyberspace and would not harm any computer systems.

What he seems to be advocating is decriminalization of defending your computer against an active attack. I tend to agree. It's like saying it isn't theft to take a crowbar away from someone who is using it to jimmy your front door.

The author has blurred all sorts of lines, viruses and worms, copyright and attack, defense of ones computer and defense of ones IP.

I'd be interested to hear Mullen's comments on the story.

-Peter

Vigilante justice is not the solution

Vigilante justice is not the solution. When I discover someone has burgled my house, and I have reason to believe I KNOW who did it, that does not entitle me to go break into their house to take my stuff back and avenge myself upon them.

It's important to remember WHY vigilante actions are generally illegal:

• They are highly error prone
• They effectively invalidate all of the accused rights summarily.
• They lead to chains of criminal behavior that can be hard to unravel.

I can only think of one set of circumstances in which our culture and law condone vigilante justice: self defense of a human being against bodily harm.

It is important to remember that computer crime is almost universally property crime. With rare exceptions there is absolutely no danger to the person of a human being posed by computer cracking, and thus no reasonable basis for authorizing vigilante justice.

Re:Vigilante justice is not the solution

In general you have just as much authority to use force to defend another person from violence as you do to defend yourself. Even if you don't know the person.

Sure, no problem there. I don't see anything in my statements that suggested that you didn't have as much right to use violence to defend someone else from bodily harm as you do to defend yourself from bodily harm.

I live in Colorado where I may shoot a person dead if he is both 1. on my property and 2. I have reasonable cause to beleive he is or is about to commit another crime (against a person or property.)

Interesting. In most of the states who's laws I am familiar with the right to shoot an intruder in your home dead is rested firmly on the assupmtion in the law that someone who is breaking into your home if perfectly willing to use lethal force against you, thus reducing it to a defense against bodily harm case. In most states I believe the simple act of them breaking into your home is sufficient cause for you to reasonably believe they intend to harm you. I've never seen any state provide justification for the use of lethal force based on a justification of defense of property. Perhaps Colorado is different.

I think your opinion is based more on your pacifistic world-view than on any actual facts.

I think perhaps I've not communicated to you clearly. You are perhaps the first person I've encountered who has ever accused me of pacifism. I have no problems whatsoever with the application of force within reasonable limits, as proscibed by law. I also happen to believe that the right to use lethal force against an intruder in your home based upon the assumption that they intended to do you harm is reasonable. That is hardly the point of view of a pacifist.

Well, you have really twisted my example around. Someone actively attacking your computer (network) or actively breaking into your house is not related to your vigilante revenge scenario in any way, so I'll dismiss it out of hand.

Ah... I think I see where some of the confusion is now. Please note the tense I used with the word burgled. Someone currently, actively, burgling your home is a direct threat to your person for which you can reasonably respond with deadly force in most states. Belief that someone has, at some point in the past burgled is quite different as it carries no threat of bodily harm.

The point I was attempting to make is this: those senarios in which the criminal conduct of another person are grounds justifying retaliatory action which is normally proscribed by law are generally limited to cases involving the threat of bodily harm to a person. I know of no examples in US law permitting actions normally proscribed by law being justified by crimes or threats against property ( with the possible exception of your assertion with regard to Colorado state law).

Not exactly a suprise

First they attempt to litigate, but they don't get the 100 percent returns they want. Then they try and remove our rights through precedent. After they get tired of precedent they buy off some disney lawmakers. They make it illegal to even teach people how to circumvent technological countermeasures to remove our fair use.

Then through precedent, they make it illegal to link to pages which teach others how to circumvent technological countermeasures which remove our fair use.

They have found the best route to getting their way. Disney politicians who can be bought, as they were bought by enron.

We have got to change the american political structure. We must mandate 100% disclosure of personal monies and campaign contributions of all politically elected officials.

In the meantime, perhaps autohack-backs on DoS need to start getting spread around.

Who cares if you take down huge portions of the net, at least you'll get back at the RIAA for putting people like Britney Spears out there.

Legal DOS Attacks

Wouldn't any DOS-attack against an alleged "offender" also hit the bandwidth/resources of all the innocent systems along the way? I'm not sure how this wouldn't create lots of collateral damage for people who aren't involved.

Random dead body search...

If these stupid laws were passed, what would stop government agencies from just randomly entering your house to search for just about anything they thought you might have in there?

