
The Computer Owner - Guilty or Not Guilty?

Posted by Cliff
from the guilt-by-association-may-not-be-sufficient dept.
Von-at-Infosec_Writers asks: "It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime could become much more difficult especially since, as a recent CNN.com article stated, a hacker's legal defense can be: it wasn't me but my hijacked computer that committed the crime. 'In some cases, I do suspect there are people whose computer is taken over by third parties. It's also a clever defense to exculpate your client,' says Michael Allison of the Internet Crimes Group. What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?" As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?

  • by RobertB-DC (622190) * on Thursday November 13, 2003 @06:21PM (#7468929) Homepage Journal
    [...] their attorneys successfully argued that trojan programs found on their computers were to blame.
    In all three cases, no one has suggested that the verdicts were anything other than correct.


    I think it's going to be pretty easy to tell, within the law, whether the computer owner knew that a hack attack or illegal download was occurring on his/her computer. Most of the time, the court's answer will be "no".

    If a remote-control Trojan is on the PC, then the prosecution would have to prove that:

    * The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.

    * Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.

    While the defense attorney needs only argue that his client is just an average Joe(anne), and wouldn't know what a Trojan [trojancondoms.com] was if he/she bought one at the drugstore. The defense attorney should be facing a receptive audience. Remember, in the US at least, he'll be facing a jury of 12 average citizens who know as little about how computers work as I do about brain surgery.

    Or perhaps less. At least I know which box my brain is in.
    • "Hey Mr. FBI, I don't even know what a DDOS thingy is. I only have AOL, does the DDOS cost extra?"
    • by QueenOfSwords (179856) on Thursday November 13, 2003 @06:26PM (#7468980) Homepage
      Problem is, of course, that if you're a CS student who has been a bit lax about security, you're probably screwed. People don't understand computers, so your jury won't understand that anybody who is studying computers or has *specific* knowledge isn't a super-1337 hax0r who is probably guilty.
      • There's a term and I'm sure someone who knows more about law than I do knows it but someone who should know better shouldn't be giving bad advice. At the least it's called malpractice. So if a stockbroker gives bad advice at a cocktail party he can in fact be sued when the other guy loses all his money. A CS student is not yet qualified in that field. They would probably get off. Now if they graduate and start working (or drop out and get a job) they will be expected to secure their systems.
      • Good point.

        I have several friends who are CS majors and use Windows 98 with no virus protection or firewall.

        Win98 came with their computer, and works fine for what they use it to do: play games, download movies and mp3s, and SSH into other computers on campus to do their programming projects. They don't want the hassle of upgrading to a more secure OS or installing security software.

        Being a CS major doesn't mean you're serious about network security. It might seem incriminating if a CS major's computer w
        • by Qrlx (258924) on Thursday November 13, 2003 @07:05PM (#7469405) Homepage Journal
          I have several friends who are CS majors and use Windows 98 with no virus protection or firewall.

          Typically the only people who know anything about security are the same people who have built a complete system from parts. It's sad but a lot of CS people aren't hackers (in the hackers-with-a-dumb-glider-logo sense of the word).

          Come to think of it the only programmer I know who actually went to school and got a CS degree is my mom, and it was her second degree -- she went back to school to pursue a well-paying career. I still remember the shoeboxes full of punch cards. She is clueless about Internet security, but pretty 1337 with COBOL and JCL, if such a thing is possible.
        • by markxsd (718350) on Thursday November 13, 2003 @07:31PM (#7469654)
          I have several friends who are CS majors and use Windows 98

          Prison is not an adequate punishment.

          ...I advocate death by SQL injection.

      • Given the way our courts treat "reasonable doubt" I would think any decent lawyer would be able to at least hang a jury in this situation. Especially with the use of expert witnesses. This is what they are for, to inform the jury of matters they don't have the training to understand. A polygraph might also be used to persuade a jury, although there could be issues in admitting it as evidence. However, perhaps the best evidence in any circumstantial case is an alibi, and this could be used here as well. A ha
        • by pyros (61399) on Thursday November 13, 2003 @07:26PM (#7469618) Journal
          A hacking attempt should have a well documented time, and if the defendant can show they were doing something else at the time they should get a non guilty verdict easily.

          That's right, because there is no such thing as batch jobs and scheduled tasks. Any "expert" witness the prosecution calls upon to talk about such things must be getting bribed to do so.

