Dumb Idea Or Dumbest Idea: Letting Companies Use Malware Against Infringers
from the dumbest-ideas-ever dept
We already did a post exploring the ridiculous background and bad assumptions of the so-called IP Commission Report, but we're going to explore some of the "recommendations" of the report as well. In that first post, we noted that the basis, assumptions and methodology of the report were all highly problematic, so it should come as little surprise that the "recommendations" that come out of it are equally ridiculous.Let's start with the one that has received the most attention: the fact that the report recommends a "hack back" legalization, to allow those who feel their (loosely defined) "intellectual property" has been infringed to "hack back" at those who infringe. As Lauren Weinstein summarizes, this proposal more or less is a plan to legalize malware against infringers. Of course, this kind of idea is not new or unique. It's been around for a while. Almost exactly ten years ago, Senator Orrin Hatch proposed allowing copyright holders the right to destroy the computers of anyone infringing. The specifics here are explained over two "suggestions" that, when combined (hell, or even individually), are somewhat insane for anyone even remotely familiar with the nature of malware. First up, legalizing some basic spyware/malware:
Support efforts by American private entities both to identify and to recover or render inoperable intellectual property stolen through cyber means.Basically, malware/DRM-on-steroids. As if that will work. Anyone who had even a modicum of experience with DRM or watermarking knows that these things aren't difficult to get around, and are basically a huge waste of time and money for those who employ them. The idea that they might then lock down entire computers if an incorrect file gets onto one seems even more ridiculous. Given how often DRM causes problems for legitimate users of the content, you can imagine the headaches (and potential lawsuits) this kind of thing would lead to. A complete mess for no real benefit.
Some information or data developed by companies must remain exposed to the Internet and thus may not be physically isolated from it. In these cases, protection must be undertaken for the files themselves and not just the network, which always has the ability to be compromised. Companies should consider marking their electronic files through techniques such as “meta-tagging,” “beaconing,” and “watermarking.” Such tools allow for awareness of whether protected information has left an authorized network and can potentially identify the location of files in the event that they are stolen.
Additionally, software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for law enforcement to become involved.
So, then, they take it up a notch. If bad DRM/watermarking isn't enough, how about legalizing the pro-active hacking of infringers? No, seriously.
Reconcile necessary changes in the law with a changing technical environment.Notice how that recommendation gets even more insane the further you read. "Retrieving" info? Okay. "Destroying info on an unauthorized network"? Yeah, could kinda see where someone not very knowledgeable about computers and networks thinks that's a good idea. "Photographing the hacker"? Well, that's going a bit far. "Implanting malware in the hacker’s network"? Say what now? "Physically disabling or destroying the hacker's own computer or network"? Are you people out of your minds?
When theft of valuable information, including intellectual property, occurs at network speed, sometimes merely containing a situation until law enforcement can become involved is not an entirely satisfactory course of action. While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.
This isn't just a bad idea, it's a monumentally dangerous idea that will have almost no benefit, but will have tremendously bad and dangerous consequences. Hell, today we already have to deal with a plethora of bogus DMCA takedown notices. Imagine if that morphed into bogus malware attacks or destroying of computers? It makes you wonder how anyone could take anything in the study seriously when you read something like that.
To be fair, the authors of the report say they don't recommend legalizing this stuff yet, but immediately make it clear that something like this is going to need to happen in the future, because "the current situation is not sustainable." Based on what? Well, as we explained in the first post about this report, that's mostly based on the authors' overactive imaginations, rather than anything fact-based.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: copyright, dennis blair, hacking, intellectual property, ip commission, john huntsman, malware, patents
Companies: national bureau of asian research
Reader Comments
Subscribe: RSS
View by: Time | Thread
Not really surprising. And I'm sure it would be 100% accurate and not accidentally do that to innocent people ever...
[ link to this | view in chronology ]
Response to: Tim K on May 28th, 2013 @ 8:10am
[ link to this | view in chronology ]
Of course given that lot's aversion to anything and everything involving the legal system that isn't using it to pass laws to protect themselves from having to adapt, I'm sure they consider that a feature, not a bug. 'This is a copyright case, which means the accused is presumed guilty until they can prove their innocence, and since the only evidence they can present is inadmissible due to both parties having had access to it, it's down to our word versus theirs, which is an automatic win for those making the accusations'.
