Kuro5hin.org: technology and culture, from the trenches

Hackback, Inc

By aetius3 in Internet
Sat Aug 03, 2002 at 05:25:47 PM EST
Tags: Security (all tags)

Security Focus's Tim Mullen recently wrote this story about his demonstration of a "hackback", or a counterattack against a compromised machine that is attacking his network. Some of the comments posted on the site make pretty much the standard arguments. While I disagree with him that counterattacks of this nature by individuals are a good thing, it got me thinking.

First, a quick summary of the issues (as I see them) with legal individual counterattacks on compromised machines:

  • There are too many possibilities for abuse. Logs can be faked, counter-accusations made, and we are quickly lost in a mire of global legal action. There are no standards or controls on admins, nothing to prove or disprove any allegations made. This leads to a "Dodge City" of sorts, where all have weapons and the only rule of law is strength and skill. As appealing as this may sound to some people, it is not the internet that I want to live in.
  • The possibility of error is high, especially with inexperienced administrators. Correctly identifying the source of an attack can be difficult. For Nimda, finding the source of the attack is simple; in the future, it may not be. This leads to inadvertent illegal action by the administrator in the event of a "hackback". Worse, if a third party becomes involved due to this "hackback", there could be a cascade effect of attacks and counterattacks that could disrupt service on a much larger scale.
  • Even if the attacks were legal in the admin's location, the physical location of a target machine is often in doubt. Thus, the definition of "legal" would have to include most of the countries in the world, which would be a difficult (if not impossible) task. Without everyone's approval, this could become a source of international incidents.
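Why the source is easy to find for a worm like Nimda, as an added example that is not part of the original article: the infected host makes ordinary TCP connections to port 80, so its probes land in the victim's web server log under its real address. The script below parses Apache combined-format access log lines (the sample lines are constructed for this example, not taken from any real server) and lists the hosts that sent the worm's characteristic root.exe/cmd.exe probe requests.

```python
"""Pick Nimda probes out of web-server access logs and attribute them to source hosts."""
import re
from collections import Counter

# Apache/NCSA "combined" log line: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Nimda's IIS probes request root.exe (a backdoor copy of cmd.exe left by earlier IIS worms)
# or cmd.exe itself, usually through a directory-traversal path, with the argument "?/c+dir".
# The probe paths listed in CERT Advisory CA-2001-26 all end this way, so one pattern suffices.
NIMDA_RE = re.compile(r"(?:root|cmd)\.exe\?/c\+dir", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_nimda_probe(entry):
    return entry["method"].upper() == "GET" and NIMDA_RE.search(entry["path"]) is not None


def nimda_sources(lines, min_probes=2):
    """Return {source_ip: probe_count} for hosts that sent at least min_probes Nimda probes.

    The source address is trustworthy here: the worm completes a TCP handshake with the
    web server, so it has to use an address it can actually receive on. A spoofed UDP
    flood gives you no such guarantee, which is where source identification gets hard."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_nimda_probe(entry):
            counts[entry["host"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_probes}


# Constructed sample lines (documentation address ranges, not real hosts): two infected
# hosts probing, ordinary browsing traffic, one lone probe below the threshold, and junk.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2001:13:05:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
203.0.113.7 - - [18/Sep/2001:13:05:11 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
203.0.113.7 - - [18/Sep/2001:13:05:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
198.51.100.4 - - [18/Sep/2001:13:06:01 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.4 - - [18/Sep/2001:13:06:02 -0400] "GET /images/logo.gif HTTP/1.1" 200 2381 "http://example.com/" "Mozilla/4.0"
192.0.2.55 - - [18/Sep/2001:13:07:40 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.0.2.55 - - [18/Sep/2001:13:07:40 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
198.51.100.9 - - [18/Sep/2001:13:09:15 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
this line is not a log entry at all
"""

if __name__ == "__main__":
    for ip, n in sorted(nimda_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}\t{n} Nimda probes")
```

The threshold matters: a single matching request could be a curious human or a scanner, whereas the worm fires its whole probe list at each target, so repeated hits from one address are the signal. The hard case the article alludes to is the opposite one, a flood with forged source addresses, where the field this script trusts is whatever the attacker chose to write into it.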

However, I think there might be a solution to this particular problem. I would propose a neutrally based, not-for-profit, open logs, open standards group that actively "counter-secures", preserves evidence, and notifies both the owner and the proper authorities when compromised machines are dealt with. Let's deal with these stipulations one at a time.

Neutrally based: This means, quite frankly, placing said organization in a nation or location where the efforts by the group would not be illegal. Another consideration would be a location that could resist some international pressure, including pressure from the United States. That is no mean feat. Sealand/HavenCo might be an option, except that their Acceptable Use Policy forbids this kind of activity. If an agreement could not be reached, then something else would have to be arranged. A small recognized nation would also be an option; Switzerland would be the traditional choice but they seem to frown on hacking as well.

There are other location considerations beyond local legalities. For example, sea-going piracy laws could conceivably be used against a non-national or semi-national location based in international waters. It isn't hard to imagine that Part VII, Article 109 of the UN Convention on the Law of the Sea could be interpreted to cover hackback activities.

Another issue is Internet access security. If an organization were to engage in "lawful hacking", such as in a hackback scenario, it is almost guaranteed that some people and governments will not see it this way. There are two methods of dealing with this that I can see. One, to make or place the location at a central hub for Internet connectivity, such that a disruption in service to the organization would have impacts on the Internet as a whole, thus discouraging direct attack (either physical or technological). Second, by maintaining the organization's reputation such that there is no justified cause for such an action (see the paragraph on open standards).

The purpose of the neutral base should be obvious. It prevents any hint of governmental pressure, any hint of financial pressure from the surrounding locales, and isolates the organization from legal pressure. In many respects, the reasons for placing this location are the same reasons that apply to a location like Sealand/HavenCo. However, in this case it is even more important for the organization to appear neutral, because there can be no appearance of favoritism; it would drastically undermine the mission of the organization.

Not for Profit: The organization would have to be completely financially independent, and not have any profit motive whatsoever. The best idea I can think of along these lines would be to operate like a private college, on a large endowment. The proceeds of the endowment would fund the operations of the organization, while the endowment itself would be invested and managed much like other endowments. Additional endowments could be accepted at any time; the key is that, under this system, the organization never relies on investors or supporters of any kind for day-to-day operations.

Where the seed money would come from is a tough, tough question. I think the best way to do it would be for the organization to make money itself (by providing secure colocation, etc). That probably wouldn't be enough, so monies from interested 3rd parties would be accepted, on the condition that the donation was fully disclosed. This would prevent all but the most cynical from claiming that any particular supplier has undue influence over the operations; after the donation is made, the donor has little influence over the money supplied from the endowment fund (although they did increase the fund). Should the organization have an issue with the donor in some way, the funds remain with the organization (although the organization would be unlikely to receive more funding in this case).

All financial records of the organization should be public knowledge, preventing any chance of a misrepresentation or any hint of an improper supply of money that could influence the organization in performing its duties.

These financial stipulations are required for the organization to maintain its neutrality. Without open accounting records and non-profit design, the organization would leave itself open to all kinds of accusations about undue influence. Better to avoid that from the start, and lay everything where the world can see and judge for itself.

Open Logs: Everything the organization does on the internet is logged in detail, and exposed to the global public at large. The public should be able to see that the machines targeted do, in fact, meet the requirements specified in the open standards established by the organization, and that only the necessary steps were taken to disable the compromised machine. This step is required to keep things honest and above board.

Now, when you have a bunch of security experts working day in and day out cracking into actively compromised machines to disable them, you're going to have an issue with how to log reliably and in a trustworthy manner. Redundant logs, both local and remote, are only the beginning. There would have to be an overwatch organization of some sort, to actively monitor the logging process for tampering of any kind; sort of a "checks and balances" type of situation. Exactly how this would work I don't know. Perhaps any interested third party would be free to monitor the logging process at any time, and to examine the software and process for any hint of tampering. Alternatively, maybe an oversight organization of some sort, separate and different from the group doing the "ethical cracking".

Open Standards: This is the really tricky part. How would you set up standards for oversight? For target machine identification? For dealing with political issues? For dealing with the inevitable mistakes?

There would obviously have to be some sort of consensus on what the rules would be. What constitutes "ethical cracking?" Entering through an installed backdoor and disabling the vulnerable services? Probably okay. Cracking into a machine suspected of being a launching point for further cracking attacks? Not too likely as an ethical target. What about cracking machines that are being utilized as part of a DDoS? What about cracking machines that are known warez servers?

Could the group even accept complaints? How would it deal fairly with them? How would one make the procedure for dealing with large-scale problems like Nimda fast enough to avoid serious internet issues? What about responding to RIAA complaints about warez or p2p servers? Would such an organization serve the purpose of the recent proposed law? What about copyright violations in general?


This is an interesting idea to me, and one that doesn't seem to have been fully explored. Nothing that I read during a bit of research on the subject suggested that this had ever been tried, at least openly. I think the key issue revolves around what rights the owner of a compromised machine has. If someone is using your house to store smuggled weapons, it reduces your rights versus the police, both American and others. Could the same argument be made for a supranational, independent Internet Police? Maybe so. Could an "internet endangerment" charge be used against people who legally control compromised servers? Would something like this work?




Hackback, Inc | 23 comments (22 topical, 1 editorial, 0 hidden)
A police force (4.00 / 2) (#1)
by QuickFox on Fri Aug 02, 2002 at 08:04:29 PM EST

What you're proposing sounds like a kind of hackback police force.

The police have a monopoly on violence and are controlled by society. Without this monopoly on violence we'd get violent vigilantes and escalation of violence.

Similarly, if everybody should hack back we'd get a sort of vigilante situation with escalating attacks. Your proposal sounds like a hackback police force controlled by society with a monopoly on hackback. An interesting idea.

But to make it legal, the solution isn't to put it somewhere outside national laws, like Sealand. That's just sidestepping laws and must lead to controversy. You can't have a police force that is unbound by laws.

One solution for making it legal might be to have people explicitly permit the hackback on their machines by subscribing to hackback services that they trust. In return they get some protection and help when their machines have been compromised. Another solution might be to have the regular police get permission to do this sort of thing in machines that are within their jurisdiction.

Give a man a fish and he eats for one day. Teach him how to fish, and though he'll eat for a lifetime, he'll call you a miser for not giving him your fi

Re: A police force (3.00 / 1) (#2)
by aetius3 on Fri Aug 02, 2002 at 08:30:25 PM EST

"One solution for making it legal might be to have people explicitly permit the hackback on their machines by subscribing to hackback services that they trust. In return they get some protection and help when their machines have been compromised. Another solution might be to have the regular police get permission to do this sort of thing in machines that are within their jurisdiction."

The only problem with this is that these are the people who already don't take the time to secure their machines, so it is unlikely they would take the time and money to subscribe to a hackback service.

The restraint on the group would be provided by their complete openness, and dependence on ISP connections to the outside world. If they got out of hand, the world (as individual ISPs) could simply cut them off.

UN sanctioned perhaps? With UN oversight? I hate to even bring it up.

[ Parent ]
escalation of violence (3.00 / 1) (#9)
by tps12 on Sat Aug 03, 2002 at 10:49:28 AM EST

I want to point out that the "escalation of violence" scenario is far from an established effect of a police-free society. Many people believe that a modern society based on personal responsibility could be self-policing. Indeed, the Internet seems to police itself quite well.

[ Parent ]
Sadly, there are too many counterexamples (3.00 / 1) (#11)
by QuickFox on Sat Aug 03, 2002 at 02:40:50 PM EST

In any large group of people there will be a few who are really vicious. Just think of football hooligans and wife beaters.

You can't expect a group of volunteers policing the neighborhood to know how to deal with the really vicious people. And, more importantly, some such people would love to be volunteers in a group policing the neighborhood, so they get an excuse for berserk activities. You can't give them free rein in such a group.

I'm sure most people are good and want peace and friendliness. But there will always be a few vicious people among us. Sadly, this is part of human nature. Look at how Jews were persecuted and murdered in Nazi Germany, how black people were persecuted and murdered in some American states long ago, Native Americans earlier, witch hunts in Europe earlier still, and so on, and so on, and so on... unfortunately the list of examples is endless.

Most people are good, but a few are vicious, and those persons must be dealt with, and the effort to deal with them must be organised and controlled.

[ Parent ]

not necessarily "escalation" (3.00 / 1) (#15)
by tps12 on Sun Aug 04, 2002 at 07:43:54 PM EST

While I agree that history is littered with examples of evil being done by a few vicious people, I don't think that implies that responding to such actions in an ad hoc manner will bring about an escalation of violence.

If I shoot a man who tries to break into my home, it is highly improbable that my act of (justifiable, IMO) violence will drive other, unrelated members of society to violent behavior. If violent defense of oneself is justified, and targeted appropriately, then we needn't fear any kind of large scale backlash.

The idea of a police-free society should not make you think of a lynch mob imposing order on everyone else. Imagine instead a society consisting entirely of off-duty police officers, a small minority of whom may be corrupt. That small minority is exceedingly unlikely to gain control.

[ Parent ]

Sometimes it won't escalate, sometimes it will (none / 0) (#21)
by QuickFox on Mon Aug 05, 2002 at 04:45:24 PM EST

If I shoot a man who tries to break into my home, it is highly improbable that my act of (justifiable, IMO) violence will drive other, unrelated members of society to violent behavior.

You said it yourself: In your opinion shooting him is justifiable.

The burglar may have parents and children who feel that you used excessive force and want to avenge his death. He may belong to a Mafia group that decides to make an example out of you. When they're done killing you, maybe you have relatives who decide to avenge your death. Or maybe your neighbors decide to show that such killing will not be tolerated. And so it escalates.

Myself, I'd prefer to confront policemen who have to get a warrant and speak of Miranda rights and accept that I want a lawyer. If you prefer to confront the guns of the bereaved family and Mafia thugs, fine with me, but I hope you won't insist that everyone must do the same.

(Well, to be precise, here in Sweden they don't exactly speak of Miranda rights, the arrangement is different, but you get my drift.)

[ Parent ]

Mafia (none / 0) (#22)
by tps12 on Mon Aug 05, 2002 at 05:02:00 PM EST

Well, obviously the violence will escalate in the situation where the criminal is part of an extensive crime family. And I also agree that in today's society (or in most segments of it; in the American South it is to a much lesser extent) there is an idea that deadly force is almost always unjustified, because there is the perception that deadly force should only be exercised by officers of the law. However, in that case, the mere fact that family members and friends would find deadly force inexcusable is likely to restrain them from retaliating in kind.

[ Parent ]
Another metaphor (3.00 / 2) (#3)
by hamsterboy on Fri Aug 02, 2002 at 08:51:29 PM EST

Likening this service to a police force (e.g. QuickFox's comment) doesn't quite work out. Police forces are arms of individual governments, and are limited in jurisdiction. They are also publicly funded and are prone to bureaucratic bloat and red-tape.

Instead, think of a personal security agency. A client basically outsources their self-defense rights (i.e. the right to cause physical harm to somebody else in order to prevent physical harm to themselves) to somebody else. This concept is scalable; corporations can legally outsource their self-protection as well.

A single entity will almost inevitably become corrupted (example: ICANN), and no longer function as originally intended. Perhaps a market dynamic could operate here, with several companies competing for clients. The problem here is that there is no incentive to increase quality-of-service without a profit motive. Perhaps the non-profit part of the original idea would have to be thrown out. This idea has its own problems, however; profit motive sometimes leads to underhanded tactics.

Just a thought.


Self Defense (4.00 / 1) (#4)
by DarkZero on Fri Aug 02, 2002 at 09:55:57 PM EST

A client basically outsources their self-defense rights (i.e. the right to cause physical harm to somebody else in order to prevent physical harm to themselves) to somebody else.

The problem with the idea in the Security Focus article and just about all of the ideas stemming from it is that it relies on a metaphor involving the legal right to self defense. However, the laws of most countries (first world ones, anyway) do not allow you to apply this to anything else. You cannot vandalize someone else's house because you're pretty sure that they vandalized yours. You can't rob someone because you're pretty sure that they robbed you. These and other matters that aren't immediately life threatening are matters for law enforcement, not personal retribution.

[ Parent ]

Re: Self Defense (4.00 / 1) (#5)
by aetius3 on Fri Aug 02, 2002 at 10:19:04 PM EST

I think the reasoning runs more along the lines of "in the absence of any other recourse or law enforcement, I have the right to protect myself." It is a reasoning that is much more common in the international arena, since there are far fewer rules for conduct between nation-states. It isn't illegal anywhere I know of to allow your server to be compromised and used to attack someone else. However, it is illegal to make the kind of counter-attack he's talking about, unless you aren't in that jurisdiction or one that will extradite you.

[ Parent ]
Re: Self Defense (4.00 / 1) (#6)
by DarkZero on Sat Aug 03, 2002 at 02:34:10 AM EST

I think the reasoning runs more along the lines of "in the absence of any other recourse or law enforcement, I have the right to protect myself."

Wouldn't that be "... I have the right to protect my stuff"? Or more accurately "my really, really easily replaceable software"? I understand the reasoning and all. I can see the motivations behind it, the reasoning within it, etc. But I still think it's absolute crap that's based on a crazy self defense metaphor that shouldn't apply to anything but physical bodies, and in the realm of the law (at least in the US, which was what Tim Mullen's original proposal was for) very conspicuously DOES NOT apply to anything but physical bodies.

Your explanation was great and all, but it was still explaining a ridiculous idea.

[ Parent ]

Re: Self Defense (3.00 / 1) (#7)
by aetius3 on Sat Aug 03, 2002 at 06:40:05 AM EST

Sure, you have the right to protect your "stuff". You have the right to preserve your customer transactions for the day so you aren't accused of credit card fraud when someone cracks your machine. You have the right to protect your users' private information from those who would like to ruin their lives by impersonating them. You have the right to preserve the bandwidth that you pay for from being overrun by someone competing with you in business.

We're also not talking about shooting someone, but rather shutting off their really, really, easily replaceable software that is causing the problem. Since their machine is already compromised, their "stuff" is already endangered; you're almost doing them a favor by disabling the vulnerable software. The physical self defense analogy is perhaps overly serious, but the same kind of "rules" would seem to apply. There are many examples of international and national negotiation, maneuvering, fighting, and diplomacy that involve "eye for an eye" expectations and platforms, but don't involve life and limb. Restitution laws and sending people to jail for property crimes are two examples where force is used to protect "stuff". Such laws are common in every country I've been in, and I don't think that computers and communications are somehow exempt from that. Having 3rd party enforcement of various rules and regulations also has a long tradition -- for example, the "law of the sea" as well as traditional police forces.

[ Parent ]
Anybody in favour of hackback approaches... (2.00 / 2) (#10)
by haflinger on Sat Aug 03, 2002 at 11:55:15 AM EST

... should read this book first and then think: is that the world I want to live in? Aggressive IC are beginning to be used, and it's not a good idea.

Did people from the future send George Carlin back in time to save rusty and K5? - leviramsey
Programming society, not hardware (5.00 / 2) (#12)
by xee on Sat Aug 03, 2002 at 10:55:11 PM EST

You fail to realize that transparency of procedure will not protect anyone from lies and deceit. An organization like this would be mostly political. There would be, perhaps, a small network operations room where a systems/network administrator sits executing attacks when he is told to do so. The procedures which initiate, plan, then execute the attack must not only be transparent -- they must be failsafe. Checks and balances must be used to the effect that it would be unreasonably difficult to bribe or influence those persons who make up this counterattack agency. An agency like this could turn into a rogue police force, attacking whomever they want. A third party could be created to claim an attack by a corporate or political enemy, thus instigating a legal counter attack against the third party's adversary. The only "real" attack would be that which knocks out the third party's enemy. We would be, in effect, creating both a very large cannon, and a law that says we are the only ones allowed to have such a large cannon. This does nothing to stop anyone from actually having such a large cannon. I think that effort should instead be put into developing new protocols that would hinder a DDoS attack.

Proud to be a member.
Re: Programming Society, not hardware (none / 0) (#16)
by aetius3 on Sun Aug 04, 2002 at 10:42:34 PM EST

Actually, the idea would be to make the organization as apolitical as possible -- hence the neutral location, and possibly the inability to accept complaints. Transparency of procedure, as well as secured and transparent logs, would make it pretty difficult to propagate any deceit. The idea would be that the group, as a rule, does not communicate with governments and other interested entities. If the group did get out of hand, the oversight group (probably ISPs) would simply cut them off. The group's ability to continue would be based on reputation -- any serious damage to that reputation would probably end them as an entity.

Also, bear in mind that this would not be a willy-nilly attack on anything that moves in a target subnet. The only possible justification for an operation would be incontrovertible evidence that a machine or machines on that subnet is being actively used for system compromises -- an automated Nimda attack being the obvious example.

There would be no "law" saying that we are the only ones allowed to have a cannon, to use your analogy. This is international politics; there is no authority who can make a "law" or "tell" you that you can't do something. (Threat or use of force, diplomacy, etc. are other methods, of course.)

Preventing or hindering a DDoS attack is enormously difficult. If a large number of people can take down a site (a.k.a. the Slashdot effect), then a DDoS can too. No matter how you design the protocols, the "too much traffic" threshold can always be reached, either innocently or maliciously. I think this would be a large expenditure of resources for very little return.

[ Parent ]
ISP Oversight (none / 0) (#18)
by xee on Mon Aug 05, 2002 at 01:29:55 AM EST

I doubt that any ISP would allow this sort of activity without government approval (probably not even then). Remember, these ISPs are mostly headquartered in countries where this sort of activity borders illegality.

[ Parent ]
Open logs != secure logs (4.50 / 2) (#13)
by mandyke on Sun Aug 04, 2002 at 12:20:24 AM EST

Just because the logs of this group are open to the public doesn't mean they can't be faked/censored.

As far as I can see there would be no way to guarantee the accuracy of the logs. All it would take is a few members of the group with a little motive and bling, suddenly the group has logs of microsoft.com hosts h4Xx0r1n9 goatse.cx and thereby opening them up to justified hackback action.

And then of course, the action taken could be far different to the action that gets recorded in the logs. “Oh yes, we DoS'd their mail server as that was what they were using to initiate the attacks.” is all fine and dandy, except when what actually took place was a mass purging of their software sources.

I just don't find it possible that any logging system could be 100% effective. Feel free to offer solutions that are capable of securely providing logs to the general public, but I would be very surprised to actually see one.
Note that a random crowd of hippies, nutcases and adolescents is not a lawyer licensed in your jurisdiction. - i

Re: Open logs != secure logs (none / 0) (#17)
by aetius3 on Sun Aug 04, 2002 at 11:06:21 PM EST

Just because the logs of this group are open to the public doesn't mean they can't be faked/censored.

This is true. However, redundant, parallel logging with 3rd party oversight and a manual log would be difficult to beat. If it's just you, a log is easy to modify; if it is you, your partner, someone else who double-checks, and someone taking physical notes, it's a bit harder. Physical and social separation of the note-takers and overseers from the security workers is an obvious step. Binaries that control logging would be immutable, on a read-only filesystem, and be checked every second against an md5 checksum list. The logs would be displayed in real time through a physical duplication connection on a host that none of the security workers have access to (both physical and network -- blocked at the router, another machine that is secured from the workers).

I think it could be done. Ultimately, someone would probably figure out a way to beat it, but I think it would take so long (and be so obvious) that you couldn't get it done without someone noticing. And that, of course, is the point. I can't make my system unhackable, but I can make it so difficult that it would take years to do it.

A denial of service attack would be prohibited by the group's standards, since that is exactly the sort of behavior they are trying to prevent. Since the network connection is being monitored (of course) the activity necessary to set up a DDoS net would be difficult if not impossible. Two teams would have to identify a system that is a possible target, and three teams would have to confirm the analysis that the target machine is actively compromised. Then, and only then, would an attempt to "re-convert" the machine be authorized. Not foolproof, but pretty darn hard to beat.

[ Parent ]
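How far open logs can actually be trusted, as an added example serving both the "Open Logs" section of the article and the "Open logs != secure logs" thread above (the code is mine, not the author's, and the hosts, teams and operations in it are constructed): each entry's hash covers the hash of the entry before it, and an independent witness records only the chain head at agreed checkpoints. That is enough for the witness to catch any later rewrite or truncation of the published log, including one done by an insider who recomputes the whole chain. It is not enough to tell whether the recorded action matches what was actually done, which is mandyke's second objection and needs a separate tap on the traffic itself, along the lines of the "physical duplication connection" aetius3 describes.

```python
"""Append-only, hash-chained operations log with checkpoints held by an independent witness."""
import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" of the first entry


def link_hash(prev_hash, entry):
    # Canonical JSON, so the same entry always hashes the same way regardless of key order.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class ChainedLog:
    def __init__(self):
        self.entries = []  # (entry, hash) pairs in append order

    def append(self, entry):
        prev = self.entries[-1][1] if self.entries else GENESIS
        h = link_hash(prev, entry)
        self.entries.append((entry, h))
        return h

    def head(self):
        return self.entries[-1][1] if self.entries else GENESIS

    def verify(self):
        """Recompute every link. Returns (True, None) or (False, index of the first bad link)."""
        prev = GENESIS
        for i, (entry, h) in enumerate(self.entries):
            if link_hash(prev, entry) != h:
                return False, i
            prev = h
        return True, None


class Witness:
    """Independent party holding the (index, head hash) checkpoints the operators publish.
    It keeps no log contents, only enough to detect a later rewrite or truncation."""

    def __init__(self):
        self.checkpoints = []

    def record(self, index, head):
        self.checkpoints.append((index, head))

    def audit(self, log):
        """Return the problems found: a broken link, or a checkpoint the log no longer matches."""
        problems = []
        ok, bad_index = log.verify()
        if not ok:
            problems.append(("broken-chain", bad_index))
        for index, head in self.checkpoints:
            actual = log.entries[index][1] if index < len(log.entries) else None
            if actual != head:
                problems.append(("checkpoint", index))
        return problems


def build_sample_log(witness):
    """Constructed operations for one hypothetical case; the target is a documentation address."""
    log = ChainedLog()
    log.append({"seq": 0, "op": "identify", "target": "192.0.2.10", "evidence": "nimda probes, 16 in 2s"})
    log.append({"seq": 1, "op": "confirm", "target": "192.0.2.10", "team": "B"})
    witness.record(1, log.head())  # head published once the target is confirmed
    log.append({"seq": 2, "op": "disable", "target": "192.0.2.10", "action": "stop vulnerable service"})
    witness.record(2, log.head())  # head published after the action
    return log


def rewrite_and_rehash(log, index, new_entry):
    """What an insider who controls the log host can do: replace an entry and recompute
    every later link, so that verify() on its own still passes."""
    entries = [e for e, _ in log.entries]
    entries[index] = new_entry
    forged = ChainedLog()
    for e in entries:
        forged.append(e)
    return forged


def truncate(log, keep):
    """Drop entries from the end and rebuild the chain over what is left."""
    shorter = ChainedLog()
    for e, _ in log.entries[:keep]:
        shorter.append(e)
    return shorter


if __name__ == "__main__":
    w = Witness()
    honest = build_sample_log(w)
    print("honest log:", w.audit(honest))
    forged = rewrite_and_rehash(honest, 2, {"seq": 2, "op": "disable", "target": "192.0.2.10",
                                             "action": "scan only"})
    print("entry 2 rewritten and rehashed:", w.audit(forged))
    print("truncated to 2 entries:", w.audit(truncate(honest, 2)))
```

The security of the scheme rests entirely on the checkpoints leaving the operators' hands promptly and landing with a party they cannot lean on; anything written before a checkpoint is published can still be rewritten freely. Publishing the head hash widely (several witnesses, or a public channel) is what turns "open logs" into logs whose history cannot be quietly revised.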
My favorite academic discussions... (1.00 / 1) (#14)
by Apuleius on Sun Aug 04, 2002 at 03:57:02 AM EST

...are discussions of things that could get one nailed to the wall should they be noticed by a federal prosecutor whose career is in the doldrums.

There is a time and a place for everything, and it's called college. (The South Park chef)
There are other solutions (1.00 / 1) (#19)
by squigly on Mon Aug 05, 2002 at 07:48:29 AM EST

In the article - Tim Mullen said "Before you criticize, be prepared to offer your own solutions"

Seems easy enough.  Clearly there are several interested parties here - The victim (i.e Tim Mullen), the owner of the compromised machine, and the ISP.  None of these parties want to be part of an attack.  It seems simple enough to call or email the owner of the machine, and politely request that they deal with it, or call the ISP, and ask them to deal with it.

Use a web, not a pyramid (4.00 / 1) (#20)
by bill_mcgonigle on Mon Aug 05, 2002 at 09:12:39 AM EST

The hierarchical nature of your proposal has too much potential for abuse and/or coercion (governments, big business, etc.)

Instead, how about setting up a web-of-trust based system whereby each admin can shut down a particular computer's network access?  Any (n) number of admins could reestablish connectivity for a machine.

Necessary competence testing would precede such access, and abuse would result in privilege revocation.

There's a certain risk involved, but any system has such risks.  A web-of-trust system can quickly route around such risk, though.  A central authority cannot be routed around.  ICANN is a good example of how that type of system can go bad.  There would have to be a keyserver somewhere, but the users could agree as a whole (or even as a part, to fork the network) to switch to a different keyserver at any time.

Network admins would be incentivized to join the system, because an effective system could just about eliminate network abuses.  Opting out would also be completely under local control.  It would be a layer on top of the Internet, in a way, but without any additional transit or performance costs.  At sufficient size, one might decide to refuse traffic from non-participants.

Two Wrongs Don't Make a Right (none / 0) (#23)
by higinx on Wed Nov 06, 2002 at 01:15:15 AM EST

Nuff said.
Send me a nickel: http://www.ginx.com/nx/donate/patrick