60 comments

[ 3.1 ms ] story [ 121 ms ] thread
For people who won't read the article, it makes it clear that this is just a thought experiment, and offers a lot of reasons why we don't legalize cybercrime.

But one reason that's not mentioned is that it's horribly asymmetric:

> Let me paint a utopian world for you, where all kinds of cybercrime – hacking, ransomware, DDoS, etc. – are entirely legal.

It's much more expensive to defend against a DDoS attack than it is to launch one. Granted, if we did live in a world where cybercrime was legal, and things like IoT cameras were much harder to subvert into a free botnet, it might become more expensive, but in the end a lot more effort would be put into prevention than would be put into cause.

Wouldn't it be possible to make the economics of DDoS symmetrical by enforcing repercussions at the ISP level?

If 10,000 IPs are syn flooding, all out of one ISP, their peers can stop routing that ISP's traffic until that ISP starts mitigating.

I imagine the biggest impracticality is that ISPs are monopolistic, so if you stop routing someone like Comcast, all of a sudden half of America is offline.

Perhaps we COULD let the internet be the Wild West, if we had a fair selection of providers, or if they effectively self-regulated.

Yes. Such things were in my recommendations. You could ensure stuff can always be traced to source (at transport level), filtered, and/or rate-limited. DDOS's get rate-limited automatically by ISP endpoint or middleboxes with costly penalties for this happening. Simultaneously, supply side starts offering all kinds of options to prevent that which are cheaper than being declared digital version of a public nuisance.

The Tier 1-3's mostly don't care since they're paid primarily to provide the line plus have regulators in their pockets. There's certainly work in these to reduce DDOS a bit for competitiveness but they avoid a simple solution like mine out of greed. ;)

> DDOS's get rate-limited automatically by ISP endpoint or middleboxes with costly penalties for this happening.

Who would pay? My name is Serhei, and I'm in Ukraine, and I just unleashed a 100k-strong botnet of smartbulbs and babycams. It's spread somewhat evenly across American households, and mostly among their ISPs. I still pay nothing.

The people who connect products or configurations with shit security to the Internet. Bad security has to cost them something before the demand for good security is generated. Just headaches right now but loss of money or Internet is more severe. Then, with a demand, either the hardware/software market or the regulators will start doing something from there. They're already doing something where numerous products exist that were all created by relatively small companies or teams. They'll do a lot more.
> the biggest impracticality is that ISPs are monopolistic

I reckon the biggest problem would be that you could DoS an entire ISP simply by doing a SYN flood attack from inside it.

Sure, until that ISP learned to not let you do that (or at least not to pass it on to the outside world).
But the same thing applies right now even though cybercrime is a crime.
For me this was just the start of a thought experiment. He didn't take the train past the first station.

At first glance it seems like "Oh if only cybercrime were illegal then companies would have to step up their security practices." But this just isn't true. The companies responsible for the security holes in IoT devices are not the ones who suffer because of the DDoS attacks launched with them.

Similarly, the free market response to the current reality of cyber crime is not for makers of vulnerable devices and software to simply make better products, but it is additional services and companies rising up to fill needs. Some of these are effective and others are not, and they all cost a lot of money for the victims of the attacks, and not for the people making vulnerable products.

For me this blog post was really lazy and needed a lot more thought put into it.

> It's much more expensive to defend against a DDoS attack than it is to launch one.

Only because there is little incentive to change our infrastructure to mitigate such attacks. If we change to content-based addressing that utilizes pervasive multi-level caching, then every DDoS becomes instantly futile.

I do kinda fancy the idea of giving letters of marque for "cybercrime", though it's obviously not realistic for a whole bunch of reasons.
While we can dream of a future where cybercrime is legal and we rely on our code and math to protect us, completely legalizing it today is not our best option. Nevertheless, we should consider moving in that direction.

I like that this article looks at the distributed, societal-level effects that derive from law. But I find the "should consider moving in that direction" part to be perplexing. One straw-man take against that: what about defense in depth? Can we strongly incentivize secure software and software-based appliances and still have legal deterrents against cybercrime perpetrators?

