Should hack-back be legal?

(speculumx.at)

14 points | by Vektorceraptor a day ago

14 comments

  • sjducb an hour ago

    There’s a case for allowing digital privateering against countries that routinely allow fraud. For example, fraud is 68% of Laos’s GDP.

    If Laos wants to be taken off the list of permitted targets then it can crack down on fraud. They have effectively allowed digital privateering against us by failing to crack down on fraud.

    https://www.theguardian.com/technology/2025/dec/02/scam-stat...

    • alephnerd an hour ago

      The issue is those jurisdictions that have allowed such rot to take hold truly don't care.

      Both Cambodia and Laos have governments where leadership is directly tied to organized crime, but the PRC has continued to expand their relationships with both because of their strategic position and because their governments directly cooperate with Chinese law enforcement.

      Similarly, in the threat hunting space, it's been common to find Russian-originated malware that would shut itself off if it identified an indicator or signature that implied that the workload was within the CIS.

      In the same manner, if I were to conduct illicit cyberoperations in a jurisdiction like the UAE but not target the US, India, China, and a couple other jurisdictions with strong ties with the UAE I could operate with impunity.

      It's the same reason Neville Singham is in Shanghai and Guo Wengui is in New York. It's also the same reason Ecuador handed Assange over after the government changed from being hard-left and aligned with Russia and Venezuela to center-right and aligned with the US.

      Edit: can't reply

      > the case that fraudsters can already target Laos and Cambodia with impunity from certain jurisdictions

      Not legally or morally, but this is de facto the case.

      That said, the countries most annoyed at Laos and Cambodia (e.g. Thailand, Vietnam, and the US) would much rather use regime change, or use pressure points like financial crimes prosecution, which dramatically reduces your freedom and dramatically increases your risk of being used as a pawn to trade, and offer the carrot of negotiated immunity deals in return for flipping.

      These kinds of organizations don't exist with impunity - they are pawns that are discarded the moment their value can no longer justify their liabilities.

      • sjducb an hour ago

        Are you making the case that fraudsters can already target Laos and Cambodia with impunity from certain jurisdictions?

        If you are then I would point out that being legitimate allows you to attract better talent. See America’s private military contracting sector. Yes you can go and be a mercenary abroad and operate in a legal grey area, but if you’re a Private Military Contractor working for a major US company then you won’t go to jail in the US when you come back, and you can put it on your CV.

  • looperhacks an hour ago

    Hack-backs are a topic that comes up every few months from government representatives here. There are two big problems I have with this:

    - you don't know "who" you hit. The case in TFA is still rather simple (just send the "hack" as the response), but you will still most likely hit some residential proxy and nuke some random person instead of the responsible actor

    - (this is not too related to TFA but a point in discussions about hack-backs on a state-actor level) unless you're doing a very simple "attack", you need to have some sort of vuln ready to perform any kind of hack-back. Which leaves the ethical dilemma that actors are now motivated to keep vulnerabilities available, thus making the world more unsafe. And once you have used your vulnerability, your "enemy" probably knows it as well.

  • looperhacks an hour ago

    > Legitimate use cases, including security research, web archiving, and search engine crawling, can be distinguished from credential scanning by scope and target: no valid automated process needs to probe arbitrary third-party servers for .env or .git files.

    What about security researchers scanning for their research? What about scanners that notify you?

    • derefr an hour ago

      Insofar as the thing we're talking about here isn't exactly "hack-back" per se, but more like "booby trapping your honeypot", I think you might be able to make an argument analogous to the one that would apply as a booby-trap defense:

      Namely, that if "common sense" is enough to prevent someone from suffering any injury from a booby trap even when they do trigger it, then it's not really a "booby trap" in the classical definition. It's just an object with dangerous edge-cases.

      In the literal booby-trap case, you might picture, say... a garden hose.

      It would be hard to imagine someone being harmed by "normal" use of a garden hose. Most ways to engage with it wouldn't result in any harm. You could turn it on, maybe get a bit wet or lashed if the hose whips around as it stiffens. Point it at yourself and use it to wash yourself clean. Maybe point it in your mouth and choke.

      The only clear way to harm yourself with a garden hose, would be to put the hose in your mouth and then turn it on. And then to not remove the hose when you begin to feel very, very uncomfortable.

      And that's very silly! Why would you do that? You could have stopped drinking from the hose at any time!

      A garden hose has a dangerous edge-case: the water stream is infinite, and the hose fits in your mouth, and the internal stomach capacity of a human is finite. But it's an absurd dangerous edge-case. Nobody with common sense would encounter this edge-case. So a garden hose is not a booby trap. And an abandoned house with a garden hose connected to a water supply is not a booby-trapped house.

      See what I'm getting at here?

      You can give up and stop streaming (/ parsing / building-up-your-in-memory-ADT-from) an HTTP response that "just keeps going and going" at any time. And any vuln-scanning client programmed by someone with some common sense (e.g. a professional security researcher) would have that common sense built into it. So a 1TB .env-file HTTP response is not a booby trap.

      And yet, of course, it will catch (and break) those "special" clients, built by people with no software-engineering common sense, i.e. script kiddies. But it's not your fault that some people have built deranged software that goes around wrapping its mouth around strangers' garden hoses!
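The "common sense built into the client" that derefr describes is a size and time budget on every HTTP fetch. The following is an added example, not code from the thread or from the linked article: a small Python client that reads a response only up to a fixed number of bytes and a fixed elapsed time, tested against a constructed local server whose `/.env` path streams forever with chunked encoding (so no `Content-Length` warns the client in advance) and whose `/small` path returns a normal finite body. It goes one step beyond the comment by also bounding wall-clock time, because a per-read socket timeout alone never fires on a server that trickles one byte at a time. All names (`bounded_fetch`, `DemoHandler`, `TooLarge`, the `KEY=VALUE` filler) are my own, not anything from the article.

```python
"""Bounded HTTP fetch: a client that refuses to swallow an endless body."""
import http.server
import threading
import time
import urllib.request

MAX_BYTES = 64 * 1024     # hard cap on body bytes we are willing to hold
MAX_SECONDS = 10.0        # hard cap on wall-clock time per fetch
READ_TIMEOUT = 5.0        # per-read socket timeout (not enough on its own)
CHUNK = 4096


class TooLarge(Exception):
    """Raised when a response exceeds the size or time budget."""


def bounded_fetch(url, max_bytes=MAX_BYTES, max_seconds=MAX_SECONDS):
    """Fetch url, but stop reading the moment the body outgrows the budget.

    Two budgets are enforced: total bytes (a never-ending body) and total
    elapsed time (a slow trickle that would never trip a per-read timeout).
    """
    start = time.monotonic()
    buf = bytearray()
    with urllib.request.urlopen(url, timeout=READ_TIMEOUT) as resp:
        # An honest Content-Length above the cap is reason enough to stop early.
        declared = resp.headers.get("Content-Length")
        if declared is not None and int(declared) > max_bytes:
            raise TooLarge(f"declared {declared} bytes exceeds cap {max_bytes}")
        while True:
            # Read at most one byte past the cap so overflow is detectable.
            chunk = resp.read(min(CHUNK, max_bytes - len(buf) + 1))
            if not chunk:
                break
            buf += chunk
            if len(buf) > max_bytes:
                raise TooLarge(f"body exceeded cap of {max_bytes} bytes")
            if time.monotonic() - start > max_seconds:
                raise TooLarge(f"fetch exceeded {max_seconds}s")
    # Leaving the `with` block closes the socket, so the server's stream is cut off.
    return bytes(buf)


class DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed local test server (assumption, not from the article).

    /small returns a finite body; every other path streams forever using
    chunked transfer encoding, so the client gets no size hint up front.
    """
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        if self.path == "/small":
            body = b"DB_HOST=localhost\n"   # constructed sample body
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        self.send_response(200)
        self.send_header("Transfer-Encoding", "chunked")
        self.end_headers()
        payload = b"KEY=VALUE\n" * 400       # 4000 bytes of constructed filler per chunk
        try:
            while True:
                self.wfile.write(b"%x\r\n%s\r\n" % (len(payload), payload))
        except OSError:
            pass  # the client hung up, which is exactly the sane outcome

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo():
    """Start the local server, fetch both paths, return (small_body, error_text)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler)
    server.block_on_close = False   # do not wait on the endless handler thread at close
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        small = bounded_fetch(base + "/small")
        try:
            bounded_fetch(base + "/.env")
            error = None
        except TooLarge as exc:
            error = str(exc)
        return small, error
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    body, err = demo()
    print("finite body:", body)
    print("endless body:", err)
```

The same budget belongs in any client that talks to servers it does not control, whether a web archiver, a crawler, or a scanner that notifies site owners: once size and time are bounded, an arbitrarily large response costs the client a few kilobytes and a closed socket, nothing more.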

    • Vektorceraptor an hour ago

      You are right. I am not satisfied with this sentence myself and will revise it. In its current form it sounds contradictory and nonsensical. However, I have not yet been able to identify a reliable demarcation criterion...

  • andy_ppp an hour ago

    All vigilantism has issues. For example, if I was ever to do something horrific online I’d probably hack someone unrelated to me first and tunnel through their computer and online presence to make sure if I got caught it would not blow back onto me so easily. Not that I’ve thought about it or anything :-/

  • KaiserPro an hour ago

    I mean it sounds ok, assuming that you are evenly matched. But assume this was legal and someone like Google has an automated hack-back triggered by some automated rule.

    It's a bit trigger happy and I do something like change VPN, with my session, and it looks like I'm trying to probe with multiple IPs.

    Boom, my devices all fall apart and my internet is offline until they stop DoS'ing me.

  • joegibbs an hour ago

    I think you’re fine, which hacker is going to go to the police about it?

    • KaiserPro an hour ago

      Depends.

      If the hacker is any good, they'll be using other people's machines. This means that you could be triggering legal fun™

    • TACIXAT an hour ago

      The better question is will you get killed. Foreign intelligence does not take kindly to interference, nor do well funded criminal enterprises.

    • bitwize an hour ago

      "If I sprain my ankle
      While I'm robbing your place;
      If I hurt my knuckles
      When I punch you in the face...
      I'm gonna sue! Sue! Yeah, that's what I'm gonna do!
      Sue! Sue! I might even sue you!"

      —Weird Al Yankovic, "I'll Sue Ya"

    • GuinansEyebrows an hour ago

      You just better be sure they initially exploited the only vulnerability they found the first time.