Hacker News | FerretFred's comments

That's almost how you spell "palantir"...

I got the citrus version because it made such a change from the usual. However, I'd love it if Apple could make some truly vibrant non-pastel colours like the tangerine and lime devices they did in the early days.

Ah, fond memories of the original CRT iMacs. I think you could take off the color covering and replace it with a different one?

More color choices than there are Pokemon games.


The G3s were cool when they came out but they didn't have swappable case covers, nor were there as many colors as you remember.

I always wanted one but could never afford it. Now I can afford it, they're not available

Blue Dalmatian!

I agree.. having to spend longer than necessary at UK's Manchester Airport would have me singing like a canary!

The middle finger could be the emergency use one ...

I'm reading this nervously on my MacBook Air, but chuckling quietly with my cheapest Mac Neo (my new travel companion).

Sadly yes. IANAL but under the RIPA Act they can issue a section 49 notice and you risk imprisonment for not complying. However, they need proper authorisation to do so, and the notice must be lawfully issued, so presumably a magistrate. This is all part of our famous British Justice!

There are several exceptions. Like border crossing or when hate crime is investigated. Arguing about legality, while interacting with police, is always a losing move.

Just carry burner devices, and store sensitive stuff somewhere safe!


I agree! Having seen how some of the police operate in parts of Europe I wouldn't want to upset them especially if I don't speak the language. I have a burner tablet and can always keep stuff I need in the Cloud.

Someone, somewhere has an unwatched phone waiting for an authorisation code response...


If a company's already been hacked, what makes them think they have the knowledge/expertise to fight back?


Even better, why would they bother? If it's a non-monetary hack (i.e. for data), hacking them back won't undo leaking the data. If it's a monetary hack, there are surely much better recovery options than trying to do a hack-in-kind to take it back.

It also seems incredibly risky. This US admin might be okay with it, but will the next? For multi-national corporations, will other nations be okay with it? I wouldn't think countries unassociated with the conflict would be happy with digital privateering.


> For multi-national corporations, will other nations be okay with it?

imagine hacking back and accidentally hitting a hospital killing someone in the process

that is a fast line to get an Interpol terrorist arrest request on your head, sure the US won't hand you over, but have fun never leaving the US and getting assets abroad seized


I wouldn’t bet my freedom on the current US admin sticking their neck out to save me. Domestically, they’re hemorrhaging polling numbers and can’t eat the PR hit of “innocent people in a random country died because of what we said”. Abroad, we are in a much weaker position than we were a couple years ago both in terms of alliances and economics. We feel very vulnerable to foreign tariffs with the economy as it is.


Does that happen to state sponsored Iranian hackers?


the comments are about "private firms hacking back"

not about highly specialized groups hacking first

but also "professional hackers" have screwed over hospitals before and confirmed it was accidental, so potentially yes

worse, Iranian terrorists with hacking skills might intentionally target hospitals and they might not sit in Iran so disconnecting Iran is unlikely to help at all with such a threat


At first I thought this was a joke comment, like you could accidentally fire a hacking missile and hit a hospital… but you’re serious?



Hacks that need to cross an air gap are often self-replicating. I.e. you get an email with a compromised PDF, and your phone starts distributing it to everything else on the same network so if you connect your phone to the air gapped network it can get in.

Then you end up with collateral damage if your wife or roommate or whatever works at a hospital and they take their infected device to work.


they don't

worse, hackers do like using jump hosts

so wherever you "hack back" to has a good chance to be another victim

it's also a good point to remind people that most cases of "knowing who it was but not catching the people behind it" are either wild guesses without proof or the attacker leaving recognizable traces (like a literal "it has been us <group>" note / not a joke). But the problem with that is any other advanced enough hacker group/APT could also have made it look like that...


> what makes them think they have the knowledge/expertise to fight back?

The fact that they have money to hire someone to do it?

Now one might ask why didn't they use that money to defend themselves to start with.


This might be the start of hacker mercenary groups which corporations hire.


This already exists to some degree. It’s the “Brand Protection” industry and they’ve been doing it for years. Our clients were all Blue Chips that need additional help and/or want plausible deniability.

Having worked in the space, the normal flow would look something like:

1. Random WordPress blog is hacked, hosts a fake iCloud page, that is linked to in phishing emails.

2. We find it, either by direct reporting or by our internet crawling.

3. We reach out to the hacked company, their hosting provider, and their DNS. The goal being take this site offline no matter how.

This worked for the vast majority of hacks. Some random plumbing company has no clue their marketing site is compromised and happily works with us. Or maybe they host at GoDaddy and we have a privileged relationship with them and they disabled the site. Last resort the DNS company will just delete their records.

