If the ISP is responsive and the rules of engagement say you don't escalate if the ISP is responsive, then hacking back isn't legit. But that doesn't suggest you should avoid figuring out what the rules should be - seems to me it suggests you should figure out the rules. We didn't have this one before, did we? But now we have a consensus on this point. So all we need to do is make sure sysadmins are appropriately responsive and the rules around escalation become moot. So, following this alternative branch, what are the rules for sysadmin responsiveness? In other words, when can I hold an ISP liable for failing to cut off hostile activity? -----Original Message----- From: Crispin Cowan [mailto:crispin@private] Sent: Thursday, June 19, 2003 11:30 AM To: Christiansen, John (SEA) Cc: crime@private Subject: Re: CRIME Senator Hatch - Destroy file swappers' computers Christiansen, John (SEA) wrote: >2. Technical contacts should be attempted as one of the first lines of >action. If they are responsive that ought to fix the problem. But experience >teaches they aren't always responsive, so what to do then? This is where >"rules of engagement" might specify, for example, that you cannot >legitimately escalate to self-help without trying this route first, and >having it fail. > I submit that these problems can *always* be solved by technical means without having to "hack back". Regardless of where the attacking machine is, there is always a responsive ISP between the attacker and you. You ask that ISP to block the attacker's traffic. In the limit, that ISP is your own ISP. But it still works. One step beyond the limit is where the attacking machine is inside your own domain. At this point it is a management problem. Hacking back is never appropriate, unless we're talking nation states at war. Crispin -- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ Chief Scientist, Immunix http://immunix.com http://www.immunix.com/shop/
This archive was generated by hypermail 2b30 : Thu Jun 19 2003 - 12:12:09 PDT