Bill Would Legalize Active Defense Against Hacks

Trailrunner7 quotes a report from On the Wire: A new bill intended to update the Computer Fraud and Abuse Act would allow victims of computer attacks to engage in active defense measures to identify the attacker and disrupt the attack. Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions. The proposed legislation includes the caveat that victims can't take any actions that destroy data on another person's computer, causes physical injury to someone, or creates a threat to public safety. The concept of active defense has been a controversial one in the security community for several years, with many experts saying the potential downside outweighs any upside. Not to mention that it's generally illegal.

Re:

[Joe_Dragon]

Hillary come quick you got to see this.

Re:

[hey!]

No, Pence [indystar.com]. And Pruitt [thehill.com] too.

A giant step ... sideways

[mnemotronic]

victims can’t take any actions that destroy data on another person’s computer, causes physical injury to someone, or creates a threat to public safety

The hackers are quaking in their valenkis.

Re:

[currently_awake]

So DDOS'ing some computer that tried to hack your computer is ok? What if you later find out it was the NSA? Or the police? I assume ignorance is a legitimate excuse, right? Or does this law allow you to knowingly "Respond" against police intrusion attempts?

Re:

[Anonymous Coward]

If you manage to DDOS the NSA, which literally hoovers up the Internet, I don't think you're the sort of person who worries too much about breaking some trifling law.

Re:A giant step ... sideways

[rtb61]

Forget crashing a single computer. This has every oppurtunity of spreading out of control. Think hosted server fasley identifying an attack and then launching it.s own attack against another hosted server, which detects an attack and launces it own attack not against the hosted server but the server hoster and all other servers, who then retaliate. This then spreads to other server hosters who host server from the same network and you get the idea. Utterly moronic and the only purpose, the only true purpose, is to allow corporations to, whoops, sorry we attacked your political activist site by mistake, oh and the police raid and half a dozen people beaten up, well thats you fault for, saying we do bad things. Basically corrupt politicians allowing corporations to use vigilantism to attack anyone they want for any reason they want based upon evidence they self fabricate of an false flag attack, repercussion, zero. Next step corporations being able to send mercenaries to conduct a direct raid ie private police.

So I gather the penalty for a false defence attack is to be charge with a computer crime and imprisonment for the false defence attack, what no it isn't, let me fucking guess, there is no penalty what so ever for a false defence attack (that a solid sign of political corruption).

Re:

[hackwrench]

Morpheus: I've seen an agent punch through a concrete wall. Men have emptied entire clips at them and hit nothing but air. Yet their strength and their speed are still based in a world that is built on rules. Because of that, they will never be as strong or as fast as you can be.
Neo: What are you trying to tell me, that I can dodge bullets?
Morpheus: No, Neo. I'm trying to tell you that when you're ready, you won't have to.

These are the rules they construct. You can use them to protect yourself when you

Re:

[ShanghaiBill]

It will also provide the perfect defense for any hacker that gets caught: "He hacked me first!"

Re:

[mnemotronic]

So DDOS'ing some computer ... is ok?

I merely pointed out that any and all possible actions that would dissuade the perpetrators are forbidden, effectively rendering the law useless.

All the Slashdot threads will focus on the technology. Firewall this, DDOS that. It is not a technological problem -- it's a people problem. Today it's done with computers and networks. Fifty years ago it was telephones and prank calls or postal mail with white dust. The attacker is anonymous and remote, which does not require great physical distances. That v

Re:

[hackwrench]

I merely pointed out that any and all possible actions that would dissuade the perpetrators are forbidden, effectively rendering the law useless.

Depending on how well you think you can persuade the necessary people, the perpetrator and victim become indistinguishable, and all possible actions become allowed with the defense being that an attack originated with the McGuffin being attacked.

Re: A giant step ... sideways

[atofinkelstein .]

I haven't seen _hacker_ stupid enough to crack stuff from his own computer. So active countermeasures most likely will hit just other owned computers or innocent free wifi installations etc...

Re:

[Anonymous Coward]

No, just like shooting a rapist as he's about to stick it in your daughter, when it turns out he owned a badge, you retroactively become a monster and a criminal all along.