Also of note, if it suddenly becomes legal to plant malware/spyware on the computers of anyone suspected of having pirated files, companies around the US are going to go absolutely nuts hacking their competitors, as all they'd need to do to justify it would be to claim that they thought the other company had pirated files on their servers.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
After all, if you have the legal right to act as judge, jury, and executioner, why would you bother with a trial?
Moreover, this has nothing to do with actually stopping "piracy" - it's real purpose is to stop competition. You wanna silence the TPB movie? Claim that it infringes your copyright, upload a copy with a virus and destroy the computer of anyone who downloads it. Wanna "get back" at someone who criticizes you? Hack the computer of anyone who downloads "Homeland".
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
...Which is really the point in all this.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re:
Better yet, it would basically legalize the activities of "organizations" like anonymous. Everyone infringes copyright at some point, especially the copyright maximalists. I can only imagine the hilarity of anonymous LEGALLY pulling apart all the IAAs byte by byte.
[ link to this | view in chronology ]
The Stupid is strong in this one...
We already have fake antivirus extortion schemes plaguing people that are just trying to learn how to use online banking and Facebook.
The abuse that will follow this will be monumental.
Maybe this is just another way the Maximalists hope to break the internet.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
hooray
[ link to this | view in chronology ]
No, seriously, I want to know.
Because *MY* tax dollars are apparently being funneled into funding this glaring insanity. That needs to stop.
Fuck this entire administration.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Where do the malware vendors go
[ link to this | view in chronology ]
Re: Where do the malware vendors go
[ link to this | view in chronology ]
Virus
[ link to this | view in chronology ]
Re: Virus
any good and decent citizen would allow their pcs to be overloaded with malware
[ link to this | view in chronology ]
See, I've just solved the copyright problem, since nothing could exist in digital form that was not approved. In fact, all data could be government approved. Wouldn't that be dandy.
[ link to this | view in chronology ]
Re:
There are powerful motivations for this in those who want control, not just over IP.
[ link to this | view in chronology ]
Turnabout is fair play
[ link to this | view in chronology ]
Re: Turnabout is fair play
Still, that fact that this got past the "ARE YOU HIGH?" test says a lot about both the current administration and those that support culture theft.
[ link to this | view in chronology ]
Re: Turnabout is fair play
[ link to this | view in chronology ]
Re: Re: Turnabout is fair play
Seriously, this is required reading. When will politicians and there corporate sponsors realize that there's a breaking point?
[ link to this | view in chronology ]
Re: Turnabout is fair play
Could that target that got hit in error then turn around and hack back in turn?
[ link to this | view in chronology ]
This already exists, one of them is called truecrypt
if you need help googling that, please contact me
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Botnets, that rely on computers infected with malware, are used daily in DDOS attacks, spamming, phishing and many other evil activities.
Now these idiots want to flush all that hard work down the toilet, and green-light the use of malware?
The idiot that proposed this should be SHOT for proposing legislation that intentionally makes the world less safe.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
I mean, private people can advocate anything, but if they're officials, proposing ideas like this in an official role at least warrants immediate dismissal, if not an investigation for high treason (trying to subvert national security etc...).
[ link to this | view in chronology ]
It's not sustainable for the current plutocracy. The current plutocrats want to be able to continue to make money and do little to earn it while forcing laws that are unfairly enforced on everyone else. They have gotten away with it for this long but people are catching up and their business model is not sustainable. They may have to actually work for a living instead of relying on bought laws (ie: 95+ year copy protection lengths and retroactive extensions, a one sided penalty structure, govt. established broadcasting and cableco monopolies for private and commercial use, govt. established taxi cab monopolies, etc...).
[ link to this | view in chronology ]
Give hackers a free method of malware that will most likely be prevented from being labeled as malware.
Give hackers access to what could potentially become the largest botnet in history.
Give people who infringe a perfect defense to fight back.
Give people who have equipment destroyed a perfect case to sue because they have the perfect defense to say they were set up.
Sounds like a damn good plan to completely destroy any means of fighting copyright infringement.
[ link to this | view in chronology ]
Hacker plants malware on MPAA/RIAA computers.
