• United States

Don’t hack back

May 06, 20032 mins

* Reasons why you shouldn’t launch a hacker counterattack

There’s a longstanding debate, mostly underground and informal, about how satisfying it would be to strike back at criminal hackers, industrial spies, saboteurs and other baddies who have the nerve to attack our systems.

People have speculated about counter-flooding, using buffer-overflow attacks, sending “explosive” HTML code that could cause system freezes, and so on. Much of this talk is really just good-natured fun – more along the lines of “wouldn’t it be nice if” than actually serious proposals for corporate responses.

But to be absolutely sure that all of the readers of this column, at least, have a chance to think about it, let me flatly state that any such counterattacks are to be formally forbidden by corporate policy.

Firstly, although I am not a lawyer and this is not legal advice (for legal advice, consult an attorney with appropriate expertise), as far as I know there is absolutely no waiver in U.S. law which would exculpate anyone who gains unauthorized access to other people’s computer systems. In particular, the Computer Fraud and Abuse Act of 1986, the Unlawful Access to Stored Communications Act, and the Electronic Communications Privacy Act of 1986 do not make any allowance for revenge attacks. Investigation of such crimes (the revenge attacks) could involve seizure of equipment as evidence.

Secondly, because IPv4 provides inadequate authentication of packets, it is difficult or impossible to prove the exact origin of denial-of-service attack packets or even of packet streams used in attack sessions. Attacking the wrong target would be an unmitigated disaster.

Thirdly, many attackers subvert poorly secured intermediary systems to launch their attacks; attacking these hosts would damage other victims but cause no direct harm to the real attackers.

Fourthly, unauthorized penetration of anyone’s computer systems and networks can lead to civil lawsuits for damages; even if the lawsuits are unsuccessful, they can rack up expensive attorneys’ fees and also cause expensive computer equipment to be seized as evidence under subpoena.

No, although it might seem like a satisfying tactic that would be the geek equivalent of innumerable Steven Seagal and Jean-Claude Van Damme movies, trying to strike back at attackers through illegal means is a thoroughly bad idea.