      • by cyt0plas (629631) * on Thursday November 13, 2003 @06:58PM (#7469364) Journal
        I've had this happen to me personally. I was in a class where 5 people's grades were changed, including mine. The instructor basically said "you're the only one smart enough, so you're it." And being the CS student who has been paid to do security audits doesn't help.
      • So if you are planning a big hack, the best way is doing it through the system of a CS student. It shouldn't be too difficult to find one that doesn't have his system properly secured...
        • Problem is, of course, that if you're a CS student who has been a bit lax about security, you're probably screwed. People don't understand computers, so your jury won't understand that anybody who is studying computers or has *specific* knowledge isn't a super-1337 hax0r who is probably guilty.

        The sad thing is, I could easily see many CS students managing to get infected. When I got my degree, most of my classmates were good at programming, but couldn't admin or secure a paper bag, much less their pe

      • by Durandal64 (658649) on Thursday November 13, 2003 @08:02PM (#7469908)
        Being a CS student does not necessarily grant one a good working knowledge of networks. I've seen plenty of CS students and experienced programmers who wouldn't know how to properly secure their systems. Now, if the person in question is a Network Infrastructure student or Novell-certified, it's almost a no-brainer that he should know how to secure his machine.

        Of course, is it really right to hold someone liable for damages that result in an intrinsically harmless slip-up? Say I forget to patch SSH or Apache and someone launches an attack from my box. Should I be held liable? If so, why? Because I should know better? That may be true, but I can always argue that I'd intended to patch but just hadn't found the time to do so, and someone by chance, found my box. If my schedule in a particular week isn't amenable to patching a particular aspect of my system, but I need SSH or Apache during that week, why should I be held liable for damages resulting from someone illegally hijacking my computer? Let's keep the blame where it belongs, here.
        • Of course, is it really right to hold someone liable for damages that result in an intrinsically harmless slip-up? Say I forget to patch SSH or Apache and someone launches an attack from my box. Should I be held liable? If so, why? Because I should know better? That may be true, but I can always argue that I'd intended to patch but just hadn't found the time to do so, and someone by chance, found my box

          The issue I have here, is that frequently the offender is using an unprotected computer to exploit a ho

    • by Megor1 (621918) on Thursday November 13, 2003 @06:39PM (#7469162) Homepage

      If a remote-control Trojan is on the PC, then the prosecution would have to prove that:

      * The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.

      * Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.

      Really you tell me how to detect a kernel level trojan on a Windows box besides running your own separate intrusion detection system that knows what way the trojan works. (So if it's an unknown one you ain't gonna find it). And if the person removes the trojan and overwrites itself you ain't gonna find any evidence of it

    • What if the trojan hacks someone's computer and then makes itself scarce, ala a rootkit?

    • by Alaren (682568) on Thursday November 13, 2003 @06:48PM (#7469261)

      Well, like most readers of /. IANAL... but, like most readers of /. I have significantly more sense than most lawyers, so here goes...

      I think the "My Computer Was Hacked" has the potential to become the "Twinkie Defense" of the 21st Century. On the other hand, it also has the potential to become the "Insanity Defense" of the 21st Century.

      In other words, where this goes depends heavily on how the courts decide to treat it. If the courts treat it as a ludicrous catch-all defense for computer crimes, it will stop mattering how legitimate the defense really is. If the courts decide to be very sensitive to the defense, it may become a useful catch-all defense for computer crimes.

      Either way, though, the people who *really* suffer will be the computer-savvy. Many computers infected with recent viruses were managed by reasonably competent techies. Would it be fair to say, "Joe is a layperson, his computer might have been affected" but "Jane is a techie, if her computer was infected she must have done it herself?"

      What I think really needs to be addressed, though, is not whether or not there should be laws concerning "Security Negligence" or "Reasonable Doubt Concerning User Expertise." What we really need to evaluate is actual damages and due process. Erasing piles of data is not the same as crashing air traffic control and killing hundreds of people. Making it easier to put people in jail is not necessarily an improvement.

      In short, computers are tools. Let's stop prosecuting computer crimes altogether. Let's only prosecute people for what they do--not for how they do it.

      • "Jane is a techie, if her computer was infected she must have done it herself?"