Nothing would displease me more than waking up at 4am to discuss with a fireman who has a key to my frontdoor, the dangers of not having a smoke alarm.

Seems more and more, you're guilty until you've been proved innocent.

RIAA or MPAA come a knockin on my machine with the 'l33t0 toolz' they have, i'm perfectly within my rights to retaliate... afterall I dont live in the US of A.

The only way to stop hackers

Ninja. Lots of them.

Real life

In real life, if you're suspected of holding illegal copies of something your premises can be raided (with a warrant) and the items confiscated. If you're suspected of carrying a harmful virus that can easily be spread (i.e. your a public risk) then you can be quarantined. They can't treat you with out consent but they can still keep you away from the public.

(you can just tell when your about to be modded down, yet you still cant help posting)

antibiotics arms race

Seems to me that the RIAA and other such groups should think twice before declaring the start of this new arms race.

It's like doctors questioning the overprescription of antibiotics -- the more agressive their weapons become, the more clever we will become in working around them. Increased use of antibiotics and other agressive medicine is creating superbugs. The same is true online:

As the internet becomes more dangerous for p2p networks, only the stronger networks will survive.

what a great idea!

I think we should all have the right to hack the people responsible for all of the stupid viruses we have today!

...and the best part is, Microsoft will never see it coming!

Legally tenuous, surely?

If this article were advocating that people could go on "white-hat" vigilante attacks against people they didn't like, everyone would point out how ridiculous that would be. Well this is really pretty similar, because if you say that it is legal to crack computers causing problems to other computers, then you have all kinds of ways of weasling out of trouble for cracking. Script kiddies would be delighted!

As usual, this just sidesteps the more important issue which is that of secure software. If Microsoft tied up he bugs in Outlook and finally realised/admitted that secure by default is more important than snazzy and integrated by default, we wouldn't have half these problems. And if the software industry in general were really made to be more careful about its security, we could sit back and relax *a little*.

This sort of idea does little to prevent malicious scripts, and does a lot of encourage vigilantism, which is exactly the sort of nonsense that just makes things worse, and opens the legal doors to companies cracking into your computer to check if you've written about their products (y'never know lol).

Use the RIAA's own tools against them...

I'm no UNIX head (I just got Mac OSX a while back), and I recently remember reading about the RIAA wanting to sabotage our computers if they're running XNap, LimeWire, Kaaza, Morpheus [insert your favorite file sharing program here]. Would it be theoretically possible with UNIX/Linux/Mac OS X to take whatever DOS attacks the RIAA initiates, and somehow pipe them through right back at their own machines (using different port numbers, etc...)? I don't think it would be difficult to set up a port scanning program to detect "what was going on" and send DOS attack back right at them. They'd bring their own systems down very quickly that way if it works.

Asking for trouble...

Come on, wake up and smell the coffee/pizza/flowers or whatever you want to smell, but there's no way "self defense" cracking is going to become legal. Without someone drawing the lines, the line between cracking and "self defense" will be very blurred:

"Well, his computer pinged me a few times, so I used a buffer overflow to gain access to his machine, and formatted his harddrive."

As you can see, there are two issues that are left unresolved: what defines an illegal attack, and what defines an appropriate "counter attack".

As for this falling under a self-defense part of the law, I would suggest looking at the goal of self-defense: stopping an attack against you. Self defense does not mean kill someone, does not mean detain someone, or anything else. Although it is possible that those could be necessary in an act of self defense, in most cases they are not.

With all this in mind, take a look at how you can stop the attack on you. The best way would be with a firewall or patching the problem. From there on, you should report the problem to the authorities (ala "real life"), probably being the machine's isp, and possibly the police/fbi.

Vigilanties are not protected by the law, and their best hope is to convince a jury/judge that they were doing the "right thing". Unfortunately, most of them aren't qualified to make that decision :]

Isn't it obvious?

If hacking is illegal, only criminals will hack.

To protect ourselves, we need to make justified hacking legal!

God knows the world doesn't have enough hackers.

Now, seriously... if it's possible to do something nasty, like spreading a virus or disabling a remote system, someone will do it - regardless of what the law says. This is true of all laws, whether we like it or not. There are two important differences in the 'digital' world:

- The Internet is such a hopelessly confused tangle of metaphors that often we have trouble telling exactly how our normal ideas apply.

- The Internet is not like the physical world, and often our ideas don't apply.

