Deliver Us From Evil
Thoughts on Computer Self Defense
- Dan Knight
Should you have the right to take active steps to stop a
computerized attack on your computer system? More specifically, would
attacking and disabling the malicious process on the computer
undertaking the attack be an appropriate response?
In an era of viruses, denial of service attacks, worms, spam,
peer-to-peer networking, and who knows what other kinds of spyware and
malware, Tim Mullen of SecurityFocus has been making the case for
computerized self defense since publishing Right to
Defend in July 2002. He writes:
- "Let's use Nimda as an example. If I tell my system to issue the
exact same series of GET requests that Nimda does against a
machine, that action could be considered a federal crime. I would be a
criminal. A cracker. A felon. The scum of the earth. But if an
administrator does not secure his box, and the same series of
GET requests hammer against my network for months at a time,
he is a victim."
Mullen proposes that we have a right to defend our systems from such
attacks - and that one tool in protecting our computers from these
attacks would be a "hack-back" program that would defend itself by
attacking the program on the remote computer responsible for the
Call it computerized self defense. When being attacked, computers
should have the same right to use reasonable force that homeowners do
when their property has been invaded.
This week Mullen takes the issue a step further in Strikeback, Part
Deux. Because many attacks are virus- or worm-related, the
owner of the machine may not even realize their computer is attacking
another - or have a clue how to stop the process.
Mullen has written some code to demonstrate that it is possible for
a machine to strike back when attacked, automatically attempting to
shut down the rogue process on the attacking machine. Brilliant.
Of course, not everyone agrees. Some would view such a counterattack
in the same light as the original malicious process, ignoring the fact
that the defense mechanism only acts in response to an attack. And that
kind of discussion helps us all grapple with the various aspects of the
There's been a good discussion on Slashdot,
Killing Others' Malicious Processes. One of the best
postings draws explicit parallels between personal self defense and
what Mullen is proposing as computer self defense.
No Duty to Retreat
Pii writes: "There is a concept in law called 'No Duty to Retreat,'
and I see no reason why it cannot be applied in much the same way to
cases like this.
"This concept relates to self-defense, and deadly force. Follow
along with me...
If a person is in public, and is threatened, that person must make
every reasonable effort to avoid the use of deadly force as a means of
self defense, prior to using such force. He must attempt to leave the
scene, etc. In short, there is a Duty to Retreat.
If, however, that person is in his home, his own property, that
person may use deadly force as a means of self defense without having
to exhaust every means of escape or avoidance. On his own property, a
person has No Duty to Retreat.
"How is the scenario for Cyber-attack any different? Unlike most of
the people commenting on this article, I believe you do have the right
to take active measures in protecting your property.
"Obviously, we're not talking about deadly force... We're simply
talking about electronic countermeasures.
"If an unsecured system on the Internet has been infected by a
malicious program, and is now launching its own attack against your
system, your property, denying you the use of bandwidth or resources
that you are paying for, I think you're perfectly within your rights to
put the attack down, and if necessary, the offending system.
"A person utilizing the Internet has a certain responsibility not to
cause harm, either through action, or inaction. Most people on the
Internet today seem tragically unaware of this. Without this, the
Internet is ripe for a tragedy of the commons situation.
"Is it wrong to still believe that with Rights come
Responsibilities, or that with Privilege comes Obligation?"
Responsibility is a key issue here. Computer users on the Internet have
a responsibility to the community of Internet users, a responsibility
to do no harm. If they create viruses, actively participate in denial
of service attacks, allow spam to be relayed by their servers, or even
let an unwanted process run on their machine that brings harm to
another, they have abdicated their responsibility to the community.
Just as we have the right to discard spam and remove viruses from
our computers, we should have the right to prevent other computers from
causing harm over the Internet. Our defense should include the right
and ability to block the attack or, failing that, stop the attack at
We cannot retreat short of taking our own computers off the
Internet. We must be allowed to defend ourselves.
Who Is Responsible?
JPawloski writes: "'Since the owner of a system has no
responsibility for the actions of a worm, or any malicious process,
that runs without their knowledge, I submit that they also have no
rights to the process. No responsibility means no rights.
"'So, if they have no rights to the process, there is no
infringement against them when we neutralize it. If someone wants to
claim that their rights were violated by our taking out the attacking
process, then they should be held accountable for the actions of the
process from its inception. They can't have it both ways.'
"That, I think, is a good point. The solution, however, is not to
make the counterattack legal, thus continuing to absolve people of
responsibility, but to make the owners of the systems legally
responsible for their failure to secure their systems. If your system
is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot,
Kuro5hin, whoever), then AOL should have the right to sue you for
damages. Your incompetence caused their loss."
The point of responsibility is a good one, but it can be extended too
far. If someone trespasses on your property and commits a crime, you
would generally not be held responsible for their actions. Viruses,
worms, and other malware are normally installed without the knowledge
of the property (computer) owner.
It's one thing to sue someone for deliberately attacking another
computer. It's something completely different to sue them because some
new piece of malware has taken parasitic residence on their
That said, it's conceivable that we could reach the point where
failure to take measures against such trespass could make one liable
for attacks launched on their computers. Especially on the Windows
platform with its tens of thousands of worms and viruses, it should be
unthinkable to run a computer connected to the Internet that doesn't
have antivirus software that is kept up to date.
Vigilante Justice or Self Defense?
Phil Reed writes, "Here's an interesting distinction (found in the
letters on Crypto-Gram): If you reverse-attack a machine that's
attacking you, is it vigilante justice or is it self-defense? Vigilante
justice is when you hunt somebody down after the fact, self-defense is
when you stop somebody during the act. Both have significant case law,
and self-defense is quite justifiable under certain circumstances
(action was done to avert a threat of immediate, significant harm, harm
caused by the action was not disproportionate to the harm avoided,
etc). I think a strong case for self-defense can be made here."
I have to agree. Launching a counterattack specifically against the IP
address, rogue process, or computer responsible for the initial attack
Loss of Business
KDan writes, "The only problem with this strikeback thing is what if
the machine which is infected is business-critical?
"If you're going to take it on yourself to fix other people's
machines, what if this causes them loss of business? And there's also
varying definitions of what 'strikeback' or 'fixing' could mean. What
if someone decides to "fix" your database server by shutting it down?
Shouldn't they be held liable for the damages caused, just as someone
who does that maliciously can be held liable?
"There's just too many holes in this strikeback philosophy. It opens
the door to tons of abuse too: 'I only broke into this machine to fix
it, I swear, gov'nor!'
"I think it would also result in pretty dire situations when a
machine equipped for strikeback mistakenly decides another machine
(also strike-back-enabled) needs to be 'fixed', and starts attempting
to hack into it - and then the other one detects it as well, and they
start concurrently trying to hack into each other... probably
saturating the network with crap on the way..."
If the machine is mission critical, why is someone allowing it to be
hijacked by malware? That's my key objection to KDan's posting.
Whether the machine is "critical" or not shouldn't be a factor. If
the machine is responsible for attacking another and the IP can't be
blocked and the process can't be stopped any other way, it may be
necessary to shut down or crash the system. This is one more argument
for protecting computers from malware.
Today's computers are easier to use and have much more complex
operating systems than ever before. Most users have no idea how many
different processes are running in the background, from keyboard and
mouse input and Internet access, to keystroke recording in case of a
crash, to who knows what kinds of spyware reporting our computing
activities to who knows what organizations.
Most people using a computer do not have the tools or expertise to
identify a rogue process, let alone kill it. Ideally users would have
programs on their computers that would notify them when a new process
launches, especially if it's not part of the operating system. Even
then most users wouldn't know what to do when some piece of malware
launched itself, unless this program also gave them the ability to
terminate the process.
Because the average computer user can't be expected to know
everything their computer is doing, it's crucial that hack-back
software exists. This software should function on several different
- Identify the type, severity, and source of the attack.
- Notify the system owner of the attack.
- Attempt to block the attack at the firewall or router by blocking
the offending IP address.
- Notify the sys admin of the network or ISP where the attack is
taking place, requesting they block the offending IP, shut down the
process, or turn off the attacking computer.
- Failing that, attempt to shut down the process and possibly remove
the offending bit of malware.
- Failing that, attempt to shut down the computer.
- Failing that, attempt to crash the computer.
- Report details of the attack and response to a central clearing
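The first rungs of that ladder, the ones that act entirely on your own side of the connection, can be prototyped in a few dozen lines. The following is an added example written for this page; it is not Mullen's strikeback code and not anything from the original article. It parses a constructed web-server access log, identifies a source that probes in a burst (a simplified worm-style signature, not a maintained ruleset), tells the owner, produces a border firewall rule, drafts a notice for the other network's abuse contact (placeholder address), and records the attack and response. The rungs that would touch the other machine are deliberately not implemented.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Common log format; the timestamp carries a numeric zone so %z can parse it.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Worm-style probe signature: a request for an executable under /scripts/.
# Simplified for this example; a real deployment would use a maintained ruleset.
PROBE_RE = re.compile(r"/scripts/.*(cmd|root)\.exe", re.IGNORECASE)
ABUSE_CONTACT = "abuse@upstream.example"  # placeholder, not a real contact address


def build_sample_log():
    """Constructed sample log: one ordinary visitor, one source probing in a burst,
    and one source sending a single probe (below the threshold, so treated as noise)."""
    lines = ['203.0.113.5 - - [10/Jul/2002:09:00:01 -0500] "GET /index.html HTTP/1.0" 200 1043']
    t0 = datetime.strptime("10/Jul/2002:09:00:02 -0500", TS_FMT)
    for i in range(16):
        ts = (t0 + timedelta(seconds=i)).strftime(TS_FMT)
        path = ("/scripts/root.exe", "/scripts/cmd.exe")[i % 2]
        lines.append(f'198.51.100.7 - - [{ts}] "GET {path} HTTP/1.0" 404 0')
    lines.append('203.0.113.5 - - [10/Jul/2002:09:00:20 -0500] "GET /about.html HTTP/1.0" 200 512')
    lines.append('192.0.2.9 - - [10/Jul/2002:09:00:21 -0500] "GET /scripts/root.exe HTTP/1.0" 404 0')
    return lines


@dataclass
class Incident:
    source: str
    kind: str
    severity: str
    first_seen: datetime
    last_seen: datetime
    hits: int
    evidence: list = field(default_factory=list)


def identify_attacks(lines, threshold=10, window=timedelta(seconds=60)):
    """Rung 1: identify type, severity and source. A source becomes an incident
    when it sends `threshold` or more probe requests inside any `window`."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and PROBE_RE.search(m.group("req")):
            per_ip[m.group("ip")].append((datetime.strptime(m.group("ts"), TS_FMT), m.group("req")))
    incidents = []
    for ip, events in per_ip.items():
        events.sort()
        peak, j = 0, 0
        for i, (t, _) in enumerate(events):  # sliding window over the sorted timestamps
            while t - events[j][0] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            severity = "high" if peak >= 2 * threshold else "medium"
            incidents.append(Incident(ip, "worm-style web probe", severity,
                                      events[0][0], events[-1][0], len(events),
                                      [req for _, req in events[:3]]))
    return incidents


def owner_notice(inc):
    """Rung 2: tell the system owner what is happening, in one line."""
    return (f"[{inc.severity}] {inc.kind} from {inc.source}: {inc.hits} requests "
            f"between {inc.first_seen:%H:%M:%S} and {inc.last_seen:%H:%M:%S}")


def firewall_block_rule(inc):
    """Rung 3: block the offending address at our own border (iptables syntax)."""
    return f"iptables -I INPUT -s {inc.source} -j DROP"


def abuse_report(inc):
    """Rung 4: ask the network or ISP on the other side to deal with their host."""
    return {"to": ABUSE_CONTACT, "subject": f"Probe traffic from {inc.source}",
            "body": owner_notice(inc) + "\nSample requests: " + "; ".join(inc.evidence)}


def respond(lines):
    """Run the ladder. Only the rungs that act on our own side of the wire are here;
    the later rungs would act on the other machine and are intentionally omitted."""
    actions = []
    for inc in identify_attacks(lines):
        actions.append(("notify_owner", owner_notice(inc)))
        actions.append(("block", firewall_block_rule(inc)))
        actions.append(("notify_upstream", abuse_report(inc)))
        actions.append(("report", {"source": inc.source, "kind": inc.kind,
                                   "severity": inc.severity, "hits": inc.hits,
                                   "response": ["blocked at border", "upstream notified"]}))
    return actions


if __name__ == "__main__":
    for name, detail in respond(build_sample_log()):
        print(name, detail)
```

The threshold and window are the knobs that decide how much "minimum force" the first rungs apply: a single stray probe from 192.0.2.9 never reaches the block rung, while the sixteen-request burst from 198.51.100.7 does. The block rule is returned as a string rather than executed so that the decision can be logged and reviewed before it is applied.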
Computer self defense would be rooted in taking the minimum steps
necessary to protect your own computer and stop future attacks from the
other machine. And this would have to be done very carefully.
As Digital Quartz notes on Slashdot, "Since you are intentionally
running a process on someone else's machine, you are accountable for
its results." That's why I suggest a process that takes the minimum
steps necessary to first protect your computer and then stop the
There is a proposal floating about that would allow the RIAA to
legally attack computers they suspect of illegally swapping music
files. Under the proposed legislation, the RIAA would not be liable for
any damage they inflict on these computers, even if they attacked one
that was not involved in music swapping.
Self defense software such as Mullen proposes could be a tool in
protecting our computers from the predations of the RIAA, MPAA, and
anyone else who thinks denial of service attacks and other ways of
attacking user computers might in any way be considered a good
It's bad enough the record companies have produced "music CDs" that
fail to work or actually damage computers that attempt to play them. A
right of computer self defense would give us a tool we need to protect
ourselves not only from worms and viruses, but also from deliberate
attacks on our personal computers authorized by law.