        I worked for several years as a support tech for an ISP. When Melissa came around, most of the techs were running around like chickens with their heads cut off, while I laughed. Same thing with the Love Bug. Why? Because unlike everybody else, I used Eudora for email, not Outlook. It doesn't have the well-known security holes, so it's safe from the trojans aimed at Outlook. (OK; that's not the only reason, or the main re

    • by zorander (85178) on Thursday November 13, 2003 @07:27PM (#7469623) Homepage Journal
      I'm a CS student and I can't count the number of people I know who leave BackOrifice installed on their machines for the very reason of deniability in this sense. For them, it's so they can blame their p2p activity on 'evil hackers'...of course, it's a flawed plan since the university just cuts you for 45 days if they are able to download from you (They only make an attempt after the RIAA notifies them that your IP is delinquent. If they fail, they tell the RIAA that they were wrong. If they succeed, they take away your connection and tell the RIAA that the problem was resolved on the inside...up until this point, this has done a pretty good job of protecting the students here from litigation).

      Brian
  • by dtolton (162216) * on Thursday November 13, 2003 @06:23PM (#7468944) Homepage
    Unfortunately, I think the "I didn't do it, my computer did"
    defense will be all too common. How can you hold people
    responsible for holes in their system while Microsoft produces
    software with numerous holes in it, but is not held responsible?

    An interesting analogy is gun crimes. If someone owns a gun,
    and it is proven conclusively that the gun committed a crime,
    but it cannot be proven conclusively that the owner of the gun
    is the one who pulled the trigger (opportunity), then it is
    difficult to establish a case.

    I think a similar idea will work itself out with computer
    crime. The fact that your computer did something isn't enough,
    you have to be a willing participant in the incident.

    Perhaps there should be laws to punish people who leave
    unpatched, unprotected computers sitting on the internet. There
    are laws that punish irresponsible gun owners, should we also
    punish negligent computer owners? What about negligent
    programmers?

    As an aside, in the last court case I was involved in, e-mail
    was admissible in court. The only thing I had to do was produce
    some e-mail correspondence between myself and the other party.
    The lawyers and the judges all accepted them without a word.
    While the e-mails were in fact real, and the transmission could
    be verified by ISP records, the simple fact that the opposing
    counsel didn't so much as raise an eyebrow shows me just how
    ignorant the legal system still is when it comes to technology.
    This happened less than a year ago.
    • by gooberguy (453295) <gooberguy@gmail.com> on Thursday November 13, 2003 @06:30PM (#7469042)
      Should we fine and arrest people who keep vulnerable systems on the web? I think not. If your computer gets infected with a virus or worm, no one dies. Sure, damages may be done, but no amount of commercial loss compares with murder. Also, your idea would kill the Internet. The Internet is about freedom. Overall, it is the least regulated, most anonymous medium accessible to Joe Sixpack. If people fear getting arrested for merely being online, they will find something else to do.
      • What if terrorists compromise your computer and use it to plot the next big attack that kills thousands of people?
      • > Should we fine and arrest people who keep
        > vulnerable systems on the web? I think not.

        I think that day is coming.

        I think we're at a point of time in computer ownership that was probably a lot like the early days of car ownership.

        I'd be fairly certain that there were hardly any rules for the first few years that cars were on the roads, since there wasn't sufficient public perception that lots of rules were required. It was only after enough people got run over, enough cars run off the road, enoug
    • Interesting you and I both used guns as an analogy. But in the real world the tool alone isn't responsible for the crime. There has to be a person to pin the crime on. Leaving dangerous objects lying around is a crime but are computers that dangerous yet? If someone hacked my home security attack robot and it killed the paperboy then I could see making a big deal out of this but computer crimes are still just economic at worst. Nobody dies.
    • by southpolesammy (150094) on Thursday November 13, 2003 @06:42PM (#7469194) Journal
      If I leave my car unlocked with the keys in the ignition, and someone steals my car, packs it full of C4, and blows up a building with it, hopefully, my alibi is good enough to show that I wasn't the one that perpetrated such a heinous act.

      The problem with computer crime is that the alibi part of the equation is harder for the computer owner to prove. He may very well have been actively using the computer in question that hacked the Bank of North Elbonia at the time of the crime, but that doesn't mean he did it. In spite of that, proving that he wasn't the perp is difficult. Most other alibis work because of physical bias placing the individual in some other place than the crime in question. This is harder to prove in a virtual setting.
    • Well in cases there's 3 major parts. Means, motive, and opportunity. The computer traced back to be the cause of the attack proves part of means. It does not prove skill means. It does not prove opportunity [proving the user was home and on the internet at the time does]. It does not prove motive. As a defense lawyer [I am not a defense lawyer] I'd certainly posit that the computer did it as a reasonable alternative until the prosecution actually made an effective case [by proving opportunity].

