Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Hacker vs. Counter-Hacker — a Legal Debate

timothy posted about a year ago | from the shhh-this-is-the-conspiracy-room dept.

Crime 182

Freddybear writes "If your computer has been cracked and subverted for use by a botnet or other remote-access attack, is it legal for you to hack back into the system from which the attack originated? Over the last couple of years three legal scholars and bloggers have debated the question on The Volokh Conspiracy weblog. The linked webpage collects that debate into a coherent document. 'The debaters are:

  • Stewart Baker, a former official at the National Security Agency and the Department of Homeland Security, a partner at Steptoe & Johnson with a large cybersecurity practice. Stewart Baker makes the policy case for counterhacking and challenges the traditional view of what remedies are authorized by the language of the CFAA.
  • Orin Kerr, Fred C. Stevenson Research Professor of Law at George Washington School of Law, a former computer crimes prosecutor, and one of the most respected computer crime scholars. Orin Kerr defends the traditional view of the Act against both Stewart Baker and Eugene Volokh.
  • Eugene Volokh, Gary T. Schwartz Professor of Law at UCLA School of Law, founder of the Volokh Conspiracy, and a sophisticated technology lawyer, presents a challenge grounded in common law understandings of trespass and tort.'"

cancel ×

182 comments

Sorry! There are no comments related to the filter you selected.

Retaliation (5, Interesting)

Anonymous Coward | about a year ago | (#42021049)

Is there any way to know if you're retaliating against the correct target?

Re:Retaliation (2)

FriendlyLurker (50431) | about a year ago | (#42021357)

Is there any way to know if you're retaliating against the correct target?

Does "hack back into the system from which the attack originated" == "retaliating against" or is it merely investigation into the perpetrators?

Considering many bot nets are state run (think wikileaks take-downs) Id venture that the answer official will always be "No, do not investigate [our possible] botnet activity"

Re:Retaliation (1)

Onymous Coward (97719) | about a year ago | (#42021505)

Does "hack back into the system from which the attack originated" == "retaliating against" or is it merely investigation into the perpetrators?

If going into another's system is intruding on someone's privacy (regardless if it's a "guilty" party) it is not investigation without impact.

Re:Retaliation (1)

newcastlejon (1483695) | about a year ago | (#42022413)

Is there any way to know if you're retaliating against the correct target?

Does "hack back into the system from which the attack originated" == "retaliating against" or is it merely investigation into the perpetrators?

That depends. Are you only looking?

Re:Retaliation (1)

Anonymous Coward | about a year ago | (#42021561)

Not easily. The commercial botnets typically use a command-and-control structure with various proxies or zombied hosts in between the attacker and the victim. Tracing or cracking one's way back through the botnet can often cause more damange to the intermediate hosts than the botnet is causing.

Re:Retaliation (3, Interesting)

Freddybear (1805256) | about a year ago | (#42021975)

At least some of the argument in TFA assumes that the botnet's toolkit has itself been cracked and exploits are available making it possible to turn the tables on the botnet controllers. That may be a rather large assumption, even just for the sake of the argument.

Re:Retaliation (1)

Smallpond (221300) | about a year ago | (#42021989)

Not easily. The commercial botnets typically use a command-and-control structure with various proxies or zombied hosts in between the attacker and the victim. Tracing or cracking one's way back through the botnet can often cause more damange to the intermediate hosts than the botnet is causing.

BS. What "damage" will it cause?

Re:Retaliation (1)

tibman (623933) | about a year ago | (#42022515)

Damage to the botnet is "good".

Re:Retaliation (2)

Onymous Coward (97719) | about a year ago | (#42022127)

This concern is one of the fundamental issues to consider in discussing philosophy of "violence". Another is what degree of force is appropriate.

Thinking on these things and recognizing that people make mistakes in both action and perception, and that people often have a tendency to perceive malice from others, it seems that there's a positive bias for violence. That is, "violence begets violence".

Similarly to how servers on the net should be conservative in what they do, liberal in what they accept [wikipedia.org] , and how this maximizes smooth interoperation, humans should minimize the appearance or effect of harm to others and maximize tolerance of injury from others to negate the aforementioned spiraling violence bias. Though this philosophy is hard to swallow for people with chips on their shoulders. (Probably already victims of injury.)

Re:Retaliation (3, Interesting)

utkonos (2104836) | about 2 years ago | (#42023043)

10 times out of 10, if you hack into the system where the attack is coming from, you will be hacking into a system owned by an innocent third party that was also hacked. You are then violating that party a second time. Lets take a more concerning scenario: You discover an attack that is originating from a competitor. You hack back into their system. This situation can only end badly. First, if they were responsible you have now spoiled evidence. Second, if they are not responsible and were also hacked as a jumping off point, you now have hacked into a competitor's system and compromised them. You should now have to pay damages because they have not way to tell that you didn't steal their corporate secrets while you were there in their system.

Who cares? (1)

Anonymous Coward | about a year ago | (#42021051)

I mean, really. "Is it feasible" is the question for nerds.

Re:Who cares? (4, Interesting)

Daniel Dvorkin (106857) | about a year ago | (#42021583)

You may not have noticed this (yet) but nerds are not above the law. "Can I do this?" is obviously the first question a nerd should ask in a situation like this. "Will I go to prison for doing this?" should be a close second.

