US Congress mulls first 'hack back' revenge law. And yup, you can guess what it'll let people do

Two members of the US House of Representatives today introduced a law bill that would allow hacking victims to seek revenge and hack the hackers who hacked them. The Active Cyber Defense Certainty Act (ACDC) [PDF] amends the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber-miscreants legal in …

  1. xeroks

    this going to go well

    At least no-one will actually die, just spend the rest of their lives in legal disputes as the mess gets cleared up.

    oh... was that a hospital system I just wiped?

    1. This post has been deleted by its author

      1. Trollslayer Silver badge

        Re: Reminds me of The Relic:

        Because they had killed each other

    2. TechnicalBen Silver badge
      Terminator

      Re: this going to go well

      The funny thing is* that most of this was in Sci-Fi as sarcasm/cynicism etc... then it happened.

      *because if I don't laugh, I'd have to cry.

    3. Anonymous Coward

      Re: this going to go well

      "this going to go well"

      I hope it passes, because I reckon the impact on me (several thousand miles away) will be quite limited. But it will be fantastic entertainment to watch from afar. Imagine the bunglers of Target, Equifax, Home Depot and all the rest trying to find and retaliate against their attackers? These corporations were clueless in the first place, so they'll be crap at finding those responsible, and worse at retaliation, and if they attack the wrong guys, presumably they'll be entitled to hit back, causing more chaos.

      1. John Brown (no body) Silver badge

        Re: this going to go well

        "Imagine the bunglers of Target, Equifax, Home Depot and all the rest trying to find and retaliate against their attackers?"

        Until they start hiring armies of "cyber" mercenaries. Will 2018 be seen from a historic perspective as the beginning of the corporate war?

    4. ElReg!comments!Pierre Silver badge

      Re: this going to go well

      "At least no-one will actually die, just spend the rest of their lives in legal disputes as the mess gets cleared up. oh... was that a hospital system I just wiped?"

      Some interesting scenarii to consider: find a poorly secured account on the, say, DoJ systems, log in there and use that to chuck whatever mildly worrying connections at a NSA subsystem.

      Interesting side effect: as most people in charge have a very hazy understanding of "hacking", care to imagine what absolute mess would be achievable... heck, some network testing tools allow you to spoof the originating IP out of the box, no actual hacking needed...

      I will say no more lest it gives Anonymous some "interesting" ideas.

  2. goldcd

    erm isn't this what law enforcement is for?

    "I've just been hacked, so setting up a vigilante posse - so cc'd you professionals in"

    1. fung0

      Re: erm isn't this what law enforcement is for?

      This new law uses the same logic as arming children in order to protect schools from mass shootings. The only possible result is a bloodbath. And the only real motivation is to let the government dodge its responsibility to protect its citizens.

      1. Ken Hagan Gold badge

        Re: erm isn't this what law enforcement is for?

        It's not even the same as arming children. /That/ would ensure that the children can shoot back at the time of the attack. /This/ law would still require you to collect evidence to prove who did it, check with law enforcement and compare notes, and then retaliate after everyone is dead.

        If we assume that the police will respond to convincing evidence that one US citizen has committed a crime against another, on US soil, we can conclude that this new law would provide no new tools for the victims. Indeed, the lack of a response by the police could be the basis of a case by the accused that there was *not* sufficient evidence and that the so-called victim is the actual criminal here.

        Totally fucking bonkers.

    2. bombastic bob Silver badge
      Devil

      Re: erm isn't this what law enforcement is for?

      (from the article)

      "Before hacking back, the IT department would have to submit some homework to the FBI's National Cyber Investigative Joint Task Force so the Feds can make sure national boundaries are being respected and that any action wouldn't interfere with an ongoing investigation."

      And I wanted to have a bot do it, automagically. DAMMIT!

      This is like "the 2nd amendment" for cyber-self-defense. Works for me.

      A cop cannot be everywhere. Citizens have to take it upon themselves to report and stop crime. I don't know about the U.K. but here in the USA we have "citizen's arrest" laws, where if you catch someone "in the act" you have the right to arrest that person with REASONABLE FORCE [but criminals have black eyes, broken bones, missing teeth, and if he doesn't look like a criminal, the cops won't believe it, heh]. So yeah, if you witness someone stealing, raping, murdering, you have EVERY right to use deadly force in many cases, and that's the point. Citizens are as good as cops at stopping crime.

      In this case, it's citizens with computers who could, in theory, do their OWN investigating. But seriously, if you detect an intrusion, putting up a shield may not be enough. You might have to do something to damage the other end, like trick them into downloading a trojan horse that wipes their hard drive or similar. If a bot kicks in a URL re-director that fakes them into going to the wrong web pages [for example], they end up downloading the trojan horse.

      I'd be all for THAT. As an extra added bonus, the law contains liability insurance, so if you destroy some innocent person's computer, you have to pay for it. No biggee. It's the same if you shoot the wrong person. You're liable for that, too.

      /me gets bumper sticker for PC: This Computer is Protected by Smith & Wesson

      1. Anonymous Coward

        Re: erm isn't this what law enforcement is for?

        "I'd be all for THAT. As an extra added bonus, the law contains liability insurance, so if you destroy some innocent person's computer, you have to pay for it. No biggee. It's the same if you shoot the wrong person. You're liable for that, too."

        Bob, could you please let us know where you live, so that we all can avoid getting within 200 miles of that place - at least, not without body armour and heavily armed guard?

        And shooting or otherwise killing a person is a "biggie" for most psychiatrically healthy people, regardless of whether that person is a criminal or an innocent bystander. Most people who have, or might have to do so require extensive training to be able to do it at all. A large fraction of those who end up doing it in real life do require extensive psychological and psychiatric counselling later on - even when the person they killed has been trying to kill them. It gets much worse when killing is unintended or accidental - many people placed in that situation never fully recover.

        1. Alan Brown Silver badge

          Re: erm isn't this what law enforcement is for?

          "And shooting or otherwise killing a person is a "biggie" for most psychiatrically healthy people"

          You're making a big assumption about the mental health of the average american gun carrying individual.

          1. bombastic bob Silver badge
            Devil

            Re: erm isn't this what law enforcement is for?

            "You're making a big assumption about the mental health of the average american gun carrying individual."

            Those who think like wildebeests have a hard time understanding those who think like LIONS. And they're too willing to judge, point fingers, and try to legislate them away. Except, without some who THINK like LIONS [who aren't necessarily lions, but understand them] you're at the mercy of the REAL LIONS. And that's the point.

            My balls are just TOO BIG for me to think like a prey animal.

            1. Kiwi Silver badge
              Coat

              Re: erm isn't this what law enforcement is for?

              "My balls are just TOO BIG for me to think like a prey animal."

              The last couple of guys I heard boasting about how big their balls were dropped them PDQ when they realised I wasn't backing down from their threats. Sadly they had the sense to recognise a Tae Kwon Do stance (even though I haven't actually practised in like 20 years!), and left straight away.

              The marbles they dropped on the ground as they ran were about the size I expected - something a newborn kitten would be ashamed of.

              Afraid, like most who make such boasts, you sound much the same as them! :)

              --> Me checking for wallets and valuables amongst the other stuff they left behind (we need a "Captain Runaway" icon!)

            2. jake Silver badge

              Re: erm isn't this what law enforcement is for?

              "My balls are just TOO BIG for me to think."

              Fixed that for you, Zippy.

              (Note to the cross-pond readers: Not all of us Yanks are as daft as Zippy, here. He's an unfortunate casualty of a steady diet of taco sauce and Ding Dongs. Probably the best method of dealing with him is as with any other troll ... simply don't feed him.)

            3. Anonymous Coward

              Re: erm isn't this what law enforcement is for?

              "My balls are just TOO BIG for me to think like a prey animal."

              Try wanking....may relieve some of that pent up frustration.

        2. bombastic bob Silver badge
          Devil

          Re: erm isn't this what law enforcement is for?

          "A large fraction of those who end up doing it in real life do require extensive psychological and psychiatric counselling later on - even when the person they killed has been trying to kill them."

          not me - I'd make sure they stared right into my eyeballs as I stare into theirs, watching the life drain away. I'm the last thing they'd see on the way to HELL.

          [THAT, by the way, makes me a *HARD* *TARGET* - meaning I'm in the house they avoid, or the person they avoid on the street or in a crowd - the one who FIGHTS BACK]

          Sorry, I can't buy into your "prey animal" kind of thinking. I think like a predator. A self-disciplined predator who doesn't kill without reason. And I spent time in the military, and have been prepared to take a life in self-defense [or defense of others] since then. No problem.

          The point is *TO* fight back. Make it hard for the criminal. Even if you're passive-aggressive about it, it's still fighting back. I prefer "active aggressive". And *revenge* is a GOOD thing. enough people do it, and you see crime go WAY down, because there's now a PENALTY [potentially] for the bad behavior.

          [this is not how SHEEPLE think. This is how men with BIG BALLS think.]

          1. StargateSg7 Bronze badge

            Re: erm isn't this what law enforcement is for?

            Cough! Cough! Staring into their eyes as their life drains away is

            a GRAVE TACTICAL ERROR! AS YOU WELL SHOULD KNOW,

            9mm and 7.62 rounds don't actually work that well at killing people

            and said shootees TEND to STILL be able to shoot back even

            AS their life EVER-SLOWLY drains away.

            Nooooooo! You ALWAYS move off to the side and preferably north of their head

            from at least a few feet (3 metres!) away STILL pointing your sidearm or your M4

            at their heads. Then you can relax ONLY A TINY BIT! ---- Once they're not moving...

            please do remember to pump two or more rounds point blank into the heart

            JUST TO MAKE SURE that Dead Means Dead !!!

            ONLY THEN can you call yourself a REAL MAN WITH BIG JUICY JUEVOS !!!

          2. Laura Kerr

            Re: erm isn't this what law enforcement is for?

            "not me - I'd make sure they stared right into my eyeballs as I stare into theirs"

            Unless, of course, they got in first and shot you from behind.

            1. Terry 6 Silver badge

              Re: erm isn't this what law enforcement is for?

              Unless, of course, they got in first

              FTFY

          3. Anonymous Coward

            Re: erm isn't this what law enforcement is for?

            *Mentally ill man sees someone he doesn't like the look of in front of him in the queue at Walmart, pulls gun, kills with no warning*.

            Same man, later: oh, was he a HARD TARGET? Totally my bad. Please make him all alive again.

            /You utter twat

          4. tiggity Silver badge

            Re: erm isn't this what law enforcement is for?

            But how would they know you were a "hard target" a "house to avoid" until they actually targeted your house?

            If we assume some random miscreant, then why would they know anything about you (or indeed the owner of whatever house they were breaking into)?

            If we say the miscreant did (in whatever magical way) know you were a hard target, what's to say that although it may discourage some felons, others might be attracted to having a crack at the "hard target" as more of a challenge?

          5. 2+2=5 Silver badge
            Joke

            Re: erm isn't this what law enforcement is for?

            > [this is not how SHEEPLE think. This is how men with BIG BALLS think.]

            [Mildly NSFW]: You are Buster Gonad and I claim my £5

            1. Alan Brown Silver badge

              Re: erm isn't this what law enforcement is for?

              I would have thought that men with big balls would be extremely careful to avoid any situations where they might get bumped. After all, a good kick in the nuts has most guys laying on the ground vomiting.

          6. Bernard M. Orwell Silver badge
            Facepalm

            Re: erm isn't this what law enforcement is for?

            Good Grief....I was wrong....

            "[THAT, by the way, makes me a *HARD* *TARGET* - meaning I'm in the house they avoid, or the person they avoid on the street or in a crowd - the one who FIGHTS BACK]"

            That's the one. Yep. forget my last post.

            " And *revenge* is a GOOD thing"

            oh sweet jebus....he keeps going further....

            So folks, if you want to know what's wrong with America, I give you Bob - AKA Exhibit A. This is how they train their soldiers....

            1. Alan Brown Silver badge

              Re: erm isn't this what law enforcement is for?

              "So folks, if you want to know what's wrong with America, I give you Bob - AKA Exhibit A. This is how they train their soldiers...."

              That and USA 'justice' is about "retribution with interest" rather than "repair and reconciliation"

              Such policies have always led to escalating cycles of violence.

          7. Anonymous Coward

            Re: erm isn't this what law enforcement is for?

            >I think like a predator

            No Bob, you think like a psychopath. Big difference.

            >And *revenge* is a GOOD thing.

            And you think everyone else is going to hell. Hint for you Bob - the Bible condemns murder, regardless of who does it.

        3. Anonymous Coward

          Re: erm isn't this what law enforcement is for?

          "most psychiatrically healthy people"

          Errm, to whose or what definition are you referring?

      2. Seajay#

        Re: erm isn't this what law enforcement is for?

        This is not like the second amendment for cyber security and it's not like "stand your ground" laws. In those cases you are (in theory) not retaliating to the attack, you're just taking action to keep yourself safe from an attack that is still ongoing.

        The physical world equivalent of this sort of law would allow you to burgle the houses of people you suspect of being burglars. Utterly bonkers.

        1. Muscleguy Silver badge

          Re: erm isn't this what law enforcement is for?

          Sort of, isn't it rather like the police having to get a warrant from a judge before searching the home and premises of a suspected burglar? Though it reminds me of FindMyPhone incidents where the cops, despite being shown specific GPS data, decline to intervene and suggest the aggrieved party go there themselves and attempt to get their property back.

          1. Alan Brown Silver badge

            Re: erm isn't this what law enforcement is for?

            "Though it reminds me of FindMyPhone incidents where the cops, despite being shown specific GPS data, decline to intervene and suggest the aggrieved party go there themselves and attempt to get their property back."

            Yes, that particular issue is one that worries me, because it's effectively the cops _encouraging_ vigilante justice, when in a lot of cases the criminal is armed and has nothing to lose if a victim shows up.

      3. DeKrow

        Re: erm isn't this what law enforcement is for?

        If nothing else, your commentary is incredibly useful for providing an insight into the way certain individuals think.

        Things to note:

        - Lumping murder and rape together with robbery

        - Using rape and murder as a comparison to copyright infringement / IP theft or other hacking related crimes

        - Comparing a "caught in the act whilst physically present to witness" crime to a digital crime for which the thorough analysis of logs is required in order to confirm whether a crime has even taken place. The very quote you chose from the article means that an immediate response is excluded from this law.

        Overall you come off very "kill 'em all and let god sort 'em out", even without your S&W bumper sticker. That's just the teflon on the tip.

        /me isn't worried about your Smith & Wesson when I'm thousands of 0.62 miles away.

        1. bombastic bob Silver badge
          Devil

          Re: erm isn't this what law enforcement is for?

          "Overall you come off very 'kill 'em all and let god sort 'em out'"

          Well, not GOD, but you get the general idea. heh.

      4. veti Silver badge
        Facepalm

        Re: erm isn't this what law enforcement is for?

        "And I wanted to have a bot do it, automagically. DAMMIT!"

        No problem, you can have your bot submit the paperwork to the FBI at the same time as it launches the retaliatory strike. The whole process doesn't need to take more than a few seconds.

        There's no mention of "waiting for the FBI to respond" to your notification.

      5. sz54c8

        Re: erm isn't this what law enforcement is for?

        Christ, Bob. I'm pretty right-wing, politics-wise, here in the UK. But you are what we call here in the north-east "a ferkin fruitcake"

      6. Bernard M. Orwell Silver badge
        Facepalm

        Re: erm isn't this what law enforcement is for?

        "you have EVERY right to use deadly force in many cases, and that's the point. Citizens are as good as cops at stopping crime."

        Possibly the most moronic statement I've ever seen in El Reg forums.

    3. Anonymous Coward

      Re: erm isn't this what law enforcement is for?

      Law Enforcement don't have time to investigate lowly crimes:

      http://www.bbc.co.uk/news/uk-england-london-41633205

      (They're too busy investigating Harvey Weinstein.)

  3. Bill Stewart

    Hacking back against forged attacks

    Bob announces that he will hack back against anybody who attacks him.

    So Mallory impersonates Alice and attacks Bob. Doesn't need to be a big or effective attack.

    Bob detects the attack and launches a hack-back against Alice.

    Alice's network is now trashed, and Bob claims he was retaliating legally.

    Congress seems to be a bunch of Chaos Monkeys.

    1. DeKrow

      Re: Hacking back against forged attacks

      They're an odd mix of throttlingly tight control in some areas (copyright - where money is at risk but lives aren't) and "go get 'em tiger" chaos in others (abhorrently loose gun control - where lives are at risk but money isn't).

      This revenge hack thing sits firmly under chaos, the necessity of which is driven by "corporate / IP" psychopathy.

      Very plain to see what's important to those who occupy the halls of power in the ol' US of A. Land of the free, so long as you can wrench that freedom from thy neighbour's cold dead hand like the true winner you are!

      U! S! A!

      U! S! A!

      U! S! A!

      P.S. If this law passes, the ultimate challenge to a black hat hacker is this:

      Create a circle of forever legitimate revenge attacks between Apple, Google, Facebook, and Microsoft.

      1. Oh Homer Silver badge
        Mushroom

        Re: "lives are at risk"

        Have you met America? That's the country that needs "lives matter" movements because of its prevailing culture of utter indifference to human welfare, but which trips over itself in its eagerness to wage war in defence of the petrodollar.

    2. Notas Badoff

      Re: Hacking back against forged attacks

      Not Alice - see "Joe job". Misdirected reactions since 1996.

      1. Anonymous Coward

        Re: Hacking back against forged attacks

        "Not Alice - see 'Joe job'. Misdirected reactions since 1996."

        These things happen all the time in the physical world, especially when one of the actors is going through an acute paranoia phase, and has copious amounts of ammo lying around. Very frequently, they do not even require a malicious, misdirecting agent, and come from either a purely accidental glitch somewhere, or because of a misinterpretation of an innocent mistake. See (among many others) the Tonkin incident and KAL 007 incident.

        I am really looking forward to some cowboy "defending" himself by trashing my systems after misinterpreting his logs showing my e-mail arriving 5 minutes before his 15-years old SCSI disk array finally gave up the ghost due to an advanced old age - which will inevitably happen if laws like this one come into force.

      2. bombastic bob Silver badge
        Devil

        Re: Hacking back against forged attacks

        most people understand the 'joe job' problem. I've been Joe-jobbed a couple of times. Fortunately the web service that handles domain e-mails added the ability to put the correct MX DNS info records in place to specify which servers are authorized to send e-mail for the domain, and I haven't seen it happen since.

        in one joe-job case that I allegedly heard about, the alleged perps allegedly had an alleged server running in an alleged country that is well known for having compromised servers and NOT responding to alleged abuse reports because alleged mail service was filtering the abuse reports as "spam". Allegedly. And it allegedly had the usual "fake rolex" and "fake handbag" web sites on it. And it allegedly got flooded with specially crafted (not illegal) HTTP requests that shut it down for a significant amount of time (allegedly exploiting a bug in the way they were re-directing via the "probably compromised" web server), on multiple occasions, with "stop joe jobbing XXX" allegedly being PROMINENT in the logs, allegedly. Yeah, no retaliation THERE, right?

        1. CrazyOldCatMan Silver badge

          Re: Hacking back against forged attacks

          "added the ability to put the correct MX DNS info records in place to specify which servers are authorized to send e-mail for the domain, and I haven't seen it happen since."

          Ahh bless. You think anyone takes any notice of that? AOL certainly doesn't (yes, I've had bounces from AOL of spam that's come no-where near my systems and the originating IP isn't even in the same country as me).

          In short, like most of SMTP - those domain SPF records are only any use if receiving domains check them. And a large minority don't.

    3. DougS Silver badge

      Re: Hacking back against forged attacks

      That's fine, because Alice can then hack Bob back and they're both trashed. Mutually assured destruction!

    4. Florida1920 Silver badge

      Re: Hacking back against forged attacks

      @Bill Stewart

      "Congress seems to be a bunch of Chaos Monkeys."

      https://en.wikipedia.org/wiki/Parliament_of_Whores

    5. bombastic bob Silver badge
      Devil

      Re: Hacking back against forged attacks

      "Bob announces that he will hack back against anybody who attacks him."

      heh, I wouldn't announce it, just do it.

      That's where the liability comes in - if you don't cover your ass and get the right target, you're as bad as the perp [and so YOU get in trouble]. Unless it becomes a ginormous free-for-all, in which case, popcorn please.

    6. Alan Brown Silver badge

      Re: Hacking back against forged attacks

      "So Mallory impersonates Alice and attacks Bob. Doesn't need to be a big or effective attack."

      swap "XYZ state-sponsored attack team" for Mallory, who hacks into Alice, attacks Bob and then disappears into the night, carefully deleting logfiles which might identify them.

      Then sit back and enjoy the popcorn.

      1. Solarflare

        Re: Hacking back against forged attacks

        "And I spent time in the military"

        Yes Bob, considering your batshit insane attitude to everything, that really doesn't surprise me in the least...

        1. Anonymous Coward

          Re: Hacking back against forged attacks

          Please don't judge the military by Crazy Bob's remarks any more than you should judge Americans.

          You will probably have seen a lot of stuff recently on forces mental health, especially Prince Harry's involvement. Actual professionals know that whatever size of balls you have, killing is terrible for the perpetrator, though clearly not as bad as for the victim.

        2. Alan Brown Silver badge

          Re: Hacking back against forged attacks

          > Yes Bob, considering your batshit insane attitude to everything

          It covers why he's ex-military. The Batshit Insane ones generally get weeded out early in their careers.

  4. anonymous boring coward Silver badge

    Very intelligent. Vigilante law. Real victims won't have the resources, so they will turn to a suitable avenger, for a fee of course. Proof that they were wronged in the first place? Details... That can be arranged too.

  5. elDog Silver badge

    150,000,000 americans plus several million others can hack Equifax?

    Perfect. I'll set my IoT borgs on the task right now. Oh, by the way, I'll spoof the headers to show it comes from the us congress.

    Hey, this is a joke and is covered by the 36th amendment. Parody of absurdity is reality.

    1. bombastic bob Silver badge
      Trollface

      Re: 150,000,000 americans plus several million others can hack Equifax?

      "Perfect. I'll set my IoT borgs on the task right now. Oh, by the way, I'll spoof the headers to show it comes from the us congress."

      works for me. thanks for the idea.

    2. anonymous boring coward Silver badge

      Re: 150,000,000 americans plus several million others can hack Equifax?

      Spoofing headers may fool some typical users. It won't make any difference to NSA however.

  6. AceRimmer1980
    Coat

    ACDC?

    Cyberspace

    Dirty Deeds Done Dirt Cheap

    Dog Eat Dog

    Got You by the Balls

    etc.

    1. KLane

      Re: ACDC?

      How could you forget 'Highway To Hell'???

      1. Roj Blake Silver badge

        Re: ACDC?

        Back in Black (hat)

    2. The Indomitable Gall

      Re: ACDC?

      ...but not Breakin the Rules, sadly.

      1. Omgwtfbbqtime Silver badge
        Mushroom

        Re: ACDC?

        Time to sell a suite of easy to use hacking tools called Thunderstruck.

  7. gerdesj Silver badge
    Windows

    At least there is a discussion

    This article made my minute.

    On the face of it a discussion is at least happening somewhere about what happens in a "land" called the internet. It's almost as though the internet has finally become a thing.

    ... mmm beer ....

  8. Magani
    Pint

    Location, Location, Location...

    "... so the Feds can make sure national boundaries are being respected..."

    Whose national boundaries? Are they concerned that someone in the US of A is being targeted and want to stop it, or are they really worried about the national boundaries of Burkina Faso or one of the 'stans, or the two largest countries in Asia?

    I'll bet a dead dingo's donger that the Feds are only concerned about one nation's boundaries.

    (No icon for a DDD, so have a beer instead.)

  9. a_yank_lurker Silver badge

    Congress Critters

    No one ever accused Congress critters of being intelligent or ethical. In fact, it is a good assumption to assume that adding up the IQs of all the critters would result in large negative number. And it is a good assumption they are on someone else's till as well as the US taxpayers. Party affiliation only influences whose payroll they are on.

    1. CrazyOldCatMan Silver badge

      Re: Congress Critters

      "IQs of all the critters would result in large negative number"

      AKA - they reduce the IQ of an empty room by walking in..

  10. isogen74

    Machine != Hacker

    The main issue as I see it is that most hacks are bounced via other compromised machines first. As noted on the classic movie "Hackers", you don't hack a bank from your house. ... because that's just stupid. If you allow retaliation attacks then really you're in all likelihood just setting people off against machines owned by other "good guys". The "bad guys" are long gone.

    1. bombastic bob Silver badge
      Devil

      Re: Machine != Hacker

      well, if you do things properly on YOUR end, researching the hack/crack, it becomes obvious when a web site is being used as a "pure re-director". A little research may lead you to the REAL web site (or person doing the shell access cracking, whichever), especially for things _LIKE_ when the POST transactions in a fake web page reveal exactly where that is [for getting your credit card info, for example]. If your server is the re-director, then you study the logs to see where everything is going, and go from there. That kind of thing. Or if it's someone else, you can often determine where it REALLY came from through various means.

      From that point, the lazy coder's or incompetent script-kiddie's ass is YOURS. Just "follow the money" (or in this case, the IP address of the server doing the credit card stuff or intrusions). Notifying the credit card companies along the way is an extra added 'bonus'.

      (I would normally expect crack attempts to come in via web site requests as a vector, unless you allow ssh access for more than 1 or two obscure user names with either proper pass-PHRASES or cert-only, or both)

  11. Anonymous Coward

    What if it's the NSA probing my network?

    This won't end well...

  12. Will Godfrey Silver badge
    Unhappy

    Pah!

    Against man's politicians' stupidity the gods themselves, contend in vain.

    1. Commswonk Silver badge

      Re: Pah!

      I just had to log in for the sole purpose of giving that an upvote.

  13. Anonymous Coward
    Anonymous Coward

    Such a "law" already exists in some countries

    I know that where we are, we're legally in the clear if we mount a DDoS on networks that seek to hack our infrastructure, provided we preserve the evidence. However, the problem is that traffic is easy to fake, either at IP level if you're not concerned about return traffic, or via proxy through a hacked resource like a breached WP site, so we could end up being used to zap an innocent entity who just has rubbish security. You may consider that deserved, but that's not how we tick.

    The funny thing is that if other countries implement such a measure, the US will get blasted from all over the place given how often US companies and government get breached.

    The recipe is thus:

    1 - re-hack OPM and install a proxy

    2 - hack whitehouse.gov

    3 - as bonus, maybe hack trump<anything>.com

    4 - point them at each other

    5 - buy popcorn and watch the show.

    Where did all the smart people go? Canada?

  14. jake Silver badge

    A "law bill"?

    https://www.youtube.com/watch?v=Otbml6WIQPo

    It's not only a good idea, it's the law ;-)

  15. dbtx Bronze badge

    Femto-poll

    Is the word 'cyber' dead or not? Is it terribly undignified to try to use it since maybe a generation ago? I think so. Convince me otherwise (please!) so I needn't facepalm every time I hear someone say it as though it's a meaningful, professional term. I would prefer to be wrong, and merely be reminded about how I was wrong, each time... it would be Significantly Less Horrible™

    1. Jamie Jones Silver badge

      Re: Femto-poll

      When your digital doppelganger is regularly surfing the information superhighway, and conversing with good netiquette with people in this virtual playground, it's easy to forget what's happening in meatspace. As such, who knows if words like 'cyber' are still used out in the wild?

      1. The Indomitable Gall

        Re: Femto-poll

        Who let all those cats out onto the information superhighway? There's going to be a pretty messy accident...

    2. Destroy All Monsters Silver badge
      Alien

      Re: Femto-poll

      No, and additionally we are now moving to ICE (Intrusion Countermeasure Electronics),

      No signs of demons in the slot-in cartridges yet, sadly. The real world stays boring.

    3. dbtx Bronze badge
      Meh

      ...

      Been trying to think of an answer to the obvious question: what not-horrible term, or ordinary term with not-horrible common usage, should everyone be using instead?

      Maybe techno-? (ignoring the bucket of electronic music) I couldn't think of one with roughly the same coverage. Sheeit. So what is my problem? Do I hate the word, or its use, or its abuse, or something else-- such as the way its users seem to be trying to manufacture the sound of knowing WTF they're talking about? Not sure... of course that last one would be the irritating one only because it proves to me that I CAN recognize that pattern, forces me to admit I've seen it before, and burns off any hope of using ignorance as an excuse.

      Maybe that's all there was.

      Might use Greasemonkey to change it to sighber or derper or whatever, something fun.

    4. Seajay#

      Re: Femto-poll

      https://xkcd.com/1573/

      Case closed

  16. Red Bren

    American Logic

    If we all have more guns, there will be less shootings.

    If we all have hacking tools, there will be less hacking.

    Perhaps the US government would get better results by insisting that software must be fit for purpose before being sold?

    1. HieronymusBloggs Silver badge

      Re: American Logic

      "Perhaps the US government would get better results by insisting that software must be fit for purpose before being sold?"

      That would be of limited value, considering the amount of software that doesn't need to be bought to acquire it. Or was that your point?

    2. hplasm Silver badge
      Facepalm

      Re: American Logic

      Zeroth Law:

      If we all have more stupid, there will be less intelligence.

  17. Version 1.0 Silver badge

    Cool!

    So we can all hack the US Government back now without worrying about getting extradited? Milud, I was just hacking them back as permitted under the US Active Cyber Defense Certainty Act.

    Case dismissed.

    1. bombastic bob Silver badge
      Devil

      Re: Cool!

      "So we can all hack the US Government back now without worrying about getting extradited?"

      you have MY permission, if they're invading your computer without probable cause, and without any kind of legal approval in the UK. They should get a UK warrant first. Then it would be _legal_ in the UK to do that. Or let the UK gummint do it on the US gummint's behalf. Then it's all above-board diplomatically.

      But invading your computers? bad idea. hack 'em back. [if you don't mind the legal fees associated with defending yourself, anyway, and IANAL so my legal advice is probably worthless]

  18. handleoclast Silver badge
    FAIL

    An analogy

    I came up with an analogy to explain to the politicians why this is such a very bad idea. It goes like this...

    The Las Vegas mass shooting was terrible.

    Maybe everyone should be armed.

    And legally permitted to shoot back in retaliation.

    That way, when a crazed gunman starts firing, everyone will fire back at him.

    Problem solved.

    Of course, a moment's thought shows this to be an astoundingly bad idea. Most people are very bad at handling guns. Couldn't hit the side of a barn at two paces. There will be bullets flying everywhere. Somebody is going to get hit accidentally, causing his friends to return fire at somebody who was trying to hit the crazed gunman but instead hit a spectator. His friends are going to retaliate. Pretty soon everybody is shooting at everybody else, and the crazed gunman shits himself from laughter.

    That, privileged white gentlemen, is exactly how your cyber-retaliation will play out. It isn't just ineffective, it actually makes matters a lot worse.

    To which the response is "I cain't see nothing wrong with arming everywun like the saycond amendmunt sayes. Freedumb!" and they pass the cyber-retaliation bill too.

    1. Terry 6 Silver badge

      Re: An analogy

      Yep. The NRA would go for it.

    2. Destroy All Monsters Silver badge

      Re: An analogy

      Well, I don't think we will know until we have tried it,

      Best case, it will work.

      Worst case, less people dead than there would be otherwise.

    3. Laura Kerr
      Thumb Up

      Re: An analogy

      "Pretty soon everybody is shooting at everybody else, and the crazed gunman shits himself from laughter."

      Taking that to its ultimate conclusion, the gunman wouldn't even need a gun. Just to let off some firecrackers, stand well back and watch everyone slaughter each other.

      Anyone remember the film Hopscotch?

  19. allthecoolshortnamesweretaken Silver badge

    Sure, go ahead with this.

    We all know that the best defense is a preemptive attack, right?

  20. Anonymous Coward
    Anonymous Coward

    Oh my. What. How. No way. Yup, totally okay with this - can't see how it could possibly go wrong.

    F**k.

  21. Nolveys Silver badge
    Mushroom

    Whelp...

    ...time to figure out how to get Fail2ban to call Metasploit. But what should I use for a payload? Maybe the payload should be Fail2ban and Metasploit.

    1. bombastic bob Silver badge
      Happy

      Re: Whelp...

      "time to figure out how to get Fail2ban to call Metasploit"

      I call that "a good start" - heh. Unfortunately, con-grab wants gummint in the loop. DAMMIT.

  22. W. Anderson

    stupider and stupider

    Those two members of US Congress and many others in both House (of Representatives) and Senate are just as daft as their President to put forth such a stupid, unenforceable Bill.

    The US CIA, FBI, Department of Defense, European and Asian security agencies, nor any of the top technology companies in the world cannot prove - without question and with full verification - who hacked them, how in God's name is an individual or any other entity going to bring about a legitimate counter-hack result?

    The idiocy of Donald Trump is apparently rubbing off very quickly and completely onto Republican law makers.

    1. bombastic bob Silver badge
      Devil

      Re: stupider and stupider

      "how in God's name is an individual or any other entity going to bring about a legitimate counter-hack result?"

      it's been done before [locating the perp]. An enterprising and intelligent operator of a router system did it once, back in the 90's. I can't recall his name, but he got the FBI involved because he was seeing some really unusual activity... and as it turned out, it was someone trying to crack into gummint computers, if I remember correctly.

      Someone at an ISP could assist a company in doing the same thing, or if you have your own routers [that can display the right kind of info], you could do it yourself.

      even WireShark can be very helpful.

      auto-redirect routing to a honeypot server - even better. make it nice and sweet. download that trojan, yeah! let it phone home, and we'll see who you REALLY are! back-door THAT machine, looks for back doors already there, and keep digging until you find the perp. chances are, he's not protecting himself very well... thinking "TOR" will anonymize him. Uh, huh... and then you examine his facebook cookie, his twitter cookie, his microsoft login cookie, ...

      1. handleoclast Silver badge

        Re: stupider and stupider

        @bombastic bob

        it's been done before

        The only thing I can think of remotely similar to your account, in that timeframe, was Clifford Stoll and he wrote a book about it called Cuckoo's Egg.

        It was in 1986 rather than the 90s. And he was monitoring dial-up modems not routers. My increasingly-unreliable memory tells me people were tromboning dial-up systems to get to his, not using the nascent Internet. And the on-line world was a much smaller place back then. And he was lucky. And his opponents weren't too clever. Apart from all that, it's a perfect match.

        Oh, and Stoll is very, very clever. Even if his youtube videos give a completely different impression (like the one where he accidentally started a fire in his kitchen).

        It's not as easy as you imply to track these people down and retaliate. If only because they're using botnets so all you're likely to do is trash thousands of computers belonging to innocent people without ever hitting the person responsible (other than by diminishing the size of his botnet).

        Dramatization of Stoll's story (probably uploaded in violation of copyright, so don't watch if you're squeamish about that sort of thing) here.

  23. razorfishsl

    It is a stupid idea,

    from morons with a 1 dimensional thought process.

    since most hackers with any brains, use other people's systems, where does that leave retaliation?

  24. Blotto

    THE IT-TEAM!!!

    "In 2017, a crack commando unit was sent to prison by a military court for a hack they didn't commit. These men promptly escaped from a maximum security stockade to the Los Angeles underground. Today, still wanted by the government they survive as soldiers of fortune. If you have a problem, if no one else can help, and if you can find them....maybe you can hire The IT-Team."

    1. hplasm Silver badge
      Devil

      Re: THE IT-TEAM!!!

      ...if you can find them....maybe you can hire The IT-Crowd.

      Reality bites...

  25. Mikey

    What you really need to remember is...

    ...That the average US internet connection is about as fast as a crippled snail on morphine, so the actual utility of this word-embellished piece of bog roll is diminished to the point of utter uselessness anyway.

    Plus most ISPs would either block it or charge you more for a premium 'Retaliation Plus' service which coincidentally is only available as an upgrade to our Platinum Service and would you kindly sign here for only $74.99 a month extra....

  26. Alexander Hanff 1

    So they would be able to hack the NSA, CIA and other TLAs now? Or did they include an exemption for security services hacking you?

  27. Wolfclaw Silver badge

    Should be good for a laugh, US says it's OK for a US company to hack an EU computer, illegal in EU, who gets prosecuted, the dude who did it, the boss that ordered it, CEO and would they ever get extradited?

    EU geezer hacks back against a US company, that wrongly hacks him, illegal in EU but justified in the US, oh but wait, US company goes crying to FBI and asks for help ... oh what a can of worms !

  28. Marketing Hack Silver badge
    Coat

    Because the internet is not already "wild, wild west" enough

    Let's instead turn it into full-on Syria-on-a-bad-day!

    (Mine is the M1A1 Abrams tank.)

  29. Anonymous Coward
    Anonymous Coward

    Anonymous for many good reasons...

    One of my websites was under constant attack from a networked photocopier/printer in Australia a few years ago. So what do you do..?

    ...You find the default login for the machine and set it to print 10,000 copies of a message that says 'This machine has been hacked and is being used to attack websites. Fix it. Change your login.' That's what you do.

    Might have been 1,000 copies but it was enough to make 'em take notice. Never heard from that machine again.

    It is reasonable to expect that if you hack into someone's system(s) then you must expect to be targeted back with a reasonable response.

  30. Stevie Silver badge

    Bah!

    I have no doubt that this will end up being viewed as the greatest law ever and will show no possible downsides.

    In unrelated news: "SWATting" seems to be on the rise again.

  31. Lion

    The Lawmakers who introduced this Bill must be under the impression that all cyber criminals are bored millennials inhabiting suburban basements. They want to start an American 'civil war' in cyber space, to fix the misguided. The enemy is thy neighbor.

    Meanwhile, a real cyber war has been underway for years, populated with sophisticated state actors, agents of chaos and organised crime. Vigilante counterattacks here and there will be met with either contempt, a vicious up the ante campaign or they will fuel the American cyber 'civil war' to their own advantage. My bet is on the latter.

    1. StargateSg7 Bronze badge

      While you are for the most part correct, you SHOULD also realize that one is dealing with America!....and a pissed off America tends to shoot first and ask questions later! Which means that in the REAL WORLD, said state actors, criminal agents and even the moms-basement dwelling millennial will end up with their basements burned and bombed out to the concrete and theirs and their children's and/or Mom's guts and brains spilling out into the street from a suite of Hellfire missiles fired from 50,000 feet (15000 metres)!

      Try NOT to piss off an America already-pissed off even more so than it already is!

      1. Laura Kerr
        Mushroom

        "Try NOT to piss off an America already-pissed off even more so than it already is!"

        So it's a natural state of affairs that the rest of humanity must live in fear of that ignorant lout in the White House? I don't think so.

        I'd happily see America descend into perpetual civil war, if that would stop Washington poking its nose into other countries' affairs.

        1. jake Silver badge

          Laura, and other "anti Yank" folks:

          Might want to put your own house in order before attempting to fix ours.

          Or at least visit before painting us all with the same brush. Ta.

          1. Laura Kerr

            Re: Laura, and other "anti Yank" folks:

            Two things, Jake:

            1. I have visited the US, and seen more places than just the tourist hot-spots. I don't claim to understand the entire country, but I have seen more than just BBC pap and clickbait webshites.

            2. Our house is well and truly screwed, agreed. I wouldn't trust our government to make a success of running a public lavatory, if the Brexit farce is anything to go by. That's why I returned home last year, as Holyrood still has a fighting chance of saving Scotland from disaster.

            But dysfunctional governments aside, the difference between the left and right pondians is that we don't ponce around the world thinking we own the place and we also make it difficult for people to own firearms without having a legitimate need for them. We also take a dim view of vigilantism, which this proposed legislation appears to be encouraging.

            I couldn't care less what the US does internally - those are matters between US citizens and their elected government. What I do care about is that government's attitude to the rest of the globe, as the cretin in the White House is quite capable of provoking a nuclear war. And that's something everyone, including Americans in the backwoods, should be concerned about, as radioactive particles and nuclear winter don't give a toss about your border security, or anyone else's, for that matter.

        2. Bernard M. Orwell Silver badge

          "So it's a natural state of affairs that the rest of humanity must live in fear of that ignorant lout in the White House?"

          The United States was founded in 1776. That's 239 years ago. During that period of time, the US has been in a formal state of war with one party or another for 222 years. That's 93% of its existence, or, if you prefer, it has been in a state of peace for 17 years of its entire life. Its longest period of "peacetime" was six years, from 1935 to 1940.

          I think that speaks for itself.

          [Source] : http://www.washingtonsblog.com/2015/02/america-war-93-time-222-239-years-since-1776.html

          1. Bernard M. Orwell Silver badge

            "1 thumb down"

            I'm sorry you don't like facts. I know they can be uncomfortable.

            Hugs and Stuff from Uncle UK.

  32. RedPills

    Always about money, corruption

    It's quite likely that this proposal is coming from "cyber" security lobby groups who know that their industry could grow tenfold if they are allowed to work the offensive side. Fat official government contracts, mercenary arrangements, and limitless commercial vigilante work. Hell, they could even play both sides. The industry is already swimming in cash, so the chance at a significant increase I'm sure justified quite large campaign donations, enough to convince these representatives to present such laughable legislation. Given the shift in American politics, playing to the ignorant in the extreme, they just might get away with it.

  33. billslater
    Black Helicopters

    What about #Attribution?

    So how will the victims who are contemplating #RevengeHacks solve #TheAttributionProblem?

    Just curious.

  34. CircuitBreaker

    Extremely limited usefulness

    It seems, to me at any rate, all this does is potentially put only Americans under the gun for hacking. It does nothing to staunch the flow of Chinese/Russian/Insert fav country incursions into American networks which is the real source of problems.

  35. Michael H.F. Wilkinson Silver badge
    Coat

    In a perfect world

    an ACDC bill would have been introduced by representatives named Tesla and Edison.

    Further proof the world isn't perfect

    I'd better get me coat.

  36. Anonymous Coward
    Anonymous Coward

    Computer Misuse

    I am looking forward to when advertisers step over the line regarding using my machine. I guess then they become fair game, and I am legally allowed to cyber attack them?

  37. Tigra 07 Silver badge
    Pirate

    That featured tweet is an exaggeration:

    "I never thought of it this way. It's basically the cyber version of being allowed to murder someone for entering your property."

    It's more like being given a license to burgle your burglar and destroy or steal your own property in the process.

    This sounds good. I've always been a fan of an eye for an eye, but the collateral damage will be horrendous: Person A burgles Person B, who suspects Person C, and burgles him...He then suspects Person D...And...See where I'm going with this?

    We'll end up with the Purge...

  38. Jtom Bronze badge

    Ok. Sorry to disappoint, this is not snarky, insulting, or full of bravado, but a real question. I am curious why those with massive data files (cough, cough, Equifax), don't have 'red dye-packs' buried in their data files. They would be buried routines that would trigger some event if they were moved from one network/operating system/whatever to another. No one would legitimately be asking for the transfer of these specific 'files' because no one would know they were there. They would only be accessed in a bulk transfer.

    The triggered event could be something benign - like sending a traceable email to the data-owner, or more severe, like encrypting everything in the files (and only the data-owner has the key).

    If this gives anyone any ideas for a product, I relinquish all rights. I'm tired of the creeps causing these problems.

    1. anonymous boring coward Silver badge

      "I am curious why those with massive data files (cough, cough, Equifax), don't have 'red dye-packs' buried in their data files. They would be buried routines that would trigger some event if they were moved from one network/operating system/whatever to another."

      Data isn't generally executed. Things don't quite happen in the way it does in movies, most of the time. Although Microsoft has tried hard to make it really insecure by running all sorts of sh*t that should never be run, on the altar of being "friendly".
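
Added example, not part of either comment above: because stored data does not execute, the "dye-pack" idea is usually built as decoy records (honeytokens) that no legitimate process ever touches, with the alert raised by the systems that see the data, such as a database audit log or a mail gateway. The log format, field names, secret and the `canary.example` domain are constructed assumptions for illustration.

```python
import hashlib
import hmac


def make_canaries(secret: bytes, count: int, domain: str = "canary.example"):
    """Derive decoy customer rows from a secret.

    Deriving them (instead of storing a list) means the defender can
    re-create the set later without leaving a file of canary values
    next to the data an intruder would copy.
    """
    rows = []
    for i in range(count):
        tag = hmac.new(secret, f"canary-{i}".encode(), hashlib.sha256).hexdigest()
        rows.append({
            # 8-digit id; assumes real customer ids in this demo are 7 digits
            "customer_id": str(10_000_000 + int(tag[:8], 16) % 90_000_000),
            "name": f"Decoy Record {i}",
            "email": f"{tag[8:20]}@{domain}",
        })
    return rows


def parse_fields(line: str) -> dict:
    """Parse 'timestamp key=value key=value ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for part in rest.split():
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_canary_hits(log_lines, canaries):
    """Return the parsed events that touch a decoy id or decoy mailbox."""
    ids = {c["customer_id"] for c in canaries}
    emails = {c["email"] for c in canaries}
    hits = []
    for line in log_lines:
        event = parse_fields(line)
        if event.get("customer_id") in ids or event.get("rcpt", "").lower() in emails:
            hits.append(event)
    return hits


def sample_log(canaries):
    """Constructed log lines: two ordinary events and two canary events."""
    return [
        "2017-10-13T09:58:02Z source=db user=support7 action=lookup customer_id=1048813",
        f"2017-10-13T10:01:44Z source=db user=svc-batch action=export "
        f"customer_id={canaries[0]['customer_id']}",
        "2017-10-13T10:02:10Z source=mail user=- action=deliver rcpt=alice@corp.example",
        # Mail arriving at a decoy mailbox means the rows left the database.
        f"2017-10-14T03:12:09Z source=mail user=- action=deliver "
        f"rcpt={canaries[1]['email'].upper()}",
    ]


if __name__ == "__main__":
    decoys = make_canaries(b"constructed-demo-secret", 3)
    for hit in find_canary_hits(sample_log(decoys), decoys):
        print("ALERT", hit["ts"], hit["source"], hit.get("user"), hit["action"])
```

A decoy row only shows up in a bulk read, so a single hit in the database log is a high-signal alert; a hit in the mail log shows the copied data is already being used.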

  39. onebignerd

    Hack back

    Yeah this is what we need, tit-for-tat revenge in Federal Laws. I am sure this won't cause any problems.

  40. jobardu

    Hacking Back is common sense and necessary

    The government is doing a poor job of protecting the citizenry, the economy and the military against foreign hackers. ADM Mike Rogers, NSA Director, opposes hacking back by using scare terms about Pandora's Box and chaos. He wants his office to retain its monopoly on offensive cyber and hacking back. Yet the citizenry feels helpless and the people are still bleeding jobs and fortunes.

    Another fear of Rogers and the bureaucracy is that allowing private industry to defend citizens and companies from hacking and pursuing offenders could show up politically constrained, conflicted-priority government efforts for their lack of accomplishments, focus and effectiveness.

    I can remember not too long ago, the SOPA and PIPA bills which showed that the Government priorities were protecting music and movies over protecting Industry and personal information. It was a reenactment of the Dutch purchasing Manhattan Island for $25 worth of Trinkets. In this case, it was the Government, and the then head of the NSA, that was selling the country to the Chinese for a few DVDs. Few people, and fewer news media, called them out on it then and isn't doing so now, the sponsors of this legislation excepted.

    Free enterprise and private industry can always do a better job if there is a free market. What we need is a few companies to serve as Cyber Pinkertons or similar organizations. Will it have some rough spots and will make it a little uncomfortable for government civil service cyber defense groups. Yes, it will, but it will also help make people feel less helpless and provide a layer of threat and uncertainty to private hackers. Hacking won't stop until the price of hacking exceeds the returns yielded by hacking. That isn't happening now, and it is time for a change.

  41. olumuyiwa

    hotel hell

    thank is happen to me now have been to three hotel motel6, palace in and crossland by highway6 palace at main street now at intown hotel still going on sound coming in like music , eardroping sound from the ac and talk from the bed wall, sound from microwave and toilet vent, as the hotel about the room security say they have from the doors, but still hear the sound


Biting the hand that feeds IT © 1998–2019