Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Government Security United States Politics

Congressman Proposes Organizations Should Be Allowed To 'Hack Back' (engadget.com) 189

Engadget reports: Representative Tom Graves, R-Ga., thinks that when anyone gets hacked -- individuals or companies -- they should be able to "fight back" and go "hunt for hackers outside of their own networks." The Active Cyber Defense Certainty ("ACDC") Act is getting closer to being put before lawmakers, and the congressman trying to make "hacking back" easy-breezy-legal believes it would've stopped the WannaCry ransomware. Despite its endlessly lulzy acronym, Graves says he "looks forward to formally introducing ACDC" to the House of Representatives in the next few weeks... The bipartisan ACDC bill would let companies who believe they are under ongoing attack break into the computer of whoever they think is attacking them, for the purposes of stopping the attack or gathering info for law enforcement.
Friday The Hill published a list of objections to the proposed law from the CEO of cybersecurity company Vectra Networks. "To start with, when shooting back, there's the fundamental question of who to shoot... We might be able to retaliate, weeks or months after being attacked, but we certainly could not shoot back in time to stop an attack in progress." And if new retaliatory tools are developed, "How can we be sure that these new weapons won't be stolen and misused? Who can guarantee that they won't be turned against us by our corporate competitors? Would we become victims of our own cyber-arms race?"

Slashdot reader hattable writes, "I would think a proposal like this would land dead in the water, but given some recent, and 'interesting' decisions coming from Congress and White House officials, I am not sure many can predict the momentum."
This discussion has been archived. No new comments can be posted.

Congressman Proposes Organizations Should Be Allowed To 'Hack Back'

Comments Filter:
  • Alice Bob etc. (Score:5, Insightful)

    by bugs2squash ( 1132591 ) on Sunday June 04, 2017 @10:34PM (#54549261)
    So if Mallory hacks bob, who turns around and mistakenly hacks Alice, who then fights back until Bob and Carol are destroyed. Whom does Carol Sue ?
    • I imagine that depends on the details of how the law is written. Unless it specifies otherwise, I would assume that if they hit the wrong target, then they'd be civilly liable under regular tort laws.

      Though IMO this could be viable if it was restricted to surveillance, and only against foreign targets that don't have any kind of extradition treaty with the US.

      • by Calydor ( 739835 )

        They probably just have to pinky-finger swear they thought it was the right target, just like with the DMCA.

        • by Tatarize ( 682683 )

          There's some cases when you could invoke something like BrickerBot against a DDoS attack coming from a bunch of webcams and other unsecured devices. Would I be allowed to attack back against these devices and brick some random guy's webcam or router simple because it's unsecured and being used in the attack?

          I mean that's the right target right? I should be allowed to use the same exploit used to compromise that system in mass and destroy vast number of webcams or routers or whatever devices are attacking me

          • by Maritz ( 1829006 )

            I mean that's the right target right? I should be allowed to use the same exploit used to compromise that system in mass and destroy vast number of webcams or routers or whatever devices are attacking me right?

            They quite literally do not know what they're doing. Should be interesting if nothing else.

        • What if my attacker is Russia? Can I hack Russia back and with what kind of force? Can I break their government systems, destroy their computer, launch a stuxnet like virus upon them and destroy the computer systems of the Kremlin? Or would such things maybe be acts of war and a bit beyond the pale?

          • Yes. When you are attacked by Russia, feel free to launch a stuxnet-like attack and destroy the computer systems of the Kremlin. In fact, you don't even have to wait. Go ahead and do it now. We'll wait.

            • One would assume you could do so for a few million dollars. The zero days would cost a bit, and it would be like 100,000 man hours. But well within the reach of a Fortune 500 business.

      • by AmiMoJo ( 196126 )

        All that would do is escalate the situation to a state of open (cyber) warfare.

    • by Anonymous Coward

      No one. She's not an organization, she's a peasant.

      Viacom could hack you under these rules for "believing in good faith" that you may be suspected of possibly being related to an attack on them, and do whatever they want.

      You want to defend yourself from this sudden intrusion and figure out who that was, maybe drag them to court over this illegal hacking?
      Yeah no. You're a criminal under the CFAA now.

