8 comments

[ 3.4 ms ] story [ 31.2 ms ] thread
There’s a case for allowing digital privateering against countries that routinely allow fraud. For example fraud is 68% of Laos’s GDP.

If Laos wants to be taken off the list of permitted targets then it can crack down on fraud. They have effectively allowed digital privateering against us by failing to crack down on fraud.

https://www.theguardian.com/technology/2025/dec/02/scam-stat...

I think you’re fine, which hacker is going to go to the police about it?
All vigilantism has issues. For example, if I was ever to do something horrific online I’d probably hack someone unrelated to me first and tunnel through their computer and online presence to make sure if I got caught it would not blowback onto me so easily. Not that I’ve thought about it or anything :-/
I mean it sounds ok, assuming that you are evenly matched. But assuming this was legal and someone like google has automated hack back triggered by some automated rule.

Its a bit trigger happy and I do something like change VPN, with my session, and it looks like I'm trying to probe with multiple IPs.

Boom, my devices all fall apart and my internet is offline until they stop DOS'ing me

> Legitimate use cases, including security research, web archiving, and search engine crawling, can be distinguished from credential scanning by scope and target: no valid automated process needs to probe arbitrary third-party servers for .env or .git files.

What about security researchers scanning for their research? What about scanners that notify you?

Hi, if you are still interested - I updated the post/paragraph and included:

Another approach would be not to make the files 1 TB in size, but only about 50 MB, while distributing them collectively. This would spread responsibility across many participants and reduce the individual burden of liability. If many users offered such files, automated scanners or bots would effectively end up cluttering themselves with useless data, without any single participant impacting the system to a degree that could be framed as deliberate destruction. [...] A possible safeguard for legitimate scanners would be to operate only within defined time limits or request quotas. In contrast, uncontrolled or unrestricted scanners would gradually overwhelm themselves with this distributed noise.

Hack-backs are a topic that comes up every few months from government representatives here. There are two big problems I have with this:

- you don't know "who" you hit. The case in TFA is still rather simple (just send the "hack" as the response), but you will still most likely hit some residential proxy and nuke some random person instead of the responsible actor - (this is not too related to TFA but a point in discussions about hack-backs on a state-actor level) unless you're doing a very simple "attack", you need to have some sort of vuln ready to perform any kind of hack-back. Which leaves the ethical dilemma that actors are now motivated to keep vulnerabilities available, thus making the world more unsafe. And once you have used your vulnerability, your "enemy" probably knows it as well.

(comment deleted)