Rep. Gohmert Wants A Law That Allows Victims To Destroy The Computers Of People Who Hacked Them
from the do-these-people-even-listen-to-themselves? dept
Last week, we had talked about some concerns about how various cybersecurity provisions would allow those hit by malicious hackers to "hack back" or, as some call it, engage in an "active defense." There were significant concerns about this, but as Marvin Ammori briefly mentioned in last week's favorites post, Rep. Louis Gohmert seems to not only think hacking back is a good idea, but that it should be explicitly allowed under the CFAA (Computer Fraud and Abuse Act). You can see his explicit statements to this effect below during last week's House Judiciary Committee hearing on the CFAA. It appears he heard a story about someone installing some malware on a hacker's computer to get a photograph of them, and has decided "that's a good thing, that helps you get at the bad guys," without ever thinking of the very, very long list of dangerous consequences of allowing such things:Here's the basic transcript. The really crazy part is where Gohmert says he doesn't care as long as the hack back is "destroying that hacker's computer."
Rep. Gohmert: It's my understanding that under 18 USC 1030 that it is a criminal violation of law to do anything that helps take control of another computer, even for a moment. Is that your understanding?First off, kudos to Orin Kerr for keeping a (mostly) straight face through that exchange. There are many amazing things about this particular exchange, but the fact that Rep. Gohmert is one of the people in charge of how the CFAA gets reformed, and doesn't understand these very basic concepts, is immensely troubling. Among the headsmackers in that exchange: the idea that hackers are bad -- and not just partially bad, but apparently obviously and totally bad, like out of a movie. Also: that they're somehow easy to identify and that a freebie on hackbacks wouldn't be abused in amazing ways. Further, as Kerr pretty clearly points out that you can't automatically track back and (without saying so directly, but clearly implying) that hackers likely would shield their identity or fake someone else's identity, Gohmert still doesn't get it and somehow thinks that Kerr is saying we don't want to allow hackbacks on US government snooping (which, again, Gohmert seems to have no problem with). Yikes. Please do not let people like this near laws that have anything to do with computers. To me, this level of misunderstanding is worse than the whole "series of tubes" garbage from a few years back by Senator Stevens.
Orin Kerr: It depends exactly what you mean by "taking control." If "taking control" includes gaining access to the computer, assuming a network your not supposed to take control of, then yes, that would clearly be prohibited by the statute.
Rep. Gohmert: For example, my understanding is that there was a recent example where someone had inserted malware on their own computer, such that when their computer was hacked and the data downloaded, it took the malware into the hacker's computer, such that when it was activated, it allowed the person whose computer was hacked to get a picture of the person looking at the screen. So they had the person who did the hacking, and actually did damage to all the data in the computer. Now, some of us would think 'that's terrific, that helps you get at the bad guys.' But my understanding is that since that allowed the hackee to momentarily take over the computer and destroy information in that computer and to see who was using that computer, then actually that person would have been in violation of 18 USC 1030. So I'm wondering if one of the potential helps or solutions for us would be to amend 18 USC 1030 to make an exception such that if the malware or software that allows someone to take over a computer is taking over a hacker's computer, that it's not a violation. Perhaps it would be like for what we do for assaultive offenses, you have a self-defense. If this is a part of a self-defense protection system, then it would be a defense that you violated 1030. Anybody see any problems with helping people by amending our criminal code to allow such exceptions or have any suggestions along these lines?
Orin Kerr: Mr. Gohmert, that's a great question that is very much debated in computer security circles. Because, from what I hear there is a lot of this "hacking back" as they refer to it. But at least under current law, it is mostly illegal to do that.... The real difficulty is in the details. In what circumstances do you allow someone to counterhack, how broadly are they allowed to counterhack, how far can they go? The difficulty, I think, is that once you open that door as a matter of law, it's something that can be difficult to cabin. So I think if there is such an exception, it should be quite a narrow one to avoid it from becoming the sort of exception that swallows the rule.