      I don't see
    • I think the gun and car analogies are a bit too much here. In these analogies, the tool of the crime is obviously taken away from the owner, so it's relatively easy to compare the time of the crime to the alibis and figure out who did it.

      I think a better analogy is that of possession of stolen goods. I can buy a used bike, for example, in good faith from a garage sale, use it for months, then one day the police stop me and tell me that bike was stolen. How can I prove that I didn't steal it myself? How can
    • "Perhaps there should be laws to punish people who leave unpatched, unprotected computers sitting on the internet. There are laws that punish irresponsible gun owners, should we also punish negligent computer owners? What about negligent
      programmers?"


      Not a fan of either. A significant chunk of vulnerable machines out there are owned by people who don't have a strong enough interest in computers to know they should be patching. Making sure your computer is secure is not as simple as putting a lock on you
  • well (Score:4, Insightful)

    by JeanBaptiste (537955) on Thursday November 13, 2003 @06:24PM (#7468957)
    in the US, if your car is going down the freeway and your brakes fail because you didn't do routine maintenance, you end up crashing and killing someone, you are at fault.

    on the other hand, if someone cuts your brake lines, you crash and kill someone, you are not at fault.

    I would think that viruses and trojans and worms and such would fall more under the 'someone cuts your brake lines' category.
    • Re:well (Score:3, Insightful)

      by j0keralpha (713423) *
      Reasonable Mitigation. There is very little you can do to prevent someone from cutting your brakelines. A lot of Computer Zombification stems from users not proactively patching AV and OS (let's not even talk about applications). Slammer (yes I know this was a server-worm) and Blaster are excellent examples. The world at large had 6 months and 1.5 months respectively to prevent the nightmare from happening, but nobody takes responsibility for (to extend your car analogy) Changing the oil and other basic main
      • 'Is the burden of proof upon the user to show they are not at fault, or the attack victim to show that they are?'

        The burden of proof is always on the accuser. Well according to the Constitution it is, but let's not get into that....
      • Continuing with the car analogy: it's not against the law to forgo basic car maintenance; rather, it's against the law (AFAIK) to drive an unsafe car on public roads, for some definition of unsafe. My point here would be that you ought to be responsible for operating an unsafe computer on the Internet.

        This raises all sorts of issues, namely what is to be considered unsafe. In the US, the definition of unsafe vehicle seems to vary from state to state; at the very least, it's enforced differently. In Texa
    • And I would think that failing to apply the latest security patches, thus allowing the infection by viruses and trojans, would fall more under the 'you didn't do routine maintenance' category. Or it should. If more people were held responsible for their own inaction maybe fewer PCs would be trojaned.

      Personally, I'd blame my ISP. They won't let me behave as if my PC is directly connected to the internet (e.g., they won't let me run my own mail server or web server or FTP server; they won't give me a static I

      • Interestingly, what about MSN, AOL and Mindspring who all advertise protection from the big bad nasty internet. Aren't they begging for responsibility when their customers get infected?
  • IANAL, but: To put a rather brutal, but analogous comparison in place. If someone breaks into your house, steals a gun, and then shoots someone on the street. The owner of the house would not be guilty of murder. They may be guilty of negligent storage of a firearm, but not much else.

    And since there currently is no crime for keeping a computer unsecured on the internet, I doubt there is much that can be done.
  • SIMPLE! (Score:5, Funny)

    by w3weasel (656289) on Thursday November 13, 2003 @06:26PM (#7468987) Homepage
    What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?
    Simple! Keylogger installed with every OS, mandatory by order of the DHS. All Keylogs submitted to a central government database for use only by the DHS, related departments, and companies funding beach houses for the high ranking officials in said offices! Won't you sleep better knowing that we will have the right man?
    • That would make me either use an OS I can edit and compile myself, as I'm already doing, or I'll just crack my 'perfectly normal home computer' myself using my 'sup3r s3cr37 1337 1@p70p'.

      I guess I'll opt for the first option...

      Keyloggers will only help proving it wasn't done by the guy that says his computer was hijacked, it will not help getting the right man. Since the guy with the hijacked computer can use that argument now already and we all hope 'Innocent until proven otherwise' still applies
  • by segment (695309) <sil @ p o l i t rix.org> on Thursday November 13, 2003 @06:27PM (#7468998) Homepage Journal
    Been there done that [politrix.org]

    It's actually very easy to frame someone online which will be (mark my word) the next big thing in divorce cases, criminal cases, et al. I won't comment anymore on these issues though. I've been through the whole shebang. One thing people should be aware of though is the ease with which someone could actually do something malicious to another person. Courts, well let's just say if you're the accused, pray you don't get a computer phobic (which the DA will try to ensure he selects the most of) jury.