Sometimes, though, we get a compromised site on a host in a foreign land that won’t cooperate. Then what? Well, it’s a legal grey area that our in-house counsel felt was perfectly fine: hack the site and take it down the hard way. We didn’t advertise or document when we did this. It was an open-secret inside the company however.

All this does is legitimize the sadly necessary work we face in a modern world.


I don't think corporations are that stupid: they have no means of knowing if mercenaries they hire are not the same people who hack them.


Looks like we're doing the Cyberpunk 2077 timeline?


We have been for decades, since the 1990s at least. Pondsmith was on to something.


Nvidia has done it before, I think they included a virus in their data which encrypted the stolen data


I looked into it, looks like they attempted to counter-attack. [1]

[1] https://videocardz.com/newz/nvidia-allegedly-hacked-the-rans...


okay that is kinda funny and much less legally problematic (because they didn't actively hack back and depending on what that virus did in detail could be seen more like how money bags can spray color on the bills if forcefully opened making them useless but not quite destroying them)


On the Internet, attackers have about the same ratio of advantage that defenders do IRL. They absolutely can hack back, because hacking is easy.

The real question is if they can even properly attribute to the correct target. Nobody hacks from their home IP. Anyone remember Uplink? You'd make it way easier to avoid getting arrested (which wipes your save) if you proxied through the tutorial machine first and wiped its logs after you were done. Likewise, even the most basic cybercriminals know to hack with machines they've already compromised, so that all the owners of those machines and their ISP's abuse desks spend all their time pointing the finger at each other.


Jump across borders of non-cooperative nations, too. Say using boxes in Iran and USA, or India and Pakistan.


> If a company's already been hacked, what makes them think they have the knowledge/expertise to fight back?

Not required. This is unlikely to be random SecOps and SecEng corporate employees as the legal risk is too high as government administrations are replaced every few years.

Just like real piracy at sea companies would hire mercenaries or nowadays referred to as private military contractors. The fight back would just be to initially identify them (attribution) then activate PMC's at or near their location and neutralize the root cause.

With time countries will tire of random PMC's showing up and will take a stronger approach to dealing with their own hackers in addition to making the internet less anonymous. The effort to make the internet less anonymous has clearly already started as HN have been witnessing. Efforts like bcp38, 84 [1] authenticated packets likely using a nonce after government ID based auth and many other methods will be implemented as previous efforts have stalled.

[1] - https://www.rfc-editor.org/bcp/bcp84.txt


I guess this means if you know your attacker as IDd by your MDR, you don't have to feel helpless in not being able to fight back against the likes of Cozybear, Romcom, Lazarus, etc., if you're up to it. Now, I don't think many orgs would be up to it, but perhaps the bigger orgs in the US might quietly fight back - Microsoft and others typically fight back in the legal space with takedowns, etc., but who knows, they could venture further afield.


> Now, I don't think many orgs would be up to it, but perhaps the bigger orgs in the US might quietly fight back

Sony's movie division financed a movie North Korea disapproved of, and DPRK retaliated[1] by hacking Sony Pictures and released executive salaries, emails, private employee information, unreleased movies, scripts, and set loose wiper malware on Sony Pictures' internal network. Sony was also forced to cancel the theatrical release because there were threats of terrorist attacks at theaters that showed the film.

"Hacking back" is not a great strategy for most companies, except those that were already juicy targets and are battle-tested against state actors. But what do I know, I'm no fancy CSO.

1. https://en.wikipedia.org/wiki/2014_Sony_Pictures_hack


Exactly. They don't even have the know-how to defend themselves -- there is no hope of them getting on the offensive, at least not without extensive external help.


This has nothing to do with the reality of computer security. Not getting hacked requires doing everything right and some luck. Hacking requires some luck or doing one thing right.


The problem is to hack something you need to know the what, where, who.

Companies have a very visible what, where, who in most cases.

Hackers don't, and take extra steps to obscure it (e.g. jump hosts, bot nets etc.).

Now if it's idk. a spear phishing campaign or similar "hacking back" by giving them trapped data or reverse social engineering attacks might work.

But if it's a technical security vulnerability someone found by scanning and sneaked into using multi-country jump hosts and cleaned up behind them. Then you have little chance to find them and to do so likely requires getting information from telcoms which require judge orders to be handed over, and from multiple countries, too.


Sure though I would view that as a separate problem with the idea of asking anyone to target attackers.. Everyone is an equally good psychic some believe they are better than others.


Extending your logic, highly debatable as it is, a firm should first of all be hacking itself constantly via red teaming. This will help it discover and perhaps fix issues that external hackers can otherwise exploit. This self-offense is a means of defense.


