March 12, 2026
Keyboard pirates vs. the law
Should hack-back be legal?
Hack back or hands off? Keyboard pirates vs lawyers
TLDR: The article says “hack back” is illegal almost everywhere and compares it to a booby trap that can hit innocent bystanders. Commenters split between vigilante payback, fears of collateral damage and megacorps misfiring, and questions about “good” scanners—making this a heated clash of revenge fantasies versus legal reality.
A sysadmin daydreamed about feeding hackers a fake “.env” file stuffed with junk—think a terabyte of digital mashed potatoes—and the article says the law slams the brakes: in Germany, Austria, and under the US CFAA, striking back and slowing someone else’s system is treated like a booby trap. Even worse, most scans come from hacked, innocent computers, so your revenge likely whacks a bystander, not the crook.
But the comments? Absolute cage match. One crowd wants pirate flags: sjducb floats “digital privateering” against countries that “allow fraud,” linking a newspaper piece and igniting side‑eyes and upvotes in equal measure. Another camp rolls their eyes at enforcement—joegibbs deadpans, “Which hacker is calling the cops?”—while andy_ppp gets dark, noting real attackers hijack someone else’s PC first, meaning vigilante traps hit the wrong person. KaiserPro paints a doomsday meme: imagine Google auto‑retaliating and your VPN hop looks suspicious—“Boom, devices down, internet gone.”
On the safer side, the article backs tarpitting (slowing bad connections to a crawl) and boring-but-legal layers like captchas and firewalls. The crowd shrugs: “speed bumps, not shields.” looperhacks asks if “good guy scanners” and notifiers get caught in the crossfire. Verdict from the thread: the law says no, the vibes say maybe, and the popcorn says keep scrolling.
Key Points
- Serving deceptive large files to burden scanners would likely be illegal in multiple jurisdictions, including Germany, Austria, and the United States.
- Laws such as § 303b StGB (Germany), § 126b StGB (Austria), and the CFAA (USA) prohibit intentional actions that impair third-party computer systems, regardless of the motive behind them.
- Attribution issues mean many scans originate from compromised systems, so aggressive traps risk harming innocent infrastructure rather than attackers.
- Tarpitting (extreme throttling of your own responses) is a lawful defensive tactic but is limited by botnet distribution, aggressive client timeouts, IP rotation, and traffic that mimics legitimate users.
- A layered defense—network-level rate limiting, geo-blocking, JS challenges/CAPTCHAs, WAFs with scanner fingerprinting, and threat intel on malicious ASNs—better mitigates persistent scanning.
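To make the tarpitting and rate-limiting points concrete, here is an added example (not code from the article or any commenter) of a minimal asyncio HTTP front end: requests for scanner-only paths get a normal-sized response dripped one byte at a time on our own socket, with a hard time cap, while noisy clients get a plain 429. The scanner path list, thresholds and port are assumptions for the example; unlike the junk ".env" idea, nothing is sent that burdens the remote machine.

```python
import asyncio
import re
import time
from collections import defaultdict

# Hypothetical scanner-only paths for this example; a real site tunes this list.
SCANNER_PATHS = re.compile(r"^/(\.env|\.git/|phpmyadmin|wp-login\.php)", re.I)
RATE_LIMIT, WINDOW = 20, 60.0            # per-IP request budget (count, seconds)
TARPIT_TOTAL, TARPIT_STEP = 30.0, 1.0    # bounded hold time and drip interval
_hits = defaultdict(list)                # client IP -> recent request timestamps

def classify(path: str, client_ip: str, now: float) -> str:
    """Per request: 'tarpit' (scanner path), 'ratelimit' (over budget) or 'serve'."""
    if SCANNER_PATHS.match(path):
        return "tarpit"
    recent = [t for t in _hits[client_ip] if now - t < WINDOW] + [now]
    _hits[client_ip] = recent
    return "ratelimit" if len(recent) > RATE_LIMIT else "serve"

async def tarpit(writer, step: float = TARPIT_STEP) -> int:
    """Drip a normal-sized response one byte at a time, then hang up.
    Only our own socket is slowed; the scanner gets a few dozen bytes, no payload."""
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    sent, deadline = 0, time.monotonic() + TARPIT_TOTAL
    try:
        for byte in head:
            if time.monotonic() >= deadline:   # never hold a socket indefinitely
                break
            writer.write(bytes([byte]))
            await writer.drain()
            sent += 1
            await asyncio.sleep(step)
    except (ConnectionResetError, BrokenPipeError):
        pass   # the scanner's own timeout fired; that is the expected outcome
    return sent

async def handle(reader, writer):
    parts = (await reader.readline()).decode("latin-1").split()
    path = parts[1] if len(parts) > 1 else "/"
    verdict = classify(path, writer.get_extra_info("peername")[0], time.monotonic())
    if verdict == "tarpit":
        await tarpit(writer)
    elif verdict == "ratelimit":
        writer.write(b"HTTP/1.1 429 Too Many Requests\r\nRetry-After: 60\r\n\r\n")
    else:
        writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
    await writer.drain()
    writer.close()
```

Run it with `asyncio.run(asyncio.start_server(handle, "127.0.0.1", 8080))` followed by `serve_forever()`; the bounded deadline is what keeps the tactic honest, and it also shows why a scanner with an aggressive client timeout simply drops the connection and moves on.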