    • by mveloso (325617) on Thursday November 13, 2003 @07:39PM (#7469722)
      It's already easy for this to happen. Think about your workplace - the IT guys (you guys, mostly) can put whatever the hell you want on someone's box, and they'd have no idea.

      For example:

      Staffer: "Hey, I have no idea where that child pr0n came from!"

      Manager: "Look, don't make this harder than it has to be. Just pack up your stuff and we won't tell your wife or the paper."

      Staffer: "But I never saw that before!"

      Manager: "That's what they all say."

      With a careful admin, even browser history and caches can be faked. And there's not a thing that the poor staffer could do about it.
  • How about cars? (Score:2, Redundant)

    by jon787 (512497)
    How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment?

    Same as with someone's car.

    Proving who is on the machine is very difficult though.
  • Same as in a car! (Score:4, Insightful)

    by scovetta (632629) on Thursday November 13, 2003 @06:27PM (#7469005) Homepage
    If you're driving a car, and the car malfunctions and you hit and kill someone, you shouldn't be held responsible. If you say the car was broken and it wasn't, then it's fraud and you get charged with vehicular manslaughter or whatever.

    If your computer was hijacked and you did nothing to prevent it, it's YOUR fault. If you ran antivirus/firewall/whatever, then it's the fault of the hacker, and you shouldn't be held responsible.

    Of course, we need a good definition of a "good faith attempt at computer security", but that's a grey legal line. Personally, I think that if a patch has been available for more than, say, 2 months, and you aren't patched, it's your damn fault. If you installed a program explicitly, then it's your fault (even if it was spyware)-- the analogy, if you get super-duper-hood-attachments for your car and they fly off and impale someone, it's your fault.

    Of course, that sucks, but it's the only way I can see to segment culpability for crimes in this case.
  • by aminorex (141494) on Thursday November 13, 2003 @06:28PM (#7469007) Homepage Journal
    > How much responsibility does the owner of an
    > Internet-connected computer have for crimes
    > committed using their equipment

    None, unless they have responsibility for
    the use itself.

    > and what are ways we can best determine
    > their involvement, or lack of it, in said
    > crimes?

    Firstly, you don't want to. You don't want
    to live in a world where people can't
    speak freely on the Internet. Therefore
    you don't want to live in a world where
    it is easy to hunt down and kill anyone
    who criticizes you.

    Secondly, in the U.S., you need proof beyond
    a reasonable doubt to convict of a crime.
    That will never happen without human
    witnesses to substantiate the accuracy of
    data submitted in evidence, since all data
    is equally possible to fabricate on demand.
    So, in brief, only on the testimony of
    disinterested witnesses can responsibility
    for a digitally intermediated act be
    proven or refuted.
  • by rxed (634882) on Thursday November 13, 2003 @06:28PM (#7469009)
    It's not that simple, believe me you. :) A good forensics expert can slice and kill your false I-was-hacked defense in a matter of days.
    • I could set up a good "I was hacked" defense easily enough: just break into one of my own computers and compromise it, leaving just one step (such as making it the DMZ box from my NAT router) to automatically complete if I don't periodically cancel it.
  • by ewhac (5844) on Thursday November 13, 2003 @06:28PM (#7469024) Homepage Journal

    Homeowners can be jailed when trespassers drown in their pool, because the pool falls under the heading of, "Attractive Nuisance." It thus falls to the homeowner to properly secure access to the pool, or risk getting sued when some vagrant wanders in and gets hurt.

    I can see this concept being extended to the Internet: By placing an unsecured box on the network, you have introduced an Attractive Nuisance, and it can be argued that the machine's owner bears responsibility for collateral damage.

    Trouble is, can the machine's owner really be held responsible for such consequences when the OS vendor willfully misrepresented the concordant hazards and responsibilities of placing their product on the open Internet?

    Schwab

    • Following the pool analogy: yes, sort of.

      If the pool came with a fence to keep people out, and the fence didn't work it then becomes an argument if the owner knew the fence didn't work. In Microsoft's case, even commoners know it's less secure. Either way, the fence maker would then be liable for misrepresentation, and the resultant effects.

