When the hackee becomes the hacker… In a somewhat amusing twist to the ongoing Sony Pictures hack and massive breach of sensitive files and unreleased films, the company is now fighting back. According to two unnamed sources, Sony is now using “hundreds of computers” to perform a DDoS on websites where you can download the leaked data. Better yet, Sony is apparently using Amazon’s cloud servers — Amazon Web Services — to perform the DDoS. While I’m all for proactive security measures, Sony might be taking it a little bit too far here.

The report, from Recode, says that Sony is using hundreds of computers in Asia to DDoS “sites where its pilfered data is available.” Beyond that, very few technical details of the attack are available, but I don’t think that Sony is simply doing a standard DDoS on a bunch of websites — that would (probably) be illegal, and I suspect a complete breach of Amazon’s terms of service. It is more likely that Sony is poisoning the BitTorrent swarms that are sharing the stolen data, making it very hard for people to download the data — and if they do succeed in downloading, the poisoning should mean that the data is too corrupt to be of any use.

There are various types of torrent poisoning, but they’re all fairly effective. Sony is probably using a mix of interdiction — spamming peers with hundreds of servers, to prevent legitimate users from connecting to the peer to download the block of data — and index poisoning, which floods the swarm with lots of messages saying “hey, we have the block you’re looking for!” but then the block isn’t there, or it has been intentionally corrupted. In both cases, if this report is accurate, Sony could be making it very hard for people to download the torrents full of sensitive data, celebrity contact details, unreleased movies, and so on.
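As an added illustration of the index-poisoning case described above (this is constructed example code, not from the original article or from any real client), here is a toy BitTorrent-style download loop: every block received from a peer is checked against the SHA-1 piece hashes that a .torrent carries, and a peer that advertises a piece it does not have, or that serves a block which fails the hash check, is dropped from the swarm. This is the check that decides whether a corrupted block ever ends up in the assembled file.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed sample content, split into fixed-size pieces as a torrent would describe it.
PIECE_LEN = 8
FILE_DATA = b"constructed sample payload, split into fixed-size pieces"
PIECES = [FILE_DATA[i:i + PIECE_LEN] for i in range(0, len(FILE_DATA), PIECE_LEN)]
# A .torrent's info dictionary carries the SHA-1 of every piece; a client trusts these, not peers.
PIECE_HASHES = [hashlib.sha1(p).digest() for p in PIECES]


class Peer:
    """A swarm member (hypothetical model). `have` is the set of piece indexes it claims to
    hold; `honest=False` models an index-poisoning peer that advertises pieces it then
    serves as garbage."""

    def __init__(self, name: str, have, honest: bool = True):
        self.name, self.have, self.honest = name, set(have), honest

    def request(self, idx: int) -> Optional[bytes]:
        if idx not in self.have:
            return None                           # advertised elsewhere, but never held
        if not self.honest:
            return b"\x00" * len(PIECES[idx])     # corrupted block
        return PIECES[idx]


def download(peers: List[Peer]) -> Dict[str, object]:
    """Fetch every piece, verifying each block against its hash. A peer whose block fails
    verification (or that cannot produce a piece it claimed) is banned for the session."""
    banned, got = set(), {}
    for idx, expected in enumerate(PIECE_HASHES):
        for peer in peers:
            if peer.name in banned or idx not in peer.have:
                continue
            block = peer.request(idx)
            if block is not None and hashlib.sha1(block).digest() == expected:
                got[idx] = block                  # verified; move on to the next piece
                break
            banned.add(peer.name)                 # hash mismatch or false "have" claim
    complete = len(got) == len(PIECES)
    data = b"".join(got[i] for i in range(len(PIECES))) if complete else None
    return {"complete": complete, "banned": sorted(banned), "data": data}
```

With one honest peer and one poisoner that claims every piece, the poisoner is banned on the first bad block and the file still assembles intact; with only the poisoner present, nothing is ever written, so no corrupt data reaches disk.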

At first it’s fairly hard to believe that Sony — an upstanding multinational megacorporation — could be involved in such nefarious tactics. There are precedents, though — way back in Napster and Kazaa times, it wasn’t unusual for a publisher (or an outside agency) to upload fake or corrupt files. In more recent times, a commercial company called MediaDefender performed a variety of torrent poisoning attacks at the behest of most major film studios and music labels. It is somewhat unusual that Sony is reportedly performing the DDoS itself; to be honest, I wouldn’t be surprised if it is actually a third-party agency that’s doing it under Sony’s guidance.

As for the tidbit in Recode’s report about the use of Amazon Web Services (AWS), I’m not quite sure what to make of it. I’m guessing Sony needed a quick pool of well-connected computing power, and the cloud was the obvious choice — but generally, most cloud providers frown upon illegal (or even questionable) activity.

Morally, I suspect Sony’s position is somewhat defensible — it’s trying to protect stolen data, after all — but I’m not sure the law (or Amazon) will see Sony’s antics in the same light. Generally, hacking and computer misuse laws exist to prevent people from doing unwarranted things to computer systems that they don’t own. Basically, if a system was designed to do one thing (like serving torrents), but you subvert it into doing something else — and you don’t own the remote system — you are a hacker in the eyes of the law.