Proposed Active-Defense Bill Would Allow Destruction of Data, Use of Beacon Tech (onthewire.io)
Trailrunner7 quotes a report from On the Wire: A bill that would allow victims of cybercrime to use active defense techniques to stop attacks and identify attackers has been amended to require victims to notify the FBI of their actions and also add an exemption to allow victims to destroy their data once they locate it on an attacker's machine. The Active Cyber Defense Certainty Act, drafted by Rep. Tom Graves (R-Ga.) in March, is designed to enable people who have been targets of cybercrime to employ certain specific techniques to trace the attack and identify the attacker. The bill defines active cyber defense as "any measure -- (I) undertaken by, or at the direction of, a victim"; and "(II) consisting of accessing without authorization the computer of the attacker to the victim's own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim's own network." After releasing an initial draft of the bill in March, Rep. Tom Graves held a public event in Georgia to collect feedback on the legislation. Based on that event and other feedback, Graves made several changes to the bill, including the addition of the notification of law enforcement and an exception in the Computer Fraud and Abuse Act for victims who use so-called beaconing technology to identify an attacker. "The provisions of this section shall not apply with respect to the use of attributional technology in regard to a defender who uses a program, code, or command for attributional purposes that beacons or returns locational or attributional data in response to a cyber intrusion in order to identify the source of the intrusion," the bill says.
Sure...no pandora's box here.... (Score:5, Interesting)
I'm guessing that large businesses could get in on this too? If not now, just wait....
And, we've seen how well just take down notices work....often not even justified, but still...the party acted upon is now guilty till proven innocent.
What constitutes a valid victimization? Telling someone you don't like them? They smell bad? That allows them to infiltrate your computer, destroy information...etc?
This sounds like a real pandora's box being opened here.
Re:Sure...no pandora's box here.... (Score:4, Insightful)
"What constitutes a valid victimization?" ICMP the wrong port and they can say you're trying to penetrate their services? Mmmm, Beacon.
Re:Sure...no pandora's box here.... (Score:4, Insightful)
Re:Sure...no pandora's box here.... (Score:4, Insightful)
This will not be a move of data from a company direct to a "home" "desktop" computer with some dial up modem.
Once the "owner" detects their data and sends the code?
That data could be sitting on any random fast network around the world without being noticed. Strange computers sending code to and altering a computer to do something to data on that network?
The resulting intrusion and clean up will be very expensive and disruptive to any third party.
Re:Sure...no pandora's box here.... (Score:5, Insightful)
Re: (Score:3)
They find a US beacon effort in the wild and alter its mission just a bit.
Place it in nations they don't get along with and watch as the US reports "hacking" from a list of other nations flood in.
The US has 100% evidence and proof that "other nations" are evil and the special secure beacon code was running in their networks and ip ranges.
Special citations and commendations for that clandestine service as the USA so
Re: (Score:2)
Large companies like Facebook and Microsoft will just call each other's security departments. The danger will be when foreign companies get involved.
Imagine Facebook incorrectly traces the attack back to some company in China, and starts hacking them. Chinese government notices and decides to destroy Facebook, deploying state level hacking and zero day exploits to wipe them out.
Re: (Score:3)
I agree with you but your example is a bit unfortunate. The problem with this bill seems to me that the counter-attack will be completely illegal in almost every other country in the world. This creates all kinds of legal problems for US companies and also many practical problems for police forces, prosecutors and security companies in other countries. In any case developers of 'counter-attack' software ought not be surprised if they are arrested once they leave the US.
Re: (Score:2)
Black ICE (Score:2)
Mr. FBI Agent sir, (Score:5, Funny)
I was just "destroying my hacked data"
Facebook had hacked my browsing data...
The FCC was hosting my stolen data...
The "agencies" had hacked my communication devices....
Linkedin...
Tumbler...
Myspace...
IRS...
