Disarming On-Line Muggers
President and CEO, Interpact, Inc.
My first mugging was at age 12.
I was the muggee, not the mugger.
In New York, over the years I was held up at knifepoint several
times, handed over my wallet and cheapo watch and then watched the
bad guy scamper.
If I had the guts or the skill, I might have tried to take the knife
away. If I had indeed succeeded in taking the knife away and the
mugger was still threatening, I might have knifed him. In the court
system that is called self defense.
Fast forward to cyberspace.
You are running a nice Web site. Making some money perhaps, and lots
of visitors are seeing your message. Then, according to your perimeter
intrusion detection device, some on-line goofball or criminal hacker
is beating on your door. What are you going to do?
In September 1998 the Pentagon reacted to a browser-based denial-of-service
attack by the hacktivists Electronic Disruption Theater by using
offensive applets to shut down the attacking browsers. Clean. Quick.
Effective. But the Pentagon lawyers went ballistic within minutes.
The techies defending the Pentagon servers had broken too many laws
to enumerate -- including a military prime directive, "posse comitatus,"
which forbids the military from taking unilateral actions within
the U.S. and against U.S. citizens.
In addition, by their action the techies had committed several computer-crime
federal felonies for which hackers have gone to jail. The simple
truth is that it is illegal to disarm your on-line assailant. Doing
so requires that you take some offensive action -- send out hostile
applets, return fire with your own denial-of-service tools or anything
else that will shut down the attack.
The net effect is that both the attacker and the victim (who is attacking
back) are breaking the law.
At first glance it doesn't make any sense: If you can disarm a knife-wielding
mugger, why can't you disarm your electronic mugger? Doesn't quite
In the physical world, you know who is mugging you. During the physical
attack there is a person with a knife, and while you may not know
his name or see his face, you are 100% sure that the knife you are
(hopefully) taking away is in the hands of a bad guy.
In the networked world, though, you cannot be sure that the guy
(IP address) that seems to be attacking you is really the one attacking
you. For example, many of the zombie-based distributed denial-of-service
attacks that occurred in February were traced back to universities
and other benign networks which were merely unwitting hosts to remote-triggered
Trojans located on their servers.
Perimeter defense is a really tough problem, and right now the law
protects the bad guys more than the good guys. I don't have a perfect
solution to this conundrum, but a few thoughts do come to mind:
Let the industry design a set of hostile response tools that will
stop an attack, but do minimal harm just in case a zombie is in
the middle. Then, legalize the use of these tools in certain documentable
Legalize hostile responses, and zombie'd computers in the middle
be damned if their computer security is so bad that their networks
can be so compromised by the bad guys.
Build a hardened back-channel on the Internet which will provide
fast routing so that trace-back and bad-guy ID is easier, faster,
and with the cooperation of the ISP community, automatic.
Develop an Internet-based Caller ID system so that Web sites know
who's there, what they're doing and can ignore all anonymous requests.
Do nothing, and let the bad guys continue to win.
In the spirit of the networked community, I'm asking Network World
readers to help out by answering this question: "What do you think
is a fair and efficient way of disarming on-line assailants to protect
Be creative, let loose; write laws or design technology. And send me
your ideas. Maybe together we can get something done.
© 2000-2001 Interpact, Inc. All Rights Reserved