Good Offense Not the Best Anti-Virus Defense
Wednesday April 16, 2008 at 10:56 am CST
Posted by Allysa Myers
There was an interesting article in InformationWeek this morning about a couple of security researchers who have presented the possibility of using offensive technologies to go after hackers. The most recent was Joel Eriksson from Bitsec, who presented at RSA last week about exploiting security holes in remote-access Trojans.
The article also brings up a five-year-old example of an earlier attempt at offensive technology to be used against hackers. In this case, Tom Liston created a tool called LaBrea (after the tar pits) that would ensnare computers which were being used to attack it either intentionally or due to worm infection.
There are plenty of people within the security industry who would like to be able to employ these tactics. The urge to take a pound of flesh for the late nights and weekends spent dealing with malware attacks is certainly understandable. But I know very few people in this industry who actually think it’s a sound idea, or worth the potential legal trouble.
Just as there are few locales where it is legal for you to shoot an intruder in your home, there are few locales where it is legal for you to attack those who intrude on your computer. Even in those locales where it is not illegal to attack an intruder, you must take into consideration the possible court costs. It’s highly likely the survivor (either the intruder or a family member) will sue you, and it will take some time with a lawyer to defend yourself against these charges. It’s entirely possible that a hacker or a worm-infected user would do likewise.
This is still assuming that your case was reasonably clear-cut, that it was genuinely a hacker or worm infection that was coming after you. These tactics could just as easily be used as a sort of alternate flavor of Denial of Service attack – spoof the traffic or exploit a machine for the purpose of making it a target.
The general computing population is not particularly knowledgeable about the inner workings of their machines; some say there should be licensing such as for driving a car. It’s my opinion that there would first have to be this sort of licensing, and then a permit akin to a “Concealed Carry Permit” before this could be considered a good idea.
The Internet is a scary enough place without adding even more unskilled attackers.

April 17th, 2008 at 8:07 am
You’re telling me that if someone breaks into your home with a gun, you have a gun to defend yourself, and you aren’t going to use it because of the possible court costs? What about your life? Is that worth so much less than the court costs that you’ll let the intruder shoot you rather than defend yourself?
Unfortunately, it’s just a bad analogy. These aren’t people breaking into your home, they’re robots programmed to break into your home. Now, would you shoot a robot intruding on your home? Yes. (Sadly, this is the job of the poorly written operating systems and poorly performing anti-virus solutions we have today). The analogy you’re fishing for - would you then call the police to find who programmed and sent the robot or go vigilante and try to track the controller down yourself?
April 23rd, 2008 at 10:28 am
This is a very interesting situation in that the issues are the cyberspace equivalent of self-defense, law enforcement, and warfare.
That being the case, if a threat actually enters your computer or network, you have the right to self-defense. You have the right to eliminate the threat that is within your private property. This is done with firewalls, anti-virus, and other security software.
The next level, law-enforcement, is a matter for, well, the law. You as an individual may not have the right to go vigilante on a threat external to your property. I think that’s what Allysa is saying in this article. You may expose yourself to a lawsuit if you go after some external computer with any kind of destructive intent, regardless of the motivation.
The warfare analogy is already playing out (read up on the Storm Botnet, and the cyberwar between Russia and Estonia). But it is very early in that game, and the US military is mostly on defense right now, debating whether it should go offensive yet.
At least cyberwar is merely expensive (time, research, and effort), not deadly. Yet.