Rep. Gohmert: Well, I'm not sure that I would care if it destroyed a hacker's computer completely. As long as it was confined to that hacker. Are you saying we need to afford the hacker protection so we don't hurt him too bad?
Orin Kerr: (brief confounded look on his face) Uh... no. The difficulty is that you don't know who the hacker is. So it might be that you think the hacker is one person, but their routing communications... Let's say, you think you're being hacked by a French company, or even a company in the United States...
Rep. Gohmert: Oh and it might be the United States Government! And we don't want to hurt them if they're snooping on our people. Is that...?
Orin Kerr: No.
Rep. Gohmert: I don't understand why you're wanting to be protective of the hacker.
Orin Kerr: The difficulty is first, identifying who is the hacker. You don't know when someone's intruding into your network who's behind it. So all you'll know is that there's an IP address that seems to go back to a specific computer. But you won't know who it is who's behind the attack. That's the difficulty.
I'm sorry, but it seems that if you can't understand that there isn't some magic list that says "these hackers are bad, and therefore we should destroy their computers," I don't think you should have any role in making laws around this topic.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cfaa, destroying computers, hackers, hacking, louis gohmert, orin kerr
Reader Comments
Subscribe: RSS
View by: Time | Thread
Gohmert the unbearable
This is the same guy that wants to lock up journalists, shut down the government, stop the government from spending money on its citizens, keep taxes lowered ok the richest people, believes in gerrymandered districts over democratic rights of the people, denies climate change based on his bribes from the oil industry, and his overall morality is atrocious when it's based on being a self-centered power hungry mad man who treats the public like serfs and peasants instead of people with valid concerns.
Have I missed anything or does anyone else see the problem with these people in office supporting the worst representation of American culture?
[ link to this | view in chronology ]
Re: Gohmert the unbearable
MAFIAA & Government & Others who Enter my Domain will be Hacked and Brought down because I will be the Victim !
Gohmert you are one big stupid Clown ! Amazing how losers like him get Voted in...........those people who said YES must of had a brain fart.
[ link to this | view in chronology ]
Re: Gohmert the unbearable
Gohmert the Gohmerian?
[ link to this | view in chronology ]
Re: Re: Gohmert the unbearable
[ link to this | view in chronology ]
Re: Gohmert the unbearable
[ link to this | view in chronology ]
Re: Re: Gohmert the unbearable
[ link to this | view in chronology ]
Re: Gohmert the unbearable
[ link to this | view in chronology ]
Re: Re: Gohmert the unbearable
[ link to this | view in chronology ]
Re: Gohmert the unbearable
[ link to this | view in chronology ]
If I remember that story correctly, the victim of the stolen laptop installed the software himself.. Which remotely sent him a picture of the thief..
What hackers have to do with it idk...
[ link to this | view in chronology ]
Re:
Tbh, I don't know what all the fuss is about.. More people should install anti-hacker apps imo and it should be legal.. Screw anyone who hacks in I say, be it a real hacker or the government :P
[ link to this | view in chronology ]
Re: Re:
2) how do you identify a counterhack? If a victim of hacking can counterhack, how do you determine they actually were hacked in the first place? It could become a defense that makes the law utterly toothless.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
- 127.0.0.1 references the loopback interface (actually anything in the 127.0.0.x range does) which won't allow you to access another computer according to IE specs. Just to clarify. Thus, you're either hacking yourself or incorrectly identifying the source of the original attack. This is one such problem with the whole thing...identification of the ACTUAL source.
- Assuming you correctly identified the source, IP addresses change as you noted. So while you can identify the specific attacking computer at a given point in time (assuming you can correctly do so), you still have a risk that the address of the computer that actually performed the act changes before you can respond. Now, granted, if you respond in a very short period of time, the likelihood of the IP address changing is slim, but legally, you have to consider the ramifications of a possible change in address between action and reaction.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Shame the addresses aren't as recognizable as 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/20, or 10.0.0.0/8.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Oh and if that poor guy caught in the middle found out you're hacking him, he could hack you back... Because to him you'd look like an original hacker, he would not know you're trying to counter-hack.
