Baby Got Hack Back

Presented at BSidesLV 2017, July 26, 2017, 11 a.m. (85 minutes).

You've heard it before: the bad guys are winning; US companies are under attack every day, and defenders are on the losing end of the war. We are less resourced and, held back by the legal framework, less free to act and fight back against our adversaries. This is not just a common lament in security circles; it is also the foundation of the 'hack back' argument, which continues that organizations on the receiving end of attacks should be able to defend themselves the same way US citizens can defend themselves against intruders in their homes. Defenders should be able to fight back and launch a counterstrike. This is hack back, and today it is illegal for private entities in the US. But there is increasing noise about legalizing it, with a bill introduced to do just that earlier this year, and a number of foreign governments also discussing it. The arguments that support it are appealing, yet it is widely opposed by many in the security community, with dire warnings about the potential consequences of authorizing such measures. This talk will examine the arguments for and against hack back; the current legal constraints; potential outcomes of authorizing it; and how hack back fits within both broader cybersecurity policy discussions and other security program practices, such as active defense. We will begin with an objective, balanced overview from the Department of Justice's Leonard Bailey and Rapid7's Jen Ellis (40 mins) of the legal and practical dimensions of hack back. They will then be joined by advocates for and against authorizing hack back for a lively debate (40 mins). There may also be some bad rapping, but we make no promises.

Presenters:

  • Jen Ellis - VP of community and public affairs - Rapid7
    Jen Ellis is Rapid7's Vice President of Community and Public Affairs. She believes security practitioners are the guardians of society's trust in technology, and works extensively with security professionals, technology providers/operators, and various government entities to promote better collaboration. She believes this is our best path to reducing cybercrime and protecting consumers and businesses. To this end, Jen also provides free skills training to security professionals so they can get greater buy-in and achieve more positive security outcomes. She has testified before Congress and spoken at numerous security industry events.
  • Davi Ottenheimer - product security - mongoDB
    flyingpenguins, Cyberwar History, Threat Intel, Hunt, Active Defense, Cyber Letters of Marque, Cloudy Virtualization Container Security, Adversarial Machine Learning, Data Integrity and Ethics in Machine Learning (Formerly Known as Realities of Securing Big Data).
  • Leonard Bailey
    Leonard Bailey joined the Department of Justice's Terrorism and Violent Crime Section (TVCS) in 1991 and served as Special Counsel and Special Investigative Counsel to the Department's Inspector General in the late 1990s. In 2000, he joined the Computer Crime and Intellectual Property Section (CCIPS), where he has prosecuted computer crime and intellectual property cases; advised on matters related to searching and seizing electronic evidence and conducting electronic surveillance; and chaired the Organization of American States' Group of Government Experts on Cybercrime. Between 2009 and 2012, he focused on DOJ cyber policy while serving as Senior Counselor to the Assistant Attorney General for the National Security Division and as an Associate Deputy Attorney General. He returned to the Criminal Division in 2013, where he is currently Special Counsel for National Security in CCIPS. Mr. Bailey is a graduate of Yale University and Yale Law School. He has taught law courses at Georgetown Law School and the Columbus School of Law in Washington, D.C.
  • Robert Graham - Errata Security
    Robert Graham is the CEO of Errata Security, a pentest/consulting firm. He's known for creating the first IPS, the BlackICE series of products, sidejacking, and masscan. In his spare time, he scans the Internet. He has been speaking at several conferences a year for the past decade. He may have some patents, but they'd anger you if you ever read them.