Welcome back, my rookie hackers!
For some time now, I have been contemplating this issue, can we hack back the hackers? As someone who plays on both sides of the cyber security ping pong match, I've wondered whether I can use my hacking skills in self-defense of my clients. As a result, I put together a somewhat academic article exploring the legalities and justifications for "hacking the hacker." I hope you will bear with me and give this a read, then give me your thoughts and opinions.
With each day dawning comes new cyber attacks. No one is immune from these attacks; national governments, corporations, and individuals are all vulnerable to these attacks and they seem to be accelerating as our world becomes increasingly dependent upon digital means of functioning. In a era where nearly every aspect of our lives has a digital component, this shouldn't come as any surprise.
Despite the fact that our defenses have become increasingly forbidding (next generation firewalls, IDSs, etc.), the number and severity of these attacks continue to increase. Unfortunately, these attacks are likely to continue and accelerate because of the following.
Maybe Its Time for a New Approach
Within the IT security industry, the subject has been breached in recent years as to the legality and legitimacy of "hacking the hacker" during or after an attack. Some argue that this is the legal equivalent of self-defense. In this article, I would like to explore this concept and legality of "hacking the hacker" as the digital equivalent of self-defense.
The Natural Law of Self-Defense
Probably from the very time that humans first aggregated into clans and communities, there has been a recognized natural law of self-defense. In simple terms this law says, "If you attack me or mine, I have the right to defend myself, which may include exacting violence upon you." This natural law has been codified within nearly every culture and legal system around the world. It existed in ancient Rome (in the concept of protecting domus or home) and within the English common law system for centuries. It existed for centuries before being codified as judges simply recognized the inherent "common sense" in this natural law. England's and the English speaking world's most noted and esteemed legal scholar, William Blackstone, wrote in his Commentaries (1765-1769):
"Self-defence, therefore, as it is justly called the primary law of nature, so it is not, neither can it be in fact, taken away by the law of society. In the English law particularly it is held an excuse for breaches of the peace, nay even for homicide itself: but care must be taken, that the resistance does not exceed the bounds of mere defence and prevention."
Note that Blackstone says that this is such a "primary law of nature" that it cannot be "taken away by the law of society."
Outside the Western world, the principle of self-defense has been recognized as well and in some cases, with much more leniency and leeway. In some cases, the right to self-defense may be limited by the minimum amount of force necessary to stop the crime, but in the People's Republic of China in 2009, a case was ruled as justifiable homicide when a robber was killed who was trying to escape. The court ruled that the homicide was justified as "self defense" because "the robbery was still in progress."
It goes without saying then, I believe, that a right of self-defense is a well established principle in nearly every culture.
The question I want to address here then is, "Can we apply this universal and natural law and principles to our digital world of the 21st century?"
The Argument for Digital Self-Defense
Some have argued then that since this natural law is nearly universally recognized, we can apply it to our digital domains and it would have a positive effect on the safety and security of our digital domains.
The arguments goes something like this; if the hackers believed that they might be met with an attack upon themselves, they are more likely to be reluctant and hesitant to attack innocent institutions, individuals, and governments. Just like in the widely held principle self-defense to your person and property, an attacker has to consider not only how self-defense might impact their probability of success, but also whether self-defense might lead to the exercise of violence and damage upon their person and property. In our physical world, self-defense can lead to the manslaughter of the attacker and the victim will bear no legal liability as such manslaughter justified. In some cases, this might give the attacker pause... at least, once.
Let's try to make this more concrete in our physical world. Take for instance the case of a street thief. He is much less likely to attack a very large, muscular victim who appears possibly armed than an innocent, frail, unarmed victim. Why? because of the possibility that he might become the victim. This isn't just an estimation of the possibility of success, but also the possibility that they themselves might become damaged in the attack. Couldn't this same principle apply to cyber security as well as the street?
Some would argue that self-defense only applies to stopping the attack, but if the hackers have entered our property and stolen our assets, then the attack is still "in progress," to borrow the words of the Chinese jurist. As such, self-defense would still be a legitimate defense as long as the attackers are in possession of our property (data).
Application of Self-Defense in Cyber Security
Imagine a scenario in the near future, where our neighborhood cyber crime gang is contemplating an attack upon an innocent institution. They know that that same institution has at its disposal a group of well-armed, "gun-slinging" hackers. That same institution was recently hacked and the self-defense hackers not only responded with their own attack, deleting data on the cyber thieves' hard drives, but also then DoSing them so that they could no longer access the Internet. Would they think twice before going after them?
