
Ask HN: What if we legalize cybercrime? - CiPHPerCoder
https://bqp.io/should-we-legalize-cybercrime.html
======
bmmayer1
What if we legalize murder?

People will be forced to be nicer to one another. People will learn self
defense and become stronger and more capable. There will be more gun safety
because everyone will be trained in gun use properly. Fewer spouses will
cheat.

It will be a great world for everybody.

~~~
darawk
I don't know if that's quite a fair comparison. Physical self-defense is a
cost we all would have to incur all the time. Software security, on the other
hand, can be paid in a bit more of a centralized way by companies who are
paying that cost anyway.

Obviously this is a thought experiment and probably shouldn't actually be
done, but I think the murder comparison is slightly unfair to the idea.

~~~
JumpCrisscross
The analogy is hyperbolic but apt. States exist to hold a monopoly on violence
and protect property rights. One takes priority to the other, but they're both
fundamental _raisons d'être_.

~~~
darawk
I'm not sure what you're arguing against there. Nobody is advocating or even
talking about relinquishing the state's monopoly on violence.

~~~
JumpCrisscross
> _I'm not sure what you're arguing against_

The top commenter analogized, jestfully, legalizing homicide with legalizing
cybercrime [1]. A second comment said this comparison was unfair [2]. My
comment [3] responds to that second comment.

In essence, if a state's claim to a monopoly on violence is legitimate, then
its claim to protecting property rights is (almost) as valid. Thus, advocating
a dissolution of the latter, _e.g._ legalizing cybercrime, can be compared, as
a legal _argumentum ad absurdum_, with permitting murder.

[1]
[https://news.ycombinator.com/item?id=13266097](https://news.ycombinator.com/item?id=13266097)

[2]
[https://news.ycombinator.com/item?id=13266146](https://news.ycombinator.com/item?id=13266146)

[3]
[https://news.ycombinator.com/item?id=13266749](https://news.ycombinator.com/item?id=13266749)

~~~
darawk
But nobody is advocating that the state relinquish the right to protect
property. They aren't making a philosophical argument about rights and laws of
nature. They are making a practical case that it may not make sense for the
government to protect cyber property specifically. And that they make that
determination on the basis of practical considerations.

They aren't relinquishing their theoretical right to control it. They are
simply choosing not to for practical reasons.

------
pavel_lishin
For people who won't read the article, it makes it clear that this is just a
thought experiment, and offers a lot of reasons why we don't legalize
cybercrime.

But one reason that's not mentioned is that it's horribly asymmetric:

> _Let me paint a utopian world for you, where all kinds of cybercrime –
> hacking, ransomware, DDoS, etc. – are entirely legal._

It's much more expensive to defend against a DDoS attack than it is to launch
one. Granted, if we did live in a world where cybercrime was legal, and things
like IoT cameras were much harder to subvert into a free botnet, it might
become more expensive, but in the end a lot more effort would be put into
prevention than would be put into cause.

~~~
ajamesm
Wouldn't it be possible to make the economics of DDoS symmetrical by enforcing
repercussions at the ISP level?

If 10,000 IPs are syn flooding, all out of one ISP, their peers can stop
routing that ISP's traffic until that ISP starts mitigating.

I imagine the biggest impracticality is that ISPs are monopolistic, so if you
stop routing someone like Comcast, all of a sudden half of America is offline.

Perhaps we COULD let the internet be the Wild West, if we had a fair selection
of providers, or if they effectively self-regulated.

~~~
nickpsecurity
Yes. Such things were in my recommendations. You could ensure stuff can always
be traced to source (at transport level), filtered, and/or rate-limited.
DDOS's get rate-limited automatically by ISP endpoint or middleboxes with
costly penalties for this happening. Simultaneously, supply side starts
offering all kinds of options to prevent that which are cheaper than being
declared digital version of a public nuisance.

The Tier 1-3's mostly don't care since they're paid primarily to provide the
line plus have regulators in their pockets. There's certainly work in these to
reduce DDOS a bit for competitiveness but they avoid a simple solution like
mine out of greed. ;)

