Active Defense/Hack Back and “Complete Ignorance”

I recently read a post about “Active Defense” or, as some call it, hack back. I won’t reveal the author or the title so as not to disparage anyone. Certainly this topic is very sexy right now and many like to write about it, but most of the articles I have seen constitute fear mongering, with comments based not in fact or even sound theory but in ignorance of the topic, the laws, and the technology, and appear to be an attempt to sensationalize the topic.

Yes, there is a problem. Yes, companies are suffering. Some of the companies have a legitimate complaint. They have done all they can and the government has tied their hands by saying things like, “if you hack back you are no different than the hackers.” A lot of companies, though, have no right to complain because their security really sucks, is like Swiss cheese and they are not willing to spend the money to fix it.

The blog I read recently quoted a former DoJ attorney who stated that it is illegal to go outside of your network and hack back at your attacker. In the next paragraph the writer quotes a so-called security expert who says his company has the capability to determine who attackers are and collect intelligence on them, and this is not illegal but good practice. The expert provides the usual, “do not try this at home,” warning. I will leave it to you to decide whether this warning is good advice or simply self-serving.

So here’s my problem: These quotes claim on one hand that it is illegal to attack your attacker but on the other hand that it is not illegal to take the steps necessary to determine who your attacker is? If determining who attackers are was really that easy and clearly lawful, everyone would be doing it. Most would admit the greatest challenge with cyber crime is determining who the attacker is, e.g. attribution. One of the great claims by those who believe “Active Defense” is illegal and immoral is that attribution is extremely difficult and if you can’t determine attribution then you may be “attacking an innocent victim.”

As a side note to the above comment, and as I have said in previous blogs, if someone has been compromised and their server is being used to attack my company, that person is NOT innocent. A victim like me, yes, but innocent, no. If I have to disrupt his server to protect my company then so be it. Chances are that server owner does not want the other hundreds or thousands of companies who are victims of his server attacks to know that he is the patsy attacking them due to his crappy security.

So, I would kindly ask those who like to write about “Active Defense” to please do some research, think the process through, stop confusing the issue and stop writing fear mongering comments like, “you might start a war with China.”

Courts and Lawyers: Gauging the Level of Technical Knowledge

Like many people, I make a lot of assumptions. Lately, I have made a lot of assumptions about people’s level of knowledge when it comes to cyber security and technology. This is likely due to my background and training. If you work in IT, cyber security or related areas, chances are you make a lot of these assumptions as well.

Recently I learned that the level of knowledge regarding cyber security and technology amongst the legal profession is not as high as I had assumed. This is not a knock on my colleagues in the law profession, but my failure to avoid making assumptions. For instance, when emails are offered into evidence their authenticity must be established, but does this include whether the email address is genuine and was not spoofed, the content is original and was not altered, the date and time were not altered, the location of where the mail was accessed if webmail, how webmail works, where the servers are located, the metadata of messages, etc.? Example: if one party offers emails to prove a point about their opponent and the offering party had not been given access to the email account, the question should be raised as to where the emails came from and whether they constitute evidence of a crime; e.g. was the email account hacked?

This is not unique to email but would apply to social media accounts as well. Many people today do not realize how easy it is to fake, alter and manipulate online or e-accounts. Certainly the legal profession must be provided the training and information to know the right questions to ask regarding the authenticity of evidence.