Lawfulness or Unlawfulness of Hackbacks

This week I’ll be presenting my latest thoughts to law students on the technical and ethical foundations for “hackback”.

I’ve been asked to present on the ever popular slides from 2012 CONSEGI in Brazil called CyberFall: Active Defense (sometimes called by others my peak “letters of marque” period).

IT is a matter of when, not if, your systems will be breached by attack. Many security experts argue against an active defense plan for fear of legal ramifications, harm to innocent bystanders or risk of failure. This presentation takes the audience through the heart of the debate; participants will learn key legal, ethical and business considerations to practice technical self-defense in cyberspace. The latest trends in threat innovation and actions are contrasted with conflict theory in order to offer the philosophical, political and economic framework of a successful active defense. As Carl von Clausewitz might say: “CyberFall is the continuation of political intercourse with the addition of other means”.

My belated thanks to Canada for providing such a wonderful escort home from South America. Probably should have said that sooner.

I wonder to this day who was operating the Mercury outboard if their Navy was sitting with me.

Kidding of course. I’m sure they used Honda inboard by then.

I’ll also be discussing with students the online casebook by Robert Chesney, “Cybersecurity Law, Policy, and Institutions” pp. 185-208, especially the pages on “hackback” lawfulness or unlawfulness (pp. 201-208).

…we should note that there is some disagreement regarding the proper meaning of the term “hackback.” Some use it to refer to any defensive measure adopted by a potential victim where the measure will have a downstream effect inside an adversary’s system. On that view, even a simple beacon would count. Others would reserve the term for more aggressive forms of self-defense, limiting it to measures that have a disruptive effect on the adversary’s system or that provide the victim (or whomever is assisting the victim, for the victim may turn to an outside security vendor for help) with ongoing unauthorized access to some part of that system. Those who take this narrower view sometimes distinguish between “hackback” and “active defense,” with the latter referring to less-aggressive measures (like beacons) that are not disruptive and that do not provide ongoing access. On the other hand, you sometimes will see the phrase “active defense” used more broadly to span across this entire category. The important point, at any rate, is that you should make sure to make clear how you are using these labels, and likewise that you understand how others use them. For the sake of convenience, I will use “hackback” as a catch-all phrase meant to encompass the entire category of self-defense measures that might have an effect within the attacker’s own system.

Russia’s Tank Literally Empty. Reserves Called Up But No Answer

Not long after the Russian dictatorship was mocked and ridiculed for coercing thousands of its own citizens to needless deaths — ill-equipped, unprepared and misled conscripts sent into “action” against Ukraine — news started circulating about its “best tanks” loitering empty and abandoned.

Ukraine Just Captured Russia’s Most Advanced Operational Tank: The T-90M is the latest main battle tank to enter front line Russian service, and one has now been captured by Ukrainian forces.

Perhaps it is easy to see why Russia’s “most advanced” weaponry would be just a sitting duck, empty and silent, for its alleged targets as they approached.

This tank’s crew had been abandoned by Russia long before they climbed out and walked away from their poorly maintained armor in a feckless “action”. I’m sure they were thinking “if this isn’t a war, then why am I being asked to die in this dumb box”.

Russians have a far higher chance of living to see another day when they walk away from the false leadership of team Putin.

The Ukrainian army’s counteroffensive around the city of Kharkiv in northeastern Ukraine starting on Sept. 6 destroyed half of the best tank division in the best tank army in the Russian armed forces. A hundred wrecked or captured tanks in a hundred furious hours. That’s how much destruction the Ukrainians inflicted on the Russian 4th Guards Tank Division, part of the elite 1st Guards Tank Army, the Russian army’s best armor formation.

A large amount of the “most advanced” technology by Russia in their “best armor formation” was toast within a few hours.

Illustration of quality of life with Russia’s most advanced engineering within their best formation…

Abandonment in mid September is thus predictable if we believe Russian soldiers in any way were aware of that action let alone initial battle test results five months ago in early May.

Russia’s Best Tank Destroyed Just Days After Rolling into Ukraine […] Kyiv first reported the presence of the T-90M in eastern Ukraine on April 25.

There’s no need to get into the weeds on why this tank is terrible, I mean beyond understanding that Russia delivers sub-par engineering, with unreliable service/support, and non-existent ground leadership (a norm in dictatorships).

From an engineering quality and safety perspective you might say Putin is on par with Musk, driving a Russian tank in Ukraine is about as safe as being in Tesla on public roads.

Actual quality of life with Tesla’s most advanced engineering… Source: vg.no

In other words the “best” technology delivered from a dishonest flip-flopping “strongman” who loves censorship has been proving itself (whether a T90 or Model 3) basically to be…a death-trap.

