I don’t believe that researchers should jeopardize their freedom or future for any organization. There is certainly value in having red team skills to become a better defender. However, let’s remember that most companies are functioning with understaffed or non-existent security teams, and attribution continues to be a challenge.
Did you read Kimberly Crawley’s article about what happened to @MalwareTechBlog after DEFCON?
He was arrested and nailed to the internet cross. Although he is a hero to many (including me), this situation should still make researchers think twice about trying to test drive the industry’s newest (oldest?) soundbite.
Read my full response on Tripwire’s State of Security blog about hacking back, along with commentary from other security practitioners and writers in the industry.
Despite what politicians may be pushing, hacking back is just not worth it.