Re:Who cares? (4, Insightful)

Smallpond (221300) | about a year ago | (#42022005)

"...No ethically-trained software engineer would ever consent to write a DestroyBaghdad procedure. Basic professional ethics would instead require him to write a DestroyCity procedure, to which Baghdad could be given as a parameter." -- Nathaniel Borenstein

Re:Who cares? (1)

newcastlejon (1483695) | about a year ago | (#42022465)

You seem to be confusing nerds with lawyers.
*Rimshot*

Re:Who cares? (2)

budgenator (254554) | about 2 years ago | (#42023091)

So if I was checking my Email, and found this phishing email in it specifically asking me to send information like name, address, social security number ect to them; would it be wrong of me to write a program that sends them a tetrabytes of names, addresses, social secrurity numbers, credit card numbers, all sliced and diced into uselessness?

Vigilante Justice (5, Interesting)

Anonymous Coward | about a year ago | (#42021085)

Is vigilante justice legal? No. Is self defense legal? Yes. What is what? Depends on the judge.

Re:Vigilante Justice (1)

murder_face (2574275) | about a year ago | (#42021371)

I didn't really have time to RTFA, but self-defense sounds good. Or if you were to be charged, is there a such thing as electronic "mutual combat"?

Re:Vigilante Justice (3, Insightful)

Firethorn (177587) | about a year ago | (#42021639)

The problem here is that self defense is legal in context of preventing harm to yourself - typically this means your body. You're not allowed to attack somebody for busting up your car with a hammer, for example.

Except for their lagging behind, as far as I'm concerned any retaliatory measures should be done by the police, or if the attack originates in a country that doesn't cooperate with your police, the military.

IE You're in the USA:
hack comes from within the USA - FBI, ie federal police. If if comes from next door, local police
Hack comes from, say, Australia - The FBI contacts their counterparts there and the investigation continues
From a country without formal legal agreements - Interpol assists
From a hostile country, such as North Korea? Military, maybe.

Re:Vigilante Justice (2)

ILMTitan (1345975) | about a year ago | (#42021861)

That is not true. You are allowed to use degrees of non-lethal force (such as a fist) to defend your property.

From the Wikipedia article on self-defense:
"The ownership and possession of property confer a certain right to defend that possession, [including] a defense of it which results in an assault and battery, and that which results in the destruction of the means used to invade and interfere with that possession."[4]
People v. Kane, 131 N.Y. 111 (142 N.Y. 366, 37 N.E. 104)

Re:Vigilante Justice (1)

Firethorn (177587) | about 2 years ago | (#42023115)

That is not true. You are allowed to use degrees of non-lethal force (such as a fist) to defend your property.

I don't know about you, but I'm not going up against somebody with a hammer with my bare fists. Even then the police recommend calling them over intervening.

Re:Vigilante Justice (1)

ILMTitan (1345975) | about 2 years ago | (#42023233)

What is a good idea and what is legal are two entirely separate things. You are allowed to defend your property with non-lethal force. Whether you should is not something my post attempted to address.

Re:Vigilante Justice (1)

jhoegl (638955) | about a year ago | (#42021873)

I disagree, being hacked is a psychological attack on a person, and therefore can be defended against.

Re:Vigilante Justice (0)

Anonymous Coward | about 2 years ago | (#42023007)

I disagree, being hacked is a psychological attack on a person, and therefore can be defended against.

In that case so is fraud - in fact so is verbally assaulting them...

Not a good argument to make.

Re:Vigilante Justice (2)

Firethorn (177587) | about 2 years ago | (#42023133)

As the AC mentioned, that leads to you being able to use force against a fraudster, which in the real world would land you in prison along with him.

For that matter, robbing your house could be considered a psychological attack compared with hacking a computer system.

My core point was that counter-hacking can't be considered under the same context as self-defense statutes, because generally speaking there's nobody's body on the line.

Re:Vigilante Justice (1)

AK Marc (707885) | about a year ago | (#42022021)

In Texas, if someone is letting the air out of your tires (at night), you may shoot them in the back (some restrictions may apply).

Also, most places (not just Texas) allow for a reasonable response. You are allowed to raise your arms to attempt to deflect an incoming blow, even if that block causes the attacker harm. The attacking the body analogy you used is inappropriate, as you noted they aren't attacking your body, but you aren't attacking their body back. A better analogy is that if someone is smashing up your car with a hammer, are you allowed to insert a sword between the hammer and your car with the attempt of blocking the blow and expecting the collateral damage of the sword damaging the attacker's hammer?

Re:Vigilante Justice (1)

Firethorn (177587) | about 2 years ago | (#42023101)

You misunderstood me. Murderface proposed using self-defense clauses to excuse the counter-hacking. I disagreed - you're only allowed to commit harm, legally, in self defense. This doesn't qualify as self defense, because there's no bodily harm involved.

Thus raising your arms to deflect a blow, or even raising a metallic object to help block at the cost of your attacker's hand is perfectly legal - because blocking the blow is blocking injury, and you're allowed to use force in that case anyways - you'd be allowed to punch back, or even shoot them in some areas/cases.

In many areas if somebody is attacking your property with a weapon, yes, you're allowed to try to make them stop. But this generally involves restraint, and you're really supposed to just contact the police because intervening can result in it becoming a lethal situation(hammer can easily be a lethal weapon).

Re:Vigilante Justice (3, Insightful)

hobarrera (2008506) | about a year ago | (#42022645)

This isn't really self defense; your actions didn't PREVENT harm from ocurring to you, this was rather vendetta: he did X to me, I did it back.
I don't think this should be legal, because it could escalate into cyber-wars. Much like you can't steal something that was stolen from you in the first place - you can't take justice into your own hands.

Re:Vigilante Justice (2)

BronsCon (927697) | about 2 years ago | (#42023421)

If the retaliation occurs after the fact, this is correct; however, if the retaliation occurs while the instigating attack is ongoing, you are preventing [further] harm by putting an end to the offending party's ability to attack. That's textbook self defense [which does allow for use of nonlethal force and destruction of the means used to carry out the attack in cases where one is defending their property].

