FRAMINGHAM (04/03/2000) - My first mugging was at age 12. I was the muggee, not the mugger. Over the years living in New York, I was held up at knifepoint several times, handed over my wallet and then watched the bad guy scamper away.
If I had the guts or the skills, I might have tried to take the knife away. If I had taken the knife away and the mugger was still threatening, I might have knifed him. In the court system that is called self-defense.
Fast forward to cyberspace.
You are running a Web site. Making money perhaps, and visitors are seeing your message. Then, according to your perimeter intrusion-detection device, some online goofball or criminal hacker is beating on your door. What are you going to do?
In September 1998, the Pentagon reacted to a browser-based denial-of-service attack by the hactivists Electronic Disruption Theater by using offensive applets to shut down the attacking browsers. Clean. Quick. Effective. But the Pentagon lawyers went ballistic within minutes. The techies defending the Pentagon servers had broken too many laws to enumerate - including a military prime directive, "posse comitatus," which forbids the military from taking unilateral actions within the U.S. and against U.S. citizens.
In addition, the techies by their actions had committed several federal felonies for which hackers have gone to jail.
The simple truth is that it is illegal to disarm your online assailant. Doing so requires that you take some offensive action - send out hostile applets, return fire with your own denial-of-service tools or anything else that will shut down the attack. The net effect is that both the attacker and the victim (who is attacking back) are breaking the law.
At first glance, it doesn't make any sense: If you can disarm a knife-wielding mugger, why can't you disarm your electronic mugger?
But in the physical world, you know who is mugging you. During the physical attack there is a person with a knife, and while you may not know his name or see his face, you are 100 percent sure that the knife you are taking away is in the hands of a bad guy.
In the networked world, though, you cannot be sure the guy (IP address) that seems to be attacking you is really the one attacking you. For example, many of the zombie-based, distributed denial-ofservice attacks that occurred in February were traced back to benign networks which were merely unwitting hosts to remote-triggered Trojans located on their servers.
Hostile perimeter defense is a really tough problem, and right now the law protects the bad guys more than the good guys. I don't have a perfect solution to this conundrum, but a few thoughts do come to mind:
Let the industry design a set of hostile response tools that will stop an attack, but minimize harm just in case a zombie is in the middle. Then, legalize the use of these tools.
Legalize hostile responses, and zombie computers be damned if their security is so bad that their networks can be compromised.
Build a hardened back-channel on the Internet which will provide fast routing so that trace-back and bad-guy ID is easier, faster, and with the cooperation of the ISP community, automatic.
Develop an Internet-based Caller ID system so that Web sites know who's there, what they're doing and can ignore all anonymous requests.
Do nothing: Let the bad guys continue to win.
So in the spirit of the networked community, I'm asking Network World readers to help out: What do you think is a fair and efficient way of disarming online assailants to protect your net?
Be creative, let loose; write laws or design technology. And send me your ideas. Maybe together we can get something done.
Schwartau is president of Interpact, a security awareness consulting firm, founder of Infowar. Com and author of the upcoming book, CyberShock. He can be reached at firstname.lastname@example.org.