Re:Mr. FBI Agent sir, (Score:5, Insightful)
People are modding it funny, but that's because it's half true.
Sony or the FBI will be allowed to compromise your hardware at will. But if you so much as peep back, they'll drop the legal equivalent of a 10 ton weight on you.
Re: Mr. FBI Agent sir, (Score:2)
Attack Google and Microsoft? (Score:2, Interesting)
So this bill empowers me to attack Microsoft's and Google's servers to destroy my data that they have taken?
Re: (Score:2)
No. Because EULA.
Hmmmm (Score:5, Funny)
So I have to tell the FBI that I'm going to hack the NSA to destroy my data?
Re: (Score:2)
I am sure if you don't the NSA will anyway, so in this particular instance it would be necessary.
AC/DC Act (Score:5, Insightful)
Republicans have seen too many Hollywood hacker movies. They want people to believe that after someone steals their personal information, they'll be able to click a big red EXECUTE button on the screen and it will launch a counterattack and steal back their data.
In reality, the people who are victims of this type of data theft aren't going to have access to these "Beacon" tools. But copyright trolls and malware thugs almost certainly will. In the end, this will be just another corporate giveaway.
The cyber is hard.
Re: (Score:2)
The lobbyist that wrote this bill for him probably showed him that movie; however, it's probably for content providers to destroy computers of people pirating rather than try to bring them to court, since that takes forever and costs money and may not result in any profits. Just wait till they update the TOS to include a missile strike if not in compliance.
Re: (Score:3)
Meh, who cares, mountain out of a mole hill. News at eleven corrupt lobbyists and corrupt politician attempt to write constitutionally challenged laws that would empower corporations to enslave and attack citizens, the flaw, something to do with search warrants and how they are carried out, you know, no search warrant, no search, no removal, no nothing. Also affects possession laws, with no proof required of right of possession to deny others the active possession. What could possibly go wrong with writing
Re: (Score:2)
I would only say that this would go hand in hand with the licensing law, as in you don't own any property, it's all just a license. So no stand your ground... also probably not work with stand your ground as this reprisal would require walking to the said office...
Speaking of movies (Score:2)
Republicans have seen too many Hollywood hacker movies.
speaking of movies...
In reality, the people who are victims of this type of data theft aren't going to have access to these "Beacon" tools. But copyright trolls and malware thugs almost certainly will.
Yup, the movies are definitely going to be the thing best protected by this act.
Movies shown in theaters tend to be fingerprinted. (the purpose being to try to trace back where a copy was first leaked).
This act basically gives authorization to the industry to install a backdoor (either forced through legislation, or unknowingly deployed in the style of Sony root-kit), that will nuke a user's computer if it ever detects such type of fingerprints.
(and make it also report back to the MPAA moth
Foolishness. (Score:5, Interesting)
What this is going to enable people to do is destroy zombie computers and devices under the guise of retribution. While this may seem good at first, it's just going to be the moms and pops of the world losing all their data because they got infected with a virus and somebody unleashed hell on their machine. It seems like it would be far more helpful to require ISPs to detect a DoS in progress and cut off the infected customer. A scorched Earth campaign will do little to change the world.
What could go wrong (Score:2)
We know how BrickerBot works and how bad that can be. This would be much, much worse.
Yup. Indeed.
This time instead of Smart LED bulbs staying dark or showing the wrong color, you're going to have the database server holding the important financial information getting broken.
But hey, at least the infected zombie bot won't disturb *you* anymore.
Re: (Score:2)
Blinking Midnight (Score:2)
The "easy" tools, meant for the people who still have VCRs blinking midnight?
"Alexa, find and destroy all my hacked data!". thank you.
Re: (Score:3)
I think the idea is for you to hire some shadow runners to get your data blocks back by using some ICE.
Re:Blinking Midnight (Score:4, Funny)
"Siri, find and destroy all my hacked data!". thank you.