Yes. It Is Legal. (0)

zenlessyank (748553) | about a year ago | (#42021091)

Just like capital punishment is legal. Normally, it is illegal to kill someone, unless that person is a proven murderer. Then, a normally illegal act is legal. Don't really see the difference here. Case closed.

Re:Yes. It Is Legal. (1)

Arancaytar (966377) | about a year ago | (#42021391)

unless that person is a proven murderer. Then, a normally illegal act is legal.

Try getting out of a murder conviction by telling the judge your victim was a proven murderer, so killing the victim was legal.

See how that works out.

Re:Yes. It Is Legal. (1)

PPH (736903) | about a year ago | (#42021501)

Depends on the circumstances (and jurisdiction). The 'proven murderer' isn't the key*. What is important is whether you reasonably felt your life or property (or those of a bystander) to be in immediate jeopardy. If so, open fire, or take whatever measures are necessary to stop the threat. It tends to work out fine in most places in the USA.

*You can't reasonably be expected to know an attacker's state of mind or criminal history.

Re:Yes. It Is Legal. (1)

Smallpond (221300) | about a year ago | (#42022063)

If the guy was in the act of murdering your family I'd say it would work out pretty well. Don't forget that the purpose of the reverse hacking is to stop a crime in progress.

Robber vs Counter-Robber (5, Insightful)

ryanmc1 (682957) | about a year ago | (#42021093)

Just change it to this
""If your house has been robbed, is it legal for you to break into the other persons house and steal your stuff back?"

Re:Robber vs Counter-Robber (1)

Anonymous Coward | about a year ago | (#42021165)

Poor analogy:

*Generally nothing has been taken. Instead, they are using your equipment.
*Even in the case where something is taken, it's just copied, not removed from your possession. You can't break in and 'get your stuff back' because it was never taken away. And you also can't break in and erase it because it's been copied since.

A better analogy is someone breaks into your house, reads all your personal information, and sets up a war dialer on your phone line. Do you have the right to break into their garage and destroy their car so they lack the means to get back to your house again?

Re:Robber vs Counter-Robber (0)

Anonymous Coward | about a year ago | (#42021287)

no , but if they come back i would take a baseball bat to their car!

Re:Robber vs Counter-Robber (3, Insightful)

Anonymous Coward | about a year ago | (#42021341)

No, the analogy is good, you're reading it too literally. The question is not whether hacking equals robbing, but whether being wronged gives you authority to retaliate in the same way against the other party, regardless of the actual way you've been wronged. This is something that most legal systems in the world usually explicitly disallow: if an act is against the law when done against you, it is still against the law if you do it in retaliation against the offending party.

Re:Robber vs Counter-Robber (0)

Anonymous Coward | about a year ago | (#42022479)

Two wrongs don't make a right. Got it.

Control is lost (1)

Sarten-X (1102295) | about a year ago | (#42021381)

Control is taken, and usually cannot be recovered. Control over one's identity is extremely valuable, as maintaining that control allows one to also maintain control over one's finances and reputation, and in turn that affects one's control over the record of their history, which can heavily influence later abilities.

Re:Control is lost (1)

icebike (68054) | about a year ago | (#42021511)

Control is taken, and usually cannot be recovered. Control over one's identity is extremely valuable, as maintaining that control allows one to also maintain control over one's finances and reputation, and in turn that affects one's control over the record of their history, which can heavily influence later abilities.

Clearly.

But counter attacks do nothing toward maintaining said control.
Once your dark dirty secrets are out in the open, all the attacks in the world won't put the Genie back in the bottle.

Re:Robber vs Counter-Robber (0)

Anonymous Coward | about a year ago | (#42021457)

Poor analogy: Generally nothing has been taken. Instead, they are using your equipment. Even in the case where something is taken, it's just copied, not removed from your possession.

What if the hacker has been deleting your files?
What if the hacker gets access to your bank account?
What if the hacker makes you go above your download limit and you get an higher bill from your ISP?
What if the hacker makes your disk spin at a trillion rpm and puts your house on fire?

Re:Robber vs Counter-Robber (1)

icebike (68054) | about a year ago | (#42021487)

*Even in the case where something is taken, it's just copied, not removed from your possession. You can't break in and 'get your stuff back' because it was never taken away. And you also can't break in and erase it because it's been copied since.

There are documents/data items where mere possession constitutes a huge advantage for the attacker.
Not everyone is out to steal your porn collection.
(Trade secrets, bank accounts, computer code, hidden treasure maps, what ever).

In such cases the counter attack is not designed to "take back", but rather identify the attacker such that you can
take steps to prevent the use/sale of such information.

Like unringing a bell, failure to do this very quickly pretty much obviates the need to do it at all. Once your treasure map is in the open, the Streisand Effect will have people with shovels all over your island beach.

Failing to prevent damage, the only other use of a counter attack is to seek judicial revenge. Its doubtful whether any information you find by such methods would be admissible.

Of course one can't rule out seeking raw revenge on a personal level, but in such cases all pretense of legality go out the window.

Re:Robber vs Counter-Robber (-1)

Anonymous Coward | about a year ago | (#42021565)

Poor analogy: *Generally nothing has been taken. Instead, they are using your equipment.

Pardon me while I rape your wife. You weren't using her at the moment anyway.

Re:Robber vs Counter-Robber (0)

xstonedogx (814876) | about a year ago | (#42021811)

This may come as a shock, but some of us actually talk to flesh and blood women. We don't have wives who can be raped via botnet.