The only ones this amendment will help are companies making use of the various abuses and loopholes to brick firmware when they detect various programs they don't like, or even after having gotten bad reviews. People like you and me will have no recourse to this, as we are either "the perp" or "insignificant collateral damage"

Backward

[s.petry]

This would allow vigilantism and encourage anti-competitive attacking. "We thought they were the ones trying to hack us, see our logs? (cat log | sed -e 's/someip/theirip/g'

As much as I hate big Government, I would rather see an easy to interface with government agency with law enforcement capabilities handling this. In fact, isn't that what the NSA is supposed to be for?

Re:

[mysidia]

"We thought they were the ones trying to hack us, see our logs? (cat log | sed -e 's/someip/theirip/g'

I would suggest formal Licensure for Cybersecurity professionals requiring Passing a practical Examination, also a Test, and committing
to a code of conduct including No Espionage, Theft, or Disclosure of Data --- requiring any item of data unrelated to an attack be kept confidential and not shared, even with a boss, employer, or co-worker.

Then have the bill so the Active Defense argument is ONLY v

Re:

[s.petry]

Interesting ideas, but passing a test does not ensure morality. Morality is the problem, and I can tell you quite plainly that the immoral and moral in today's society are pretty evenly numbered. Even if you required 3rd party defensive action, there is no way to prevent or prove collusion.

Re:Numbered vs matched

[hackwrench]

I think the term you might have preferred to use would have been matched. But then you have people whose ethics range from leaving people to their own devices, helping "true seekers", helping everyone, ensuring a level playing field among others, so the whole ethics/morality thing isn't that simple.

Re:

[mysidia]

but passing a test does not ensure morality. Morality is the problem, and I can tell you quite plainly that the immoral and moral in today's society are pretty evenly numbered.

It's not about 'ensuring morality'. It's about Restricting the population who can do it to a population that will not have Plausible deniability for improper actions, And then By making sure the people who can do this have something of Value which can be taken away for a long time as a consequence for abuse ---- providing a maj

Re:Backward

[ShanghaiBill]

I would suggest formal Licensure for Cybersecurity professionals

Licenses mean compliance with a bureaucratic checklist, which is very different from actual competence. In a fast evolving field like computer security, the checklist will lag actual best practices by about a decade. Most existing formal computer certifications are widely considered to be negatively correlated with competence, so the track record is not good.

Re:Backward

[professorguy]

So what you're saying, a well regulated militia should be the only ones able to wield these weapons?

Re:

[DeVilla]

Sounds to me like he wants a TSA for the internet.

Re:A giant step ... sideways

[hey!]

Well, according to TFA the "active defenses" consist of "consisting of accessing without authorization the computer of the attacker to the victim’ own network to gather information in order to establish attribution of criminal activity."

So it sounds innocuous, but I do see a problem: it's a bit like pulling yourself up by the bootstraps, isn't it? You get permission to poke around on the attacker's network... to prove he's the attacker. It's not hard to dream up a lot of squirrely corner cases for that.

Also "active defense" of this sort provides the perfect cover... for hacking. You infect a competitor's computer network to launch an ineffective attack on your own, and then you invade his network with legal impunity.

It's not impossible to do a law like this right, but what are the chances?

Re:

[buck-yar]

Or you just fake a few logs and you're off hacking with legal invulnerability.

Re:

[DeVilla]

- fire up TAILS
- create a free tier node in AWS
- attack one of your own systems
- being 'legal active defensive' probing of Amazon's network
- ???
- profit

Finally!

[Anonymous Coward]

I got me a product to do just that. It's about time! So tired of fake news and politically correct hampering our life.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:The meaning of "is" is.

[hackwrench]

Well when people try to conjugate is without "Dr. Dan Streetmentioner's Book of 1001 Tenses", they are just asking for trouble.

eHolocaust

[Roger W Moore]

Way too vague, neither "disrupt" or "continued unauthorized activity" not defined; this'd very quickly result in these so-called victims in just using DDoS against anyone who they disagree with

Even a strict interpretation will lead to an eHolocaust. Attacker hijacks a machine in company A and uses it to attack company B. Company B retaliates against the machine in company A. Company A detects attack from company B and returns the favour. Multiply that by all the machines in a botnet and you can kiss goodbye to the internet.

Re:

[gmack]

Even more fun: What if the attack involved spoofed packets?

Illegal?? HaHaHa

[zenlessyank]

I didn't get that memo. He who doesn't hack back deserves a lot of flack.

