Congressman Introduces Bill That Would Allow Victims To 'Hack Back' After Attacks

Zarathustra[H]

Techdirt has the, well, the dirt, on some very early stage legislation working its way through Congress. It would give victims of hacking legal protection to hack their attackers back.

When I first read this article, I got a bad vibe from it, as it sounded like vigilante justice, but apparently the law would ban revenge attacks. Hacking your attacker back would only be allowed in order to collect evidence and identify them. I'd have to wonder, would this evidence even be admissible in court? I'd imagine not.

"Empowering individuals" through federal law can go sideways in a flash. The second half of Graves' statement is better. A conversation does need to take place about responses to security breaches and attacks. But that conversation shouldn't start until those wishing to speak up start doing a much better job locking down their digital valuables. Offense is more fun to play than defense, but defense is where it all should start.
 
Oh I can see this going very very wrong.

So I attack some schmo from Pocono cause I spotted him bragging here on the [H] how he was going to hack the shit out of any script kiddies that came sniffing around his shit.

But I make my attack look like it came from the NSA ........... :sneaky: :whistle:
 
It should be noted that evidence gathering during an attack is very time sensitive, and if anyone here even thinks a competent IT/security employee doesn't try to track down an attack with whatever tools they have at hand then they are fooling themselves. It seems to me that this is more a legislative tool to allow evidence from this process to be introduced as evidence.

The only real concern I have is (1) whether the person really is competent enough to identify the real culprit and (2) whether the court is competent enough.
 
The irony in this law is 99.95% of the people who are hacked don't have the technical know-how to track back their attackers and attack them back.

I mean how many people, once they realize they might have been hacked, have tools like Fiddler or regChange to examine IP packets and registry changes? And that's only on the standard web. If they hide on the dark web, it's that much worse.

You could do a spear-phishing attack. But the offender has to leave a valid email he might use that would be subject to spear attacks. Personally I still use old command line Linux "mail" when reading some emails. That's just a binary dump of text that isn't subject to MIME/HTML/Adobe exploits.

I'm not saying it can't be done. But if you can hack back, you're likely doing this for a living.
 
It should be noted that evidence gathering during an attack is very time sensitive, and if anyone here even thinks a competent IT/security employee doesn't try to track down an attack with whatever tools they have at hand then they are fooling themselves. It seems to me that this is more a legislative tool to allow evidence from this process to be introduced as evidence.

The only real concern I have is (1) whether the person really is competent enough to identify the real culprit and (2) whether the court is competent enough.


You are correct and what lawyer won't tear this guy's evidence up in court? If the guy doing the "counter-hacking" investigation isn't a serious bona-fide IT pro, his evidence is garbage so this legislation is mostly garbage.
 
You are correct and what lawyer won't tear this guy's evidence up in court? If the guy doing the "counter-hacking" investigation isn't a serious bona-fide IT pro, his evidence is garbage so this legislation is mostly garbage.

And even a step further. Frank hacks Dave. Dave counter hacks Frank to collect evidence, Frank knows better and data of the breach is well recorded. Dave cannot prove he was hacked by Frank, but Frank is able to prove the counter attack and files charges.
 
You are correct and what lawyer won't tear this guy's evidence up in court? If the guy doing the "counter-hacking" investigation isn't a serious bona-fide IT pro, his evidence is garbage so this legislation is mostly garbage.


Even if the counter-hacker is an IT pro, collecting evidence by hacking without a warrant? I'd think that would be thrown out in a hurry.
 
What could possibly go wrong? This will simply be used to justify hacking by making the victim appear the one who started it. This is tantamount to, and encourages, planting evidence. Edit: one too many be's around simply
 
"Cool can hack back CIA and NSA, FSA, and Mi5, etc, really cool idea."
 
 
Even if the counter-hacker is an IT pro, collecting evidence by hacking without a warrant? I'd think that would be thrown out in a hurry.


Umm, private citizens don't need a warrant for anything ever. Warrants protect citizens from the man, not from each other. Laws do that, and this one is supposed to be a hall pass.
 
"Cool can hack back CIA and NSA, FSA, and Mi5, etc, really cool idea."


Na, they have that angle covered.

The laws don't actually call it hacking. The laws call it unauthorized access, etc.

Those 3 letter agencies are doing authorized work. See it's not you and I that decide what is and isn't authorized.
 
Kind of reminds me of "Why don't we let American citizens sue countries that carry out terrorist attacks on them"

What it won't allow is retribution and revenge, which may come as a disappointment to those who have been brutally breached.

(ii) does not include conduct that—
(I) destroys the information stored on a computers of another;
(II) causes physical injury to another person; or
(III) creates a threat to the public health or safety

For the most part, doesn't that describe the initial hack?

Don't forget we already have basic laws that deal with hacking, just no one enforces them:

18 U.S. Code § 1030

Sub Section (5)

  • (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
  • (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
  • (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss
 
Doesn't go far enough. I'd prefer drone strikes on hackers :nailbiting:
 
Umm, private citizens don't need a warrant for anything ever. Warrants protect citizens from the man, not from each other. Laws do that, and this one is supposed to be a hall pass.


True, but if you as a private citizen - say - record someone's phone conversation with you without their knowledge and consent, that is typically inadmissible in court.
 
True, but if you as a private citizen - say - record someone's phone conversation with you without their knowledge and consent, that is typically inadmissible in court.

I can't say. And if it is true/accurate, I don't know the reason why?

But if we go 80 years with this being the case, and then pass a new law explicitly allowing this activity, it stands to reason the courts might have to take another look at the legal standing of such evidence.

Things change.

And sometimes they don't. You could be right, it wouldn't be the first time "feel good" legislation got crushed by reality.
 
True, but if you as a private citizen - say - record someone's phone conversation with you without their knowledge and consent, that is typically inadmissible in court.

Depends on the state. Some states have laws where both parties must consent to the recording; other states only require one party's consent.
 
Maybe we can also make it legal to rob a robber?
Maybe banks can go track down thieves, go to their house and clean them out?
 
Even if the counter-hacker is an IT pro, collecting evidence by hacking without a warrant? I'd think that would be thrown out in a hurry.
Police need warrants, not private citizens.
True, but if you as a private citizen - say - record someone's phone conversation with you without their knowledge and consent, that is typically inadmissible in court.
If a state allows single party consent then recorded conversations would be allowed. Many states require both parties' consent, however, so the evidence isn't allowed into the courtroom because it's *illegal.* If you have Congress clarifying something as legal the courts would let it in.
 
Maybe this would allow "privateers" legally. Like back when the US was a fresh young country without much of a Navy. Think of the possibilities. Blackwater-style IT companies.
 
Considering all the CIA's tools to basically frame someone else as the cyber attacker have been released for a while now, this makes perfect sense. Someone can fake being attacked by you and they go to town scot-free. Or frame you for attacking some banks and sic them on you.
 