(Maybe I'm feeding a troll, but I just couldn't resist... ;) )

Re:Robber vs Counter-Robber (1, Funny)

AK Marc (707885) | about a year ago | (#42022037)

So I should disconnect my wife from the Internet-connected Rape-o-tron?

Re:Robber vs Counter-Robber (1)

hobarrera (2008506) | about a year ago | (#42022667)

Ok then, let's put it this way:

"If someone breaks into your house and uses your living room to have dinner, is it legal for you to go over to their house and do them same."?

Obligatory MAFIAA retort (0)

Anonymous Coward | about 2 years ago | (#42022897)

*Generally nothing has been taken. Instead, they are using your equipment.
*Even in the case where something is taken, it's just copied, not removed from your possession.

Try convincing the courts that this is true. The media industries have spent billions of dollars on tens-of-thousands of cases to convince the public and the courts that the above is real, actual robbery.

Re:Robber vs Counter-Robber (0)

Anonymous Coward | about 2 years ago | (#42023015)

> Do you have the right to break into their garage and destroy their car so they lack the means to get back to your house again?
Yes. If I could accurately discover who did this, I would; that person deserves to have their physical things, or even professional lives ruined.

They crossed a line; they crossed and broke social contract. They lose.

Re:Robber vs Counter-Robber (1)

russotto (537200) | about a year ago | (#42021245)

Just change it to this
""If your house has been robbed, is it legal for you to break into the other persons house and steal your stuff back?"

Doesn't help; that's not a simple question either. The answer is sometimes and in some places yes, other times and in other places no.

Personally I'm all for self-help because the courts are useless for actual redress of small grievances; by the time you've gotten through the process, you'll have cost yourself more than letting the issue pass, and likely have lost anyway. Assuming you can get the government interested in doing anything at all, which in the case of stolen property is small and in the case of breaking into your personal computer is miniscule.

Re:Robber vs Counter-Robber (1)

Sarten-X (1102295) | about a year ago | (#42021321)

A question of legality depends heavily on the location, time, and far more other circumstances... let's reduce it to morality, instead.

On the one hand, you have "an eye for an eye", where it's allowed to return in kind any grievance, such as a hack's damage to one's reputation and possible loss of control over one's identity. On the other hand, you have "two wrongs don't make a right", where it's best to let society's authorities deal appropriate punishments to serve justice, and everyone leaves unhappy, but fairly so.

These two viewpoints have been debated for several millenia already, with religions and political systems growing up around various interpretations of each ideal. Throwing a computer into the mix and using new words doesn't change the underlying philosophical debate, and certainly won't ever bring it to an end.

Re:Robber vs Counter-Robber (4, Funny)

Fnord666 (889225) | about a year ago | (#42021963)

Throwing a computer into the mix and using new words doesn't change the underlying philosophical debate, and certainly won't ever bring it to an end.

True, but apparently it does mean that I can patent it!

Re:Robber vs Counter-Robber (1)

grantspassalan (2531078) | about a year ago | (#42022519)

The idea for an “eye for an eye” comes from the Bible. It is given as a limiting condition on the human propensity to escalate a pattern of revenge into a Hatfields versus McCoys perpetual feud. The Bible teaches that humans taking revenge is against God's law. (Romans 12:19) Vengeance never fixes the original wrong. A computer is only a tool and its use indeed does not enter into the equation at all.

Re:Robber vs Counter-Robber (1)

Bengie (1121981) | about a year ago | (#42021443)

A house is just property, a computer can be a proxy of one's self and actually do actions on your behalf. It's more like a person attacking you and fighting back at that person that someone breaking into your house then you breaking into their house.

Re:Robber vs Counter-Robber (1)

Neil_Brown (1568845) | about a year ago | (#42021535)

""If your house has been robbed, is it legal for you to break into the other persons house and steal your stuff back?"

As long as you do not cause damage, it is probably not a criminal offence under English law; it is more likely to amount to trespass, which is a tort. If the thief wishes to sue you, he /she is welcome, and I doubt a court would look favourably on it.

Re:Robber vs Counter-Robber (0)

Anonymous Coward | about a year ago | (#42021699)

Apparently it is
link [tumblr.com]

Re:Robber vs Counter-Robber (1)

DriedClexler (814907) | about a year ago | (#42021783)

Oooh! Analogy refinement! I like this!

He's my first improvement:

"If you detect someone robbing your home, is it legal for you to follow them back to where they came from and place a bad-luck curse on it that residence/business that causes all kinds of things there to go wrong?"

[assuming such curses are possible]

Re:Robber vs Counter-Robber (1)

AK Marc (707885) | about a year ago | (#42022055)

If someone is breaking into your house and you see their car parked outside, and it's otherwise illegal to place a GPS transmitter on someone else's car, can you place a GPS transmitter on their car to help determine their identity and contact information so you can help enforcement against them?

Re:Robber vs Counter-Robber (0)

Anonymous Coward | about a year ago | (#42021997)

No. Just, no. A computer is a tool, a house is a place of residence where someone actually lives. Go through the proper legal channels if it comes down to it.

Jesus, what the hell.

Re:Robber vs Counter-Robber (1)

Turminder Xuss (2726733) | about a year ago | (#42022035)

What if you just leave a nice juicy looking file of credit card details injected with poison on your kitchen table and a robber breaks in and steals it ?

Re:Robber vs Counter-Robber (1)

Zadaz (950521) | about a year ago | (#42022187)

An alternate analogy with a completely different answer:

If you're being physically attacked, is it legal for you to use physical force to defend yourself?

(Or should you only be allowed to use purely defensive measures and call the cops, who will do nothing.)