      [IANAL]
    • It would be fun to see a judge say something like 'You install OS something, Guilty as charged'. But with the current focus on security the big OS vendors have that won't happen...
      (Or was it because of the big amounts of money?)
    • "Attractive Nuisance" isn't really applicable here. The base theory in your example rests on the idea the owner of the pool can reasonably and assuredly secure it. This can be through fences, locks, covers, and various other luddite techniques... techniques that any responsible homeowner can understand and be held liable for implementing correctly.

      However, with software, the complexity of the system is so great that even the original authors will not warrant its correctness and/or security. The average
  • "Your honor, it wasn't my computer that was responsible. It was the poorly designed code that had `x` number of security flaws. Microsoft is at fault!"

    Or, "Your honor, Bill Gates 0wnz y0u!"

  • Hmmm (Score:2, Insightful)

    by ActionPlant (721843)
    How DO you prove whether or not a person had the capability to do the hack? Character witness comes into huge play here, and I have a feeling that as this defense becomes more and more difficult to prosecute in criminal course, we'll see cases popping up where civil suits are being filed against people. In a criminal case you are innocent until proven guilty, while if a civil suit were filed for damages from a specific person's computer, all that has to be proven is that they are the most likely person to
  • I'm not sure I'd buy that one... in fact, if I were some hacker's defense attorney, I'd sure argue that my client's skills placed him/her squarely in the crosshairs of a jealous rival who wished to do him/her harm by planting a trojan ... *and* making sure it led back to him/her!

    ahh... aren't conspiracy theories beautiful?

    and, it seems clear that your average jury of 12 AOLers will glaze over about five minutes into the heavy tech testimony, thus giving the creative defense attorney more than enough room

  • Obviously, the cracker is responsible for his crimes, regardless of whose computer he uses. Yes, accused people might say "someone else used my computer," just as one might say "someone else used my gun." Obviously, the court would need to decide whether or not that is true. The grey area, of course, is when someone agrees to let a cracker use their computer for attacks. But again, unless such collusion can be proven, only the hacker is responsible. So if you know your system's been cracked, you're res
  • their attorneys successfully argued that trojan programs found on their computers were to blame. In all three cases, no one has suggested that the verdicts were anything other than correct.
    Who exactly were the attorneys arguing to? A jury/judge with little to no specific technical education regarding the matter? People perhaps ill-equipped to know what is and is not possible with viruses or trojans?

    To be assured of a fair decision, the decision-makers in these cases must be people that both display n
  • Just to use a simplified analogy...

    If someone steals a car and uses it to commit a crime, is the owner of the car guilty of the crime?

    "It sets a precedent now in the judicial system where a hacker can just claim somebody took over his computer, the program vanished and he's free and clear,"

    To extend my analogy a little more, the owner of the car used to commit the crime could claim the car was stolen and returned.

    Just because it's hard to catch the person who actually committed the crime doesn't mean
  • If a mobster dumps his bodies in a hole behind your barn and you didn't know about it, are you guilty of murder? Is it the gun that murders or the person pulling the trigger? Now what if the gun is used and then put back without the owner knowing? Is the rental car company guilty of hit and run? I think there's precedent in the real world for this kind of thing.

    I would liken computer crimes to that of bringing the gun back to the owner. An educated gun owner will know if his gun is fired or kept clean.

    • I like the analogy, but, you need a license to get a gun. This means you must have a certain baseline amount of gun knowledge to own a gun. Since a baseline precedent has already been set, it could be adjusted higher if necessary, to the point where a gun owner would definitely know if his gun was fired.

      Computers have no such license requirement, and as such, no baseline requirement. Since there is no baseline, imposing one would be very difficult. Especially imposing a baseline knowledge requirement
      • In the US you do not have to have a license to have a/most gun. In some states you may have to have a license to carry it in public, but that is all.
    • But you have to define "good faith" effort. To me, that's at least installing a good firewall and antivirus. Hell, forget the antivirus. Just pop in a good firewall and tell the user not to open suspicious attachments.

      How hard is it to use and configure a firewall? ZoneAlarm in learning mode is a good example. It prompts you every time a program wants to launch a connection or accept a connection to/from the internet. Simply allow all programs you know, disallow anything that you don't know about.

