While I'm robbing your place;
If I hurt my knuckles
When I punch you in the face...
I'm gonna sue! Sue! Yeah, that's what I'm gonna do!
Sue! Sue! I might even sue you!"
—Weird Al Yankovic, "I'll Sue Ya"
If the hacker is any good, they'll be using other people's machines. This means that you could be triggering legal fun™
It's a bit trigger happy and I do something like change VPN, with my session, and it looks like I'm trying to probe with multiple IPs.
Boom, my devices all fall apart and my internet is offline until they stop DOS'ing me
What about security researchers scanning for their research? What about scanners that notify you?
Namely, that if "common sense" is enough to prevent someone from suffering any injury from a booby trap even when they do trigger it, then it's not really a "booby trap" in the classical definition. It's just an object with dangerous edge-cases.
In the literal booby-trap case, you might picture, say... a garden hose.
It would be hard to imagine someone being harmed by "normal" use of a garden hose. Most ways to engage with it wouldn't result in any harm. You could turn it on, maybe get a bit wet or lashed if the hose whips around as it stiffens. Point it at yourself and use it to wash yourself clean. Maybe point it in your mouth and choke.
The only clear way to harm yourself with a garden hose, would be to put the hose in your mouth and then turn it on. And then to not remove the hose when you begin to feel very, very uncomfortable.
And that's very silly! Why would you do that? You could have stopped drinking from the hose at any time!
A garden hose has a dangerous edge-case: the water stream is infinite, and the hose fits in your mouth, and the internal stomach capacity of a human is finite. But it's an absurd dangerous edge-case. Nobody with common sense would encounter this edge-case. So a garden hose is not a booby trap. And an abandoned house with a garden hose connected to a water supply, is not a booby-trapped house.
See what I'm getting at here?
You can give up and stop streaming (/ parsing / building-up-your-in-memory-ADT-from) an HTTP response that "just keeps going and going" at any time. And any vuln-scanning client programmed by someone with some common sense (e.g. a professional security researcher) would have that common sense built into it. So a 1TB .env-file HTTP response is not a booby trap.
And yet, of course, it will catch (and break) those "special" clients, built by people with no software-engineering common sense, i.e. script kiddies. But it's not your fault that some people have built deranged software that goes around wrapping its mouth around strangers' garden hoses!
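Added example, not part of the thread: the "stop drinking from the hose" behaviour the comment above describes, written as a reader that abandons a response body once it passes a byte or time budget. The names `read_capped`, `ResponseTooLarge` and `EndlessBody` and the default limits are assumptions for illustration; `EndlessBody` is a constructed stand-in for a response that never ends.

```python
import time


class ResponseTooLarge(Exception):
    """Raised when a body exceeds the caller's byte or time budget."""


def read_capped(stream, max_bytes=1_000_000, max_seconds=10.0, chunk_size=65536):
    """Read a body from any object with .read(n), giving up past a budget.

    Works with http.client.HTTPResponse (what urllib.request.urlopen returns),
    which is read incrementally instead of being buffered whole.
    """
    deadline = time.monotonic() + max_seconds
    chunks, total = [], 0
    while True:
        # Checked between reads only; a socket timeout is still needed
        # to bound a single read that blocks.
        if time.monotonic() > deadline:
            raise ResponseTooLarge(f"time budget exceeded after {total} bytes")
        # Ask for at most one byte past the cap, so an oversized body is
        # detected without pulling in more than max_bytes + 1 bytes.
        chunk = stream.read(min(chunk_size, max_bytes - total + 1))
        if not chunk:
            return b"".join(chunks)
        total += len(chunk)
        if total > max_bytes:
            raise ResponseTooLarge(f"body exceeds {max_bytes} bytes")
        chunks.append(chunk)


class EndlessBody:
    """Constructed sample input: a body that keeps going and going."""

    def __init__(self):
        self.served = 0  # how many bytes the reader actually pulled

    def read(self, n):
        self.served += n
        return b"A" * n


if __name__ == "__main__":
    body = EndlessBody()
    try:
        read_capped(body, max_bytes=1000, chunk_size=256)
    except ResponseTooLarge as exc:
        print(f"gave up: {exc}; bytes pulled: {body.served}")
```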
- you don't know "who" you hit. The case in TFA is still rather simple (just send the "hack" as the response), but you will still most likely hit some residential proxy and nuke some random person instead of the responsible actor
- (this is not too related to TFA but a point in discussions about hack-backs on a state-actor level) unless you're doing a very simple "attack", you need to have some sort of vuln ready to perform any kind of hack-back. Which leaves the ethical dilemma that actors are now motivated to keep vulnerabilities available, thus making the world more unsafe. And once you have used your vulnerability, your "enemy" probably knows it as well.
sjducb•52m ago
If Laos wants to be taken off the list of permitted targets then it can crack down on fraud. They have effectively allowed digital privateering against us by failing to crack down on fraud.
https://www.theguardian.com/technology/2025/dec/02/scam-stat...
alephnerd•46m ago
Both Cambodia and Laos have governments where leadership is directly tied to organized crime, but the PRC has continued to expand their relationships with both because of their strategic position and because their governments directly cooperate with Chinese law enforcement.
Similarly, in the threat hunting space, it's been common to find Russian originated malware that would shut itself off if it identified an indicator or signature that implied that the workload was within the CIS.
In the same manner, if I were to conduct illicit cyberoperations in a jurisdiction like the UAE but not target the US, India, China, and a couple other jurisdictions with strong ties with the UAE I could operate with impunity.
It's the same reason Neville Singham is in Shanghai and Guo Wengui is in New York. It's also the same reason Ecuador handed Assange after the government changed from being hard-left and aligned with Russia and Venezuela to center-right and aligned with the US.
Edit: can't reply
> the case that fraudsters can already target Laos and Cambodia with impunity from certain jurisdictions
Not legally or morally, but this is de facto the case.
That said, the countries most annoyed at Laos and Cambodia (eg. Thailand, Vietnam, and the auS) would much rather use regime change, or use pressure points like financial crimes prosecution which dramatically reduces your freedom and dramatically increases your risk of being used as a pawn to trade, and offer the carrot of negotiated immunity deals in return for flipping.
These kinds of organizations don't exist with impunity - they are pawns that are discarded the moment their value can no longer justify their liabilities.
sjducb•40m ago
If you are then I would point out that being legitimate allows you to attract better talent. See America’s private military contracting sector. Yes you can go and be a mercenary abroad and operate in a legal grey area, but if you’re a Private Military Contractor working for a major US company then you won’t go to jail in the US when you come back, and you can put it on your CV.