Re:Robber vs Counter-Robber (1)

r1_97 (462992) | about 2 years ago | (#42023359)

Brings to mind OJ.

"Take em' down", I say! (2)

patchouly (1755506) | about a year ago | (#42021095)

I look at it as using "reasonable force" to end an attack. If someone is hacking your computer, you have the right to get in there a mess up their computer, to protect yours.

Re:"Take em' down", I say! (2, Informative)

Anonymous Coward | about a year ago | (#42021135)

That's not reasonable force when the alternative is to block the act through some other non-aggressive means. And as the AC poster above suggests, you don't know you are retaliating against the correct target.

Re:"Take em' down", I say! (1)

AK Marc (707885) | about a year ago | (#42022067)

You can end the attack at any time by pulling the plug on your computer (Ethernet or power, either works). So attacking someone else is not required to end the attack.

Re:"Take em' down", I say! (1)

hobarrera (2008506) | about a year ago | (#42022693)

This is too extreme. That's like saying "I can prevent people from stealing my golden watch by leaving it at home".
Closing the appropiate ports may be saner.

Re:"Take em' down", I say! (1)

hobarrera (2008506) | about a year ago | (#42022679)

Closing the port they're using to access your computer(s) is way easier. Attacking them is actually aggressive.

....on the gripping hand (4, Funny)

russotto (537200) | about a year ago | (#42021119)

How can I possibly be responsible if conflicting botnets are duking it out through my thoroughly pwned computer? That's my story and I'm sticking to it.

Is it legal for you to steal your stuff back ? (0)

Anonymous Coward | about a year ago | (#42021129)

Is it legal for you to steal your stuff back from a robber?
Can you carjack a carjacker if (s)he is driving your car?
Same applies here

Re:Is it legal for you to steal your stuff back ? (1)

Anonymous Coward | about a year ago | (#42021209)

Is it carjacking to carjack your stolen car?

0.0 -.- 0.0 -.- 0.0

that's not a rhetorical question, I really don't know. If I where on the jury, I think my response would be "good for you, acquitted."

Re:Is it legal for you to steal your stuff back ? (1)

FatdogHaiku (978357) | about a year ago | (#42021415)

Is it legal for you to steal your stuff back from a robber?
Can you carjack a carjacker if (s)he is driving your car?
Same applies here

Doesn't this concept validate everything the *IAA does in attempting to control use of their "IP"?
If MY 0's and 1's are steal-able stuff then THEIR 0's and 1's are the same...
Not real wild about that idea.

Re:Is it legal for you to steal your stuff back ? (1)

Neil_Brown (1568845) | about a year ago | (#42021497)

If MY 0's and 1's are steal-able stuff then THEIR 0's and 1's are the same...

The difference, to my mind, is that theft applies to property (at least, it does under English law), and I'd argue [slashdot.org] that a 0s and 1s are not capable of being property. Their order may be capable of protection, as copyright, but, in this case, it is the copyright which is owned, not the underlying sequence of bits.

Re:Is it legal for you to steal your stuff back ? (1)

FatdogHaiku (978357) | about a year ago | (#42022003)

I would tend to agree with you about the theft issue. But it still leaves the whole "ownership of information" in the murk. If I had the right to pursue someone digitally back to the system used to copy "my" data (i.e. "my IP") and then possibly take action against what I deem to be the offending system, what kind of power would that convey to any commercial rights holder seeking the source of, say, shared files? To my mind, the concept of justified retaliatory action is not even a slippery slope, it's a cliff...

Re:Is it legal for you to steal your stuff back ? (1)

Neil_Brown (1568845) | about a year ago | (#42021463)

Is it legal for you to steal your stuff back from a robber?

Under English law, you cannot steal something which belongs to you — theft [legislation.gov.uk] is the dishonest appropriation of property belonging to another with intention to permanently deprive.

Re:Is it legal for you to steal your stuff back ? (1)

Daniel Dvorkin (106857) | about a year ago | (#42021635)

But I'll bet breaking and entering is still illegal, even if the only reason you do it is to get your stuff back.

Re:Is it legal for you to steal your stuff back ? (1)

Neil_Brown (1568845) | about a year ago | (#42021715)

But I'll bet breaking and entering is still illegal,

I am not aware of a crime of "breaking and entering" under English law — it's possible that there is one which I have not come across, of course.

The nearest I know is the crime of burglary [legislation.gov.uk] — which is, in effect, trespass plus theft (or a number of other crimes, including rape and criminal damage, depending on whether the relevant intention is there). However, if the only act upon entering the premises is the removal of one's own property, the second part is not made out, so it remains just trespass.

It's a grey subject (0)

Anonymous Coward | about a year ago | (#42021219)

Your computer is infected with ransomware, all your documents are encrypted which can only be recovered if you pay out $40. You visit the attackers payment web page, notice it's based on an open source CMS that you're familiar with. You try the default admin credentials and they work, you can now get the decryption key free. Did you just break the law? What if you modify the site to give out all decryption keys for free? What if you remotely decrypt an uninstall the malware from all victim computers?

Someone sends your boss a PDF file infected with a virus. The antivirus catches it, but you want to know who sent the attack, you run the PDF inside a virtual machine with some infected PDFs of your own that are configured to beacon back to a server you control. The attack downloads one of your PDF files and you start receiving beacons from a competitor. Did you just hack them? What if the PDF had an EULA for the malware in it? If you embed MP3 files in the PDF can you send the RIAA after them?

co3Fk (-1)

Anonymous Coward | about a year ago | (#42021227)

Legal? Probably not. (1)

roc97007 (608802) | about a year ago | (#42021259)

Moral? An argument could be made.