Now, the point here is that while laws can help protect the Internet, the actual solution - perhaps the only solution - is for our machines to protect themselves. No - that's the wrong metaphor. There's no reason a computer needs to start running a bit of malicious code just because of a bunch of bytes it happens to read through the network. Our computers can only be hurt by others if they themselves allow it.

I told my wife

Not to clean the mess I make in my computer room.
Leave all those papers where they are,
Don't touch anything, I like my computer room this way.

Now, I should go to my rep. and told him not to touch my computer. If it is full of virus, leave it like that. I like it the way it is. Thanks.

same old script, different character names

this would most likely fall under the category of "those who would give up essential liberties for a little temporary security deserve neither" (and all its variations through history)

Basically, even if you take away the factor of 'trade offs' (of security/privacy vs freedom) and personal freedom in general, the fact is that history has proven that such tactics in the end not only fail to accomplish their goal, but the cost to achieve this failure only adds more injury. What finally adds insult is the fact that the vast majority of time, the problems actually become WORSE, whether from direct or indirect results.

Now the part that pisses me off is people's response to this little historical lesson. Many refuse to actually heed the lesson but only bastardize aspects of it to fit their self centered needs. This is much akin (in many ways) to the situation where a child will justify (instead of reason) with very hand selected 'facts' as arguments simply to get some nintendo game, cd, bike, etc. Any sort of logical analysis and use of reason is only mimicked and faked. When people like this never grow out of this but age chronologically they continue to use such 'thinking' to justify positions in things like politics and lifestyle choices.

Well, either way... even if self labled 'heroes of the people' that are in reality only petty whoring thieves choose to use this fact as an excuse I suppose there is nothing to be done about it. The fact remains, regardless of how the short sighted, greedy, and manipulative sheep refuse to acknowledge that their actions cause more problems form them and others down the road (as if they EVER trully think of anyone else), the problem requires education not FUD or their reactive responsive FUD.

A few questions...

I have a few questions about this article perhaps someone can share some insight.

1. The bill, proposed by Congressman Howard Berman, D-Calif., would protect copyright holders from liability if they place destructive decoy digital files into peer-to-peer networks to penalize users.

Mullen said his hack-back idea is different because it is designed to improve the security of cyberspace and would not harm any computer systems.

Now, First off, putting destructive material on any computer is harming it. Am I mistaken here? I mean lets say I decided to put out a bogus .mp3 file on one of these peer-to-peer networks that is not really a mp3 file, but a program that removes lets say (insert favorite media player here) and deletes all of your mpeg files, divx files and mp3 files. Is that detructive or not?

2. To counter this, Mullen has come up with a way for machines that have been attacked--but not infected--to trace the worm back to the attacking machine and prevent it from spreading the worm to other computers.

Using his technique, the computer that launches an attack is paralyzed and requires an administrator to restart it, but it stays online and is not otherwise harmed, said Mullen, who is a columnist for SecurityFocus.com.


Ok so if the computer that was doing that attacking is now being attacked.. Doesn't that count as a DoS attack? Furthermore, He says it stays online but needs to be restarted... If it stays online, why does it need to be restarted?

3. Jennifer Stisa Grannick, litigation director at the Center for Internet and Society at Stanford Law School, said she felt Mullen's idea may be protected under a self-defense provision.

"This is a type of defense of property," she said. "There is a lot of sympathy for that (kind of action) from law enforcement and vendors because we do have such a big problem with viruses."

Ok so now lets say this happens... (Names have been changed of person(s) to protect thier identities.)
Bob, is out driving his car and stops at a red light. Frank pulls up next to bob in his car at the same red light. Frank gets out of his car and smashes Bob's window... Does that give Bob the right to smash Frank's window, or slash his tires or pour sugar in his gas tank? I don't think so, Last time I checked I could be sued for doing so...

It seems to me that this is kind of like this situation. Burglar breaks into house, He gets bit by a nice big dog that is "protecting" his territory. The owners of the house and dog, are now being sued because the thief was attacked by the dog. The dog in return, because the thief won his case, is now being put down. How fair is this?

my head hurts

This made no sense whatsoever. The only coherent point I read was reply about how hackers break in and then patch the system. Whats so bad about that? Lets look at facts Pat.
o -- Lazy System Administrator is paid $75,000 dollars a year to secure a server.
o -- Over worked and under paid factory worker is paid about $15,000 dollars a year and spends his leisure time chating on IRC and hacking unsecure systems.
o -- The later, takes time and helps the aforementioned secure his system. While he spends some quality time at the fairway play 18 holes of golf.
I don't see no problem. I concur that they need to switch jobs.
Back to you Pat.
In other news.. Scientists have unravaled the mysteries of how chocolate pudding will prevent cavaties and reduce heart disease.....