What about government hacking?

[hawguy]

Do people get the right to disrupt police/FBI hacking of their devices as well? That's probably the only hackers that would actually be disrupted by this new law, since criminal hackers use someone else's computer to hack you -- if you hack back, you're only hurting some innocent third party that had *his* computer hacked.

Re:

[AHuxley]

The NSA and GCHQ can do what they want as granted by a gov or what ever section of a gov they work for or got established by.
Different US law enforcement agencies working in the US have to respond to Congress as that is who has oversight and can demand all paperwork over any policy, funding or staffing issue. Government lawyers redacting internal documents that go to Congress is not the best policy to hide issues.

So the way around Congress for equipment interference is usually from third party staging

NRA

[BenBoy]

Because if 'sploits are criminal, only criminals will have 'sploits? Discuss.

Danger Will Robinson!

[Anonymous Coward]

What constitutes an attacker [house.gov]? Warning: PDF

(C) the term ‘attacker’ means a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer.

If you want to be able to legally counter-hack a large group of people all you need to do is spread a virus that will first infiltrate a lot of machines, then use those machines to start attacking your machine's IP. This allows you take countermeasures, easily accomplished via a vulnerability that the existing virus leaves open. So let's take a look at some scenarios and the implications.

I can imagine the RIAA and MPAA and their goons drooling over this capabilit

Re:

[Anonymous Coward]

Well, as written, the draft of the bill doesn't prohibit unauthorized access of a government system if the system is "attacking" the victim's computer.

ACDCA? - It should be CUT-THROAT

[Overzeetop]

I mean, sure, it's a palindrome, but real, working Americans can't even spell palindrome, much less know what one is. In fact, palindrome is the kind of work you only hear from those faggy intellectuals.

They need a better acronym, like Cyber Undermining Threat-Tactics for Heaping Righteous Offensive Action on Terrorists. Now That's a bill with balls. Big. Fat. Hairy. Balls. That you can shove down the throat of those bastard attackers of your computer systems.

Wrong Term

[Anonymous Coward]

A Defense is not the same as a Counter-Offensive. Apparently few people know this.

Better define "Attack"

[Nkwe]

An attempt to create a TCP connection to an Internet connected machine is not an attack, or I at least hope not. I would hate to click on a link, be taken to a site that considers a regular connection as an attack, and be subject to legal retaliatory hacking. How about a ping? It would be bad if packets blocked by a firewall are considered an attack...

Re:

[mysidia]

An attempt to create a TCP connection to an Internet connected machine is not an attack

One attempt is not. But many attempts to create a TCP connection including randomized or incrementing destination attempts
can be viewed as an attack. Either as a flood, or as an obvious invasive "probe" to attempt to gain reconnaissance for hacking the system.

Re:

[Plus1Entropy]

Copied from an AC above [slashdot.org]:

the term ‘attacker’ means a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer.

So I don't think any of your examples would apply, but I understand your underlying concern. I also wonder how much effort must the "victim" put into identifying the true source of the attack before launching a counter-offensive.

Obligatory

[JustAnotherOldGuy]

Obligatory "Nothing could possibly go wrong with this plan".

What could possibly go wrong?

[Gravis Zero]

This was inadvertently make DDoS for hire a legitimate business model. "Being attacked? Defend yourself and DDoS your foes into the afterlife!"

Internet,,

[Sir Lurkalot]

Is getting to look like C.B. radio in the mid '80"s

Proposed by Rep. Tom Graves (R-Ga.)

[PopeRatzo]

The cyber is hard.

What will be found?

[AHuxley]

What will be found at the end of such private sector tracking?
A home computer in another nation? Fully infected with malware that runs at 2am from some advanced wifi router?
Some site that offers free wifi? Can the company can ask for the log and CCTV?
The logs show the access but the CCTV shows nothing at the times. More investigation shows a wifi extender was used to stay away from all CCTV.
The person knows high quality CCTV is now kept for months.
A computer network in a small nation with lots of f

You can do it

[AndyKron]

So what? I would have done it anyway if I could regardless of the law. I have a right to protect myself and my property.

What happens if you DDOS somebody

[rsilvergun]

because they've got a network Zombie and they DDOS you back? Also, since when is vigilantism a good idea?