The Knight Line

Deliver Us From Evil

Thoughts on Computer Self Defense

Dan Knight - 2003.01.16

Should you have the right to take active steps to stop a computerized attack on your computer system? More specifically, would attacking and disabling the malicious process on the computer undertaking the attack be an appropriate response?

In an era of viruses, denial of service attacks, worms, spam, peer-to-peer networking, and who knows what other kinds of spyware and malware, Tim Mullen of SecurityFocus has been making the case for computerized self defense since publishing Right to Defend in July 2002. He writes:

"Let's use Nimda as an example. If I tell my system to issue the exact same series of GET requests that Nimda does against a machine, that action could be considered a federal crime. I would be a criminal. A cracker. A felon. The scum of the earth. But if an administrator does not secure his box, and the same series of GET requests hammer against my network for months at a time, he is a victim."

Mullen proposes that we have a right to defend our systems from such attacks - and that one tool in protecting our computers from these attacks would be a "hack-back" program that would defend itself by attacking the program on the remote computer responsible for the attack.

Call it computerized self defense. When being attacked, computers should have the same right to use reasonable force that homeowners do when their property has been invaded.

This week Mullen takes the issue a step further in Strikeback, Part Deux. Because many attacks are virus- or worm-related, the owner of the machine may not even realize their computer is attacking another - or have a clue how to stop the process.

Mullen has written some code to demonstrate that it is possible for a machine to strike back when attacked, automatically attempting to shut down the rogue process on the attacking machine. Brilliant.

Of course, not everyone agrees. Some would view such a counterattack in the same light as the original malicious process, ignoring the fact that the defense mechanism only acts in response to an attack. And that kind of discussion helps us all grapple with the various aspects of the issue.

There's been a good discussion on Slashdot, Killing Others' Malicious Processes. One of the best postings draws explicit parallels between personal self defense and what Mullen is proposing as computer self defense.

No Duty to Retreat

Pii writes: "There is a concept in law called 'No Duty to Retreat,' and I see no reason why it cannot be applied in much the same way to cases like this.

"This concept relates to self-defense, and deadly force. Follow along with me...

"If a person is in public, and is threatened, that person must make every reasonable effort to avoid the use of deadly force as a means of self defense, prior to using such force. He must attempt to leave the scene, etc. In short, there is a Duty to Retreat.

"If, however, that person is in his home, his own property, that person may use deadly force as a means of self defense without having to exhaust every means of escape or avoidance. On his own property, a person has No Duty to Retreat.

"How is the scenario for Cyber-attack any different? Unlike most of the people commenting on this article, I believe you do have the right to take active measures in protecting your property.

"Obviously, we're not talking about deadly force... We're simply talking about electronic countermeasures.

"If an unsecured system on the Internet has been infected by a malicious program, and is now launching its own attack against your system, your property, denying you the use of bandwidth or resources that you are paying for, I think you're perfectly within your rights to put the attack down, and if necessary, the offending system.

"A person utilizing the Internet has a certain responsibility not to cause harm, either through action, or inaction. Most people on the Internet today seem tragically unaware of this. Without this, the Internet is ripe for a tragedy of the commons situation.

"Is it wrong to still believe that with Rights come Responsibilities, or that with Privilege comes Obligation?"

Responsibility is a key issue here. Computer users on the Internet have a responsibility to the community of Internet users, a responsibility to do no harm. If they create viruses, actively participate in denial of service attacks, allow spam to be relayed by their servers, or even let an unwanted process run on their machine that brings harm to another, they have abdicated their responsibility to the community.

Just as we have the right to discard spam and remove viruses from our computers, we should have the right to prevent other computers from causing harm over the Internet. Our defense should include the right and ability to block the attack or, failing that, stop the attack at the source.

We cannot retreat short of taking our own computers off the Internet. We must be allowed to defend ourselves.

Who Is Responsible?

JPawloski writes: "'Since the owner of a system has no responsibility for the actions of a worm, or any malicious process, that runs without their knowledge, I submit that they also have no rights to the process. No responsibility means no rights.

"'So, if they have no rights to the process, there is no infringement against them when we neutralize it. If someone wants to claim that their rights were violated by our taking out the attacking process, then they should be held accountable for the actions of the process from its inception. They can't have it both ways.'

"That, I think, is a good point. The solution, however, is not to make the counterattack legal, thus continuing to absolve people of responsibility, but to make the owners of the systems legally responsible for their failure to secure their systems. If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss."

The point of responsibility is a good one, but it can be extended too far. If someone trespasses on your property and commits a crime, you would generally not be held responsible for their actions. Viruses, worms, and other malware are normally installed without the knowledge of the property (computer) owner.

It's one thing to sue someone for deliberately attacking another computer. It's something completely different to sue them because some new piece of malware has taken parasitic residence on their computer.

That said, it's conceivable that we could reach the point where failure to take measures against such trespass could make one liable for attacks launched from their computers. Especially on the Windows platform, with its tens of thousands of worms and viruses, it should be unthinkable to run a computer connected to the Internet without antivirus software installed and kept up to date.

Vigilante Justice or Self Defense?

Phil Reed writes, "Here's an interesting distinction (found in the letters on Crypto-Gram): If you reverse-attack a machine that's attacking you, is it vigilante justice or is it self-defense? Vigilante justice is when you hunt somebody down after the fact, self-defense is when you stop somebody during the act. Both have significant case law, and self-defense is quite justifiable under certain circumstances (action was done to avert a threat of immediate, significant harm, harm caused by the action was not disproportionate to the harm avoided, etc). I think a strong case for self-defense can be made here."

I have to agree. Launching a counterattack specifically against the IP address, rogue process, or computer responsible for the initial attack is self-defense.

Loss of Business

KDan writes, "The only problem with this strikeback thing is what if the machine which is infected is business-critical?

"If you're going to take it on yourself to fix other people's machines, what if this causes them loss of business? And there's also varying definitions of what 'strikeback' or 'fixing' could mean. What if someone decides to 'fix' your database server by shutting it down? Shouldn't they be held liable for the damages caused, just as someone who does that maliciously can be held liable?

"There's just too many holes in this strikeback philosophy. It opens the door to tons of abuse too: 'I only broke into this machine to fix it, I swear, gov'nor!'

"I think it would also result in pretty dire situations when a machine equipped for strikeback mistakenly decides another machine (also strike-back-enabled) needs to be 'fixed', and starts attempting to hack into it - and then the other one detects it as well, and they start concurrently trying to hack into each other... probably saturating the network with crap on the way..."

If the machine is mission critical, why is someone allowing it to be hijacked by malware? That's my key objection to KDan's posting.

Whether the machine is "critical" or not shouldn't be a factor. If the machine is responsible for attacking another and the IP can't be blocked and the process can't be stopped any other way, it may be necessary to shut down or crash the system. This is one more argument for protecting computers from malware.

Processes

Today's computers are easier to use and have much more complex operating systems than ever before. Most users have no idea how many different processes are going on in the background, ranging from keyboard and mouse input to Internet access to possibly recording keystrokes in case of a crash to who knows what kinds of spyware reporting our computing activities to who knows what organizations.

Most people using a computer do not have the tools or expertise to identify a rogue process, let alone kill it. Ideally users would have programs on their computers that would notify them when a new process launches, especially if it's not part of the operating system. Even then most users wouldn't know what to do when some piece of malware launched itself, unless this program also gave them the ability to terminate the process.

Because the average computer user can't be expected to know everything their computer is doing, it's crucial that hack-back software exists. This software should function on several different levels:

  1. Identify the type, severity, and source of the attack.
  2. Notify the system owner of the attack.
  3. Attempt to block the attack at the firewall or router by blocking the offending IP address.
  4. Notify the system administrator of the network or ISP where the attack originates, requesting they block the offending IP, shut down the process, or turn off the attacking computer.
  5. Failing that, attempt to shut down the process and possibly remove the offending bit of malware.
  6. Failing that, attempt to shut down the computer.
  7. Failing that, attempt to crash the computer.
  8. Report details of the attack and response to a central clearing house.
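The first four rungs of that ladder can be automated without touching the remote machine at all. The following is an added example, not code from Mullen or from Low End PC: it reads web-server log lines, groups worm-style probe requests by source address, rates each source, writes an alert for the system owner, emits a firewall rule (iptables syntax) for sources above a threshold, and drafts an abuse notice for the remote network's administrator. The log lines are constructed using documentation address ranges, the probe paths are illustrative signatures modelled on the root.exe/cmd.exe requests of Nimda-era worms, and the abuse address is a placeholder.

```python
"""Triage helper for steps 1 through 4 of the self-defense ladder:
identify probe sources, alert the owner, block at the firewall,
notify the remote network. Added example, not the article's code."""
import re
from collections import Counter

# Constructed sample in Common Log Format (documentation IP ranges only).
# The probe paths imitate the root.exe / cmd.exe requests that Nimda-era
# worms issued; they are illustrative signatures, not captured traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Jan/2003:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [16/Jan/2003:10:01:05 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [16/Jan/2003:10:01:05 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [16/Jan/2003:10:01:06 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [16/Jan/2003:10:01:09 -0500] "GET /about.html HTTP/1.1" 200 1024
203.0.113.99 - - [16/Jan/2003:10:02:00 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Request-path signatures of worm probes (case-insensitive); one hit per request.
PROBE_PATTERNS = [
    re.compile(r"/root\.exe", re.I),
    re.compile(r"/cmd\.exe", re.I),
    re.compile(r"%255c|%c1%1c|%c0%af", re.I),  # encoded "..\" traversal variants
]


def parse_log(text):
    """Return one dict per parseable log line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_probe(path):
    return any(p.search(path) for p in PROBE_PATTERNS)


def find_probe_sources(entries, block_threshold=2):
    """Step 1: group probe requests by source and rate severity.
    A single hit is rated 'low' so one stray request does not trigger a block."""
    hits = Counter()
    first_seen = {}
    for e in entries:
        if is_probe(e["path"]):
            hits[e["ip"]] += 1
            first_seen.setdefault(e["ip"], e["ts"])
    return {
        ip: {"hits": n, "first_seen": first_seen[ip],
             "severity": "high" if n >= block_threshold else "low"}
        for ip, n in hits.items()
    }


def owner_alert(report):
    """Step 2: one line per source for the system owner."""
    return [f"{r['severity'].upper()}: {ip} sent {r['hits']} probe request(s), "
            f"first seen {r['first_seen']}"
            for ip, r in sorted(report.items())]


def block_rules(report):
    """Step 3: firewall rules (iptables syntax) for high-severity sources only."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip, r in sorted(report.items()) if r["severity"] == "high"]


def abuse_notice(ip, r):
    """Step 4: draft to the remote network's abuse contact (placeholder address)."""
    return (
        f"To: abuse@PLACEHOLDER-for-network-of-{ip}\n"
        f"Subject: Worm-style probes from {ip}\n\n"
        f"Host {ip} sent {r['hits']} requests matching worm-probe signatures "
        f"(first seen {r['first_seen']}). Please block the host, stop the "
        "process, or take it offline until it is cleaned."
    )


if __name__ == "__main__":
    rep = find_probe_sources(parse_log(SAMPLE_LOG))
    print("\n".join(owner_alert(rep)))
    print("\n".join(block_rules(rep)))
    for ip, r in rep.items():
        if r["severity"] == "high":
            print(abuse_notice(ip, r))
```

On the sample, 198.51.100.7 is rated high after three probes and gets a block rule plus an abuse notice, while 203.0.113.99, with one probe, only appears in the owner alert. The threshold is the point where a false positive would start costing a legitimate peer its connectivity, which is why the block is the last automatic action here and everything beyond it is left to the administrator on the other end.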

Computer self defense would be rooted in taking the minimum steps necessary to protect your own computer and stop future attacks from the other machine. And this would have to be done very carefully.

As Digital Quartz notes on Slashdot, "Since you are intentionally running a process on someone else's machine, you are accountable for its results." That's why I suggest a process that takes the minimum steps necessary to first protect your computer and then stop the attack.

The RIAA

There is a proposal floating about that would allow the RIAA to legally attack computers they suspect of illegally swapping music files. Under the proposed legislation, the RIAA would not be liable for any damage they inflict on these computers, even if they attacked one that was not involved in music swapping.

Self defense software such as Mullen proposes could be a tool in protecting our computers from the predations of the RIAA, MPAA, and anyone else who thinks denial of service attacks and other ways of attacking user computers might in any way be considered a good thing.

It's bad enough the record companies have produced "music CDs" that fail to work or actually damage computers that attempt to play them. A right of computer self defense would give us a tool we need to protect ourselves not only from worms and viruses, but also from deliberate attacks on our personal computers authorized by law.
