The Right to Defend
Tim Mullen, 2002-07-29

Is it criminal to reach out and hack an infected machine that's attacking your network?

The Right to Defend 2002-07-29
Anonymous (10 replies)
The Right to Defend 2002-07-29
Anonymous (1 replies)
The Right to Defend 2002-08-01
Anonymous (3 replies)
The Right to Defend 2002-08-01
Anonymous (1 replies)
The Right to Defend 2002-08-05
Anonymous
The Right to Defend 2002-08-06
Anonymous
The Right to Defend 2002-08-07
moleculem@t
The Right to Defend 2002-07-29
Anonymous (1 replies)
The Right to Defend 2002-07-30
Anonymous
The Right to Defend 2002-07-29
Anonymous
The Right to Defend 2002-07-31
Kruse (1 replies)
The Right to Defend 2002-08-01
Anonimouse
The Right to Defend 2002-07-31
Anonymous
The Right to Defend 2002-07-31
William Stone, III
The Right to Defend 2002-08-01
Anonymous
The Right to Defend 2002-08-05
Anonymous
this makes no sense 2002-08-07
Anonymous
The Right to Defend 2002-08-08
Anonymous
The Right to Defend 2002-07-29
Anonymous
The Right to Defend 2002-07-29
Anonymous
Happened with Code Red 2... 2002-07-29
Nicholas Weaver
The Right to Defend 2002-07-29
Matthew Waddell (3 replies)
The Right to Defend 2002-07-30
Anonymous
The Right to Defend 2002-07-31
J. J. Horner (1 replies)
More Misinformation 2002-08-07
Anonymous 3 Letter Agency
Misinformation 2002-08-07
Anonymous 3 Letter Agency
Wanna be a cowboy 2002-07-29
Me (2 replies)
Wanna be a cowboy 2002-07-30
Anonymous
Wanna be a cowboy 2002-07-31
Anonymous
Responsibility for abetting a crime 2002-07-29
Anonymous (2 replies)
You wrote "But if an administrator does not secure his box, and the same series of GET requests hammer against my network for months at a time, he is a victim. An innocent." But he IS abetting the criminal who wrote the worm/virus. I suggest that he either "knew or should have known" what his system was doing. He should not be considered completely blameless, especially if the activity has been going on "for months at a time".

Suppose, instead of a cyber-crime, we were talking about a landlord whose property was being used for illegal purposes, such as a drug lab. Although you, as a private citizen, do not have the right to break in and destroy the lab, the proper authorities can obtain a warrant and do it for you. However, we currently lack an "internet police force". In light of the international nature of the internet, that appears unlikely in the near term.

Instead, what if a few existing computer security organizations (such as CERT) were granted the ability to take emergency actions such as your suggested "hack-back" against an attacking computer? Individuals could report suspected attacking systems to these organizations for investigation; if the attacks were confirmed, and attempts to work with the cognizant administrators were fruitless, then a "hack-back" could be initiated.

I would feel better knowing that only a few approved, publicly known, and technically qualified groups were performing these "hack-backs". The thought that anyone with access to "hack-back" scripts should be allowed to do so, on their own initiative, is disquieting...

Link to this comment: http://www.securityfocus.com/comments/columns/98/15883#15883
The Right to Defend 2002-07-29
Anonymous
The Right to Defend 2002-07-29
Anonymous
The Right to Defend 2002-07-30
Anonymous
The Right to Defend 2002-07-30
Anonymous
The Bigger Picture 2002-07-30
Anonymous
The Right to Defend 2002-07-30
Anonymous
The Right to Defend 2002-07-30
Anonymous (1 replies)
The Right to Defend 2002-07-30
Anonymous
The Right to Defend 2002-07-30
Mel
The Right to Defend 2002-07-30
Hamster1
The Right to Defend 2002-07-31
Anonymous
The Right to Defend 2002-08-01
Anonymous
The Right to Defend 2002-08-03
sceptic
The Right to Defend 2002-08-04
Itdincor
The Right to Defend 2002-08-05
State Admin (1 replies)
The Right to Defend 2002-08-06
Anonymous sysadmin
Here here! 2002-08-06
Anonymous (1 replies)
Here here! 2002-08-06
Astrix
The Right to Defend 2002-08-08
IV







 

Copyright 2008, SecurityFocus