      • And soon Sony will be able to pull another Root-kit scandal, but this time it will be considered as legitimate defense against the evil pirates trying to hack them (and their DRM).
        Too bad if a few (= tons of) users got their machines nuked by the rootkit too, even if they never attempted to circumvent DRM.
        It's still allowed "hack-back"!

        Nuke all the machines.
        Kill them all and let God sort them out.

    • by Joe_Dragon ( 2206452 ) on Sunday June 04, 2017 @11:05PM (#54549365)

      We are on the highway to hell sue them all!

    • Re:Alice Bob etc. (Score:5, Interesting)

      by Anonymous Coward on Sunday June 04, 2017 @11:10PM (#54549383)

      Or Mallory gets Bob to hack him in a false flag attack so he can hack Alice.... If you're legalizing US companies to attack 'foreign' companies, you're also protecting foreign companies that hack US ones in retaliation.

      IMHO, Google's self driving car tech is underpinning Uber's Yandex's self driving car tech and Baidu's self driving car tech. Courtesy of General Alexander leaving US corporations open to known backdoors.

      How would Google 'hacking back' actually stop that damage?

      And then there's the orange elephant in the room, what if the damage is so egrarious that attacking enemies become best buddies and close allies become targets of attack?

      I'm waiting for Trump's report saying the election was attacked by France, and Russian detection was only inadvertent attempts to secure our networks remotely.

    • by ls671 ( 1122017 )

      Just send your resume to my homepage. You ain't so far from the truth after all.

    • Re:Alice Bob etc. (Score:5, Informative)

      by mwvdlee ( 775178 ) on Monday June 05, 2017 @12:43AM (#54549583) Homepage

      There's this farmer in the Netherlands, who has received multiple legal threats from companies for hacking.

      The reason? His farm is near the centroid geo-coordinate for the Netherlands. Which means that if somebody tries to look up an IP in a GeoIP database and that database does not have more accurate data than "This IP is in the Netherlands", it will report back the centroid geo-coordinate for the Netherlands. If just happens there is an actual building near this centroid.

      Wonder how well such a law would work with dumb companies (i.e. the vast majority) being DDOS'ed with spoofed IP's.

      • Similar for some poor old lady living in central Kansas.
        The state of Kansas is on top of the geocentroid of the continental US, and the same thing happens to her farm there.

        http://fusion.kinja.com/how-an... [kinja.com]

        She's even had "things" delivered to her property from very angry people.

      • There's one of those in many countries. People don't look up a satellite image to see if the market hits a house. Often the co-ordinate is resolvable to a street address regardless of where on property it lands.

      • by cdrudge ( 68377 )

        I feel really sorry for the inhabitants on Null Island [wikipedia.org]. I bet they are harassed everyday non-stop.

    • by tchdab1 ( 164848 ) on Monday June 05, 2017 @02:26AM (#54549855) Homepage

      The bible says a hack for a hack makes the whole world go blue screen.

      • That only works if the second last person is running Windows inside a Linux VM. Otherwise there's no system left to hack back the last person not bluescreened.

    • by MrMr ( 219533 )
      If you ignore the capitalization the answer is Alice, if you don't, the question mark is spurious.
    • Carol could sue Mallory in theory, but she's unlikely to have the logs to prove it.

      Alice and Bob are both protected because they were just responding to that cyber thing.

      I never believed them when they said cybering could make the world go blind, but now I'm starting to understand it.

      • I never believed them when they said cybering could make the world go blind, but now I'm starting to understand it.

        Nah, that's referring to porn. The trick is to stop at the point you only need glasses.

    • What a strange name. I've never heard of a "Carol Sue", and I live in the South.
    • exactly!! This sounds like a great idea as long as the revenge hacking isn't granted indemnification. It'd be like a bar room brawl. I can see the web-ads now "Under attack? click here to fix your network!"

  • Wasn't there something like this that was actually passed into law? Or at least there was something like this that was proposed and got support last season

  • by starblazer ( 49187 ) on Sunday June 04, 2017 @10:36PM (#54549279) Homepage
    let's extend the law so that if someone is breaking into their house, we can break into theirs! gather our own evidence! EYE FOR AN EYE!
    • Well, in California (of all places) you're allowed to do all sorts of things to recover stolen property. Including breaking into the thieve's house to take it back, and if necessary, shooting them in the process.