And wait until hackers plant false evidence that you were a hacker yourself, so they can claim they were counter-hacking you.
Seriously, legalizing counter-hacking is just loads of bullshit. If you're being hacked, just block the IP address hacking you and contact the authorities.
[ link to this | view in chronology ]
Re: Re: Re: Re:
The first step of tracing the hack backwards is checking the connection log to see if this was an origination point or just a step along the way. Of course, you need to use a log undeleter with a high enough level to make sure it wasn't just falsified!
I wish you could do this in real life... except... no, I don't.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
God forbid somebody else in your house actually use that computer, it would be useless for a while and all data YOU stored would be gone.
That is not the only way it could go wrong though.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Unlike other bills that simply tack on the word cyber and say there's a difference because its on a computer...just because...in this case there actually IS a difference. Since he's using the analogy of self defence, if I'm being attacked physically, I can see who's attacking me. I can fight back against those who are clearly identifiable as my attackers. Not so with a hacker. They're going to rout through and use proxies, so just like with Six Strikes, this means allowing harm to innocents because the lawmakers and policy pushers are complete and total morons.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
2. Hacker uses Computer A to hack into Computer B
3. User of Computer B notices hack attempt from Computer A
4. User B installs covert software to snap a pic from the webcam of Computer A to catch evil hacker
5. User A happens to be a teenage girl who's changing clothes at the time.
6. User B gets 50 years in PMITA prison for child porn.
7. Lawmakers pat themselves on the back for catching dangerous predator of America's youth.
8. Lawmakers continue to propose stupid laws. Americans continue to elect stupid lawmakers.
[ link to this | view in chronology ]
Re:
1) User A is a troll who posts the password to their forum account online.
2) User B uses the password to log in as User A and make a few joke posts for fun.
3) User A then tricks User B into clicking on some bad links to install malware on their computer, which lets User A take control of User B's computer.
4) User A steals User B's bank account information and steals all their money, and then floods User B's hard drive with a bunch of junk files saying "You suck User B".
5) User B finds out that they've been hacked and robbed, and goes to the police and FBI.
6) In court User A points out that User B 'hacked' into their forum user account first, so all their retaliation hacking against User B is perfectly legal thanks to Rep Gohmert.
7) Case is dismissed against User A. User B is charged with hacking under the CFAA, and is still out over $100,000 stolen by User A.
8) User A goes on to get himself 'hacked' by more 'victims' for a living, and the federal government continues to lock up those 'victims' for 5 or more years.
9) User A gives very big campaign donations to Rep Gohmert, so everyone wins! Everyone except User B's!
[ link to this | view in chronology ]
Re:
Me: Here's an example. Suppose you have a computer.
G: OK.
M: And someone takes it over without your knowledge.
G: OK.
M: They then use it to attack my computer. To me, it looks like the attack is coming from your computer (because it is.)
G: OK.
M: Are you suggesting that I should have the legal right to destroy your computer because it's attacking me?
G: Well, no.
M: OK, then. Shut up and let the adults discuss this.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Heard this one before
[ link to this | view in chronology ]
Re: Heard this one before
[ link to this | view in chronology ]
Re: Heard this one before
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Politics :D
[ link to this | view in chronology ]
(Post from 2001, on a discussion about counter-hacking machines infected with the Code Red worm. Look up "Core War" on Wikipedia to understand the reference.)
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I think we should pass a law that states "In order to pass legislation on a particular subject, you must first pass a college level test on that subject". Hell, even a high schooler with basic IT knowledge would know that's idiotic.
[ link to this | view in chronology ]
Well...
[ link to this | view in chronology ]
Re: Well...
[ link to this | view in chronology ]
If you hack back the wrong person, does that person have the right to hack back against you?
