I think an important detail is that it authorised attacks on any foreign vessel (of a specific nation), not only on pirate ships.
It also seems incredibly risky. This US admin might be okay with it, but will the next? For multi-national corporations, will other nations be okay with it? I wouldn't think countries unassociated with the conflict would be happy with digital privateering.
Imagine hacking back and accidentally hitting a hospital, killing someone in the process.
That is a fast line to getting an Interpol terrorist arrest request on your head. Sure, the US won't hand you over, but have fun never leaving the US and getting your assets abroad seized.
Worse, hackers do like using jump hosts,
so wherever you "hack back" to has a good chance of being another victim.
It's also a good point to remind people that most cases of "knowing who it was but not catching the people behind it" are either wild guesses without proof or the attacker leaving recognizable traces (like a literal "it has been us <group>" note / not a joke). But the problem with that is that any other advanced enough hacker group/APT could also have made it look like that...
The fact that they have money to hire someone to do it?
Now one might ask why they didn't use that money to defend themselves to start with.
Having worked in the space, the normal flow would look something like:
1. Random WordPress blog is hacked, hosts a fake iCloud page, which is linked to in phishing emails.
2. We find it, either by direct reporting or by our internet crawling.
3. We reach out to the hacked company, their hosting provider, and their DNS. The goal being to take this site offline no matter how.
This worked for the vast majority of hacks. Some random plumbing company has no clue their marketing site is compromised and happily works with us. Or maybe they host at GoDaddy, and we have a privileged relationship with them, and they disable the site. As a last resort, the DNS company will just delete their records.
Sometimes, though, we get a compromised site on a host in a foreign land that won't cooperate. Then what? Well, it's a legal grey area that our in-house counsel felt was perfectly fine: hack the site and take it down the hard way. We didn't advertise or document when we did this. It was an open secret inside the company, however.
All this does is legitimize the sadly necessary work we face in a modern world.
Not required. This is unlikely to be random SecOps and SecEng corporate employees, as the legal risk is too high when government administrations are replaced every few years.
Just like with real piracy at sea, companies would hire mercenaries, nowadays referred to as private military contractors. The fight back would just be to initially identify them (attribution), then activate PMCs at or near their location and neutralize the root cause.
With time, countries will tire of random PMCs showing up and will take a stronger approach to dealing with their own hackers, in addition to making the internet less anonymous. The effort to make the internet less anonymous has clearly already started, as HN has been witnessing. Efforts like BCP 38, 84 [1], authenticated packets likely using a nonce after government-ID-based auth, and many other methods will be implemented as previous efforts have stalled.
[1] https://videocardz.com/newz/nvidia-allegedly-hacked-the-rans...
The real question is whether they can even properly attribute to the correct target. Nobody hacks from their home IP. Anyone remember Uplink? You'd make it way easier to avoid getting arrested (which wipes your save) if you proxied through the tutorial machine first and wiped its logs after you were done. Likewise, even the most basic cybercriminals know to hack with machines they've already compromised, so that all the owners of those machines and their ISPs' abuse desks spend all their time pointing the finger at each other.
Sony's movie division financed a movie North Korea disapproved of, and the DPRK retaliated[1] by hacking Sony Pictures, releasing executive salaries, emails, private employee information, unreleased movies, and scripts, and setting loose wiper malware on Sony Pictures' internal network. Sony was also forced to cancel the theatrical release because there were threats of terrorist attacks at theaters that showed the film.
"Hacking back" is not a great strategy for most companies, except those that were already juicy targets and are battle-tested against state actors. But what do I know, I'm no fancy CSO.
Also, why burn the resources? Attacking isn’t free.
It's like saying "the police don't care anymore, citizen, so you know, just punch back". It's also incredibly dangerous btw to tell private firms they have the authority to engage in what is basically an act of warfare.
If the goal is simply breaking shit (versus e.g. exfiltrating data), offense is way easier than defense. Also, security is an ongoing expense. Retaliation is one-time.
Disagree. Retaliating draws a larger target on you, increasing the need for ongoing security and increasing the need to retaliate. You're retaliating against multiple fronts and vectors. It's all very expensive and an arms race.
