

Ask HN: What types of subversive hacking are illegal? - bendmorris

With the sudden advent of "patriotic hacking" we've seen "hackers" (for lack of a better word) take matters into their own hands and bring down corporate websites, etc. I've never engaged in this behavior myself and I'm curious as to the legality of various types of subversive "hacking" - DoS attacks, form spamming, or whatever other creative ways you can think of. Are there any good resources on this? Which ones could potentially get you in legal trouble? How easy is it to get caught, if you upset the wrong people?
======
david_shaw
The short answer is that they're all illegal. If you're in the United States,
you might consider reading the Computer Fraud and Abuse Act
<http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act>

But seriously--anything you might consider "subversive hacking" is illegal.
I'm trying to think of an exception, and one really isn't coming to mind. It's
legal to port scan people, but scanning the government or military is sort of
asking for trouble.

It is easy to get caught if you don't know how to cover your tracks. I'm not
going to give more details on not getting caught doing illegal things, because
that's not how I roll.

I work in information security, and would love to point you in the direction
of legal (but still cool) resources. One popular resource is the Offensive
Security Metasploit Unleashed course
[http://www.offensive-security.com/metasploit-unleashed/Metas...](http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training) -- It's well
written and teaches you pretty much all there is to know about Metasploit,
from basic usage to advanced scripting.

Hope that helps a little bit, and remember--the knowledge isn't illegal, but
breaking into systems without proper authorization is. Don't throw away a
bright future because you want to see what's on some random box.

~~~
MoreMoschops
"But seriously--anything you might consider "subversive hacking" is illegal."

What are you counting as "hacking"? Hacking together some encryption software
to retain privacy from an intrusive government is subversive and, in many
countries, legal.

~~~
david_shaw
Well, first of all, if you're writing crypto software to avoid an intrusive
government, then said government would probably make that software illegal.

My goal was actually to show (as you're rightly pointing out) that there are
lots of cool security related hacks that one can do legally.

The poster, though, was asking about DDoS, form stuffing and otherwise "black
hat" activities in relation to the law. You can't DDoS or exploit software on
systems that you don't have permission to test, nor can you stuff forms to
defraud advertisement providers like Adsense. Spamming email is illegal as
well.

I'm not trying to argue the semantics of "hacker" and "cracker" and "script
kiddie." Hacker News refers to _hacker_ in its original sense, whereas I
perceive the poster to be asking about security related practices.

------
cd34
Years ago there was a tool by Tom Liston called LaBrea Tarpit that could be
used in defending against a DDOS. The theory behind Tarpit was to acknowledge
the packet, then silently forget about it, releasing the resources on the
defending side, but, the attacking side sat there with the resources being
used. We used it rather successfully against a DDOS and while handing data
over to several three letter agencies. Through cooperation with another
country, 18 months later the hacker was arrested.

Now, LaBrea was unique, DMCA was a new law on the block and Tom Liston
received a legal brief or opinion (I don't recall from whom) that stated that
several states that were classified as Super DMCA States might actually
consider LaBrea to be a reverse DDOS. It was sort of a stretch of the existing
law, but, you could see how it could be applied.

The original intent of the SuperDMCA law was to prevent the anti-telemarketing
devices from holding the line open when telemarketers called. Because of the
way the old phone system worked, a flashhook would not disconnect two parties
in case the person was on an older 1A switch and was trying to access certain
services. This behavior moved over to 5ESS switches and even to this day, when
someone calls, if they refuse to hang up and you don't have digital service,
when you hang up you will not immediately get a dial tone. Briefly, the
contention was that this behavior could prevent someone from calling 911 and
could put the person in jeopardy. The rough comparison between the law and
LaBrea Tarpit claimed Tarpit's behavior could constitute itself as a reverse
DDOS - and Tom Liston stopped distribution of it. Of course, it was open
source, but, by taking the stand that he wasn't distributing it, he was trying
to protect himself from any legal liability.

I've dealt with the FBI on other DDOS attacks and I am in Florida, and I have
told them that I have used Tarpit to defend against the DDOS. During one
attack, they did offer to write an OIA as they wanted the data (political
site).

So, even defending yourself against a DDOS could be illegal. :)

------
aspir
If you have to ask, you're probably playing around with forces you shouldn't
mess with.

Hack via providing goods and services that consumers or businesses will pay
for. You'll actually see a return on your efforts.

------
kakaylor
On the flip side, I have had some positive experiences doing some casual (non-
malicious) hacking on some tech-blogs \ websites I frequent. Nothing too
fancy, just simple SQL injection for privilege escalation and the like.

Any time I find something I immediately follow up with an email to the
owner/administrator with all of the relevant information (including my IP
address and contact information). The reactions have generally been quite
positive (I've even gotten some complimentary swag out of it).

------
jesseendahl
A lot of tools can be used for either good or evil. I am with david_shaw.
Don't do anything illegal. That said, <http://sectools.org> is a great
resource for network security software.

------
bendmorris
For the record (believe it or not), I'm not interested in doing any of this
myself. I'm just curious as to what kind of trouble those that have been doing
this recently might be in.

------
rprasad
Anything involving doing something to someone else's computer systems, without
their permission, is illegal. It doesn't matter what your motives are.

Whether you will be prosecuted or convicted for those acts is a separate
issue. Rule of thumb: if you cause harm/damage/bad things to happen, you will
be prosecuted.