Oh, and this could create jobs, couldn't it? I mean, now every public library and coffee house with public wi-fi will need to hire a new security expert just to protect the network from all the hackbacks triggered by hackers using them to launch the initial attack.
[ link to this | view in chronology ]
Maybe this will help
Attacking people or charging them with crimes based on an IP address, is like charging the current resident of a hotel room with a crime that was committed there last month.
[ link to this | view in chronology ]
Re: Maybe this will help
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Every election is a choice between voting for an idiot or a moron. Heads they win, tails we lose. It's a vicious cycle, and as long as big businesses can keep funding both parties to guarantee favorable legislation, it'll probably keep going for a long time.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Hacking vs land mines
The second issue, making hacking back legal, is absolutely insane. Ignoring the script kiddies, any hacking is probably coming from another compromised machine, not one owned by the hacker. So the hack-back will not affect the hacker, but will cause further harm to a different victim.
[ link to this | view in chronology ]
Re: Hacking vs land mines
Force the assholes to reformat or make it force their GPU and CPU fans and attack the PSU as well as encrypting. "If you're looking to actually destroy their system."
IMO a reformat is punishment enough but some people rather take it to the max.
[ link to this | view in chronology ]
Re: Re: Hacking vs land mines
force their GPU and CPU fans "run at max"
[ link to this | view in chronology ]
Re: Re: Hacking vs land mines
Force the assholes to reformat or make it force their GPU and CPU fans and attack the PSU as well as encrypting. "If you're looking to actually destroy their system."
And if the software is not immediately pulled to the attacker's own machine, but that of one of the hacker's already-compromised victims?
[ link to this | view in chronology ]
Re: Hacking vs land mines
First is you can install anything you like and if that happens to be a nastygram piece of malicious code that destroys a hackers computer after they've stolen it, so be it.. Should be legal..
The second, which as I read it does not follow the story anyway is a back-hack after the event against the IP who attacked you.. While that may sound like fun it's entirely to dangerous as who can say 100% you get the right IP to attack...
The whole thing reminds me of Ghost in the Shell where everyone's Cyborized with external computing and memory.. When someone gets hacked there they get blocked by active firewalls called Phages which backtrace the connection immediately and fry the brain of the attacker.. Perhaps this Senator's been watching too much Manga?
[ link to this | view in chronology ]
Re: Hacking vs land mines
Apple would disagree with you on this, and Micro$oft is moving in the same direction. The MAFIAA would love to be able to control everyone's computers, so that they can kill all forms of piracy.
Long Live Linux and the BSDs.
[ link to this | view in chronology ]
This is something the lobbyists and "experts" for some other industries do very well. Their positions and statements may be utter crap--but at least it's understandable crap--and this is why we get crappy laws.
[ link to this | view in chronology ]
Re:
Move this out of the 'computer hacking' arena and it is totally nuts. He refers to self-defense, but self-defense laws are very narrowly defined and require imminent harm. Until there is a hack that is going to kill people through their keyboards, we are not talking about self-defense.
This is defense of property. As far as I am aware, there are no states that allow me to go throw a rock through my neighbor's window if they threw one through mine. That would be insane. You call the police and they investigate or you bring a civil action.
Anyone that suggests that 'hacking back' is a solution needs to hand in their citizenship card and move to the stone ages or some country that we just bombed (possibly back into the stone ages).
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
How is this worse than "Series of Tubes" Stevens?
I'm not disagreeing, but I'm curious how this is worse than Ted Stevens?
I think Stevens displayed an even thinner grasp of understanding of the internet than Gohmert is doing, currently. I think Gohmert seems to understand how computers work, but is just showing a limited amount of thought into the issue (or a limited ability to reason out his own argument).
Stevens' display of understanding was terrible, and I don't see how this is worse (bad as it is). So my question is whether I'm missing something, myself.
[ link to this | view in chronology ]
Re: How is this worse than "Series of Tubes" Stevens?
Stevens' display of understanding was terrible, and I don't see how this is worse (bad as it is). So my question is whether I'm missing something, myself.