Making criminals' lives more complicated is a good strategy. Corporate vigilantism, I don't know.
Verifying the actual source of a hack is not necessarily easy, as far as I know.
The Geneva convention says that combatants must be identifiable by uniform, so we can just enforce that, right? /s
One reason: when a corporation attacks someone, how do they decide who they are attacking? What if they attack the wrong person due to misattribution? What if they do it due to incompetence (stretch your mind and try to imagine incompetence in IT) or just to look like they did something? What if they attack enemies or competitors? I'm sure they can find some excuse.
In every other domain of justice, there is a warrant, an arrest, an indictment, and a trial, involving the agreement of many people in two branches of government.
Also, does this mean I can 'hack back' the endless scammers?
0 – https://en.wikipedia.org/wiki/Pardon_of_January_6_United_Sta...
1 – https://www.nbcnews.com/politics/politics-news/trump-calls-a...
> That sort of thing does, however, fit with the present administration's ideology
These kinds of firms (usually branded as boutique consultancies) have already existed in the OffSec space for over a decade now in most countries, and with the tacit approval of their law enforcement agencies.
It was BSides this weekend and RSAC is on right now, so you will bump into plenty of them walking around Moscone.
https://www.whitehouse.gov/wp-content/uploads/2026/03/Presid...
I don't see where the policy instructs the private sector to "hack back", a quoted term in the article.
Link seems to be down ATM. Is this caused by that Cloudflare issue affecting archive.today that was just posted recently?
For clarity, the recent issue[0] likely wasn't intermittent. Cloudflare's malware-blocking DNS server now blocks those archive.today sites. It doesn't affect the non-malware-blocking DNS server (1.1.1.1).
[0] https://news.ycombinator.com/item?id=47474255 "Cloudflare flags archive.today as "C&C/Botnet"; no longer resolves via 1.1.1.2"
The attendant does not want smoke… but what if Circle K can hire top talent to "eliminate"?
How cool would a team of 12 guys charged with hurting the hacking firm be? Awesome job. And if successful, you'd have a cool story. White hat, but you don't need to work for the NSA.
Only if they know that they have been hacked. Hello, Microsoft.
Instead of automating away a job that is mostly about blathering on with half-truths about the future of the company (something that AI could actually do perfectly fine), they instead think they can fire half the engineers and replace them with Claude Code.
If our society was organized around the needs of workers, and existed to help workers compete at their crafts (somehow), then this would make sense.
But it isn't. Every one of our jobs exists as a contract that was initially offered by an owner of capital, and created in order to make that person more money.
As such, ownership is literally the _only_ job that will never be replaced, because it is the atom from which all the rest of the market's building blocks have been built.
AI could replace every job in the market, and company-owner would be the only job left untouched, because every other job in existence, ultimately, has been created to serve that person, not the other way around.
If the country isn’t on fire afterwards, I’m giving up on it.
How?
Maybe this time they will only let it go down for a couple days.
However, the law needs to reflect that if people are to actually take the suggestions seriously.
There's no such thing as a secure system that's usable. You can asymptotically approach it given infinite money, in the same way you can approach physical security ("if it were really important to you, you would've cloned Fort Knox, so I guess you don't care") or even the speed of light. But even Fort Knox is vulnerable to a highly determined invading army.
Getting compromised doesn’t inherently mean you made mistakes.
I entirely agree, but I think the reason you see such upset posts is that they are thinking of situations where EGREGIOUS mistakes were made and no liability was found.
Central control over everything gives you a central way to shoot yourself in the foot. Duh. Maybe don't be a control-freak company, or if you are, have 2FA on your admins' accounts.
"Nation state" my ass.
They also demonstrated that one rogue admin could have deleted the entire company in like one evening, too, if he felt bad enough.
Well, they also relied on this company to protect them, so...
https://www.bleepingcomputer.com/news/security/microsoft-ent...
And what is the limit on that? Because the only actually-secured system is one that is not connected to anything or accessed by anyone.
Look, I agree that people are shit and the only person you can trust is one you've killed yourself, but that's not really a workable solution.