For those of you who are scholars of the history of the American West (or at least American westerns), you are probably aware that there was a time not too long ago when the American West was a lawless land, often referred to as the "Wild West." If you have seen any American western movies (Butch Cassidy and the Sundance Kid, among many others of this genre), I think you know what I mean.
I don't think it's much of a metaphorical stretch to see our current circumstances in the cyber world as "Wild and Lawless Cyberland" similar to the "Wild West" of the 19th century. At that time, many businesses—most notably the railroads—found it extremely difficult to operate their businesses in such an lawless environment. Eventually, they settled upon a solution: the Pinkertons.
The Pinkertons were a private law enforcement agency that the railroads and others hired to secure their assets and operations. Eventually, these Pinkertons were able to drastically reduce crime in the lawless West. Maybe, it's time we have the cyber equivalent of the Pinkertons. These "cyber Pinkertons" would discourage hackers from attacking our valuable assets and businesses by launching cyber counterattacks.
Attribution for the Attack
Even if the cyber security industry adopts a concept of "cyber security self-defense" where counterattacks are legitimized, there will still be the key issue of attribution. In other words, who and where are the attackers. If you have ever investigated the attribution of an attack, you know what I am talking about. The hackers/attackers often use proxies between themselves and the victim, so tracing an IP address can be problematic. This in itself may be the greatest impediment to the "hack the hacker" self-defense.
What do you think? Should the hacker be subject to a counter-hack?
If nothing else, this might open new employment opportunities for you, my novice hackers.
Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.
17 Comments
I could envision something like a beefed-up honeypot or IDS that instead of just detecting intrusions would infect or even cause damage. Like ultra cyber booby-traps.
But your scenario crosses the line from self-defense to vigilante justice. It's one thing to shut down an attack in progress. It's another to actively pursue and then punish someone after they've withdrawn. So if someone runs up and shoots my friend, and I grab my gun, drive after them and kill them, I can't claim self-defense. I'll be convicted of homicide.
The Pinkertons are actually kind of a great example of how it can go wrong -- yeah, they provided safety for railroad passengers. But they also spent several decades brutally squashing labor disputes. They were accused several times of planting evidence and inciting violence for their own gain. How long before counter-attackers start crossing their own lines?
I think a better deterrent is to give more resources towards apprehending hackers. The big guy on the cyber street doesn't have muscles; he has resources. If I'm going to hack someone, it'll be my dumb neighbor or some local business, not the NSA.
Unless you're a high profile target, the burden is often on the victim to pursue and investigate a cyber attack. Forensic investigators cost a lot of money. Local LE often don't know how to handle these types of crimes, and it's harder for them to secure warrants and subpoena data.
If I managed to hack into the NSA's network, I know that they will use whatever means necessary to track me down and put me in prison. That scares me, so I won't do that. We just need to give little guys the same shot at protecting themselves, so they can be a little scarier, too.
In my opinion it is the best way to stop for example creators of malware. Hacking spam domains, IRCs that are used to rule the botnet, identity thiefs should be treated as real world CTF for good hackers.
Hey,
You raise there a few interesting questions. And here goes my opinions:
"Can we apply this universal and natural law and principles to our digital world of the 21st century?".
"Would they think twice before going after them?"
"Cyber Pinkertons"?
Should the hacker be subject to a counter hack?
Cheers
*hurt, not hurted. (sorry, i'm a grammar nazi, and that was just irking right there at me lmao.)
Ohhhh go "natzi" on my bytes XD
Thanks and point them out any time, I'm not English native but I care about "my " grammar.
Cheers
Hey, no problem :) I'm more than happy to help out. And also, for your native language not being English, that was some damn fine grammar!
In my limited experience of criminal law I always believed that you were allowed to use reasonable force to defend yourself, family and property during the commission of a crime. The case of the Norfolk farmer Tony Martin is a case in point; despite being alone in an isolated, rural farmhouse that had been burgled several times he was found guilty of murder (later reduced to manslaughter on the grounds of diminished responsibility) after shooting and killing a burglar. The deciding factor of the case was the fact the burglar was shot in the back whilst fleeing the farm.
In the context of OTW's point this raises the question 'at what point does the crime, in this case the hacking of your system, cease?' Can you take active measures to screw over a hacker during the course of their hack, but then be considered the aggressor for using such measures after subsequently tracking them down?
I think it will take a long time for modern legal concepts to be codified in such a way as to apply to digital crime. In the meantime, the comparison to the Wild West seems apposite; just make sure you are the Pale Rider.
