Subscriber Discussion

New Bill Would Allow Victims To Hack Their Hackers...

Undisclosed #1
Oct 13, 2017
IPVMU Certified

From the Hill

The Active Cyber Defence Certainty (ACDC) Act allows individuals and companies to hack hackers if the goal is to disrupt, monitor or attribute the attack or destroy stolen files.

“While it doesn’t solve every problem, ACDC brings some light into the dark places where cybercriminals operate,” Graves said in a statement.

“The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders.”

Comments?

Undisclosed #2
Oct 13, 2017

So it begins...

Undisclosed #1
Oct 13, 2017
IPVMU Certified

turning plowshares into swords?

Undisclosed Integrator #3
Oct 13, 2017

Sounds like they are applying a virtual self defense for response with equal or greater force.   Anti-Virus software will be able to return the favor?

Brian Rhodes
Oct 13, 2017
IPVMU Certified

Summary: A proposed law that permits the law abiding to act unethically but within the permission of the law.

 

Undisclosed #4
Oct 13, 2017

I agree with Brian...

And on top of the ethical implications, I'm not sure it's wise - nor a very well thought out idea - to legalize attempts to hack the hackers.

What do you think the hackers will do once they see one of their own 'victims' attempting to use their own tactics against them?

I would like to think that hackers are impersonal... i.e. they aren't targeting individuals as some kind of moral crusade, but instead are simply looking to find exploitable entities.

If you attempt to 'hack back', I imagine that at least some hackers might take this as a personal attack - and respond accordingly.

 

Undisclosed #1
Oct 13, 2017
IPVMU Certified

I would like to think that hackers are impersonal... i.e. they aren't targeting individuals as some kind of moral crusade, but instead are simply looking to find exploitable entities.

If you attempt to 'hack back', I imagine that at least some hackers might take this as a personal attack - and respond accordingly.

Naturally hackers are impersonal.  They don't know their victims.  Though they certainly target their attacks with as much information as possible, whether that be geographic, or particular to equipment, or even "verticals", like LE or the executive staff in large corporations.

But once they are attacking you, it is personal.  Do you think that once you attack them back,  they will go all out to destroy you?

Maybe, but still I think that it's everyone's right to fight back against injustice.

Would it be wrong for you to pickpocket your wallet back from someone who just pickpocketed you?

(1)
Undisclosed #4
Oct 13, 2017

I am of the personal belief that in most instances when you are 'attacked' that you should respond with an overwhelming response, 10X as destructive as the initial attack - if for no other reason than to send a message not just to that attacker, but to others who may contemplate attacking you in the future that this is a bad move on their part.

However, without equal or greater counter-attack capabilities, 'hacking back' (at least for most, and without federal govt assistance) is not a wise move.

Fighting back against injustice is noble.

Fighting back when you do not possess the capabilities to do so is a dangerous and not well-reasoned plan of action.

(1)
Undisclosed #1
Oct 13, 2017
IPVMU Certified

Fighting back when you do not possess the capabilities to do so is a dangerous and not well-reasoned plan of action.

Bit of straw there, as I did not nor would not disagree with that.

I just think you should not be prosecuted if you do hack back.

Undisclosed #4
Oct 13, 2017

"Bit of straw there, as I did not nor would not disagree with that."

lol - that's funny... since the first appearance of straw was actually your flawed pickpocket analogy that inserted the assumption that I was arguing against retaliation from attack.

This was why I rebutted that erroneous assumption (straw) and directly stated that I was not against retaliation, but instead, against retaliation plans that lack the resources to be successful.

Undisclosed #1
Oct 14, 2017
IPVMU Certified

...the first appearance of straw* was actually your flawed pickpocket analogy

You said 

I agree with Brian. And on top of the ethical implications...

And Brian said

Summary: A proposed law that permits the law abiding to act unethically but within the permission of the law.

Therefore my pickpocket analogy (whether valid or not) is precisely on target as an ethical justification.

*lol, I once got into an argument with a cliche-challenged girlfriend who was breaking up with me, that exclaimed "Ok, buddy, that's the first straw!".  I was like "Sounds reasonable". :)

(1)
Undisclosed #4
Oct 14, 2017

I saw your mention of 'bit of straw' as an attack and was going to respond with the mentioned 10X retaliation... but since I like your use of rhetorical logic I decided on only a 3 or 4X the destruction of the initial (perceived) attack.

:)

Undisclosed #1
Oct 14, 2017
IPVMU Certified

Sounds reasonable :)

(1)
Undisclosed Manufacturer #5
Oct 13, 2017

 

It sounds like an acknowledgement from the government that they are too overwhelmed to fight the problem.