      What we
      • People throw the idea of a private trusted internet around all the time but I can say in the case of the university there are damn few people in my research group (chemistry) who know or care to secure the computers. We want them to be tools and don't want to spend any time worrying about updates and security. Someone will connect to the university and they will be the lowest common denominator. Who's to say the average guy on the street wouldn't be smarter? I'll stick to the one internet and keep closi
  • by Rosco P. Coltrane (209368) on Thursday November 13, 2003 @06:34PM (#7469093)
    "It sets a precedent now in the judicial system where a hacker can just claim somebody took over his computer, the program vanished and he's free and clear," he said

    Right. So if you want to do something illegal, install the version of Windows that's currently most targeted by viruses and worms (XP these days I presume), be very careful *not* to install any service patch, and commit all your crimes with the default Windows telnet client. If you're caught, pretend your computer was hacked and it'll be very plausible. To complete the picture and look even more innocent, pepper a couple of letters to Grandpa, checking account spreadsheets and windows_tips.doc files in your "My Documents" folder.

    Of course, don't get caught doing your deeds on a *nix box or your fake computer-loser attitude will appear a lot more suspicious in court ...
  • by kaan (88626) on Thursday November 13, 2003 @06:36PM (#7469113)
    Look at the rest of society, outside of the context of computing.

    If I have a knife and I leave it on a table, and a neighborhood kid comes over and stabs himself in the head, I'll probably get sued (and lose) even though I didn't do the stabbing.

    If I leave the keys to my car and somebody steals it, drives all over town and runs over a group of teenagers, I'll probably get sued as being somewhat responsible because I provided the car (indirectly).

    If I'm a parent with a house full of handguns, and my child finds one and blows his sister's head off, I'll probably end up in jail even though I didn't pull the trigger.

    I can't think of too many examples where our society wouldn't sue the hell out of anyone, even if you're just a by-stander, when something goes wrong. Whether or not that's "right" or "the way things should be", it certainly is. So why should it be any different if my computer is used to do something malicious or damaging? I say stick with the established precedent and blame the computer owner, even if he had nothing to do with the crime. It might not be fair, but at least it would be consistent. We don't live in a society of fairness anyway, we live in a society of blame and accusation.
  • Where someone was acquitted for hacking the Port of Houston using the defence that his computer was infected by a Trojan that was used as a springboard. Information here [guardian.co.uk], I feel I have to apologise for the idiot journalist who wrote this; 'Trojanism - computer language for an outside takeover of his PC'
  • This would be the argument I'd use against the RIAA if I were ever dragged to court. In fact, once the first person actually argues this and wins, it will take ALL of the wind out of their sails as far as harassing P2P users goes.

    If you doubt this argument would hold... the first P2P MP3 archiving worm will truly make this a valid argument.

    I'm really surprised nothing like that is out there already. *hint* *hint*

  • Everyone seems to think there is always *an* owner to a computer and on top of that, that no one else ever uses that computer. In a typical household there are several persons, so how would you go about telling who in the household is the guilty one? Perhaps outsiders (friends, family and so on visiting you) are using the computer? It is normally very hard to tie a specific person to a specific time and use of a computer.
  • The UK case where the "hacker" claimed a trojan was responsible for the hacking attempts on the US server is very interesting.

    The teenager and his lawyers presented no evidence whatsoever about the existence of the trojan on his computer. Based on the press coverage on the case they didn't even identify which trojan had supposedly infected his home computer.

    In fact, based on press coverage, experts working for the prosecutors even stated for the record that there was no evidence to suggest there ever was
  • by Michael Crutcher (631990) on Thursday November 13, 2003 @06:42PM (#7469195)
    .. just walks up to an apartment complex with a wireless card and initiates their hack from there. Toss the wireless card (bought in cash) or spoof the MAC address (entirely possible) and poof, it's not going to be traced. This is a sticky problem because only the dumbest crackers (script kiddies) aren't going to take these extremely simple precautions to avoid being caught.

    As long as wireless networks remain as insecure as they are right now it's going to be cracker paradise. I don't see an easy solution to the problem, it almost seems like if a hack can be traced back to your computer you almost certainly didn't commit the crime (unless you're a complete asshat).

  • ...about this scenario. It might actually be better if innocent people are on the line for damages. It would show people that, yes, you have that wonderful cable/adsl line, but you also have the responsibility to use it wisely. Meaning you should put firewalls, antivirus, etc on your computer.

    Think about it. People would be forced to become more computer literate, and with more firewalls and security conscious people, there would be less zombies firing away at SPEWS and stuff. Okay, true, US law doesn't re
  • WiFi as a defense (Score:5, Interesting)

    by fmaxwell (249001) on Thursday November 13, 2003 @06:45PM (#7469225) Homepage Journal
    I have been waiting to see one of the RIAA lawsuit defendants use WiFi as a defense. If someone runs a WiFi 802.11a/b/g/etc. network and presents a defense in which they claim that the shared files must have been on a neighbor's computer, it would create the reasonable doubt necessary for the jury to find the defendant not guilty.

