
Digital Vigilantes Who Hack Back - tzury
https://www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back
======
badrabbit
What you have to keep in mind here is the concept of "due process" and "fair
punishment". You cannot simultaneously subscribe to the rule of law and
autonomously execute punishment measured with your own subjective scale.

If you don't care about rule of law and justice then consider this: the
wealthiest individuals and largest corporations will afford to "hack back"
mercilessly without any due process while the layman will sit in the middle
catching stray bullets from either side.

All that said I hop at the very least,people who support "hacking back" would
also support a very strict and heavy punishment for anyone who hacks back the
wrong attacker or causes harm to a system that was only being abused post-
compromise (as opposed to attacker-owned infrastructure).

The best kinetic warfare comparison would be modern urban warfare. You can't
just shoot in the direcrtion of a terrorist who attacked you, if that
terrorist is hiding in civilian houses or is holding a hostage. Civilians are
not trusted to make that collateral damage risk assesment due to the terrible
consequence of getting that wrong

~~~
mieseratte
> You cannot simultaneously subscribe to the rule of law and autonomously
> execute punishment measured with your own subjective scale.

At risk of being pedantic, there exists "Stand your Ground" and "Castle
Doctrine" laws in many states that allow one to autonomously execute an
assailant, given certain criteria. Wouldn't hacking back be a fairly natural
extension of this? Assuming there were a law permitting, it doesn't seem
incompatible with rule of law.

~~~
PostOnce
castle doctrine as I understand it means your home is your castle -- you have
no duty to retreat from your own home, if someone has broken into your home,
the odds of something going wrong and you ending up dead are high enough that
those states have said you can defend yourself with violence in your own home,
rather than getting shot in the back or stabbed -- where are you going to
retreat to anyway? You're already home.

So, it seems like the logical extension into cyberspace would be that you can
do anything you want to the attacker's computer while they are connected to
your systems, but you can't pursue them once they've gone, the same as kinetic
castle doctrine.

~~~
gm-conspiracy
Also, if the victim's 'services' are being hacked (of which they do not host
themselves), would it not be more akin to a thief breaking into a rented self-
storage locker?

The castle doctrine would definitely not apply in that situation.

~~~
mieseratte
> The castle doctrine would definitely not apply in that situation.

This is flat-out wrong, at least in the states I'm familiar with.

Most states' Castle Doctrine applies to home, work, vehicles, and property. If
I'm out in the country on land used for hunting, the "Castle Doctrine" still
applies assuming the normal criteria are met.

If I'm at the site, I have a right to defense regardless of it being my
primary residence or a rented facility.

~~~
gm-conspiracy
No, what I meant was you, as a human, not being physically present, it is just
your private property that is "stored" at that location.

------
CM30
Hmm, not a fan of this idea. Feels like it's encouraging vigilantism and
'taking the law into your own hands', which is not something a well run
society should be incentivising. I mean, it seems like someone who hacked
another person or organisation's systems to remove private data could end up
wrecking a bunch of other things, which wouldn't be good for anyone.

And then what if its a case of mistaken identity? You don't really have proof
the data you're trying to erase is on the other party's system until you break
into it, which could then leave the other party extremely annoyed and wanting
to do the same back...

Eh, just feels like companies and individuals wanting to become internet
vigilantes if you ask me.

~~~
Andre_Wanglin
>Feels like it's encouraging vigilantism and 'taking the law into your own
hands', which is not something a well run society should be incentivising.

No, citizens acting on their own and society's behalf should always be
incentivized versus infantilizing everyone into helplessness and dependence. A
home intruder being summarily despatched by an armed homeowner, for example,
is a far superior outcome than the homeowner suffering whatever the intruder
subjects him to while hoping the "authorities" intervene on his behalf. Not to
mention the improbability of any true justice being delivered via the legal
system.

~~~
CM30
Nothing wrong with self defence, but there's a difference between fighting
against/potentially killing an intruder who was going to hurt you/did hurt you
and hunting them down once they'd stolen the goods and blasting their head in
with a shotgun.

Hacking back feels less like the former and more like the latter (ala
vigilante lynch mob going after someone who'd done wrong in the past).

~~~
gm-conspiracy
Also, what is the context of the hacking?

Copying of intellectual property, or hijacking CPU/GPU cycles for crypto
mining?

------
chainsaw10
So what happens if a hacker hacks company A and uses their server as a jump
box to hack company B? Is company B allowed to hack A since their machine was
used in an attack?

Or even worse, what if company B is mistaken as to who attacked them? If they
"hack back" as advocated, but against the wrong target, are they liable?

~~~
Andre_Wanglin
It is amusing that while you can easily recognize the attribution problem, you
venture that others cannot.

~~~
gm-conspiracy
That is why we are here, and the 'other' is not. Hegemony exists.

------
kunle
Anyone else thinking of coining "Digilante"?

------
Sophistifunk
Do you want a cyberpunk dystopia? Because this is how you get a cyberpunk
dystopia. Only without all the badass nanotech and orbital lasers.

