Fine, you don't advocate hacking back.
Now, it only takes *one* of you to deviate from that, and put a stop to these miscreants. I wouldn't lose much sleep over it in this instance, if it were done properly.
Security researchers have discovered flaws in the Mirai botnet that might be used to mitigate against future attacks from the zombie network. Scott Tenaglia, a researcher at endpoint security firm Invincea, found a weakness in the HTTP flood attack that Mirai is capable of mounting. Specifically a stack buffer overflow …
Does the law actually and specifically forbid an active self-defence? After all, if someone is coming at you with a knife, even a UK court will very likely not convict you of kicking the bastard in the balls. (a recent clarification of the has confirmed this)
Pre-emptively taking out an infected computer which might attack you is currently illegal, but I don't think anything has been tested in court where someone has attacked back against a currently attacking endpoint. If this flaw allows for a more active defence by crashing or otherwise disabling attacking endpoints, it sounds like a reasonable use of force in self-defence. I could imagine it might get messy though since there are likely to be many international jurisdictions involved.
As you don't really know where the endpoint that is attacking you is physically located, the legalities are very sticky as you have no way of knowing which jurisdictions might apply and so which lws you would need to follow.
That said, you are highly unlikely to get caught knocking infected consumer kit offline unless you announce that you did it.
Good response but likely not true.
The snag is, if it is 'consumer' kit in a hospital that was coopted and used as a jump off point and you hack back, possibly doing some damage (inadvertently) for something like a life saving device. Once an investigation begins to discover how that device was brought down, law enforcement will be able to back track to your IP.
Then, unfortunately, you're going to be on the hot seat for causing damage (or a death), even if your heart was in the right place in trying to stop the hack.
But I think most of us are with you in wanting to do some kind of hack back to stop this crap from malevolent, idiotic, STUPD morons causing this mayhem....
"If this flaw allows for a more active defence by crashing or otherwise disabling attacking endpoints, it sounds like a reasonable use of force in self-defence."
If I follow the article correctly it's not actually the device itself that's being crashed, just a process that's been placed there by a previous attack. All that's happening is that the device is being returned to its original estate. The only person with a standing to make a complaint is the original attacker - who can't complain without incriminating themselves.
if you have a BitDropper 666 modem, or webcam, or baby monitor, or whatever that is known vulnerable, the FTC could order a recall. industry would wake up pretty quick if all their DVRs and Smart TVs were forced to be recalled and refunded because the software was shit full of holes.
That's probably the best suggestion I've heard yet. We know how expensive recalls are, from the Samsung battery fun, so they'll be desperate to avoid that even more than a fine.
It's a good way to smack stupid IoT manufacturers without the useless, decades-long court process.
Number of people that will return a £500 brand new mobile device because it might burn their face off?
Nearly all of them.
Number of people that will return a £40 IP camera because it makes some websites fall over?
Close enough to zero for it not to make any difference.
All very well having a massive recall, but you've got to get the device owner to climb up a ladder, take down the camera, wait for a replacement yadda yadda yadda. There's too much effort required by the end user for what appears to them to be zero benefit.
The only way to make the device owners take notice would be to make the devices stop working, or curtail their internet connection in someway.
"The only way to make the device owners take notice would be to make the devices stop working, or curtail their internet connection in someway."
If the recall is not properly honoured or enforced, then block the "phone home" server as malicious.
Why not indeed, except that also violates almost every country's computer misuse laws. Seems the bad guys can get away with it, but the good guys can't and sure as hell don't see the manufacturers jumping up and telling everyone "we'll fix those holes immediately".