[ link to this | view in chronology ]
The main malware today is javascript, mainly by Google.
Yes, I DO believe that's relevant as Google doesn't bother to ask permission to run its tracking software on my machine, so same principle.
[ link to this | view in chronology ]
Re: The main malware today is javascript, mainly by Google.
Google doesn't need Javascript to track you.
Every resource you load from the internet can be used to track you.
This is just one way to do it:
https://en.wikipedia.org/wiki/Web_bugs
Want to stay hidden? Bury yourself in a concrete bunker on the bottom of the ocean.
[ link to this | view in chronology ]
Re: Re: The main malware today is javascript, mainly by Google.
You granted permission the moment your browser sent an HTTP GET request to the server.
Either learn to configure your browser appropriately, or STFU.
[ link to this | view in chronology ]
Re: Re: The main malware today is javascript, mainly by Google.
Once again displaying what an idiot you are.
[ link to this | view in chronology ]
Re: Re: Re: The main malware today is javascript, mainly by Google.
[ link to this | view in chronology ]
Re: The main malware today is javascript, mainly by Google.
[ link to this | view in chronology ]
Re: The main malware today is javascript, mainly by Google.
[ link to this | view in chronology ]
Re: The main malware today is javascript, mainly by Google.
Pathetic, even by your standards.
[ link to this | view in chronology ]
huh?
Didn't SOPA fail already?
[ link to this | view in chronology ]
Obviously No Thought Given to Consequences
They might want to pay close attention to the latest results of the US/Israeli Stuxnet project.
[ link to this | view in chronology ]
Re: Obviously No Thought Given to Consequences
http://www.jpost.com/Iranian-Threat/News/Report-Wave-of-cyber-attacks-on-US-originating-in- Iran-314308
[ link to this | view in chronology ]
First off rootkits are hidden from the OS discovering it. Doesn't mean it's gone, only that it isn't visible to detection through the OS. If you can discover what the rootkit folder is named, as in the first letter or digit or two, you can add to the rootkit whatever it is you like, say like more malware. By trying a series of digits and letters you can find what it is, say like a* or $*. It won't show you it took it but you will know by the absence of an error. So any hack with a few hours work at best will be able to access it and use this rootkit for their own purposes.
As far as permission to use malware, lots of companies are unofficially already doing this under the table., The RIAA has a long history dating back to the Gnutella networks of using malware methods. The first one off the top of my head is the old Loudeye that was hired to serve up malware on file sharing networks. It started out returning bogus search results in file sharing networks and expanded beyond that. Loudeye opened up a second branch called Overpeer.
http://www.theinternetpatrol.com/mpaa-contractor-infects-downloaders-machines-with-adwa re-spyware/
While the article only mentions the MPAA the RIAA was up to it's eyeballs in it as well.
So being given official permission would only bring it out in the open, what is already and has already been being used.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Vigilante justice?
That guy looked at me funny! He must be a murderer, so I can now kill him!
Yep, sounds like a great idea.
Yes, I compared copyright to murder, but hey, right to culture is as much a right as right to life.
[ link to this | view in chronology ]
Shall we play a game?
Cowboy style "justice" may appeal to our baser instincts. But anybody can assemble a posse. And the people who are asking for a blanket authorization of vigilante responses might want to consider that any number can play that game if you abandon good laws and decent behavior.
And when it comes to that sort of technology and creativity, I think the 'court advantage' is squarely with the "rest of the world" rather than corporate security and IT departments
[ link to this | view in chronology ]
Re: Shall we play a game?
[ link to this | view in chronology ]
The Wild Wild West
Personally in a war of hackers vs. Everyone Else my bet is with the hackers winning the Cyber-West.
[ link to this | view in chronology ]
Example on a soundmixing forum:
Guy: "Does anyone have a good recording of birds singing?"
Troll: "Sure no problem."
*Sends recording to guy named Birds_01.ogg*
*Guy opens Birds_001.ogg and discovers that it is really a copyrighted song*
Computer of guy: "You have been deemed guilty of copyright infringement and your files are now locked. Please report for public execution at your nearest MIAA center."
That is gonna be "sooo fun" for the rest of us (not trolls).
And to think that at one time not too long ago, I had an almost childish excitement for the future. I seem to have lost that in the last couple of years due to morons like this.