A Possible method to Twart the RIAA...

I've been cranking on this idea for a while and it may be possible to thwart the RIAA. Some really smart encryption heads/programmers could tweak the current file sharing protocols to switch port numbers, route the data to dead end/non-existent IP addresses using some complicated algoerithm. Yeah, it might take a little longer to get your file (MP3, let's be honest), but the DOS attacks wouldn't be able to go through since your IP address would "flicker" in and out of existence. From the perspective of the network, there would be periodic and unpredictable breaks in the network. A LimeWire-type P2P would be pretty cool, switching port numbers, and periodically breaking connection (for a finite amount of time, then reconnecting). With everyone's computer running this program, the network would be a virtual Christmas Tree of flickering IP addresses and port numbers. It would even be cool if a series of virtual or decoy IP address existed, making life very complicated for the RIAA DOS attacks. Gah-ah-lly, my imagine runs wild, I just wish I had the programming knowledge to make his work. It sounds so fun. Of course, this assumes that the stupod law passes through Congress. Is Joe Smith transferring files illegally or not? I'm sure some Ivy-League Geek will figure this out. The RIAA doesn't have a chance.

I wonder what effect this would have, really...

Using his technique, the computer that launches an attack is paralyzed and requires an administrator to restart it, but it stays online and is not otherwise harmed, said Mullen, who is a columnist for SecurityFocus.com

Requires an administrator to restart it? Do they mean it basically crashes and has to be rebooted? How does that do anything to solve the virus? Sure it temporarily disables it, but if it's a 9x/ME box there is no "administrator" and if it's NT/2K/XP there may be many people with admin rights. Furthermore, your average grandmother-using-aol-on-her-emachine would have no idea what to do, or that she has a virus, or what a virus is. Temporarily disabling machines doesn't do anything to solve virus problems. The only thing that will solve virus problems is educated computer users, and that is unlikely to happen anytime soon.

Problem with this...

Disclaimer: I'm probably going to burn more krama with this post since my ideas don't jive with some of the current moderators. I guess that's the price of being honest and an individual thinker.

I don't think anyone has the right to be mucking around with anyone elses system. To quote from the article:

"It is the DoD's policy not to take active measures against anybody because of the lack of certainty of getting the right person," Chassot said."

I agree with this since you cannot always get the right person. Furthermore, why even attack another machine when you can go about it in more civilized ways. The internet is not the wild west, rather it [was] a place where individuals could be trusted. Unfortuantely, with the boom of the cyberworld we get the not-so-good citizens. But what defines our character? It's the fact that we stick with our civilized ways even when dealing with those who are uncivilized. I don't want my machine to be disabled or attacked just because someone spoofed my IP. That would piss me off and then they would be protected under this law they want to propose.

TO further quote: "This is a type of defense of property," she said. "There is a lot of sympathy for that (kind of action) from law enforcement and vendors because we do have such a big problem with viruses."

I'm sorry, but just because someone pee'ed on your lawn from my lawn doesn't mean that you rip up my front yard. Viruses are written and we will always have to deal with that. The people who should be paying for it are the ones who use the virus for malicious purposes. We shouldn't be targetting the virus writters since one man's virus is another man's utility/shortcut/etc.

As for copyright holders putting decoy files on networks... they can do that all they want. People will just adapt and write software to counteract the flood of this crap. Back in the days of audiogalaxy, people used to rename MP3's and put them online under a new name. But it was easy to spot the crap files since they would be coming from a couple specific hosts. When it got really bad, I just moved on to another network.

If you value your rights...

You'll do just as i did. Write your representative and tell him to vote NO on the bill.

If we let them get away with this, pretty soon there will be no more rights.

if we had enough good sysadmins

Maybe it is a good idea to deal with lots of infected sites trying to attack your system... But, if we have so many vulnerable sites, how many clueless sysadmins do we have? And what if all these sysadmins start shutting down computers that they *think* are causing some kind of problem???

But I would be glad to shutdown some spammers...

----------------
this message has been espeled.

Okay...