    I believe that it's only a matter of time and when it happens, it will put a real crimp in the RIAA's plans to sue every user of Kazaa.

    P.S. Don't waste bandwidth claiming that the defendant is legally responsible for the actions of others over their unsecured WiFi setup. That's not how the law works. If you leave your car unlocked and I steal it, you are not responsible if I smuggle drugs in your stolen vehicle.
    • If you leave your car unlocked and I steal it, you are not responsible if I smuggle drugs in your stolen vehicle.

      No, but in the case of running an open wifi network or unsecure computer, the prosecution may well try to hit you with a claim of negligence.
  • by joelparker (586428) <joel@school.net> on Thursday November 13, 2003 @06:47PM (#7469249) Homepage

    If my auto-downloader gets the Linux kernel,
    then a Microsoft Word macro virus alters it,
    then an Outlook worm sends it everywhere,
    who exactly is liable for infringement on SCO?

  • Should cases like this be handled in the same fashion as say a homicide? If someone shoots a person with someone else's gun, does the gun owner hold any of the blame? Something like that comes down to if the person gave the murderer the gun, if they negligently left the gun and had no knowledge of it, or if the gun was blatantly taken by force and used in the murder. Of course, your first instinct is that negligent sys-admins should be held liable for not patching their system, but can you say the same thing
  • I think in essence the problem is similar to that which is being faced in designing "fool-proof" electronic-voting systems.

    Each one of the steps in the electronic voting has an analogue to the problem of how to "tie" the computer to the user ...

    Specifically:
    1. How do you know that the intended voter really did make the selections and was actually the one interacting with the machine?

    2. How do you know that the instructions of the intended voter were fairly transmitted ?

    3. How do you make sure that the i
  • by isomeme (177414) <cdberry@gmail.com> on Thursday November 13, 2003 @06:55PM (#7469331) Homepage Journal
    Might it be best to make computer owners responsible for all harm caused by their computers, no excuses allowed? People would become much more security conscious. Insurers could include computer liability insurance with home or business coverage, with "good driver"-like discounts if you can show you use proper safeguards.

    It's a harsh position, I know, but it seems like it might work.
  • by fbg111 (529550) on Thursday November 13, 2003 @07:08PM (#7469442)
    I'm sure Microsoft will save the day. They'll integrate a keystroke logger, packet sniffer, and disk imager into the Longhorn kernel, with an added feature that it sends all data gathered back to a centralized Microsoft database (running on BSD of course) every hour. That way there will always be a pristine, completely unadulterated record of everything everyone did on their computers, in case the courts need to get involved. And politicians who look at kiddie porn can have that part erased from their data for a small (infinitely recurring) fee.
  • The issues (Score:3, Insightful)

    by skinfitz (564041) on Thursday November 13, 2003 @07:08PM (#7469450) Journal
    Unless you have failsafe tamper proof user interfaces that use biometrics to constantly authenticate the user (i.e. fingerprint and body temperature signature recognising keyboards and mice) along with RFID readers to detect the proximity of the user to the machine (based on the RFID chips implanted in the user's body, naturally) along with digitally signing the network traffic generated by the user of the machine with the biometric data of that user in a way that it could not be tampered with, along with video cameras constantly filming what the user is doing, then the trojan case will always be available...
  • Everyone but us (Score:3, Interesting)

    by gdav (2540) on Thursday November 13, 2003 @08:58PM (#7470278)
    Anyone reading slashdot is by definition in a vanishingly tiny minority. We, and only we, have a relatively good sense of how to defend ourselves.

    The rest of the population are a bit like my neighbour. He has a Windows 2000 laptop (that's what it came with) and recently got an ADSL connection. His ADSL link went live about 10:30 one morning; by 12:15 he had been blocked by his ISP for spreading Blaster.

    That's when he knocked on my door. I printed out his task list (i.e. things that couldn't even be bothered to cloak themselves). Including Blaster, he had already been compromised five ways. A hacked copy of Dameware was in there, plus a ratio-based FTP server. I can't remember what the other two were.

    The point is, he could have unknowingly been carrying gigabytes of warez or child porn on the same day he bought his shiny new ADSL modem.

    So I'm inclined to take very seriously the "it wasn't me" defence. For almost everyone, it's true.