Wouldn't the presence of those legal deterrents allow a company to transfer resources away from tech and into legal to mitigate the problem?
Odd that google.com now redirects me to bing.com when I use Microsoft Edge... Ah, another Facebook blackmail notice, need to remember to send them their monthly $20, so they don't tell my significant other about my affair... Somebody left a phone on the ground, oh damn it, it just scanned my fingerprint and is breaking into my bank account, serves me right, I should have known better than to go outside today.

Yeah, I'm not digging this dystopian future. On the plus side, it would bring typewriters back into common use.

> Somebody left a phone on the ground, oh damn it, it just scanned my fingerprint and is breaking into my bank account

Never, ever, use biometrics as a valid login option for identity-sensitive data/applications. They're way too easy to find out for an attacker.

The real problem is when it becomes a mandatory authentication system. We've all seen the ridiculous password requirements some sites have, that in reality offer no additional protection -- and their implementations are often questionable; Chase Bank still is case insensitive for example. All it will take is for someone to think it's a good idea, and make a push for that as a standard.
(comment deleted)
> Somebody left a phone on the ground, oh damn it, it just scanned my fingerprint and is breaking into my bank account

brb picking up an old google phone on craigslist

waht if they legalize security research :-D
An interesting thing to consider would be the retaliation that might develop. The best defense is a good offense, so all these companies might start actively attacking their attackers.
It's a reasonable tactic when you have comparable resources to your opponent, and you know how to attack them. Both cases are probably untrue, the latter in particular.
What if we legalize murder?

People will be forced to be nicer to one another. People will learn self defense and become stronger and more capable. There will be more gun safety because everyone will be trained in gun use properly. Fewer spouses will cheat.

It will be a great world for everybody.

I don't know if that's quite a fair comparison. Physical self-defense is a cost we all would have to incur all the time. Software security, on the other hand, can be paid in a bit more of a centralized way by companies who are paying that cost anyway.

Obviously this is a thought experiment and probably shouldn't actually be done, but I think the murder comparison is slightly unfair to the idea.

If we think what would really happen if murder was "legalized", the comparison is fairly apt.

Essentially, the state would have abandoned its job of providing protection and average people would be left to their own devices.

But more importantly, who ever had power in other capacities would be tempted to use murder to solve their problems, including getting people to pay bills on time and stuff. The legality of murder is kind of what separates a mafia-state from a regular state. Murder isn't constant in a mafia state but the strong are willing to prey on the weak ruthlessly there.

Similarly, if hacking is legal, every legitimate software vendor will be happy to put backdoors in their product - and use those backdoors against those too weak to fight back.

Which is to say, the thing the "legalize hacking and people will be more careful about criminals" and similar arguments misses is that the laws have the important effect of making it more likely that only "criminals", people outside normal society, will do crime. When those with power and money also do crime, the average person suffers pretty badly (and the law doesn't guarantee the end of corruption, just makes it a bit less likely).

> Similarly, if hacking is legal, every legitimate software vendor will be happy to put backdoors in their product - and use those backdoors against those too weak to fight back.

That isn't necessarily true. It is, for instance, not illegal to make shitty quality products that break down, or provide low quality services. But companies that do that develop a reputation for doing so, and are penalized for it in the market place.

That is to say, if you were to legalize cybercrime, yes, some companies would try to capitalize on that. But others would then move to fill that hole in the market place by being honest. And once their credibility and therefore future profits are predicated on that honesty, they will be highly incentivized to protect it.

This is vaguely analogous to the argument that security by obscurity is bad. If our computer networks and systems are secure due to the threat of violence of the state and not due to their inherent security, are they really secure?

Now, I think the nuance here is that sometimes this sort of argument is correct and sometimes it is not. When two forms of safety compete, they crowd each other out.

- When the state prevents murder, people don't have to. - When the state prevents cybercrime, vendors don't have to. - When your security procedures are secret, they're harder to exploit (until they become known).

Sometimes the tradeoffs involved are good, and sometimes they are bad. In the cases of the two cited instances on the ends, which is which is pretty clear. But #2 pretty clearly falls somewhere in the middle. Why that is true can be seen by analyzing the likely components of that value equation:

- How good is the state at preventing thing X? - What would the cost of that burden be on the private sector?

In the case of murder, the state is pretty good at preventing it - not nearly as much in the case of cybercrime. The cost of everyone protecting themselves from murder at all times would be astronomical, as there is no scalable way to do that. The cost of software security on the other hand, is not nearly as high.

