A security researcher has disclosed details on more than a dozen previously unknown vulnerabilities that people responding to web-based attacks can exploit to strike back at online assailants. The bugs reside in off-the-shelf crimeware kits that go by names such as Eleonore, Liberty, Neon, and Yes. Attackers install them on …
Yes & No
“If the answer to that question is yes then it's a technical violation of the US computer crimes statutes. In other words, you do so at your own legal peril.”
If there is little or no enforcement, who really worries about risk? I for one welcome enforcement, but not back-lash draconian measures that come too late. *or as expected. i.e. allow problem to fester and grow until previously unacceptable solution becomes acceptable.
"I for one" recognize the vicious blundering insanity of the country I live in
I can absolutely believe we'd see a white-hat type, or even a civilian, prosecuted for striking back at a botnet operator -- this is the United States, after all. If there's a way to be in the wrong on something, then sooner or later, we'll find it.
You need a daemon that drops one ACK and transmits a message that states: by allowing your machine to be used to attack mine you grant me permission to neutralize the threat. When the remote end re-tries you render their PC unbootable and then make it reboot.
Microsoft goes bankrupt as everyone blames them and switches to Mac.
Steve Jobs puts his success down to his strong personality and immediately outlaws all programs that can be used to connect to non-apple servers, and sponsors a bill in congress that labels non-apple users as terrorists.
I'm sure I missed something. Tony Blair goes on a speaking tour and some unknown white man picks his pocket in the green room.
It's usually illegal to hurt somebody else -- but often not illegal at all to defend yourself, which is what this article is describing.
“The question is: Are you accessing their machine...”
Whose machine is it? In many cases, it's going to be a compromised machine of some innocent victim. Identify them, have a chat and ask for appropriate authorisation.
However, the whole operation needs to be planned and carried out by duly authorised law enforcement officers so that innocent parties are protected, and the integrity of the evidence is maintained for prosecution of the criminals.
That's not a coat, it's the Scales of Justice.
In a physical attack there is an accepted principle of not being guilty of assault due to reasonable "self defence", I wonder at what point it becomes OK for a computer to retaliate against an attacker?
Remember the concept of "outlaw": if you were breaking the Law, you did not have any recourse to it? Somewhere along the lines, the criminals went from having no legal backing to having *all* legal backing. ("oh, the poor dear twisted his ankle on your rug while breaking-and-entering into your home. We're going to sue you for that.")
You don't quite get it...
“If the answer to that question is yes then it's a technical violation of the US computer crimes statutes. In other words, you do so at your own legal peril.”
"If there is little or no enforcement, who really worries about risk?" - tuna1
The problem is NOT that you will be arrested yourself. The problem is that if you have broken the law while investigating a presumed attacker, you will find it difficult if you ever get the case to court. Your legal standing will be 'in peril'.....
This is a job for a crack squad of autistic, UFO-obsessed teens if I ever saw one. Not only are they likely to possess the skills, they would have all the excuses.
the law and the cops are for everybody
A robber can complain to have been robbed, a black hat can complain to have been hacked.
The cop seizes the robber's theft, so, only a cop could hack the black hat.
In the end, the cop can do evil.
“The question is: Are you accessing their machine without authorization or in excess of authorization?” said Mark Rasch, a former assistant US attorney who prosecuted hacking crimes and is the founder of Secure IT experts in Bethesda, Maryland. “If the answer to that question is yes then it's a technical violation of the US computer crimes statutes. In other words, you do so at your own legal peril.”
That had to come from a lawyer protecting his main source of revenue, didn't it?
bet he hates people who beat up muggers.
How about a new security product?
We could call it self-defense-ware. You run an app in the background (like an AV program) that detects malicious websploitation signatures or activity and knows their current vulnerabilities, while you surf. Whenever you hit a nasty web-site or link, you get the following pop-up screen:
https://www2.buggerthemall.net/scamland/poke_me.html has tried to probe your version of IE with the following exploit: my_favorite_trojan.w32
Don't take it lying down!
What would you like to do?
1) Shoot it down !
Download and run latest version of the correct retaliation tool or exploit (default choice)
2) Tell your friends !
Update shared repository with this evil URL so all your fellow app-users can attack it too.
3) Piss and Moan !
Send a complaint to the registration authority and/or ISP hosting this nefarious site.
4) All of the above !
Self-defense-ware INC. is registered in a country with no extradition treaties or liability laws so don't blame us when it all goes horribly wrong. This tool has been designed for research purposes only.
As a product launch, we can set up a public internet scoreboard, and download the latest list of identified websploit sites for a day of fun and games. Cool or what ?
Can you imagine the chaos? Sometimes I even scare myself.