First, a quick summary of the issues (as I see them) with legal individual counterattacks on compromised machines:
- There are too many possibilities for abuse. Logs can be faked and counter-accusations made, and we would quickly be lost in a mire of global legal action. There are no standards or controls on admins, and nothing to prove or disprove any allegations made. This leads to a "Dodge City" of sorts, where everyone has weapons and the only rule of law is strength and skill. As appealing as this may sound to some people, it is not the internet that I want to live in.
- The possibility of error is high, especially with inexperienced administrators. Correctly identifying the source of an attack can be difficult. For Nimda, finding the source of the attack is simple; in the future, it may not be. This leads to inadvertent illegal action by the administrator in the event of a "hackback". Worse, if a third party becomes involved because of this "hackback", there could be a cascade of attacks and counterattacks that could disrupt service on a much larger scale.
- Even if the attacks were legal in the admin's location, the physical location of a target machine is often in doubt. Thus, the definition of "legal" would have to include most of the countries in the world, which would be a difficult (if not impossible) task. Without everyone's approval, this could become a source of international incidents.
However, I think there might be a solution to this particular problem. I would propose a neutrally based, not-for-profit, open-logs, open-standards group that actively "counter-secures", preserves evidence, and notifies both the owner and the proper authorities when compromised machines are dealt with. Let's deal with these stipulations one at a time.
Neutrally based: This means, quite frankly, placing said organization in a nation or location where the efforts by the group would not be illegal. Another consideration would be a location that could resist some international pressure, including pressure from the United States. That is no mean feat. Sealand/HavenCo might be an option, except that their Acceptable Use Policy forbids this kind of activity. If an agreement could not be reached, then something else would have to be arranged. A small recognized nation would also be an option; Switzerland would be the traditional choice but they seem to frown on hacking as well.
There are other location considerations beyond local legalities. For example, the law of the sea could conceivably be used against a non-national or semi-national location based in international waters. It isn't hard to imagine the high-seas provisions of Part VII of the UN Convention on the Law of the Sea, whether the piracy articles (100 to 107) or Article 109 on unauthorized broadcasting from the high seas, being interpreted to cover hackback activities.
Another issue is Internet access security. If an organization were to engage in "lawful hacking", such as in a hackback scenario, it is almost guaranteed that some people and governments will not see it that way. There are two methods of dealing with this that I can see. One is to place the organization at a central hub for Internet connectivity, such that a disruption in service to the organization would have impacts on the Internet as a whole, thus discouraging direct attack (either physical or technological). The second is to maintain the organization's reputation such that there is no justified cause for such an action (see the paragraph on open standards).
The purpose of the neutral base should be obvious. It prevents any hint of governmental pressure, any hint of financial pressure from the surrounding locales, and isolates the organization from legal pressure. In many respects, the reasons for choosing such a location are the same reasons that apply to a location like Sealand/HavenCo. However, in this case it is even more important for the organization to appear neutral, because there can be no appearance of favoritism; it would drastically undermine the mission of the organization.
Not for Profit: The organization would have to be completely financially independent, and not have any profit motive whatsoever. The best idea I can think of along these lines would be to operate like a private college, on a large endowment. The proceeds of the endowment would fund the operations of the organization, while the endowment itself would be invested and managed much like other endowments. Additional endowments could be accepted at any time; the key is that under this system the organization never relies on investors or supporters of any kind for day-to-day operations.
Where the seed money would come from is a tough, tough question. I think the best way to do it would be for the organization to make money itself (by providing secure colocation, etc). That probably wouldn't be enough, so monies from interested 3rd parties would be accepted, on the condition that the donation was fully disclosed. This would prevent all but the most cynical from claiming that any particular supplier has undue influence over the operations; after the donation is made, the donor has little influence over the money supplied from the endowment fund (although they did increase the fund). Should the organization have an issue with the donor in some way, the funds remain with the organization (although the organization would be unlikely to receive more funding in this case).
All financial records of the organization should be public knowledge, preventing any chance of a misrepresentation or any hint of an improper supply of money that could influence the organization in performing its duties.
These financial stipulations are required for the organization to maintain its neutrality. Without open accounting records and a non-profit design, the organization would leave itself open to all kinds of accusations about undue influence. Better to avoid that from the start, and lay everything where the world can see and judge for itself.
Open Logs: Everything the organization does on the internet is logged in detail, and exposed to the global public at large. The public should be able to see that the machines targeted do, in fact, meet the requirements specified in the open standards established by the organization, and that only the necessary steps were taken to disable the compromised machine. This step is required to keep things honest and above board.
Now, when you have a group of security experts working day in and day out cracking into actively compromised machines to disable them, you are going to have the problem of how to log reliably and in a trustworthy manner. Redundant logs, both local and remote, are only the beginning. There would have to be an overwatch organization of some sort to actively monitor the logging process for tampering of any kind; a "checks and balances" arrangement. How exactly this would work I don't know. Perhaps any interested third party would be free to monitor the logging process at any time, and to examine the software and the process for any hint of tampering. Alternatively, there could be an oversight organization of some sort, separate and distinct from the group doing the "ethical cracking".
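One concrete way to give third parties something to check is to make the operations log tamper-evident: every record commits to the hash of the record before it, and the organization regularly publishes the hash of the latest record (to the overwatch body, or to anyone who asks). The following is an added example written for this page, not code from the original post or from any actual organization; the log entries are constructed sample data with a documentation-range IP address, and the record format is an assumption.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional

# Hash chain starts from a fixed, well-known value.
GENESIS = "0" * 64

# Constructed sample entries: what an operator might record while disabling
# a compromised host. The address is from the 198.51.100.0/24 documentation range.
SAMPLE_ENTRIES = [
    {"seq": 1, "target": "198.51.100.23", "action": "scan",
     "evidence": "TCP/80 responds with Nimda probe signature"},
    {"seq": 2, "target": "198.51.100.23", "action": "enter-backdoor",
     "evidence": "root.exe present, used to obtain shell"},
    {"seq": 3, "target": "198.51.100.23", "action": "disable-service",
     "evidence": "IIS stopped; owner and abuse contact notified"},
]


def _digest(prev_hash: str, entry: Dict) -> str:
    # Canonical JSON so the same entry always produces the same hash.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class ChainedLog:
    """Append-only log in which every record commits to the previous record."""

    def __init__(self) -> None:
        self.records: List[Dict] = []

    def append(self, entry: Dict) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        h = _digest(prev, entry)
        self.records.append({"prev": prev, "entry": entry, "hash": h})
        return h

    def head(self) -> str:
        # This is the value the organization publishes after each run.
        return self.records[-1]["hash"] if self.records else GENESIS


def verify(records: List[Dict], published_head: str) -> Optional[int]:
    """Return None if the chain is intact and ends at published_head.

    Otherwise return the index of the first record that fails, or
    len(records) if every record checks out but the chain ends short
    of the published head (i.e. trailing records were dropped)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or _digest(prev, rec["entry"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    if prev != published_head:
        return len(records)
    return None


def build_sample_log() -> ChainedLog:
    log = ChainedLog()
    for entry in SAMPLE_ENTRIES:
        log.append(entry)
    return log


def demo() -> Dict[str, Optional[int]]:
    """Exercise the verifier against an intact log and three kinds of tampering."""
    log = build_sample_log()
    head = log.head()
    records = log.records

    # Someone rewrites what was done in step 2 after the fact.
    edited = copy.deepcopy(records)
    edited[1]["entry"]["action"] = "scan"
    # The final record is quietly removed.
    truncated = records[:-1]
    # A middle record is removed and the rest left in place.
    dropped = [records[0], records[2]]

    return {
        "intact": verify(records, head),        # None
        "edited": verify(edited, head),         # 1
        "truncated": verify(truncated, head),   # 2
        "dropped": verify(dropped, head),       # 1
    }


if __name__ == "__main__":
    print(demo())
```

The published head is what makes this useful: anyone holding it can detect an edited, dropped or truncated record without trusting the operators, which is exactly the "any interested third party can monitor" arrangement proposed above. Without the head being published somewhere the operators cannot rewrite, an insider with write access could simply recompute the whole chain, so the chain alone is not enough.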
Open Standards: This is the really tricky part. How would you set up standards for oversight? For target machine identification? For dealing with political issues? For dealing with the inevitable mistakes?
There would obviously have to be some sort of consensus on what the rules would be. What constitutes "ethical cracking?" Entering through an installed backdoor and disabling the vulnerable services? Probably okay. Cracking into a machine suspected of being a launching point for further cracking attacks? Not too likely as an ethical target. What about cracking machines that are being utilized as part of a DDoS? What about cracking machines that are known warez servers?
Could the group even accept complaints? How would it deal fairly with them? How would one make the procedure for dealing with a large-scale problem like Nimda fast enough to avoid serious internet issues? What about responding to RIAA complaints about warez or p2p servers? Would such an organization serve the purpose of the recently proposed law? What about copyright violations in general?
This is an interesting idea to me, and one that doesn't seem to have been fully explored. Nothing that I read during a bit of research on the subject suggested that this had ever been tried, at least openly. I think the key issue revolves around what rights the owner of a compromised machine has. If someone is using your house to store smuggled weapons, it reduces your rights versus the police, American or otherwise. Could the same argument be made for a supranational, independent Internet Police? Maybe so. Could an "internet endangerment" charge be used against people who legally control compromised servers? Would something like this work?