Your network is getting scanned from some system on the other side of the country, or perhaps the globe. You trace the IP address back and conclude that the offending system is infected with a bot that's trying to infect you. You take a look at the device and see it's not patched for a multitude of OS vulnerabilities. Is it ethical (never mind legal) for you to take the system down with some exploits of your own? It's clearly not legal in most jurisdictions I'm familiar with. But let's set that annoying fact aside for a moment.
I despise the topic of "offensive computing." The controversial subject seems to come up every couple of years. It came up after the massive Code Red worm outbreak in the summer of 2001, which brought many networks to a crawl: shortly thereafter the counter-worms Code Green and CRclean surfaced, both devised to spread to and patch Code Red's target, unpatched IIS Web servers.
It was a desperate time, and sometimes those times call for desperate measures. But these types of worms aren't a good idea. Too many potential unintended consequences. Too high a risk of collateral damage: innocent networks clogged -- or even data destroyed -- because of a programming error.
In fact, the very idea of offensive computer actions goes against the Ten Commandments of Computer Ethics, created in 1992 by the Computer Ethics Institute, which supposedly form the foundation of the CISSP's own ethics rules:
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not use or copy software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you write.
10. Thou shalt use a computer in ways that show consideration and respect.
Seems like a good ethical foundation to me. Which is why I was so surprised last year when Microsoft researchers broached the idea of using worms to propagate patches. From a blog post I wrote on the topic at the time:
Because no central server needs to provide and coordinate all the downloads, software patches that spread like worms could be faster and easier to distribute because no central server must bear all the load. "These strategies can minimize the amount of global traffic across the network."
I'm sure it would work. Except for those times that it doesn't.
It also could violate Ethical Commandments 1, 2, 7, and often number 10.
But the biggest, most boneheaded notion I think I've ever encountered was Sen. Orrin Hatch's interest in destroying the computers of people who illegally downloaded music files. From my 2003 news story, "Senator: Give Movie And Record Companies A License To Hack":
The chairman of the Senate Judiciary Committee, Orrin Hatch, R-Utah, said on Tuesday that he'd be interested in learning ways to damage computers used to illegally swap song and movie files.
The comments came during a hearing on copyright abuse. Hatch was quoted by the Associated Press as saying he'd be interested in hearing about ways to disrupt file-swappers without destroying their systems, but if that couldn't be done then he'd be in favor of destroying their computers.
This isn't the first time legislators floated the idea of giving the recording and motion picture industries a license to hack. Lobbyists for those industries have sought the right to hack into and disable peer-to-peer trading networks, and they want legal protection against suits over damages done to the computer systems of file swappers.
That idea was asinine on the face of it. But it shows just how whacked the notion of "offensive security" could possibly get.
Just this morning, the idea of offensive computing reared its provocative head on Christofer Hoff's Rational Survivability blog. Here he raises the question:
Yesterday at IANS, Greg Shipley gave a great keynote that focused on a lot of things we do today in InfoSec that aren't necessarily as effective as they should be. Greg called for a change in our behavior as a community to address the gaps we have.
In the Q&A section, it occurred to me that for the sake of argument, I would ask Greg about his thoughts on changing our behavior and position in dealing with security and our adversaries by positing that instead of always playing defense, we should play some offense.
I didn't constrain what I meant by "offense" other than to suggest that it could include "active countermeasures," but what is obvious is that people immediately throw up walls around being "offensive" without spending much time defining what it actually means.
I know Chris is trying to get a discussion on the subject rolling. And we should always re-evaluate how we protect and respond to risks and threats. But my answer is: No, Chris, we should not engage in offensive computing.
Chris didn't define what he meant by offensive computing, I suspect so as not to draw attention away from the spirit of the question. But I can't think of any circumstance in which a private citizen, or a CISO, would have the right to take offensive action against systems they don't own, control, or have responsibility for.
Chris also called out this statement; I'm not sure whether the analogy was his or came from someone at IANS with whom he was discussing the concept of offensive computing:
There's not been a war yet that has been won with defense alone, so why do we expect we can win this one by simply piling on more barbed wire when the enemy is dropping smart bombs? This is the definition of insanity and a behavior that we don't talk about changing.
This analogy is stinko. CISOs and private citizens, and even cybercops, aren't fighting a "war" against malware or cybercrime. There is no single enemy. There are a multitude of characters. All with varying means, motives, and capabilities. Some are cyberthugs, some are writing malware just to wreak havoc, others are sophisticated criminal rings conducting identity theft and stealing credit card information. Others are mere annoyances.
Just like fighting any other type of crime, there will be no final victory. There will be no surrender. There will, ultimately, be no end. And, just like any other crime, the best society can do is manage it down to a reasonable level.
So, if you find yourself under digital attack, block the offending source at your own firewall, preserve your logs, call the police, and/or contact the abuse desk of the attacker's hosting company or ISP. Handle it like you would any other crime, but don't commit one of your own in the process by attacking back.
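What that defensive response looks like in practice, as an added Python example (this is not code from the original post): identify the scanning source from your own firewall logs, generate the block rule for your own edge, and write up a report for the abuse contact of the attacker's network. Nothing here touches the attacker's host. The log lines, the addresses (RFC 5737 documentation ranges), and the "10 distinct ports in 60 seconds" threshold are constructed for the example, and the block rule assumes a Linux netfilter edge host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (netfilter-style DROP records) for this
# example only. 203.0.113.0/24, 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges, not real hosts. Lines the regex cannot parse are skipped.
SAMPLE_LOG = """\
2008-06-12T09:14:03 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40211 DPT=21
2008-06-12T09:14:04 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40212 DPT=22
2008-06-12T09:14:06 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40213 DPT=23
2008-06-12T09:14:09 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40214 DPT=25
2008-06-12T09:14:11 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40215 DPT=80
2008-06-12T09:14:15 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40216 DPT=110
2008-06-12T09:14:18 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40217 DPT=135
2008-06-12T09:14:22 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40218 DPT=139
2008-06-12T09:14:27 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40219 DPT=443
2008-06-12T09:14:31 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40220 DPT=445
2008-06-12T09:14:36 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40221 DPT=1433
2008-06-12T09:14:40 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40222 DPT=3389
2008-06-12T09:15:02 DROP SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51120 DPT=80
2008-06-12T09:15:05 DROP SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51121 DPT=80
2008-06-12T09:15:09 DROP SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51122 DPT=443
2008-06-12T09:15:30 ACCEPT SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51123 DPT=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Parse one DROP record into a dict; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_scanners(log_text, min_ports=10, window=timedelta(seconds=60)):
    """Flag sources that probed at least `min_ports` distinct destination ports
    within any span of length `window` (sliding window per source). Returns
    {src: {"ports", "targets", "first", "last"}} using everything seen from
    that source, not just the window that tripped the threshold."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            if len({r["dpt"] for r in in_window}) >= min_ports:
                flagged[src] = {
                    "ports": sorted({r["dpt"] for r in recs}),
                    "targets": sorted({r["dst"] for r in recs}),
                    "first": recs[0]["ts"],
                    "last": recs[-1]["ts"],
                }
                break
    return flagged


def block_rule(src, chain="INPUT"):
    """Rule for *your own* edge (assumed: Linux netfilter) dropping traffic from src."""
    return f"iptables -I {chain} -s {src} -j DROP"


def abuse_report(src, info):
    """Plain-text summary for the abuse contact of src's network. The contact
    itself comes from the RIR whois record for the address; not looked up here."""
    return "\n".join([
        f"Subject: port scan from {src} against {', '.join(info['targets'])}",
        f"First seen: {info['first'].isoformat()}",
        f"Last seen:  {info['last'].isoformat()}",
        f"Distinct destination ports probed: {len(info['ports'])}",
        f"Ports: {', '.join(map(str, info['ports']))}",
        "Raw log lines (timestamps as logged) available on request.",
        "The host appears compromised; no action was taken against it from our side.",
    ])


if __name__ == "__main__":
    for src, info in detect_scanners(SAMPLE_LOG).items():
        print(block_rule(src))
        print(abuse_report(src, info))
```

On the sample data only 203.0.113.7 trips the threshold; 192.0.2.44 touches two ports and is left alone, and the ACCEPT line is ignored because it is not a DROP record. Tune `min_ports` and `window` to your own traffic before trusting the output, and keep the original log lines, not just this summary, if you intend to involve the police.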
Because if we go down this path, the U.S. government may one day conclude it's within some lobbyist group's rights to wipe your hard drive.