So, while it likely still ends up to be a bad idea on balance, I think there is an interesting case to be made in that direction, at least as a thought experiment.

> That isn't necessarily true. It is, for instance, not illegal to make shitty quality products that break down, or provide low quality services. But companies that do that develop a reputation for doing so, and are penalized for it in the market place.

That really depends on both the jurisdiction and the product. The USA is the exception not the norm here, and even in that regard still has strict laws on big ticket items like appliances and automobiles.

The analogy is hyperbolic but apt. States exist to hold a monopoly on violence and protect property rights. One takes priority to the other, but they're both fundamental raisons d'être.
No, one is a potential raising d'être, the other is just a definitional requirement for being a state -- whatever entity or collection of entities holds a monopoly on legitimate violence in a region is, ipso facto, the state, no matter what it's reasons for existing are.
Exactly. If we legalize crime we just move from monopoly to oligopoly. Frankly the state's monopoly is my preference for as long as it remains broadly representational of the interests of its citizens.
I'm not sure what you're arguing against there. Nobody is advocating or even talking about relinquishing the state's monopoly on violence.
> I'm not sure what you're arguing against

The top commenter analogized, jestfully, legalizing homicide with legalizing cybercrime [1]. A second comment said this comparison was unfair [2]. My comment [3] responds to that second comment.

In essence, if a state's claim to a monopoly on violence is legitimate, then its claim to protecting property rights is (almost) as valid. Thus, advocating a dissolution of the latter, e.g. legalizing cybercrime, can be compared, as a legal argumentum ad absurdum, with permitting murder.

[1] https://news.ycombinator.com/item?id=13266097

[2] https://news.ycombinator.com/item?id=13266146

[3] https://news.ycombinator.com/item?id=13266749

But nobody is advocating that the state relinquish the right to protect property. They aren't making a philosophical argument about rights and laws of nature. They are making a practical case that, it may not make sense for the government to protect cyber property specifically. And that they make that determination on the basis of practical considerations.

They aren't relinquishing their theoretical right to control it. They are simply choosing not to for practical reasons.

Maybe this would be a better analogy if you could murder a bunch of people at once, and no one, including the victim would ever notice. Or maybe if solving one murder prevented all future murders of the same type.

Or maybe I should just read this as a punchy response, rather than a decent analogy. In which case I should probably just downvote the comment as sensationalist ;)

Pretty sure we'll all just end up killing off people to form our own mini kingdoms. The warlords with the most kills wins control of their domains.

Basically this is what happens at the international level, since there is no global authority - countries can kill as much as they want. And they established themselves through killings.

If you do that at the local level, you will end up with the same - lots of warlords establishing themselves through killings, assisted by forming alliances, etc..

Heinlein: "Beyond This Horizon".

One of his earlier works, with their contemporary-culture-driven stereotypes; nonetheless interesting.

P.S. A lot of murder in today's world is currently de facto "legal", whatever some doctrine written down somewhere may say. Having an honest perspective towards, recounting of, and analysis of this might improve our approach to building and maintaining societies.

P.P.S. I'm not advocating for murder, but for a more honest conversation about power dynamics -- and communication of this to younger people learning to navigate the world.

We are slowly moving towards anarchy. I'm still not sure how I feel about that.
The tragedy of Galois is that he could have contributed so much more to mathematics if he'd only spent more time on his marksmanship.
What if we legalize guns?

People would live in fear, and crazy people could shoot up schools and movie theaters, whenever they want to.

Oh, wait that's reality in the USA.

I think a better analogy here would be fraud.
This is why we need sarcasm markers on the internet. Not just for this comment but the entire thread is full of propositions that are ridiculous on their face.
Cyber attacks are financial, and involve money and information.

Murder is the permanent end to a human being's life.

The difference makes your argument a non sequitur.

The article is a good thought experiment, but I think doesn't touch on the one current legal form of cybercrime: bug bounties.

While they have their issues, properly administered they are a win for security researchers, consumers and companies.

A great recent example is Shopify: https://news.ycombinator.com/item?id=13200455

>With no law to hide behind, companies will put a much more serious effort into making products that are secure from day one. The "Nobody will do this because it's illegal!" excuse is gone.

It's not like the "Nobody will do this" stuff makes much sense at the moment given there are hacking stories in the press all the time.