No (2)

dcollins117 (1267462) | about a year ago | (#42021363)

"If your computer has been cracked and subverted for use by a botnet or other remote-access attack, is it legal for you to hack back into the system from which the attack originated?"

Heavens, no. It is not. Next question.

The trouble with analogy (3, Interesting)

Animats (122034) | about a year ago | (#42021475)

The legal arguments are interesting. It's amusing to see lawyers struggle with reasoning through analogy. They're trying to hammer property law, trespass law and assault law into covering this, and it's not working.

In almost all modern online attacks, the immediate source of the the attack is a machine owned by an innocent third party. While this is common online, it is a rare situation in the physical world. It can come up in auto repossessions where the repossession was not legally authorized, the repossession agent reasonably believed that it was, and the vehicle owner resisted. Most states have specific laws in that area, and repossession agents are limited in what they can do. [westcoastbk.com]

Let's do some comparisons (2)

davidwr (791652) | about a year ago | (#42021555)

If someone steals your car and drive it to land they own, do you have the right to trespass onto it to get your car back? If you see them driving it away in a tow truck, do you have the right to shoot out the tires of the tow truck if you can do so without causing losses to third parties? Do you have the right to shoot the driver of the tow truck? If the car thief is driving your car away, do you have the right to shoot out the tires if it won't damage third parties? Do you have the right to shoot the driver if third parties won't be hurt?

Perhaps a more important question: Should you have these rights?

Re:Let's do some comparisons (1)

Neil_Brown (1568845) | about a year ago | (#42021589)

If someone steals your car and drive it to land they own, do you have the right to trespass onto it to get your car back?

Perhaps a fussy point but, if you have a right to be on the land, you cannot be trespassing. Even if you did trespass on the land, what is the likelihood of a court finding that you were trespassing and, even if it did, what would the likely measure of damages be?

Re:Let's do some comparisons (2)

RobertLTux (260313) | about a year ago | (#42021803)

thats when you flag down the nearest Disco Car and explain things quickly then they can have more Disco Cars help as needed so the guy can be fitted for nice Shiny Bracelets.

Self Help (0)

Anonymous Coward | about a year ago | (#42021617)

The concept of self help in law is that one can not apply self help. The idea is that one is supposed to go through the proper complaint process and let the law and the courts dtermine the validity of the claim and the degree of remedy. The exception is immediate danger of death or great physical harm. One can defend against an attack in progress by a person using violence. But preventative or retaliatory actions are usually criminal acts. So the history of law would be against allowing someone to hack to punish or track a supposed violator.

Re:Self Help (1)

tibman (623933) | about a year ago | (#42022567)

So, where are the internet cops?

...What a Stupid Question. (5, Insightful)

bistromath007 (1253428) | about a year ago | (#42021621)

Of course it isn't. The only time something that's normally a crime isn't is when violence is self-defense. Absolutely nothing else in our system of law has a "he started it" defense. Leaving aside that no judge is going to accept that hacking is violence without legislative action that will never happen, the normal standards of self-defense could still never apply. Given that you can't know you've been hacked until after it's done, it would instead be retaliatory, which is naughty.

Some people above are debating whether stealing stolen stuff is a crime. The answer is: it's not stealing. That is still your stuff. If somebody grabs your shit right off your person, that's also assault, so you're free to tackle them to get it back. If they steal it off a table or something, you might have more of a problem; you're still not stealing, but depending on where you live and whether the prosecutor's got a bug up his ass, using force to retrieve your stuff might get you in trouble. Same for carjacking your stolen car, and if you don't somehow do it the same time it happens to you, I imagine using a gun like that would at least get you arrested anywhere, in court anywhere but Texas, and convicted anywhere north of the Mason-Dixon line.

The larger point here: hacking is not exactly the same as assault, theft, or trespass, and applying the same logic to it is something almost any good judge would refuse to do for fear of unintended consequences. For instance: since you don't know who's hacking you until you've checked them out, if you counter-hack them, you might wind up hacking the police. That's kind of a good thing from a civil rights standpoint, as it means they are on the same level as us, bound by the same natural consequences of their actions, but hacking the police would only be legal in a goddamn utopia. Furthermore, counter-hacking might theoretically lead you to the wrong person if you're not as skilled as your attacker. While this is not the reason trespass is illegal, one can easily imagine trying to steal your stuff back and getting the wrong house, and that's when you're looking for a physical location which you know is associated with a specific person. With counter-hacking, you're looking for a computer somewhere which may or may not belong to your attacker which may or may not have PID stored that is legitimately associated with said bastard.

So, the whole argument boils down to this: hacking is hacking. It is not other activities, and cannot be usefully treated as similar to other crimes. The closest other thing is wiretapping, and nobody asks if it's okay to do that in a retaliatory fashion. Because of historical computer culture stuff, it might be argued that hacking shouldn't always be illegal, but currently it is, so that is the very obvious answer to the original question of this article. They should've been asking "should counter-hacking be legal," and because of the potential for harm to uninvolved third parties, I am kind of surprised to find myself saying that it should definitely not be. Counter-hacking should never happen without a warrant, and evidence gathered by it needs to be scrutinized very closely to make sure the right guy is caught.

Re:...What a Stupid Question. (-1)

Anonymous Coward | about a year ago | (#42022363)

Let me start with, you seem well read, and IANAL.

But you're still an idiot. And you're still materially wrong. In almost every analysis.

The grace is you aren't wholly wrong. You're just an idiot because you're a true believer in pacifism.

Absolutely nothing else in our system of law has a "he started it" defense.