It's been noted before, but... What's the point of attacking back? A lot of finger-pointing will ensue and "trace backs" will occur... But does anyone remember the when the WANK worm hit NASA? C.H. Chassot is right. You can't put a finger on the originator as being the perp; oftentimes, they may have been hacked, cleaned up, and used as a launch point when the real perps were out of the thick of it. Just like the US had a hard time, and "traced" the WANK worm back to a server in France, in the end it's not always going to be black-and-white. If you don't know about WANK, I'd suggest reading a nice tale [sourceforge.net] that documents it quite nicely.

A simple way ...

If what we want to do is stop viruses and worms and the like, there's a simple thing we could do that would eliminate over 99% of them.

Just ban all Microsoft systems from the Internet.

The remaining handful of viruses and worms wouldn't be enough of a problem to get the media's attention. We'd want a mop-up operation to stop them, of course. But that would be a minor technical project that the media wouldn't find interesting.

We should have done this five years ago, when it was becoming clear that Microsoft had no intention of fixing the security holes they were building into their systems, and their customers were too clueless to demand fixes.

Dangerous Worms

It is illegal to attack a machine that is attacking you. It's illegal to release a worm/virus into the wild. However, its NOT illegal to participate in its distribution simply because you're too inept to keep your machines patched. Those who are indirectly causing all the damage will suffer no liabilities as a result. And perhaps punishing them isn't the answer.

However, look at it from the worm's perspective. It seeks only to invade and to reproduce. It doesn't care about legalities or consequences. It will do what its designed to do, and will do so indefinitely until its means of propagation has been eliminated. The vulnerable machines are out there. They will always be out there. And as long as they're out there, there will be breeding grounds for worms.

We need to meet halfway on this one. If we can't attack the machines that are already attacking us, we should at the very least be able to stop the problem. In fact, it makes sense to stop the problem before it even starts. If someone is running an unpatched system, they're going to be the participants in a worm redistribution program eventually. If it has to happen, let it be a benign worm that hits it. Invade the machine, fix all known holes, then propagate to a set range of addresses, then die. No more worms for that host, and in a matter of hours, that exploit will have been completely removed from the world, or at least as well as the worms could find it.

Perhaps at least with XP's automatic updates, these patches might be implemented on a regular basis. However, what about all the people that don't allow themselves to use the automatic update features? There are plenty of pirates and security wary but otherwise legitimate users who won't use the automatic update features. Those machines are just as vulnerable. IF the user isn't willing to patch them, then let someone legitimately be allowed to do so. Or at least look the other way when it happens.

-Restil

Use the law?

Consider. Anything you write is protected by copyright automatically.

Let's suppose you write an email. While it shouldn't be necessary, perhaps you might include an explicit restriction in the body of the email, or at the bottom like lawyers often do: "This material is copyright by the sender and may not be reproduced in whole or in part by any means, including but not limited to reproducing on paper via a printer, forwarding to any other mailbox, storing on punch cards, paper tape, magnetic tape, optical media, or any other machine-readable form of reproduction. If you wish to reproduce this item, licenses are available from the sender for a nominal fee."

Let's suppose you sent your email to the RIAA. They are entitled to exactly one copy, which will end up in the mailbox of the receptionist. This will pose a dilemma, which will probably be solved by violating your copyright.

You might find it necessary to take steps to protect your intellectual property.

I've alresystem ady done this...

I wrote a script on my server web server (that constently gets hit over and over by nimda... about 300 times a day it seems) to use the vonrobility against them.

It uses nimda vonrobility to hit them back and gives them hundreds of popup messages thruout their system, telling them to apply the patch and get some type of security (then the scripts delete themselves).It also applys an "at" command to launch a vbs file on their system to remisystem nd them to get a patch.Just anough to anoy them.

It work seems to work. I impliment this because I work at a very small ISP here in town hosting dsl lines. Our lines are always getting eatten up by nimda, even still. This way it saves on our bandwidth for everyone else to use. The funny thing is that it works. Traffic used by nimda on the network has gone down dramaticly because of it. We applied the program to all the gateways (since they are all linux boxxes). Just added Apache with my scirpt to fish out as many people as possible.

I love it. We get calls from customers yelling and screaming that they didn't have nimda and we prove it to them by emailing them the log file. Some are even thankful. Zac Bowling

Did they throw away the throw-away line?

What struck me most though is that in the midst of the rant from Timothy Mullen (no stranger to hacking the hack as this story from computerworld magazine shows, was

a throw-away line justifying the RIAA and MPAA's appeal to Congress to make it legal to do this!