------
motohagiography
Thinking there is this idea on this thread that you are committing violence or
harming systems by "hacking back," when really you are following a trail and
picking up crumbs of identifying data the attackers left behind, through
systems that were neglected in the first place.

In regard to the idea that you need the law to "punish," people and that
defense is against the "rule of law," that concept only applies to violence,
and almost exclusively to the monopoly on violence we grant the state as part
of that rule of law.

Is it undermining the rule of law to chase a thief across private property? In
some pedantic universe sure, but not by any standard of reasonable conduct.

Shrill objections to vigilantism are not applicable to collecting counter
intelligence on people who have attacked your business and property. No doubt
there is legal risk from agencies and institutions who are rightly humiliated
by their own powerlessness, but moralizing about vigilantism on this issue is
un-serious.

~~~
gm-conspiracy
What about putting somebody in prison for more than 5 years because they made
copies of DVDs and printed a Windows and Dell logo on the DVD?

------
2close4comfort
If you thought that Nation-State hacking looked bad wait until Private Sector
hacking reaches Blackrock levels should only take a few weeks...then it will
be who can afford the biggest stick.

------
SuoDuanDao
It's a difficult balance to strike. On the one hand, people who feel
sufficiently righteous to decide what the appropriate response is to something
like a cyberattack are rarely the people we'd want in that role.

On the other hand, this sort of impromptu duelling adds so much risk to being
a bad actor and there are so many benefits to standing up to bullies that I
suspect we do want some of this activity.

I suspect the process may be self-correcting. A society that rewards someone
for tying up a scam company's phone line will also punish someone for doxxing
the wrong target. Perhaps the next decades will see us move from mob justice
to crowdsourced justice. I feel it could be done...

~~~
gm-conspiracy
Be careful what you wish for...

[https://en.wikipedia.org/wiki/The_Lottery](https://en.wikipedia.org/wiki/The_Lottery)

~~~
mdrzn
That was a great read, being from outside US I've never heard that story.

I guess we can have crowdsourced justice, we just need to always question our
motives.

------
haZard_OS
Apparently, the hacker who posted this to HN is so good, he/she hacked into
the future to bring it here.

Cue the HackerMan intro:
[https://youtu.be/KEkrWRHCDQU](https://youtu.be/KEkrWRHCDQU)

------
driverdan
> While there, he was struck by the power of digital weapons: military jets
> routinely flew overhead, using electronic pulses to detonate hidden bombs
> before they could kill American soldiers.

Anyone have more details about this? I know there's some current research into
portable EMPs but never heard of them being used in 2011. A quick search
didn't turn anything up.

~~~
greeneggs
I don't think it is accurate.

Airborne IED _jammer_ , the Intrepid Tiger II pod (2011):
[https://www.stripes.com/news/middle-
east/afghanistan/airborn...](https://www.stripes.com/news/middle-
east/afghanistan/airborne-ied-buster-may-be-flying-soon-over-
afghanistan-1.155164)

Remote IED _detonator_ , but not airborne and just in testing (2011):
[https://www.popsci.com/technology/article/2011-02/new-
device...](https://www.popsci.com/technology/article/2011-02/new-device-uses-
electromagnetic-pulses-detonate-ieds-safe-distance)

------
ChuckMcM
I have always wondered if these folks really want to know someone who is
living in Belize or something. It seems that setting up an 'active defense'
relationship with a third party not encumbered by the CFAA would be a useful
strategy.

I agree with the premise that if its "safe" to hack the US then people will
continue to do it.

------
esbafb8
Yeah right. Good luck hacking back when most attacks are relayed through
zombie devices.

~~~
Andre_Wanglin
Why do you assume your imagined incompetent whitehats are incapable of
differentiating zombie hosts from C&C and other meaningful infrastructure?

~~~
dvhh
Because competent whitehats sound expensive to contract

~~~
Andre_Wanglin
No one paid Marcus Hutchins. He just acted. (And look what what that got him.)

------
SolarNet
Upside more jobs in tech... all these companies are going to want active
offense teams if this passes.

------
tomohawk
It's the hallmark of free people in every age that they have the right to
defend themselves.

We've been disarmed, so we're not free. Those who have disarmed us seem to
think that the most important thing is that we not interfere with their work,
even as we continue to be attacked. Not only that, they will more zealously
guard their turf than defend us against aggressors, since we're easy to target
and fit within their competence. They will essentially join in the attack to
protect their turf.

It's all for our protection, though. We just need to trust them that
eventually they really will protect us. Any day now. Just you wait.

------
zitterbewegung
All is fine an good until someone hacks back and created an even bigger
problem. Although at this point the FBI needs Microsoft’s help to fix big
messes that cracking causes .

~~~
walshemj
Yes but Lockheed martin and Sandia Labs are not your average sv company they
will have some one whos job it is to laisse with the security services.

Surprised that the journalist don't seem to know that, I am sure the new
Yorker has a security/defence correspondent

Bit surprised that he went to the local FBI and not his internal security team
or direct to the CIA and got some cover.

~~~
jessaustin
He probably didn't trust his management/HR. Wise move, in retrospect, but
nearly canceled out by trusting _FBI_.