Or if you prefer history as a comparison instead of “future” cars, Russia appears to be repeating mistakes much like the doomed Nazi crews condemned to serve the hot-headed and disorganized Rommel in WWII.

Nazis abandoned tanks in 1942 like Russia abandons tanks in 2022

A detail about Russian tank engineering is still worth noting here, given the increasingly low morale of Russians who expect to die in them. Instead of latching onto an industrial-age fantasy of “automation” that treats its soldiers as disposables, the American tank platform actually is designed to depend on highly skilled and valued operators.

Difficulties fielding the latest and greatest tank led Russia to pivot from the T-14 and reinvest in older T-80s and T-90As. […] “China and Russia are still operating under a three-man crew mindset and maintaining an auto-loader system,” Sgt. Emmett Fulgham, a tank gunner with 3rd Battalion, 8th Cavalry Regiment, told Coffee or Die Magazine last summer. “We have a four-man crew with an actual human loader. Most loaders can do their job in five seconds on a bad day but usually in under four. Russian tanks still take 10 seconds to load, if not longer, so for every round they get off, we can fire two or three times.”

Read that again just to be clear on this point. And especially keep in mind Tesla CEO’s false promises of a future with no need for human interaction with machine.

Over-confidence in full-automation has led both to difficulties in the latest generation of technology achieving readiness. And even if it goes to full production in real-world conditions (battle deployment for T90, public roads for Model 3) it’s not even on par with more-reliable higher-performance human-centered augmentation machinery.

To put it another way Russian leadership doesn’t care about humans much, and certainly doesn’t care about quality or reality. This translates into a ruthless bully mindset that targets defenseless civilians, the most vulnerable, as a quick fix to feel artificially powerful.

Bodies recovered from mass burial site in liberated Ukrainian city ‘show signs of torture’. More than 400 bodies said to be buried at site, including women and children, with Ukrainian president likening discovery to massacre of Bucha.

When any real resistance shows up — military force of trained soldiers and modern weapons — the Russian bully melts into a puddle or runs away.

Russia’s latest response to all this, in light of a very public melt-down, brings us to yet another empty-sounding move.

Putin has said he’s calling his non-active reserves to join his “non-war” with a “non-country“.

Any Russian citizen who is in the reserve can receive a call-up notice. Basically, this can be any man up to the age of 60. “There haven’t been cases like this in peace time, yet by law it is possible. Generally, soldiers and junior officers in reserve are called up. […] “There is no criminal responsibility for refusing the call-up. Just an administrative warning or a fine of up to $10,” Murakhovsky concluded.

Oooops.

Sorry, my bad, that’s actually a story from 2018.

I guess it’s still worth noting from 2018 that Putin is legally allowed to try and get military reserves to fight during peace-time (keeping up the ruse of not being at war with a foreign country while sending soldiers to predictable death in one) and that there’s no penalty for refusing such a suicidal call.

On that point, here’s the actual September 2022 news story about Putin flaunting a call to action.

One-way flight tickets out of Russia began to rapidly begin selling out following Russian President Vladimir Putin’s announcement of a partial military mobilisation to call-up 3,00,000 reservists to shore up Russia’s manpower-depleted forces fighting a floundering war in Ukraine…. searches for Aviasales — Russia’s most popular platform for purchasing flight tickets, with a monthly audience exceeding 15 million users — spiked considerably immediately following Putin’s announcement.

The migration data is important. It’s a superb counter-argument to hawkish analysts who try to float things like “at some stage, all the ‘dumb Russians’ will be dead and a few good generals will ultimately become replacements”.

Uhhh, nope. Smart Russians are either leaving, if not already gone, or desperately trying to appear dumb to avoid being seen as a threat to Putin.

Perhaps we can say it’s like the American Civil War where Generals on a rather stupid side of fighting to expand slavery became dumber and dumber (brutal, petty and useless) as time wore on.

Soon headlines should read something like this (puns obviously intended):

Put-in something they don’t want, Rushin’ to get away

The Russian soldiers, despite being under Elon Musk-like censorship and propaganda, clearly saw they should be leaving behind Tesla-like death-trap automation boxes. Russian reservists meant to replace them now also apparently think it’s better to leave behind their military duty.

It all shows how Putin’s attempts to play his best hand instead has repeatedly revealed major weakness of the dictator.

“The whole system is in shock and what makes this situation worse is the absolutely inadequate reaction of Putin personally,” [ex-speechwriter to Putin] Gallyamov told CNN, adding that when Putin “is in shock himself” and “doesn’t know how to act,” the Russian leader “is trying to show that nothing bad is happening.”

Expect passive resistance in Russia to soon turn very hot.

“Having a great time. Does this Russian S400 hiding in Crimea go well with my new vacation bikini?” Source: The Ministry of Defense of Ukraine

No clear leadership transition plan in that context begs the obvious next question.