I think we should be incredibly careful about anything to do with legality and cyber security. People in office and people who work in law often have a big fear for those who have somewhat superpowers in hacking; and thus prosecute harshly. You'd be better of just retaliating anonymously and being glad that you did a good deed. They would unlikely pursue a lead where somebody rings up 911 and says "I run a botnet that ciphens money and DDOS's large corporations and somebody hacked me. Help!"
-As a common point that fame out of this discussion, I also think that hacking back shouldn't be legale as self-defensez because it does not stop the attack nor protects you. But if it did, why not?
-This might work with people that can afford it. There will always be some poor target that can't fight back.
I have never thought about this as self-defense. Always open new horizons and never stop asking I guess.
That'll teach those blackhats a lesson !!;);)
Very interesting reading
I think it depends on if you have the money to pay somebody to trace the intruder, or trust the authorities to do it for you.
If you don't, but have the ability yourself, why not?
As others have stated above; they're probably not going to call the authorities on you if you do hack back.
This might be the only option you have to get your stolen data back.
blackhat are dangerous not just virtually but physically too(except those fighting against government claiming for freedom or any other reason), they got criminal mind and equipment(power,guns,employees(murders and so on), its ok for them when we just stop them from a successful hacking in our clients company, but i think if we start to hack back(deleting files,ddos and so on) we might be in a situation where we will be exposed as victims in the real life, they will search for us, coz hackin them back will piss them off...
This is true, and I agree in full. Hacking can be a very very dangerous game.
Speaking from a current victim of relentless hacking- no it's better described as stalking. It has caused me an enormous amount of anger, pain, depression, anxiety, fear.... My job is at stake now and my college degree I was getting close to finally obtaining is now rubbage. I am a single working mother of a terrible twos toddler. The time I lost with her i can't live with it any longer. I need professional hacker level advice. No tech around here sees it. This person had full access of my machine
And it's been over 6 months! I am trying to learn I know it is remote and coming through some kind of tunnel adapter. He has taken full access of my PC well 2 of them at least as owner and has all permissions under his user id. Heck even my antivirus I paid for has a fake icon, it does not let me control anything and my online degree is counting on this to get fixed. I wanted a life for my daughter and I. I've lost over 7 months of pictures of my baby. I think my anger has made me this revengeful but enough is enough and I have suffered emotional trauma from this experience that will take years to recover from! I am a fighter I want my life back and I need help from people on his level. My job is about to demote me... Things can't get worse so f it! I want to hunt this hacker and start fresh. Please anyone with time to send me some suggestions or advice. It's not detectable to the average wanna be techs. They over charge and don't know jack. So here I am wanting to hunt the hunter or hack my hacker... Well really I want to just put an end to my nightmare
Say these stinky e-pinkertons knew the best defense was being offensive. What would that look like? Could they have a way to be alerted that a orginization is being cased for vulnerabilities? Then maybe is it easier to identify a proxy and hone in on the source as it is occuring or fire a shot over the bow of the proxy its self? Sinking the battleship and yahtzee and all that? I don't know much I am just spitballing. Perhaps as Watson has come up with ways of profiling and flagging potential rapists there is a way to create a most lilkely to be wanted to be wanted if ever found out list and just send the fear of god into their digital lives they are so wound up in chasing a phantom that they don't carry out attacks.
It always confounded me that law enforcement did not do potential victim profiles as well as offender because one without the other is absurd! There has to be some statistical analysis cause people love that shit.
Then, what could these attack victims do to show they have adapted aggressive responses to e-boundaries being violated will be met by an e-cock knocking like they have never known. I doubt that is a color scheme that indicates venomous cookies. What if we did to catch a hacker set ups, or fake scared straight public shamings where people are shown paraded through the streets who got caught ddos their high school get feces thrown at them while a cutaway to a discord with all their most respected hacker icons are loling and also secretly shaking in their boots then all take out the kali linux usb and throw it in the trash and pick up a bible instead? I'd love to brainstorm with anyone with the technical knowhow to get shit accomplished wants to join my stinky e-pinkerton goon-squad and come up with a power point and go out and find us some victims pre profiled and show em what e-vigilanteism looks like on the digital western front. Now I gotta go see a man about a horse and mosey on out. Yee haw little doggies.
Is there no present company that employes "white hat" hackers that can save me from learning a new skill set that I probably can't afford and will probably be infiltrated by these bastards with nothing better to do than cause chaos? No offense to anybody btw.
Share Your Thoughts