This topic has come up in almost every podcast I have listened to lately, and in online discussions amongst the infosec elite and blackhat hackers. While I can understand the viewpoint of most, which is "Why not? Their intentions are good", let's take a look at this issue through a law enforcement lens.
It's frustrating to hear some say that hacking back has everything to do with a group's intentions, but it doesn't have anything to do with intentions.
It's like saying that if you rob a store and your intentions are only to feed your family, they are good intentions and you should not be punished for the crime. The same goes for hacking: how can I, as a law enforcement officer, decide to charge one person for an intrusion but not charge the other for the same crime? And furthermore, where do we draw that line?
I want you to put yourself in the shoes of an Anon hacker. You are getting messages from your fellow Anon brothers and sisters who are begging for help and are terrified of being captured and killed by the government. You see the video footage of people being gunned down in the streets. You must act.
So you take down several Nicaraguan sites to disrupt their daily work because there is civil unrest, fighting in the streets and you are protecting the people by hurting the government who is killing them. Can an Anonymous hacker, one who knows in their heart they are doing this for the good of the people, credibly claim that their intentions are good?
It doesn't matter what their intentions are, it's still a crime.
Now let's talk about who should be able to hack back. What qualifications should someone have? How do we regulate that? Who regulates that?
For example, if the government sanctions our contractors to hack back Russia, are we all OK with that? If a local IT company thinks they can hack back the person who placed ransomware on their client's computer, are we OK with that?
I certainly am not, and would like to think most reasonable infosec folks wouldn't be either. What qualifications does that IT company have? Are they sure they are hacking back the right person or address?
Are you OK with the local Detective at your police agency hacking back? The guy next door who just learned to hack? I am not OK with either because I only know a handful of folks skilled enough to pull this off effectively and that is IF, and this is a big IF, they know who to hack back.
What if they believe they are hacking back the right person and end up in your personal computer, staring at you, and you get charged in court? What then? You have to hire an attorney, a forensic examiner and spend a ton of money proving it isn't you? Sound familiar?
Now let's look at what happens in court. You charge the person who illegally hacked into your system but ask the court to look the other way for you because you only hacked them to find them and your intentions were good because you are bringing them to justice.
What precedent does that set in court? I don't want to have to defend my position against every suspect who claims they only committed a crime with good intentions. Trust me, almost every suspect I have ever interrogated who has confessed has claimed they had good intentions.
I am just like all of you and would LOVE, absolutely LOVE, to be able to hack these guys back and find them, catch them and throw them in a prison cell forever. It would make my job a lot easier, but this opens up a whole can of worms that I don't believe we are ready for. If the day comes that we are, I will be the first one backing it.
The act of hacking, whether for hacking back or for a malicious purpose, is still the same criminal act as any unauthorized access of a computer. An eye for an eye sounds good in practice, but in reality it's a road fraught with danger.
Main Image Credit : The awesome piece of artwork used to head this article is called 'Thou Shall Not Pass' and it was created by graphic designer Ednoko.