[ link to this | view in chronology ]
Am I becoming a conspiracy nut???
Enough said, this is giving me a headache, maybe I better go see if there is enough tin foil for a hat! j/k, maybe
[ link to this | view in chronology ]
Re: Am I becoming a conspiracy nut???
[ link to this | view in chronology ]
Which translates to the authors of the proposal not smoking enough crack yet to push for implementation of insane Big Brother DRM, but enough to come up with such lunacy. In the future, when their smoking efforts will progress so sustain their growing appetites, they can get to pushing the idea into action.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
I hate to play this card, but...
Good God above, what have we come to?
Just sayin',
IPTT (and Mom, whose kids would be in heap big trouble for retaliation)
[ link to this | view in chronology ]
Bring 'em on
[ link to this | view in chronology ]
Re: Bring 'em on
They will define themselves out of existing laws.
[ link to this | view in chronology ]
Justification!
"Someone there downloaded Fast and Furious 26: Fasterer and Furiouserer"
"There you have it your honour, justifiable homicide!"
[ link to this | view in chronology ]
Alternative OS
[ link to this | view in chronology ]
Re: Alternative OS
[ link to this | view in chronology ]
Re: Re: Alternative OS
[ link to this | view in chronology ]
Sounds like someone on the commission got the moneypak virus and said, "We could be making money with a scam like this!"
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
The people sharing files would take about 2 minutes after it was discovered to spread the word, ensuring that almost no one got this malware.
It's obvious it hasn't been well thought out. But then idiots don't tend to think very deeply.
[ link to this | view in chronology ]
It's egomaniacs run amok with their wet dreams and it's a horrible, laughable suggestion.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Quiet under this bridge so far
[ link to this | view in chronology ]
Anyone attacked by a copyright group can send a notice of infringement claiming that they were wrongly attacked.
The offending group must not only cease all cyberterrorism attacks (let's call it what it is), but disable all firewall and protective capabilities for a set period.
They can appeal, but are forbidden from reactivating their protection in the meantime.
If the RIAA and their ilk want the "right" to commit acts of cyberterrorism, they should have to take the maximum risk of retaliation when they're found to be in the wrong, as they inevitably will be.
[ link to this | view in chronology ]
Weapon
> if an incorrect file gets onto one seems even more ridiculous.
> Given how often DRM causes problems for legitimate users
> of the content, you can imagine the headaches (and potential
> lawsuits) this kind of thing would lead to.
This would be a helluva weapon for disruptive groups like Occupy that hate big corporations and banks. They could easily send one of these protected files to the entire corporate email list, and every secretary, mail boy, and assistant will then try and open it, resulting in a huge percentage of the company's computers locked down for a day or so.
[ link to this | view in chronology ]
In Soviet America..
[ link to this | view in chronology ]
Burnin' Down the House!
Using this logic, if I THINK (not know, not can prove....simply THINK) you have stolen my garden hose then I should be able to burn your entire house down.
At least if you try to put the fire out with my garden hose I can rest comfortably knowing I finally proved you a thief!
and get off my Cyber-Lawn!
[ link to this | view in chronology ]
"disabling or destroying the hacker’s own computer or network"
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
No way this could backfire
What would happen if anyone (rival companies, evil hackers, hacker-activists, etc) decided to watermark and plant fake files on people's computers? Then what happens when the real company sends a malware attack onto these computers?
But most of all, what ever happened to the idea of due process of law? There's the fact that the company should prove the file is infringing, then they should prove you did it on purpose. Like we've seen with false takedown notices, will there be any repercussions for false malware attacks? I don't think the RIAA can just say "oops, my bad" when they take down a college's network because one person named their class project with the same name as a Hollywood movie.
However, it would be beyond hilarious if the automated takedown company (which so many companies seem to use) attacked NBC's own website for "illegally" hosting its own shows.
But, as usual, there are no technical details to back up this plan: just some vague ideas about what "should be done". What would happen if some IT guys (or any IT guys) were to explain that none of this is actually feasible? Or like some other posters are saying, does anyone care about the feasibility as long as they look like they're "doing something".
[ link to this | view in chronology ]
iu tfrdesx poijukhgkyhgo (èuitv oiub²
[ link to this | view in chronology ]