FIFY
Re: (Score:2)
I have this ugly feeling that by "people" this bill means "corporations", not us ugly-bags-of-mostly-water.
The Physical Analogy (Score:5, Insightful)
The analogy is if you suspect someone of stealing your wallet, you are allowed to break into their house, search through it to find and take back your wallet, destroy a few things here and there to prevent them from pickpocketing in the future, and then call in the police to arrest the guy.
Oh, but if you made a mistake and destroyed some random person's stuff, well, you were still acting within the law.
Re: (Score:2)
For an attack in progress, I'd say it's more like you're being mugged and the attacker has managed to grab your wallet by the time you start fighting back.
You have a right to self-defence in the physical world, usually with a limit of 'reasonable force' (Texas excluded). To extend that to the digital world, if your system is attacked you should have the right to damage the attacking system to the point it can no longer continue its assault... and you should be able to take back your data if you can do so.
A
Re: (Score:1)
Except, a more effective self defense is just telling your network to stop accepting the guy's packets.
Anything else is unnecessary use of force.
Kind of like rendering the mugger harmless and then kicking him and maybe his family and friends while he's down.
And the mugger you are going after may be some harmless schmuck who got his computer hacked.
Re: (Score:2)
Alright, let's play pretend.
1) You have a webserver with say a JBoss deserialization vulnerability.
2) I get remote code execution and set myself up some persistence but otherwise leave your site alone, you don't know anything is wrong.
3) I use your system as a pivot to attack Bob's network. I break into Bob's systems and start dumping data.
4) Bob spots the attack and sees it's coming from you. Oh did I mention outbound connections from the server I compromised don't leave from the same IP that servers inbound o
This idea is so full of wrong (Score:5, Insightful)
Re: (Score:2)
It's probably more akin to breaking in to a bank to get your wallet though. Kicking someone's door in to gain entry isn't that hard, and I'll bet about 80% of the population could do it if they really needed to. But breaking into a computer is well beyond 95+% of the population - I know technically what's required, but it would still take me an awful lot of dedicated time and effort to do. Thus, I'd need to hire a pro - and they don't come cheap (unless you're a big company, in which case you already hired
Re: (Score:2)
That special US data sends out a secure fully encrypted beacon message about the ip and type of computer it has been downloaded to.
The US tracks down that home computer with one hard drive, a consumer OS and a connected modem.
The data then has no value after the US has fully "disrupted" that computer.
The once rare and advanced 1980's dial up network and expensive desktop computer is now a globa
Re: (Score:2)
A solution that expects a home computer with a modem to be direct downloading a "file" that reports back the ip.
That user's computer is then "disrupted".
Active Bacon (Score:2)
Create a fake beacon? (Score:2)
Automated or will some US gov worker have to click a gui every time to allow a beacon to be responded to?
Hope that the user is on a desktop computer, has one hard drive that has the OS, has the data, is connected to the net, has the same ip for a while?
How perfect is the "techniques to trace the attack and identify the attacker" going to work in every computer network before someone with skills finds something in the wild?
Or does the beacon encry
You need a bill for this? (Score:1)
So... use a foreign computer? (Score:2)
Since the US doesn't have jurisdiction outside the US, attacking any foreign computer will likely remain illegal under foreign law. If the US courts protect them they'll become modern day privateers, state-sanctioned thugs. Like a loose cannon version of the NSA, this will not end well.
Re: (Score:2)
If the US courts protect them they'll become modern day privateers, state-sanctioned thugs. Like a loose cannon version of the NSA
So more constrained then.
Who bought the beacon? (Score:2)
The "beacon" exception is interesting. Someone went to the extra trouble to pay somebody to add that. Who did it and why? What's the imagined scenario?
The quarantine of the Darwin Station (Score:2)
must be maintained forever
I remember watching the episode [wikia.com] and thinking Gee--it would be great to be one of the people with the active immune system.
Of course it would suck for my neighbors, friends, and family--but that's their problem.
Right?