~~~
pavel_lishin
> _DDOS's get rate-limited automatically by ISP endpoint or middleboxes with
> costly penalties for this happening._

Who would pay? My name is Serhei, and I'm in Ukraine, and I just unleashed a
100k-strong botnet of smartbulbs and babycams. It's spread somewhat evenly
across American households, and mostly among their ISPs. I still pay nothing.

~~~
nickpsecurity
The people who connect products or configurations with shit security to the
Internet. Bad security has to cost them something before the demand for good
security is generated. Just headaches right now but loss of money or Internet
is more severe. Then, with a demand, either the hardware/software market or
the regulators will start doing something from there. They're already doing
something where numerous products exist that were all created by relatively
small companies or teams. They'll do a lot more.

------
saidajigumi
_While we can dream of a future where cybercrime is legal and we rely on our
code and math to protect us, completely legalizing it today is not our best
option. Nevertheless, we should consider moving in that direction._

I like that this article looks at the distributed, societal-level effects that
derive from law. But I find the "should consider moving in that direction"
part to be perplexing. One straw-man take against that: what about defense in
depth? Can we strongly incentivize secure software and software-based
appliances _and_ still have legal deterrents against cybercrime perpetrators?

~~~
za_creature
Wouldn't the presence of those legal deterrents allow a company to transfer
resources away from tech and into legal to mitigate the problem?

------
marcosdumay
There's no lack of cybercrime around to force people into hardening their own
security.

People still don't care. And it is still asymmetric in that the people with
loose security aren't being hurt by their own looseness. And it is still
impossible to ensure your system is completely secure. And it is still
asymmetric in that attackers only need one flaw to win, defense must fix every
flaw.

------
tim333
> With no law to hide behind, companies will put a much more serious effort
> into making products that are secure from day one. The "Nobody will do this
> because it's illegal!" excuse is gone.

It's not like the "Nobody will do this" stuff makes much sense at the moment
given there are hacking stories in the press all the time.

~~~
jack9
Even the most deranged psychopath follows the lines on the road when driving.
The lines serve a purpose, which may fail for specific individuals, but does
provide a guideline so that most do (even if some of those following some
lines will cross others). Laws do not govern by consequence alone, but by
exploited instincts in humans. Humans do not cleanly separate social
agreements from safety constructs from linear optimizations.

------
wcummings
I do kinda fancy the idea of giving letters of marque for "cybercrime", though
it's obviously not realistic for a whole bunch of reasons.

------
goda90
An interesting thing to consider would be the retaliation that might develop.
The best defense is a good offense, so all these companies might start
actively attacking their attackers.

~~~
naasking
It's a reasonable tactic when you have comparable resources to your opponent,
and you know how to attack them. Both cases are probably untrue, the latter in
particular.

------
shurcooL
This is a good thought experiment. I'd like to expand on it.

The author points to these items:

- The value they expect to gain for themselves by attempting the attack.
- The probability of getting caught.
- The punishment they expect to receive if they do get caught.

They then make the argument that it's disadvantageous to try to maximize the
probability of getting caught or increasing the punishment (items 2 and 3).

Legalizing cybercrime would have some positive effects, for sure, but also
many negatives, as discussed.

What if we tried to minimize "value they expect to gain for themselves by
attempting the attack"?

Here's a twist, I'd like to consider minimizing that by breaking it down
further. There are two important components here:

1. the value
2. the who (the boundary of what's included as part of "themselves")

I don't think it's easy or viable to reduce the value gained, but what if it
were possible to change the definition of "the who"?

I look at myself as an example here. I personally have very little interest in
harming others. Even if I were in a hypothetical situation where I knew I
could do something with low chance of being caught and/or low punishment, I
still wouldn't take advantage of that situation. In fact, I would really enjoy
being nice/white hat in such a situation. But it's not because the value is
low, it's because I consider "myself" as the overall humanity and not just
myself the person who's typing this comment. My goal is to maximize the
benefit for everyone by creating net positive value. I know that if I could
DDoS or steal money from someone, even if it's risk-free or legal, I still
wouldn't do it just because it doesn't benefit all of humanity (even if it
benefits myself)... the value as I see it is overall negative (I gain less
than someone else loses).