Big companies like Union Pacific already have their own police force with 220 special agents, so why not let similar sized companies fight this type of crime as well?

From the article, the constraints imposed by the law sort of imply it is not a job for amateurs...

requires that someone "hacking back" under the bill's provisions notify the FBI National Cyber Investigative Joint Task Force. 

so I am wondering if the bill allows for companies to contract out the "hacking back". If so, perhaps we could see the emergence of a new industry of specialized IT companies that "hack the hackers..." on your behalf?

 

Undisclosed #4
Oct 13, 2017

this is interesting..... if the feds make you 'partner' with them in order to 'hack back' then I am more inclined to believe that this bill has some merit.

Undisclosed Manufacturer #5
Oct 13, 2017

The more I think about it, that is probably what they have in mind, i.e. a small business contracts the "hacking back" to a large specialized well resourced consultancy who understands the legal limits of what they can do, and is big enough not to fear a retaliatory response from a hacker.

It is pushing an aspect of law enforcement on to the private sector, the same way police are no longer the first on scene at a burglary, rather the security companies are. Our industry works the same in many respects.

Undisclosed Integrator #3
Oct 13, 2017

Imagine instead of using defensive measures, the anti-virus or defensive products intentionally sent back a destructive program upon recognizing a virus?  Bots and bots of action, virus fighting virus, fighting anti-virus.

Undisclosed #4
Oct 13, 2017

...and if the hackers have spoofed their identity/location at a level above the weaponized anti-virus's ability to detect the subterfuge?  Then you end up attacking - and multiplying the list of - innocent victims.

Brian Rhodes
Oct 13, 2017
IPVMU Certified

With the difficulty and complexity that courts have defining victims and culpability, it seems to be a nightmare scenario to prove who is the hacker vs the counter-hacker.

Also, who determines 'justice'?  If someone throws eggs at my house, do I have cause to shoot them on sight?  Of course not.  But how do Police/Juries/Judges determine if the damage done by counter hacking is appropriate?

If someone steals my client list, am I able to deface their social media page?

 

Undisclosed Manufacturer #5
Oct 13, 2017

 But how do Police/Juries/Judges determine if the damage done by counter hacking is appropriate?

If someone steals my client list, am I able to deface their social media page?

No. The article states you can only destroy the files they stole from you. Above that you can maybe identify who they are, and perhaps then law enforcement will get involved. From the article:

The bill does not allow counterattackers to destroy anything other than their own stolen files 

Maybe they should modify the law to force the hacking to be done by certified individuals/companies to avoid individuals misinterpreting what the law allows them to do.

Undisclosed #4
Oct 13, 2017

"If someone throws eggs at my house, do I have cause to shoot them on sight? Of course not."

Maybe you just need some better signage to mitigate your legal culpability...

**IANAL**

Undisclosed Integrator #6
Oct 17, 2017

Fighting fire with fire. Law enforcement has been using hackers against hackers for quite some time, usually in a deal to reduce their sentence. The elite amongst them are always a step or two ahead of law enforcement, and can teach them new tricks or the tricks of the trade for the time. The flip side is that hackers learn how not to get caught when they see the other side. My guess would be that there are lobbyists from the business sector that pitched this so that they could get away with employing measures and countermeasures that are less than ethical or illegal. It will be interesting to see capitalism get a hold of this subculture and see what happens. Imagine if you could make six figures as a corporate hacker instead of using your powers for evil.

Undisclosed #1
Oct 17, 2017
IPVMU Certified

Imagine if you could make six figures as a corporate hacker instead of using your powers for evil.

What if they don't quit their night job?

(1)
Undisclosed Integrator #6
Oct 17, 2017

Playing both sides? It has certainly been done before by hackers that have "helped" law enforcement in plea deals. I think for most people the motivation would be not losing their six figure job when they can do well without taking risks.

Undisclosed #1
Oct 17, 2017
IPVMU Certified

I think for most people the motivation would be not losing their six figure job when they can do well without taking risks.

Their old hat goes in the closet, not the trash ;)

(1)
(1)
Undisclosed #4
Oct 24, 2017
Undisclosed #1
Oct 24, 2017
IPVMU Certified

I take it you’re not a believer in:

“The only thing that stops a bad guy with a script is a good guy with a script.”

Undisclosed #4
Oct 24, 2017

“The only thing that stops a bad guy with a script is a good guy with a script.”

signed,

Bernhard Goetz

Undisclosed #1
Oct 24, 2017
IPVMU Certified

“The only thing that stops a bad guy with a script is a good girl with a lawyer.”

signed,

Harvey Weinstein

(1)
Robert Shih
Oct 24, 2017
Independent

Damn, topical, aren't we?