Stevens clearly wasn't particularly computer savvy, but fundamentally his series of tubes analogy was not bad. In fact don't we sometimes refer to them casually as pipes? What's the difference?
[ link to this | view in chronology ]
Judicial Review
So it's okay for anyone to hack anyone else, as long as they first accuse them of hacking you first?
That would make sense, because it is okay to accuse anyone (like the MPAA) of copyright infringement six times to get their internet cut off or slowed down.
[ link to this | view in chronology ]
Gotta just love the intellegnce that runs our country!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Sony
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Somebody has to suggest it...
Might this be the copyright industry trying to use the guise of hacking to get a law introduced that will later be expanded to include them? Legal to hack "back" infringes?
The reason I suggest this is due to the fact that they have introduced other measures with buzzwords, just because it would go easier with the public, judges and politicians. An example of this is the danish Anti Piracy Group who made the child porn filter because "Childporn is a thing they understand". And they then, as planned, got it expanded to include other sites.
It might sound insane for some, but really when you think about it: Hacking and Cyber are the new buzzwords and judging by other stuff that group has done or suggested over the years, would you really be surprised?
Links about what was said by the danish APG boss about the filter:
https://www.techdirt.com/articles/20100427/1437179198.shtml
https://christianengstrom.word press.com/2010/04/27/ifpis-child-porn-strategy/
[ link to this | view in chronology ]
Some good comments here
HOW easy is it to TRACK a bot/advert that has been installed on your computer.
You goto a site that has ADVERTS and 1 installs its cookie on your system, that TRACKS you, all over the net..
It opens a backdoor for OTHER ADVERTS for what it THINKS you are looking for..
This idea(from the article) will take a TON of discussion and cleanup, of WHAT/WHO is a hack..
I mean, if the GOV. REALLY wanted to track this crap down, they would hok up with a few companies like spybot/AVAST/Malwarebyte and ADD tracking to the data.
THINK about it..You get a BOT from a site and its LOGGED where you got it..NOT ANONYMOUS..
A few years back I had a CLEAN MACHINE..and had to install updates and protection. It was dialup, so connected and the FIRST SITE it went to was MSN.. 7 virus and 37 bots from the FRONT PAGE. It took 15 minutes to gain control of the computer...and 6 more hours to clean up..
I sent a letter to MSN..1 year later they QUIT adverts from 3rd parties.
Then comes the thought, of WHO do you hold responsible?
THE SITE? They didnt SCAN and clean it..
You have to understand WHY adverts are all OVER the place..
SOMEONE IS GETTING PAID. and there has to be INFO in the bot, of WHO DID IT..so they can get paid.
The Company wanted Adverts, they shipped it to an ADVERt company, they shipped it to person to DO THE WORK..
NOW:
COMMENTS:
STUXNET..look it up.
Do you think the Other countries have rights to BOMB the USA with virus after we did it to THEM?? Do you REALLY think this is the first time?
COMPUTER security is FAIRLY SIMPLE..
1. MAJOR systems DONT HAVE ACCESS TO THE NET..
2. ANY outside data to be installed is SCANNED(HEAVILY) before being inserted..from DECODERS to AV/BOT scanners..
3. ALL input data is TESTED ON REMOTE/OFFLINE systems FIRST. NOT on the primary system..
dont do this..
http://consumerist.com/2013/03/08/its-totally-not-cool-that-my-fridge-stops-working-and-tell s-the-wrong-temperature/
[ link to this | view in chronology ]
Goobernuts
[ link to this | view in chronology ]
There would be interesting side effects...
[ link to this | view in chronology ]
Did you happen to upset somebody?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: Gohmert the unbearable
1- leaving malicious code in a honeypot as a counter-measure/defense to attack on your systems is ethical, appropriate, and justified
2- tracing the origin of the attack in order to attempt a hackback is too difficult and a foolish idea
[ link to this | view in chronology ]