      Why not extend that to digital theft?

    • It's really not the same thing. Thinking beyond the surface it's not even a good analogy.

  • by hackingbear ( 988354 ) on Sunday June 04, 2017 @10:36PM (#54549281)

    ... to launch another Iraq War on fake accusation. Look, IP address is such an indisputable evidence!

  • *facepalms* (Score:5, Insightful)

    by DivineKnight ( 3763507 ) on Sunday June 04, 2017 @10:43PM (#54549309)

    The monumental amount of stupi-....one of the first things a 'hacker' does when launching an attack is obscure their origins. They use someone else's machine, like a University's, or a Hospital's, or even one owned by the Department of Defense. And you want to hand people a license to f*ck up what they 'think' (and I use that word broadly here) might be attacking them? How is the DoD going to react to Pfizer launching an all out assault on them because they 'think' an attack is coming from some DoD machines?

    It takes weeks, months, possibly more to track down the owners of Botnets, from which Distributed Denial of Service attacks may be launched from zombified machines. That requires investigation, international at times.

    And we don't need any laws for what is already an illegal practice.

    • The monumental amount of stupi-..

      Yes, it's true. That's why I come nearly every day to correct people as monumentally stupid as yourself. Such epic levels of disastrously misguided thought cannot be allowed to stand without challenge from someone with common sense and logic.

      one of the first things a 'hacker' does when launching an attack is obscure their origins. They use someone else's machine, like a University's, or a Hospital's, or even one owned by the Department of Defense. And you want to hand peop

      • It's an IP address.
        It's not necessarily the compromised system anymore, or maybe never was because the IP address in nearly every case is a gateway and not the actual compromised system.
        You've build a vast pile of irrelevant words on your faulty premise.
      • by gl4ss ( 559668 )

        ughh you really think organizations would put the money into doing this to botnet victims or such? fuck no.

        they would be using it to hack back at the eevil chinese or competitors they "think" the attack came from.

        the whole concept in the elected idiots head who came up with this actually depends on "Black Ice" kind of "protection software".

        which doesn't exist really. he does not understand hacking and furthermore there exists already ways to stop an attack you know the IP address for and this new stuff woul

      • Such epic levels of disastrously misguided thought cannot be allowed to stand without challenge from someone with common sense and logic.

        I'll let you know when one comes along.

        Yes it might be a hospital, bank, government, whatever - it's already screwed, bringing down that system does vast amounts of public good

        Wrong. Being used as an attack platform and the ability to perform its intended function are totally orthogonal.

        I know you don't believe in biology because lolwut monkeys, but sensible paras

      • by AmiMoJo ( 196126 )

        Yes it might be a hospital, bank, government, whatever - it's already screwed, bringing down that system does vast amounts of public good:

        You think it's a good idea to bring down a compromised but still functional machine in a hospital?

    • It's like reacting to a live shooter event with cluster bombs. But yay, number one and FREEDOM!

      • by cdrudge ( 68377 )

        I'd say it's more like reacting to a live shooter by potentially days or weeks after you were shot at, you fire either a few shots back or drop a cluster bomb to where the "live" shooter was. By the time you can trace back and launch a counter measure, the actual perpetrator is likely long gone.

        The only way a counter attack helps is if the attack is ongoing and coming from the same source. I'd venture that probably rarely happens in a easily counterattack-able way. It's hard to counterattack thousands or mi

    • by Maritz ( 1829006 )

      The monumental amount of stupi-....one of the first things a 'hacker' does when launching an attack is obscure their origins.

      Lawyers like to think that they're clever. Like most 'clever' people they do not see the gigantic holes in their knowledge. It could be offset by maybe having the odd lawmaker who is not a lawyer, but what do you think the chances of that are? lol. [wordpress.com]

  • AC/DC? (Score:3, Funny)

    by viperidaenz ( 2515578 ) on Sunday June 04, 2017 @10:51PM (#54549327)

    But is it really going to be any good without Brian Johnson? Can Angus Young fill his shoes?