So I wonder if it's possible for more people to look at things that way, where
they try to maximize value for everyone rather than themselves. Can we
increase people's empathy? But most importantly, if everyone behaved this way,
would that actually be better for us, or would absence of selfish behavior and
competition be harmful?

~~~
CiPHPerCoder
> Can we increase people's empathy?

Psychopaths exist. What do we do about them?

~~~
dsp1234
More specifically, there are several mental disorders that are defined, in
part, by a lack of empathy (ex: Narcissistic Personality Disorder). Attempts
to "increase people's empathy" will likely fail on those individuals.

~~~
CiPHPerCoder
Ah right, I forgot about the others. :(

Yeah, it's a real problem that needs to be addressed when discussing empathy.

------
hackuser
Why doesn't the government protect people from cybercrime? You can openly
threaten, harass, and slander people with no penalty. You can steal things
from people - even from the institutions that are fundamental to democracy -
with very little risk of punishment.

It's the wild west; government has abandoned its responsibility to protect
its citizens and institutions, and for some reason very few people object;
they accept it as the norm.

------
michaelbuckbee
The article is a good thought experiment, but I think doesn't touch on the one
current legal form of cybercrime: bug bounties.

While they have their issues, properly administered they are a win for
security researchers, consumers and companies.

A great recent example is Shopify:
[https://news.ycombinator.com/item?id=13200455](https://news.ycombinator.com/item?id=13200455)

------
tehabe
Reminds me indeed of the idea of some Libertarians, who believe we all steal
from each other. So making everything legal would result in an equilibrium
in which everybody gives up something voluntarily and nobody steals
anything. This is probably badly summarised but I never believed that would be
a good idea or even realistic.

------
Scirra_Tom
> Making the punishments more severe is a poor idea too. We've seen again and
> again people being prosecuted under cybercrime law for "crimes" that
> shouldn't have been crimes.

This is bad logic, increasing punishments does not necessarily mean more
innocent people get caught.

~~~
ryanlol
I think you're misinterpreting.

It's not necessarily that _more_ innocent people get prosecuted, but that when
they do the stakes will be higher.

------
drawkbox
I think in many places or situations, depending on the targets and the
overseers, it sort of is.

Intelligence or military cybercrime is definitely legal to the ones doing it.
Some places or countries are too small to enforce or don't care about it. Some
people are probably helped by funders who have bribed their way into legality.

------
kardos
In the same vein as the title question: what if we (ie, one of the botnet
operators) made all the shitty IoT devices into TOR exit nodes? My guess is
that would either (a) incentivize people into securing or discarding them or
(b) normalize exit nodes for the benefit of tor and online anonymity.

------
insulinrocks
Interesting concept, but seriously what is up with the comments on this blog
post?? I could not have been more surprised or confused by that.

~~~
crystalPalace
The comments appear to be written by Terry A. Davis, a schizophrenic computer
programmer famous for creating TempleOS as well as his belief that one can
communicate with God through random numbers. He was shadowbanned a number of
years ago on HN for making similar off-topic and offensive comments.

------
andrewclunn
Odd that google.com now redirects me to bing.com when I use Microsoft Edge...
Ah, another Facebook blackmail notice, need to remember to send them their
monthly $20, so they don't tell my significant other about my affair...
Somebody left a phone on the ground, oh damn it, it just scanned my
fingerprint and is breaking into my bank account, serves me right, I should
have known better than to go outside today.

Yeah, I'm not digging this dystopian future. On the plus side, it would bring
typewriters back into common use.

~~~
mattashii
> Somebody left a phone on the ground, oh damn it, it just scanned my
> fingerprint and is breaking into my bank account

Never, ever, use biometrics as a valid login option for identity-sensitive
data/applications. They're way too easy to find out for an attacker.

~~~
elliottcarlson
The real problem is when it becomes a mandatory authentication system. We've
all seen the ridiculous password requirements some sites have, that in reality
offer no additional protection -- and their implementations are often
questionable; Chase Bank still is case insensitive for example. All it will
take is for someone to think it's a good idea, and make a push for that as a
standard.