- Except for the existing docrine of fighting words.
- Except for historic, but no longer existing doctrines permitting dualing, or the concept of 'reasonable courage'
- Except for the thing you cited right before that... self defense, which necessitates reasonable force. Sometimes. In some states.
- Except for in defense of others.
- Except for in defense of your own property, or your neighbor's property in some states.
- Except for pretty much any state with a stand-you-ground law.
- Except for the ...I think 42 odd states with castle doctrine, when on your property
- Except for at least 600 years of common law, where all I have to show is that there was nowhere to retreat to, or that they were armed with a ranged weapon

Okay, so we've established you're a liar or a fool. I'm betting on the latter, but I'm still willing to concede you might be a liar.

If someone grabs stuff off your person, it is not assault. Necessarily. It probably came with assault --but the grabbing shit off of you ... is not.

Assault is (basically) when I do something that would cause a reasonable person to fear for their safety of body, and posess the means to carry through with it. Basically -- it's when I draw my fist back threatening to punch you, but not the actual punch itself -- although if I do punch you, you almost certainly reasonably fear for your safety.

And half the idiots that toss the word assault around don't have the first clue what it actually is.

Also -- if you're an LP person, and you tackle me, in most states you're going to be fired on the spot, and the amublance chasers will be checking to see if your employer or yourself missed a single training course indicating never to do that... because they'll lose everything they have. If the employer screwed up -- I'm rich! If you screwed up, you're fired, and your wages garnished...forever.

For the record, "stealing" isn't a legal term I've ever seen codified in anything I've ever reviewed, going back to...'recent antiquity' -- but it might be out there somewher.

Hacking isn't the same thing as "assault, theft, or trespass"...yes, there's some progress at last ijn that reasoning. It's not needed though.

"Stealing" isn't the same thing as "mugging", "carjacking", "burgling", "robbery" or.... Any of the other crimes that get correlated with them such as battery, assault, breaking and entering, possession of burglar's tools, home invasion ...

Consequences happen when applying analogies poorly, sometimes they're the best we can do.

Hacking isn't at all like wiretapping, unless you're just putting a keylogger into things, and even then it's substantially different -- a court authorized wiretrap has a chain of custody. My keylogger on your desktop probably doesn't.

The notion of a warrant is frankly... insane. And irrelevant. Once you've broken into the computer you've already irrevocably damaged any sort of chain of custody unless you're implicitly trusted and take steps to maintain it. If you could break into it, it's proof that anyone else could have too -- so now you have to establish you're the only person in the computer. In general, this is...provably impossible from a computational perspective -- but the law wouldn't want to catch up with that proof.

Everyone but Volokh overlooked some of the fairly obvious cases (and risks).

Suppose I counterhack and take down a hospital computer...

But similarly -- let's take a very real example with pacemakers--they're computers, they can be hacked. It's been demosntrated. So have insulin pumps. Okay, we've established a computer hack has the capability to KILL.

If I know beyond a doubt that someone down the hall is hacking my pacemaker, attempting to deliver a lethal voltage -- would I be justified in use of lethal force to stop them? If I would be justified in shooting them, how could I *not* be justified in merely hacking them?

If I had the capacity to do both, I might even be required by law to do so -- given that would be the minimal force necessary to remove the threat.

And while you are correct in being concerned about the innocent being harmed -- it's immaterial. Whether the computer belongs to the attacker or not is ... specious.

If somebody ransoms your kid and to get him back you have to break into my place -- I can still shoot you. You might get some sympathy in the trial if you live. Similarly, if your computer is hijacked and it's coming at my pacemaker... I don't care if it's acting as a proxy for a criminal or not. In some states your computer is already forfeit to me if I catch you. Your computer is a witness to a crime. It's evidence.

The most you might have is that by counterhacking, I risk destroying evidence. But...since it's a counterhack, my actions are to prevent imminent harm, possible loss of property or life... Sucks to be you--should've ran better AV.

Really, what it's going to come down to is... we have laws for this. The computer parts should be codified a bit better because it is *SO* trivial to impersonate stuff... but even those parts are handled.

If someone is shooting at me, I can legally shoot back. If they impersonate you, and I shoot back at you -- I'm in a lot of trouble. So are they if they get caught. For that reason you might desire policy against it -- it's hard to find originators on the internet. But it's not...impossible. Particularly in the cases of RATS and exfiltrated data, it's far more likely that I am firing back at a proxy or agent than an innocent, but impersonated party.

And if you're acting as a proxy or agent, even unwittingly... you really aren't all that innocent.

Re:...What a Stupid Question. (2)

bistromath007 (1253428) | about a year ago | (#42022509)

Your ability to not-read what I wrote and still read a whole bunch of extra words into it is a truly astonishing talent. I can tell that you didn't really read it due to one simple error: when I talked about self-defense, you failed to notice that I said nothing else has a "he started it" defense. With the exception of "fighting words," which is a very weak defense where it exists, and defense of property, which is explicitly not a defense in more backward locales, everything you mentioned in your tirade was a sub-set of self-defense. So, my statement stands. There is nothing criminal, except for violence, which becomes legal when somebody else does it to you. The fact that I addressed some entirely morally defensible uses of force which would, in some areas, be illegal, should've tipped you off that I'm on your side of that debate, which remains largely irrelevant to the issue at hand.

Perhaps people who are actually pacifist idiots would listen to you more often if you weren't such a zealot that it impaired your reading comprehension.

Re:...What a Stupid Question. (0)

Anonymous Coward | about a year ago | (#42022677)

too many line breaks.
tl;dr

Re:...What a Stupid Question. (0)

Anonymous Coward | about a year ago | (#42022615)

Do you really think that your ramblings off the top of your head, as a non-lawyer, are better than the research the 3 experts in the article have been doing for years? Anyone in the legal community would know that Eugene Volokh and Orin Kerr are not as dumb as you think they are.