  • by Anonymous Coward

    If not, does that mean when being hacked/spied/wiretapped by a government agency, we can fight back?

    When the RNC spams, links to some partisan fake news, and their linked page hosts a malicious ad or simply bad code that resource hogs, we can DoS their ass, since that would impede spread of said malicious code?

    Can we go after robocallers too, since they largely use IP networks anyways? Is the FCC fair game if they allow no ring voicemail spamming?

    And instead of blocking and rate limiting DoS attacks from b

    • Back in analog times, the equivalent of modern robocallers was call centers (typically staffed by young women) who would call you to pitch something.

      There was a game that people who had some spare time would play to abuse them in the hope of getting on "do not call" lists that got documented on USENET. Wasting their time cost the company who paid them money so the basic scoring was based on how long you could keep them on the phone, or even better their supervisors who were paid more.

      Cruel misogynistic pla

  • by gweilo8888 ( 921799 ) on Sunday June 04, 2017 @11:15PM (#54549399)
    The big issue isn't the question of who to shoot (what's it matter if you take a while to get them, so long as you get the right people?). It's also not "How can we stop the tools being misused", because the simple truth is that we can't, and that they'll get their hands on tools like this even if we don't pass this moronically-named act.

    The real concern is that we're trusting big business to use this appropriately. I can guarantee that it won't. The RIAA and MPAA are probably wetting their pants in anticipation of this so they can start hacking internet users to get their identity and extort money out of them, for example. I'm sure they can manufacture some evidence that they were "hacked first". Companies will also be using it against each other. (Microsoft: "No, honest guv. We saw a hacking attempt from both Google and Amazon simultaneously, with an assist from Apple too. We totally had to hack them back. It's just a coincidence that our subsequent product launches seemed almost to have anticipated our competitors' products." Etc., etc.

    Big business can't even be trusted with the tools it already has. It sure as hell doesn't need this one too!
  • by alzoron ( 210577 )

    Wouldn't this give us the authority to hack all those government agencies that have been hacking us for decades now?

  • Since we know, thanks to various whistle-blowers, that the NSA and other US government organizations have hacked most is not all US citizens, this bill would now give any citizen a reasonable belief they were hacked, therefore a legal right to hack back. Where do I sign?

  • by AHuxley ( 892839 ) on Monday June 05, 2017 @12:50AM (#54549611) Journal
    Most interesting people would just hop to a nice fast, open staging server.
    From that they would use the network speed to move a lot of plain text unencrypted US data.
    Clean up the logs, drop some really fake code litter, move the data around a few more servers and finally move the data to a safe location.
    What is the USA going to see? The ip range of that first staging server...
    A totally unrelated set of networks and computers will feel the full force of US cyber "fight back"?
    That nation will tell the tech media of the deep penetration efforts by the USA on some vital/special/ISP/commercial server and network.
    Most governments also use their other nations domestic ISP networks ip ranges to look around the "internet" and do spy things.
    Could be a home user on a modem downloading plain text data from a wide open US server again, or it could be the last hop by some other very distant gov/group.
    Does the US want to "fight back" on some ISP in an unrelated nation? To find the next hop to another ISP and nation?
    Keep on hacking back and hope the next hack is the real person trying to get the data in front of their own home computer?
    The "fight back" won't find the destination, it will just damage some ISP/network/university/brand used in some random nation. Or some easy network in some nation that got hacked for its speed and unexpected ip ranges.
    Its not the 1980's with one user, a dial up modem and their home computer entering advanced US networks directly. Even in the 1980's most smart people used a few different educational and private sector networks around the world before their final US network of interest.
    A lot of work for brands, companies, educational, medical networks and ISP will have to clean up after the USA attempts another "fight back" as they saw the ip, the network connection and attempted to "stop the attack" with some clicking around on some contractor's GUI.
    • tl;dr version:

      Hack company A with a notoriously bad security rep (i.e. with poor to nonexistent logging)
      Use company A to hack company B. Make sure you leave enough material to tell them who did it.
      Enjoy the show.