Did they change the original article online? 'Cause I don't see anything like that in the news.com article now.

Yes, do it!

A breathless story about how the best defense against [fill in the blank: piracy, virii, hacking] is a good offense at CNet.

Yes! CNet is the root of all these evils for publishing stuff like this! A good offence at CNet would surely be in the best intrest of the public.

Take Action through your representitve

Gentlemen

I'm e-mailing you today in my capacity of New Yorkers for Fair Use and as President of NYLXS, the New York GNU Linux Scene

Guy's, you have a Congressman down there who is co-sponsering the Bill to allow the MPAA and the RIAA to hack into our computers and steal our files.

I'm starting a letter writing campaign up here in NY to local representitives on the House Judiciary Committee, but your guy is the CHAIR.

How about some political Action Guys. We can come down and help if you think it would be worth while.

I'm sending a copy of our announcement today and my personal letter. Let's get to work or tomorrow there might not be any Free Software to protect!

Ruben

______
NY Fair Use

Your next Political Action has come upon us.

In this article: http://news.com.com/2100-1023-946316.html , there is a misrepresentation of the basic facts of the Berman Bill. The Berman Bill would approve the theft of our computers by authorizing Breaking and
Entering of our computers in our homes if copyrighted material is discovered on our computers. The bill gives Police Powers to the RIAA and the MPAA, but here is being discussed as if it somehow is a computer security issue with viruses.

This is misinformation on the part of the RIAA.

Everyone is to right Congressman Weiner, who is on the same Sub-Committee as Berman, and inist for assurances to vote and lobby against this bill which authorizes Breaking and Entering without a warrent by the Copyright Monopoly Holders.

Also write your local representitive and Senator Schummer and Senator Clinton.

Send a Copy to the NY FairUse list, and send 5 copies to someone in your address book asking them to also write. Send these letters by Fax to Weiners Office. Let's see if we can get a real chain reaction working.

Ruben

_______

Dear Congressman Weiner

Congressman Berman of California's 26th District is proposing a Bill which would steal the private property of every computer owner in America. The bill, designed to prevent peer to peer sharing of files, would give the Movie and the Music Industry police powers are normally assigned only to the state. It assigns them to these private industries by allowing them to invade our homes and enter into our computer systems without a wararnt, to remove our files, or to prevent our lawful use of these files. In theory this would help protect protect copyright monopolies. But a Copyright Monopoly doesn't give a business the right to perform breaking and entering.

This amounts to theft and an invassion of personal property. Some in the press are representing this bill as some form of virus or security bill. The Bill has nothing to do with computer security at all accept that it will create less security for everyone who owns a computer.

I'm asking you to ask that this bill does not leave the Subcommittee on Courts, the Internet, and Intellectual Property even though Mr Cobble, the Chairman, is a Co-Spounsorer. We need you vocally object to the intrussion that this bill asks for on the public, and question it's constitutionality.

My vote depends on your action on this matter. This kind of legistlation is something to expect our of the Peoples Repulic of China, not a free Society like the US. If we can't protect our private property from invassion of people like
the RIAA and the MPAA, then how are we different from a Communist Dictatorship?

This bill is asking for the legalization of Breaking and Entering be a bunch of GOONS.

Ruben Safir
President of NYLXS and Co-Founder of New Yorkers for Fair Use

Berman's Bill

I found it funny that when I wrote quite a long email letter to Bill Berman about his bill and he or his office wrote back saying 'thanks, but I won't respond to anyone not in my district'. I cannot conceive as to how this can be anything but a violation of the 4th amendment. The Government's hackers can violate your machine and not let you know (which is worse than having the police search your house with a warrant), and if they cause any damage to anything, you must file a complaint and be given permission to take them to court. Of course, since you don't know the government was in your computer in the first place since they didn't tell you, it's hard to know if a file corruption is the result of a hack or a piece of ill-written code or whatnot. And even if you can prove that it was the government, and they caused damage, you can only sue if they did more than 250$ worth of damage. Hollywood now dictates policy on your right to privacy. Anyone in Berman's district, please send him a nasty letter for me.

That throwaway line is there, though

Okay, our /. lead-in is a mess, and the article itself is all over the dang map. The content isn't that imbalanced; it's just badly edited. It's not any sort of "bandwagon," either way. (The headline calls this approach "Vigilante hacking." That's hardly sympathetic.)