Even the most deranged psychopath follows the lines on the road when driving. The lines serve a purpose, which may fail for specific individuals, but does provide a guideline so that most do (even if some of those following some lines will cross others). Laws do not govern by consequence alone, but by exploited instincts in humans. Humans do not cleanly separate social agreements from safety constructs from linear optimizations.
Interesting concept, but seriously what is up with the comments on this blog post?? I could not have been more surprised or confused by that.
The comments appear to be written by Terry A. Davis, a schizophrenic computer programmer famous for creating TempleOS as well as his belief that one can communicate with God through random numbers. He was shadowbanned a number of years ago on HN for making similar off-topic and offensive comments.
There's no lack of cybercrime around to force people into hardening their own security.

People still don't care. And it is still asymmetric in that the people with loose security aren't being hurt by their own loosiness. And it is still impossible to ensure your system is completely secure. And it is still asymmetric in that attackers only need one flaw to win, defense must fix every flaw.

This is a good thought experiment. I'd like to expand on it.

The author points to these items:

    - The value they expect to gain for themselves by attempting the attack.
    - The probability of getting caught.
    - The punishment they expect to receive if they do get caught.
They then make the argument that it's disadvantageous to try to maximize the probability of getting caught or increasing the punishment (items 2 and 3).

Legalizing cybercrime would have some positive effects, for sure, but also many negatives, as discussed.

What if we tried to minimize "value they expect to gain for themselves by attempting the attack"?

Here's a twist, I'd like to consider minimizing that by breaking it down further. There are two important components here:

    1. the value
    2. the who (the boundary of what's included as part of "themselves")
I don't think it's easy or viable to reduce the value gained, but what if it were possible to change the definition of "the who"?

I look at myself as an example here. I personally have very little interest in harming others. Even if I were in a hypothetical situation where I knew I could do something with low chance of being caught and/or low punishment, I still wouldn't take advantage of that situation. In fact, I would really enjoy being nice/white hat in such a situation. But it's not because the value is low, it's because I consider "myself" as the overall humanity and not just myself the person who's typing this comment. My goal is to maximize the benefit for everyone by creating net positive value. I know that if I could to DDoS or steal money from someone, even if it's risk-free or legal, I still wouldn't do it just because it doesn't benefit all of humanity (even if it benefits myself)... the value as I see it is overall negative (I gain less than someone else loses).

So I wonder if it's possible for more people to look at things that way, where they try to maximize value for everyone rather than themselves. Can we increase people's empathy? But most importantly, if everyone behaved this way, would that actually be better for us, or would absence of selfish behavior and competition be harmful?

> Can we increase people's empathy?

Psychopaths exist. What do we do about them?

More specifically, there are several mental disorders that are defined, in part, by a lack of empathy (ex: Narcissistic Personality Disorder). Attempts to "increase people's empathy" will likely fail on those individuals.
Ah right, I forgot about the others. :(

Yeah, it's a real problem that needs to be addressed when discussing empathy.

> Making the punishments more severe is a poor idea too. We've see again and again people being prosecuted under cybercrime law for "crimes" that shouldn't have been crimes.

This is bad logic, increasing punishments does not necessarily mean more innocent people get caught.

I think you're misinterpreting.

It's not necessarily that more innocent people get prosecuted, but that when they do the stakes will be higher.

Why doesn't the government protect people from cybercrime? You can openly threaten, harass, and slander people with no penalty. You can steal things from people - even from the institutions that are fundamental to democracy - with very little risk of punishment.

It's the wild west; government has abandoned it's responsibility to protect its citizens and institutions, and for some reason very few people object; they accept it as the norm.

Reminds me indeed on the idea on some Libertarians, who believe we all steal from each other. So making every legal would result in that you get an equilibrium in which everybody gives up something voluntary and nobody steals anything. This is probably badly summarised but I never believed that would a good idea or even realistic.
I think in many places or situations, depending on the targets and the overseers, it sort of is.

Intelligence or military cybercrime is definitely legal to the ones doing it. Some places or countries are too small to enforce or don't care about it. Some people are probably helped by funders who have bribed their way into legality.

In the same vein as the title question: what if we (ie, one of the botnet operators) made all the shitty IoT devices into TOR exit nodes? My guess is that would either (a) incentivize people into securing or discarding them or (b) normalize exit nodes for the benefit of tor and online anonymity.