  • The problem with allowing corps to hack back is that you've only got their word that someone hacked them first. What constitutes a hack attempt and what constitutes an appropriate response comes entirely down to individual interpretation.
    I can imagine many if not most companies would use that ruling tactically rather than honestly.

    • by dbIII ( 701233 )

      The problem with allowing corps to hack back is that you've only got their word that someone hacked them first.

      True - a good example is the Australian Census "hack" that turned out to be allocating less resources than Slashdot has to a site that was expecting around five million hits around 7pm on a Tuesday night when everyone had been told to log in.
      There were loud screams of "hack" to try to pretend that it hadn't been mismanaged.

    • They did a port scan. Fire up the LOIC!

  • by whoever57 ( 658626 ) on Monday June 05, 2017 @01:13AM (#54549671) Journal

    This comes from the old mindset that a good defence is a good offence. That may be true in traditional warfare, but not in "the cyber" [ironic quotes].

    A good defence is a good defence. That's the end of it. But these out of date fossils don't or won't learn that.

    • ...not least because the story is a dupe.

      As I said on the other version of it - hacking is hard. I know the basics, and yet for me to hack a vulverable webcam would probably take me days of dedicated work. I could of course buy suitable tools to do it automatically, or I could enlist the help of a company to do it for me.

      The problem with that is of course that only the rich will be doing the 'hacking back'. You and I simply won't have the resources, and so we're at the mercy of the big corps who 'have reaso

  • In real life, hacking back does work in minutes or hours, but if it works at all days, weeks, months or years. And that assumes that it works at all, that you hit the right system and that the system is in possession of the institution you actually want to hit (and not just a hacked system).

  • by imidan ( 559239 ) on Monday June 05, 2017 @02:37AM (#54549885)

    I feel like what they're getting at is some version of the Letter of Marque, which in old sailing days allowed a privateer vessel to go around attacking enemy ships with the blessing of the government. With some modern version, the government could authorize certain security firms to go after hackers, and businesses could contract with these firms to protect them from attack and/or retaliate against attackers. I can't see most businesses, even large corporations, setting up their own retaliation corps--the expertise is rare, expensive, and would probably go mostly unused.

    I'm not saying that's a good idea, but it's certainly far more realistic than giving, say, Colgate-Palmolive carte blanche to hack anyone who they thought hacked them first. That just seems like it would lead to chaos. At least with Letters of Marque, the chaos would be contained to some smaller group of security-related companies that maybe would have to go through some certification to get that status. That way leads to digital Blackwater, though, and is that really that much better?

    • What makes you think that certain companies don't already have that? This would just legalize using it domestic.

  • by DrXym ( 126579 ) on Monday June 05, 2017 @04:14AM (#54550111)
    Hackers generally attack through innocent 3rd parties, either compromised machines, bots or whatever. So what exactly do you hack back against? And what if there is collateral damage?
    • I run a self hosted website that is constantly being probed by cable modems, and compromised home and business hosts behind those modems. Some of the compromised PCs are not necessarily the owner's fault either, plus they have no clue to how to secure an ISP provided POS cable modem / router. Allowing these folks to be 'hacked back' will lead to endless grief for the wrong people. I believe that vastly more wrongly suspected 'hackers' will be attacked that the real culprits. Ans also what happens when the
  • by SuricouRaven ( 1897204 ) on Monday June 05, 2017 @04:18AM (#54550123)

    1.Hack your target covertly.
    2. Use your target to send a very non-covert attack against any major organisation with a reputation for active defense
    3. Sit back and watch the retaliation.

  • Dear Mr. Graves (Score:2, Interesting)

    by Opportunist ( 166417 )

    It is illegal for me to pretend I am a lawyer and act as if I knew something about legal processes. For some odd reason it's still legal for you to pretend to know something about computers or that newfangled thing called "the internets" or something like this, despite your absolute blatant display of total ignorance.

    On behalf of the people who know a thing or two about it: Please, do the world, and your reputation, a favor and shut the fuck up. Please don't talk about things you have about as much knowledg

  • So, given a few articles ago [slashdot.org], I wonder if Putin could claim ACDC legitimized retaliation against the CIA.

  • why things in the Middle East are so fucked up. American leaders' current obsession with instantaneous retribution at almost any cost, is an object lesson in how that kind of insanity comes into being.