Bad editing leads to abrupt transitions. Here we go from "Striking back against a computer that is attacking you" with a worm to this:

The defensive strategy of "strike back" is gaining some support among politicians, who will be voting on a bill backed by movie and music studios that would allow retaliation to help thwart Internet piracy.

Whah? Then we back off and contrast that approach (placing "destructive decoy digital files into peer-to-peer networks to penalize users") with the hack-back the story was really written around.

It's almost like the editor wanted to nod in the direction of the latest legislative "anti-hacker" move, whether or not it really had anything to do with his story. That's all. No "bandwagon." Just bad editing. Given the state of /.'s stories, we should relate.

Has DoD suddenly developed a conscience?

"It is the DoD's policy not to take active measures against anybody because of the lack of certainty of getting the right person," Chassot said.

Did this strike anyone else as funny? Since when does the Department of Defense care about "collateral damage"?

hmmm what about machines in other countries?

ok , so it gets made legal in the US , does that mean that it then becomes legal to 'disable' machines in say.... China as well, how do you determine the machines physical location (machine location not IP address) and which countries law is actually applies.

Liability to high

Going down this road will be too dangerous and expensive. The liability for hacking/crashing the wrong computer (or in some cases even the right computer) are to high. Take hospitals for example. Some systems are running medical applications that are critical for patient care (monitoring, diagnostic, etc...). If these systems were to be shut down, that would be very bad. If the hospital network they are attached to is attacked (yes, doctors reading their email are just as gullible as anyone else) it could also affect these patient critical systems.

Hell, even hacking these systems to verify they are the source of the problem, be it mp3 trading or virus propagation could be illegal. New HIPAA regulations (Health Insurance Portability and Accountability Act) will make unauthorized access to any patient records/information a crime.

There are to many variables and unknowns for this to be enacted. Hopefully the old men on the hill will realize this as well. If not it will surely be ammended after someone f*cks with the wrong system.

"What do you mean I'm in trouble for hacking? The email containing the virus said it came from the pentagon! It was self defense, I swear!"

Al Quaeda Records

"Hi, I'm from Al Quaeda records, and I'm here to hack your computer!"

Enough said.

Defense against Victims

A lot of the discussion is about the allowabilty of defending your machine by hacking an attacker. But what M. actually talks about is attacking another _victim_ to minimize your own losses. Just because you know how to do it. Robert Nozick once asked if it was moral to use a ray gun to vaporize an innocent victem who had been thrown at you at 10m/s squared. Sortof. Damn, I love that idea. Well, this is more like having innocent victims thrown at your front lawn and vaporizing them to protect the imported roses. Because you have a ray gun. -jon

DIB:S

I can understand the desire to defend against worms, but there are other methods. Check out this worm detection system that the Institute for Security Technology Studies is working on:

http://www.ists.dartmouth.edu/IRIA/projects/dibs/ [dartmouth.edu]

Buzx

Great quote.

It is the DoD's policy not to take active measures against anybody because of the lack of certainty of getting the right person.

Great. I guess we might as well get rid of the Department of Defense, if they're not going to bother to take any active measures. I guess that whole Afghanistan thing with the "unavoidable civilian casualties" was just a figment of our imagination.

How about tying up their TCP connection?

Most of these attacks are coming over TCP connections. If you want to impede someone else who's spreading their worm across the Internet, you could use the underlying TCP protocol to tie up their connection by simulating a very, very slow, error-prone connection that stays just under the threshold of timing out, drawing out their connection as long as possible and lying to the worm machine about packets having gotten lost en route. This means that one of your ports and processes (or at least threads) would be tied up dealing with the whole mess, just as one of theirs would be on spreading it, but it would slow down the spread of the attack by that amount.

It's not as effective as attacking their machine in response, but it's completely legal.

Re:Hack THIS!

I've started hacking in the early 80s when I aquired an old 80486 compute

Prior to that, you acquired a time machine, I believe...

Re:its viruses not virii

Language was created by those with the vazeptitude to invent new words. ;)

Re:its viruses not virii

It's not it's not its, its it's, it's it's not its, it's it's.

If you're going to be a grammer Nazi Nazi, at least get it right right.

Oh God, I'm confusing myself myself. Easy to do, I know...

Re:its viruses not virii

actually in computer speak, it is also acceptable to refer to viruses are virii

Re:vote with your wallet

Yah I've been on my one man boycott for a while :\