Every company that meets modern regulations runs scanners that identify some attacks against themselves. The scanners sold to them stop there because it is liability to do anything beyond that. You don't have to be a genius to use Telegram instead of Teams you'll simply be fired for taking risks with better tools for the job than organizations and governments want to be acceptable and routine if you are in a Western regulated industry.

Announce a change that is believable and all the corporate software will change to match the utility that is no longer a liability.


It applies to more things than computer security. Best defense is offense is a very old and broad saying.


it's also why Germany started WW1 and what made it easy to put all the blame on them (after WW1, WW2 is a different thing)

and also is related to common war crimes iff in a conflict combatants frequently hide as civilians (as a defense by offense will sooner or later lead to attacking random civilians due to mistaking them for hidden combatants)

so I would take that saying with a bit of salt


Guerrilla warfare strategies undercut old sayings like this and are essentially what these hacker groups represent


Just because you didn't prevent your opponent from scoring doesn't mean you can't score yourself.


What are you “scoring” though. US firm loses data, has downtime, lost revenues, etc. If they attack back, what damages are they doing that they even care about? Seems to me they just are asking to be continually targeted.

Also, why burn the resources? Attacking isn’t free.


except this isn't a game of sports and a private company doesn't gain anything from attempting to "hack back" a foreign adversary. It just costs them resources and makes them an even larger target. And given that those adversaries are in all likelihood state sponsored the actual opponent is the US government, which is abdicating their responsibility.

It's like saying "the police doesn't care any more citizen, so you know just punch back". It's also incredibly dangerous btw to tell private firms they have the authority to engage in what is basically an act of warfare.


Why do you think they are likely state actors versus script kiddies?


Can you elaborate on that?


Look at every single sportsball event where the losing team had > 0 points. Same thing. Has there ever been a "war" with 0 casualties on the winning side?

There's also a quote from Prez in The Wire, "Nobody wins. One team just loses more slowly"


Anglo-Zanzibar war lasted about 40 minutes and saw 0 British casualties

https://en.wikipedia.org/wiki/Anglo-Zanzibar_War


> what makes them think they have the knowledge/expertise to fight back?

If the goal is simply breaking shit (versus e.g. exfiltrating data) offense is way easier than defense. Also, security is an ongoing expense. Retaliation is one time.


> Also, security is an ongoing expense. Retaliation is one time.

Disagree. Retaliating draws a larger target on you. Increasing need for ongoing security. And increasing need to retaliate. You’re retaliating against multiple fronts and vectors. It’s all very expensive and an arms race.


> Retaliating draws a larger target on you. Increasing need for ongoing security

Does it? I feel like I could pretty easily pay a mercenary group to fuck around with Iran without being particularly concerned about blowback. (My main risk would be getting scammed.)


If you could keep your association with that mercenary a secret then sure. But if you were IDK, Walmart, and you went on this offensive or openly admitted to backing the mercenary. Well, now that Iranian group may want to push harder. Instead of attacking your servers, they begin attacking your POS, thermostats, security cameras, time clocks, inventory mgmt hardware, etc. they eventually start targeting your employees and their personal homes and such.

They could do all this now, but they generally don’t. Poke the bear and it might bite.


Having worked in an anti-phishing brand protection firm on behalf of firms like Apple, it absolutely draws a target on your back.

We used to receive routine threats from the IRGC on top of the usual DDoS attacks on our systems. Turns out cybercriminals don’t like it when you disrupt their cash flow. Thankfully we never got SWAT’d or had a box of heroin shipped to our office like that one journalist.


This is likely why the administration is suggesting that private firms hack back. It draws a larger target on the private firms instead of the administration.


I think it’s a good strategy to tell firms, don’t hold back and essentially they won’t be held liable for damages they cause but it’s another thing entirely for those firms to actually go on an offensive mission.

But yes, I think it’s understood that you’re on your own on this front and the government isn’t going to come to your rescue or protect you, which I feel like isn’t really a change from status quo but just being more direct in admitting it


I don't think that follows. There's not a single large organization - private business or a government - that can claim to be 100% hacker-proof. A lot of "cyber" problems are also people problems: humans make mistakes, deliberately circumvent policies and security mechanisms to "get stuff done", can be coerced or bribed. That doesn't mean they are incompetent, just that defense is never perfect.

Making criminals' lives more complicated is a good strategy. Corporate vigilantism, I don't know.


Similarly, I could be the first (known) Juggalo in West Yorkshire. Who knows, we might spark a new trend!


Fascinating! Always love these backstories. The Ramones were brilliant - I don't have a favourite album but my most-watched DVD is The Ramones Story