Re:...What a Stupid Question. (0)

Anonymous Coward | about 2 years ago | (#42023361)

Of course it isn't. The only time something that's normally a crime isn't is when violence is self-defense. Absolutely nothing else in our system of law has a "he started it" defense.

Your first point is wrong. You might get away with stealing a car if you needed it to get to the hospital after you had been shot - not violence. You would probably have to pay for the car somehow, but you could avoid criminal prosecution. You can also use violence as a defense of others and non-lethal force in defense of property. Another time when something that is normally a crime is not, is if you are declarred temporary insane. The list goes on.

Simple question (1)

Todd Knarr (15451) | about a year ago | (#42021683)

"If someone breaks into my computer system, is it legal for me to break into his?". OK, rephrase it: "If someone breaks into my house, it is legal for me to break into his?". Answer the second, you've answered the first.

Re:Simple question (1)

Neil_Brown (1568845) | about a year ago | (#42021743)

If someone breaks into my house, it is legal for me to break into his?

Illegal, no, but potentially something for which the aggrieved party could sue you if s/he could prove damage? (From an English law point of view.)

Re:Simple question (1)

AK Marc (707885) | about a year ago | (#42022199)

The fuzzy issue is that his break-in into your house was burglary, but your break-in is not. Why not? Because part of the definition is that you must be doing something otherwise illegal, or else it's just simple trespass. And simple trespass isn't so simple if you remove the breaking-in component to clarify the situation.

If you followed the burglar home and he placed all your stolen items in his back yard, behind an unlocked gate with a "no trespassing" sign on it, is it illegal for you to enter the yard to retrieve your belongings?

irrelevant in the most cases (2)

allo (1728082) | about a year ago | (#42021713)

in most cases you do not have a chance to successfully "hack back" anyway. The typical hacker victim is much more vulnerable than the typical hacker himself.

MITM (1)

gmuslera (3436) | about a year ago | (#42021883)

The one in the middle with no clue on security will be used by the bad ones and destroyed by the good ones? Odds are high that you will hit an innocent (or at least, clueless) bystander. From his point of view, both sides are evil ones.

In the other hand, **AA may not hack, but instead sue those people serving as proxy, maybe attacking them will prevent far bigger economical damages if they get sued (and that, without going to the "intelligence" agencies that could attribute to such proxies as originators of cyberterrorism in a near future).

I Stole From The Hulk (0)

Anonymous Coward | about a year ago | (#42021923)

Curious - Say I (the attacker) steal a piece of gum from the Incredible Hulk (the victim). I run away through a crowded shopping mall (a web server belonging to a financial service organization). The Hulk gives chase, destroying stores and injuring bystanders (millions in damages, downtime), while I cleverly dash through maintenance back routes and such. I escape, but the Hulk indeed discovers my wallet (evidence) left at the scene.

How much can the mall sue the Hulk for? And if the wallet was but a fake wallet, does the Hulk smash more stores? Show your work. (Just kidding, but I do enjoy the many issues addressed here)

How about a case study from the early 2000s (2)

dpidcoe (2606549) | about a year ago | (#42022249)

Back when highspeed internet wasn't as ubiquitous as it is today, I remember a friend on IRC who owned a computer shop telling me some stories of counter hacking. I have no idea how legit the following story is since I wasn't actually there for any of it, and I'm fuzzy on a lot of the details since it was related to me nearly 10 years ago. Despite all that, I think it has some relevance in that it's an easy target to pick specifics from and discuss them, rather than having to rely on sketchy car analogies

He had been doing a virus removal on a customers PC on a slow day, and decided to run some network monitoring tools on it first. He instantly noticed traffic to an IRC server, recorded the details, then attempted to connect to it. It wouldn't let him in at first, but eventually he got around that by changing the version string on his normal IRC client in order to mimic what the virused computer was replying to. He found some hundred or so zombie machines sitting in a channel, renamed himself to something similar to the naming convention of the rest of the zombie machines, then let it sit for a few days.

Eventually he checked his logs and saw the hacker logging in to the server and running various commands on the botnet. Upon closer inspection, he realized that the hackers IP address matched that of the IRC server. That made him think that the guy must have been dumb and was hosting it from his own connection (definitely a possibility in the early 2000s), so he scrolled through his logs some more and found instances of the hacker giving commands to ddos various targets. At that point my friend claims to have directed the botnet to ddos the IP of the IRC server they were connected to. It subsequently went down, leaving the hacker with no way to control the botnet anymore.

Again, I have no idea how much of that story is true, however it still makes a good example to pick at in regards to legality of counter hacking. I would argue that up until he ordered the botnet to attack its controller, everything was perfectly legal.

Re:How about a case study from the early 2000s (0)

Anonymous Coward | about 2 years ago | (#42023107)

Again, I have no idea how much of that story is true, however it still makes a good example to pick at in regards to legality of counter hacking. I would argue that up until he ordered the botnet to attack its controller, everything was perfectly legal.

Yeah. Afterwards, though... isn't saying something in IRC protected speech? :3

A more relevant question (0)

Anonymous Coward | about 2 years ago | (#42023071)

Q: Is it legal to steal someone's grow op?

A: No, but they'd have to be incredibly stupid to report you to the police.

Seriously, if you report a hacking attack, you're going to have your computers inspected to gather evidence. Personally, if I were running a botnet, that's the last thing I'd want.

So I can retaliate? (0)

Anonymous Coward | about 2 years ago | (#42023375)

Sony put a root kit on my computer.
EA sold me a crappy game with crappy DRM that screwed with my computer.

So I can retaliate?

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>