  • Congress loves to pass laws regarding "cyber security" without understanding a thing about it. Forget that most attacks are through compromised devices anymore, or via cloud hosts. Most companies that get "hacked" are that way due to poor security in the first place. To think they would be smart enough or robust enough to turn around and hack the people who hacked them, is pure stupidity. Recall that FISMA was suppose to stop the government PC's and networks from being hacked, but it did not, nor did i

  • by TheOuterLinux ( 4778741 ) on Monday June 05, 2017 @07:34AM (#54550675) Homepage
    You can't defend something you don't own. There was a time in which the Internet was treated much like a highway driven by cars leased from our ISP's and the desktop like our homes, but Google changed that, Micro$oft is making it worse, and the FCC is bringing their own tyranny into the mix. No one in the U.S. has to hack you or even get a warrant, they can just legally purchase your browsing information. There are too many laws and ways of thinking that would have to be changed as a result of this for those in power that need them for their Muslim witch hunt excuse for the digital fingerprinting of everyone or companies that need the capitalistic advantage for this to happen. I honestly can't remember the last time a bill that made sense was passed that had no twisted ulterior motive in the end. Would we have an "NRA" for computer self defense? This would never happen in the "UKGB."
  • Aside from all the other issues people have already mentioned with this bill, this seems like a great way for the government to do an end-run around those pesky warrant requirements. It's such a chore for law enforcement to go to a judge and have to offer a valid reason for breaking into somebody's property to collect evidence. With this bill, you simply let the victims gather the evidence, completely unbound by law, and have them turn over any findings - whether related to the hacking or not.

    I'm sure this

  • It's called a honeypot [wikipedia.org]. Put a server on your system with valuable-looking but fake data. If a hacker goes for it, you are (1) wasting his time, (2) corrupting the trustworthiness of all the data he's collected, and (3) helping expose him via monitoring tools you've placed on the honeypot.
  • Like escalation always works right? I can just see the mini-wars getting started the cyber "gods" need to contain the skermishes. One thing about war that is universally true: it's the bystanders who are the first and generally biggest casualties.
  • Hay Tom Graves, R-Ga., what if my business thinks you're an enemy of the state? How about we consider the ramifications of ignoring the DOJ? Better yet, how's your Russian? Sounds like you're a politician in the wrong country?
  • This is vigilantism, which outside of 90s arcade beat'em ups is not a good thing. The rule of law says force should only be used by the government and then is very, very, very tightly controlled and regulated. Notice I said 'force' not violence. There's a difference. The government only uses violence as an act of war. A cop uses just enough force to subdue; more is excessive and gets the cop fired and possibly prosecuted (yeah, I know the practical reality isn't always the same but we're talking principles
  • Laying waste to rival corps' data, exposing their internal emails and phone conferences.
    Wasn't there an RPG like this?

  • If anyone for a single moment thinks this wouldn't be abused to the extreme and leveraged for corporate espionage and corporate cyberwarfare, then you're extremely naive. Companies would be hacking their competitors 24/7, claiming they're 'counter-attacking because they detected being hacked', and totally fabricate the evidence of said hacking. It would turn the Internet into something out of a cyberpunk novel, but in the worst sort of way. You think the Internet is dangerous NOW? Just wait until the MPAA a
  • First, it assumes that most companies have *real* hackers on staff, or on call, and not script kiddies and other wannabees, who, say, don't know what a munged address is.

    Second, yeah, about that, so if Russia's intel agencies decide to hack you, or Saudi Arabia's, or, for that matter, the NSA does it, you're really going to hack back? I can hear the real agencies saying, "gee, this kiddie wants to play out of their league...."

    Guy's A. Idiot.

  • And use your teams systems to attack my teams systems, and my team turns around and owns your whole team, I win. Or maybe it's your team and their team? I guess everyone else wins.

    I better hurry up and finish my distopia future novel while I can still publish under fiction.

  • ...otherwise we'll finally get "The Year Of Linux (and BSD) On The Desktop"... because that'll be all that's left.

It is clear that the individual who persecutes a man, his brother, because he is not of the same opinion, is a monster. - Voltaire

Working...