This week’s Friday Photo is from the island of Iona, off the coast of Scotland. This Celtic cross is outside the Iona Abbey, founded in 563 and the traditional resting place of Macbeth. Life is stressful, working in security is even more so, and it’s important that we keep perspective. Our visit there was one of the most peaceful days I’ve ever had – time to slow down, breathe and just be in one of the most beautiful places I’ve ever seen.
Archives for August 2017
Hacking Back is a Bad Idea
A bill was recently introduced in the US congress that would allow private organizations to ‘hack back’ when attacked. This is a Bad Idea™ that should be quickly put to rest – no good can come of it.
When we’re attacked, spoofed, phished, or just annoyed with junk phone calls, it’s human nature to want to return the favor. Companies spend large and growing resources on cybersecurity that could better be spent building new and innovative products. Unfortunately we don’t live in Utopia, and directions there don’t seem to be loaded into our GPS, so we try to protect our organizations as best we can given resource constraints. Should we divert a portion of that capability to hack back at attackers? For private organizations, absolutely not. Let me explain.
It goes back to the problem of attribution, which I’ve written about in the past. Our adversaries are well versed in covering their tracks, planting misdirecting evidence, and throwing blame on innocent third parties. Hacking back is far more likely to inadvertently hit a different victim of the hackers than the actual actors themselves. Worse, we know the bad guys would use this as a new threat vector. Rather than attacking company A directly, they’d hack those servers, and use them to hack company B. When B retaliates against A, they do far more damage than the original hack. If the two firms are direct competitors, then the only ones who really win in this situation are the bad guys and trial attorneys. Oh, and on that last point – no legal counsel worth their salt is going to authorize a hack-back by a private entity, regardless of what the law says.
You’ll notice I’ve only talked about private organizations, which leaves law enforcement and national intelligence and defense. I’m not going to address the ethics of ‘stockpiling’ vulnerabilities, but there’s no question that those agencies and the military definitely possess offensive cyber-attack capabilities. Should those be used on behalf of private organizations? Only as much as is necessary for attribution and criminal prosecution – and even then, only with appropriate authorization and oversight.
Friday Photo – Maroon Bells, being loved to death
This week’s photo is from the Maroon Bells, near Aspen, Colorado. Like many of our national parks and wilderness areas, this one’s being loved to death. Crowds have increased to the point where shuttle buses are now required, and soon we may see a quota put on reservations. I’m all for those restrictions to better manage these amazing wild areas, but we still need to do more.
Too many folks didn’t grow up learning and understanding how to appreciate wilderness without impacting it. Take only pictures, leave only footprints was a mantra in the Boy Scouts long ago, but we went even further, and would always pack out more than we packed in. Unfortunately that’s all too easy to do, as vandals and careless or inconsiderate visitors only think of themselves or expect that Mom’s there to clean up after them.
I have my disagreements with some in the wilderness and environmental movement – capitalism and conservation can co-exist, but finding the right mix isn’t easy. One thing we do agree on is that these amazing places need to be managed to ensure that they’re there for future generations. Do your part and Leave No Trace – and make sure that your children and friends do the same.