Who can replace Putin? It doesn’t bode well for Russian stability that a smooth transition isn’t in the deck of cards Putin wants Russia to play with.

Dictatorship suggests a very rough road ahead (e.g. see recent news of “suspicious ends met by those who crossed the Kremlin“), unless maybe Putin takes a note from everyone around him (including his infamous friend Snowden) and runs away.

On a related note, how many innocent people must die before Musk leaves Tesla?

Russian Military Desperate: Recruiting Homeless and Prisoners to Fight Putin’s Wars

Two reports together reveal the depravity of Putin’s military footing. The issue stems from a simple fact that nobody in Russia appears willing to fight for Putin (e.g. he’s failed to raise any cause above his personality).

Allegedly there are three main routes (mercenary exploitation, release from incarceration or alternative to desperation) actively used by Russia to recruit soldiers into its “irreversible mistakes“.

Task and Purpose reports first:

The attempt to entice unhoused Russians is the latest sign that the military is getting desperate to meet recruitment goals from the Kremlin. In August, Russian President Vladimir Putin signed a decree for the military to expand from its current 1.9 million person size to 2.04 million. That’s a tough ask for the military. Estimates put Russian casualties in Ukraine at 70,000-80,000, with a third of those being deaths.

Despite having several thousands of soldiers already trained and conscripted, Russia can’t actually field them. Since Putin has insisted on calling the war a “special military operation” and not actually a war, it’s limited his military options. A Russian law prohibits sending conscripts into a war, forcing the Kremlin to rely on its contract soldiers, as well as a slew of mercenaries (oftentimes Russian veterans, but also fighters from Syria and elsewhere). So far Russia has tried to make these contracts more appealing, offering higher pay and bonuses for various “heroic acts.” It appears the government is hoping that can entice unhoused Russians.

And next the BBC reports:

Yevgeny Prigozhin, head of the Wagner group, said those who do not want to send convicts to fight should send their own children instead. Earlier, leaked footage showed him telling inmates they would be freed if they served six months with his group. The Wagner group is believed to have been fighting in Ukraine since 2014. In a statement published on social media after the video went viral, Mr Prigozhin said that if he were in prison he would “dream of” joining the Wagner group to “pay my debt to the Motherland”. He added a message to those who do not want mercenaries or prisoners to fight. “It’s either private military companies and prisoners, or your children – decide for yourself.”

Note that reference to “debt to the Motherland”. Putin never successfully built any loyalty to motherland, so it’s a bit late now to try and pull such an old, tired yarn. It falls flat especially because Putin is known for being dangerously jealous of loyalty to anything other than himself.

If loyalty to nation did work in recruiting military, one would have to wonder how far Putin could let that go before sensing a threat to his own power.

No rational military would have agreed to bumble its tanks into a hostile “non-war” after being told “Ukraine isn’t even a country“. He is known to move the goal-posts so often and serve only himself such that very few could really believe a win could mean anything to the country, only him.

Ultra-processed foods harmful “much like an invading bacteria”

New studies are confirming that ultra-processed foods are harmful, which was expected, but in ways that may have no better solution than better transparency leading to bans.

…researchers have theorized that ultra-processed foods increase inflammation because they are recognized by the body as foreign – much like an invading bacteria. So the body mounts an inflammatory response, which has been dubbed ‘fast food fever’. This increases inflammation throughout the body as a result.

How do they classify a food as ultra-processed?

These foods are also not labelled as such on food packaging. The best way to identify them is by looking at their ingredients. Typically, things such as emulsifiers, thickeners, protein isolates and other industrial-sounding products are a sign it’s an ultra-processed food. But making meals from scratch using natural foods is the best way to avoid the harms of ultra-processed foods.

Processed means not raw or made from raw ingredients — many stages of complicated processing such as the industrial polysaccharide polymer “guar gum” often found in inexpensive dairy products to transform their viscosity (prevent proper crystallization and melt).

While it’s true labels on food packaging don’t say processed, when you see ingredients on food more than six things long… you’re typically getting into processing.

Ice-cream for example should be a short list such as this Strauss label:

That company is yelling at you for a reason. Their label is in fact revealing a huge difference from a list of ultra-processed ingredients like this:

Basically if you see guar gum in ice cream it’s a symptom for you to run, don’t walk, away from its ultra-processed “viscosity” not to mention all its other questionable additives.

That might sound like a new idea but it reminds me of a 1516 “purity law” from the Bavarian city of Ingolstadt, which said beer can only contain barley, hops and water (yeast was later added).

Initially this allow list was only within the Duchy of Bavaria and it gradually expanded across German states becoming a modern German law in 1906. Talk about precedent…