A Server Operator's Perspective
Browsing through server logs and fail2ban notifications is routine work. A significant portion of incoming requests are automated probes targeting .env and .git files: endpoints that, if exposed, would reveal database credentials, API keys, and internal configuration data.
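Added example, not code from the original post: a small Python filter that picks the .env/.git probes described above out of a combined-format access log and lists source addresses that exceed a threshold, i.e. the logging-and-blocking side of this work. The log lines are constructed, and the combined log format, the probed-path patterns and the threshold are assumptions to adjust for your own server.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format (assumption: your server writes it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request paths typical of secret-hunting probes: /.env, /.env.<anything>,
# and anything under /.git/. Matched case-insensitively; ".github" and
# ".environment" do not match because of the trailing lookahead/anchor.
PROBE_RE = re.compile(
    r'(^|/)(\.env(\.[\w.-]+)?(?=/|$)|\.git(/|$))', re.IGNORECASE
)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    """True when the request path (query string ignored) looks like a probe."""
    path = path.split('?', 1)[0]
    return PROBE_RE.search(path) is not None


def probe_counts(lines):
    """Count probe requests per source IP across an iterable of log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec['path']):
            counts[rec['ip']] += 1
    return counts


def ban_candidates(lines, threshold=3):
    """Source IPs with at least `threshold` probes, sorted (assumed threshold)."""
    return sorted(ip for ip, n in probe_counts(lines).items() if n >= threshold)


# Constructed sample log using documentation-range addresses.
SAMPLE_LOG = """203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.env.backup HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /environment HTTP/1.1" 200 88 "-" "Mozilla/5.0"
this line is deliberately unparseable"""

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG.splitlines()))  # ['203.0.113.7']
```

The same patterns can be carried over into a fail2ban filter regex; the script only ranks sources, it never sends anything back to them.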
At some point, the thought occurred to me: what if I played along? Serve a convincing .env or .git file, but pad it with a terabyte or more of junk data and let the scanner process that. After a bit of research, it became clear that the law sees things differently.
The Legal Reality of Hack-Back
In most jurisdictions, intentionally disrupting or damaging a third-party computer system is illegal, regardless of what that system was doing to yours first. Relevant statutes include:
§ 303b StGB (Germany) and § 126b StGB (Austria): Both prohibit intentional disruption of computer systems, with penalties ranging up to several years' imprisonment.
Computer Fraud and Abuse Act (CFAA, USA): Prohibits the intentional transmission of data that causes damage to a protected computer, a definition broad enough to cover virtually any internet-connected system, regardless of geography.
The core principle across all three: the law protects systems, not their operators' intentions. The moment a defensive measure extends beyond protecting your own infrastructure and begins impairing someone else's system, you become liable, even if that system was actively probing yours.
The "they started it" defense doesn't hold. Legally, it's comparable to a booby trap: deliberate, premeditated, and designed to cause harm to whoever triggers it. Courts have consistently found that provoking a harmful automated response does not transfer culpability to the party that triggered it.
Attribution complicates this further. Many malicious scans originate from compromised third-party systems, botnets running on servers or devices whose legitimate owners have no knowledge of the activity. A terabyte-sized trap would not harm the attacker; it would harm an innocent victim's infrastructure. That said, there is at least one unintended benefit: the download attempt would likely alert the compromised system's owner that something is wrong. The law accounts for the broader risk, which is part of why it is written so broadly.