The Computer Owner - Guilty or Not Guilty? 539
Von-at-Infosec_Writers asks: "It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime could become much more difficult especially since, as a recent CNN.com article stated, a hacker's legal defense can be: it wasn't me but my hijacked computer that committed the crime. 'In some cases, I do suspect there are people whose computer is taken
over by third parties. It's also a clever defense to exculpate your client,' says Michael Allison of the Internet Crimes Group.What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?" As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?
Innocent Until Proven Clueful (Score:5, Insightful)
In all three cases, no one has suggested that the verdicts were anything other than correct.
I think it's going to be pretty easy to tell, within the law, whether the computer owner knew that a hack attack or illegal download was occurring on his/her computer. Most of the time, the court's answer will be "no".
If a remote-control Trojan is on the PC, then the prosecution would have to prove that:
* The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.
* Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.
While the defense attorney needs only argue that his client is just an average Joe(anne), and wouldn't know what a Trojan [trojancondoms.com] was if he/she bought one at the drugstore. The defense attorney should be facing a receptive audience. Remember, in the US at least, he'll be facing a jury of 12 average citizens who know as little about how computers work as I do about brain surgery.
Or perhaps less. At least I know which box my brain is in.
Re:Innocent Until Proven Clueful (Score:3, Funny)
Re:Innocent Until Proven Clueful (Score:3, Funny)
Re:Innocent Until Proven Clueful (Score:5, Funny)
Re:Innocent Until Proven Clueful (Score:3, Funny)
Re:Innocent Until Proven Clueful (Score:5, Insightful)
Re:Innocent Until Proven Clueful (Score:2)
Re:Innocent Until Proven Clueful (Score:2, Informative)
I have several friends who are CS majors and use Windows 98 with no virus protection or firewall.
Win98 came with their computer, and works fine for what they use it to do: play games, download movies and mp3s, and SSH into other computers on campus to do their programming projects. They don't want the hassle of upgrading to a more secure OS or installing security software.
Being a CS major doesn't mean you're serious about network security. It might seem incriminating if a CS major's computer w
Re:Innocent Until Proven Clueful (Score:5, Interesting)
Typically the only people who know anything about security are the same people who have built a complete system from parts. It's sad but a lot of CS people aren't hackers (in the hackers-with-a-dumb-glider-logo sense of the word).
Come to think of it the only programmer I know who actually went to school and got a CS degree is my mom, and it was her second degree -- she went back to school to pursue a well-paying career. I still remember the shoeboxes full of punch cards. She is clueless about Internet security, but pretty 1337 with COBOL and JCL, if such a thing is possible.
Re:Innocent Until Proven Clueful (Score:5, Funny)
Prison is not an adequate punishment.
Re:Innocent Until Proven Clueful (Score:3, Interesting)
Re:Innocent Until Proven Clueful (Score:4, Insightful)
That's right, because there is no such thing as batch jobs and scheduled tasks. Any "expert" witness the prosecution calls upon to talk about such things must be getting bribed to do so.
Re:Innocent Until Proven Clueful (Score:4, Interesting)
Re:Innocent Until Proven Clueful (Score:3, Funny)
Re:Innocent Until Proven Clueful (Score:3, Informative)
The sad thing is, I could easily see many CS students managing to get infected. When I got my degree, most of my classmates were good at programming, but couldn't admin or secure a paper bag, much less their pe
Re:Innocent Until Proven Clueful (Score:5, Informative)
Of course, is it really right to hold someone liable for damages that result in an intrinsically harmless slip-up? Say I forget to patch SSH or Apache and someone launches an attack from my box. Should I be held liable? If so, why? Because I should know better? That may be true, but I can always argue that I'd intended to patch but just hadn't found the time to do so, and someone by chance, found my box. If my schedule in a particular week isn't amenable to patching a particular aspect of my system, but I need SSH or Apache during that week, why should I be held liable for damages resulting from someone illegally hijacking my computer? Let's keep the blame where it belongs, here.
Re:Innocent Until Proven Clueful (Score:3, Insightful)
The issue I have here, is that frequently the offender is using an unprotected computer to exploit a ho
Re:Innocent Until Proven Clueful (Score:5, Insightful)
If a remote-control Trojan is on the PC, then the prosecution would have to prove that:
* The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.
* Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.
Really you tell me how to detect a kernel level trojan on a windows box besides running your own seperate intrusion detection system that knows what way the trojan works. (So if its an unknown one you aint gonna find it). And if the person removes the trojan and overwrites itself you aint gonna find any evidence of it
Re:Innocent Until Proven Clueful (Score:3, Insightful)
Comment removed (Score:5, Insightful)
Re:Innocent Until Proven Clueful (Score:3, Insightful)
I worked for several years as a support tech for an ISP. When Mellissa came around, most of the techs were running around like chickens with their heads cut off, while I laughed. Same thing with the Love Bug. Why? Because unlike everybody else, I used Eudora for email, not Outlook. It doesn't have the well-known security holes, so it's safe from the trojans aimed at Outlook. (OK; that's not the only reason, or the main re
Re:Innocent Until Proven Clueful (Score:5, Interesting)
Brian
Re:Innocent Until Proven Clueful (Score:3, Interesting)
Or did you mean that the person who should be prosecuted is the person who made the trojan/virus that was used on the system? In this case the analogy would be something close to "The only person who should be held liable in the case
Re:Innocent Until Proven Clueful (Score:3, Insightful)
While it would be great to prosecute only the people that deliberately exploit holes in programming, your idea would do more harm than good. (Much like the DMCA...). If I write code to work around a known Windows API bug that exploits a not-quite-normal workaround, am I hacking Windo
The courts will work this out....eventually (Score:5, Insightful)
defense will be all too common. How can you hold people
responsible for holes in their system while microsoft produces
software with numerous holes in it, but is not held responsible.
An interesting analogy is gun crimes. If someone owns a gun,
and it is proven conclusively that the gun committed a crime,
but it cannot be proven conclusively that the owner of the gun
is the one who pulled the trigger (opportunity), then it is
difficult to establish a case.
I think a similar idea will work itself out with computer
crime. The fact that your computer did something isn't enough,
you have to be a willing participant in the incident.
Perhaps there should be laws to punish people who leave
unpatched, unprotected computers sitting on the internet. There
are laws that punish irresponsible gun owners, should we also
punish negligent computer owners? What about negligent
programmers?
As an aside, in the last court case I was involved in, e-mail
was admissible in court. The only thing I had to do was produce
some e-mail correspondence between myself and the other party.
The lawyers and the judges all accepted them without a word.
While the e-mails were in fact real, and the transmission could
be verified by isp records, the simple fact that the opposing
council didn't so much as raise an eyebrow shows me just how
ignorant the legal system still is when it comes to technology.
This happened less than a year ago.
Re:The courts will work this out....eventually (Score:5, Insightful)
Re:The courts will work this out....eventually (Score:2)
Re:The courts will work this out....eventually (Score:3, Insightful)
> vulnerable systems on the web? I think not.
I think that day is coming.
I think we're at a point of time in computer ownership that was probably a lot like the early days of car ownership.
I'd be fairly certain that there were hardly any rules for the first few years that cars were on the roads, since there wasn't sufficient public perception that lots of rules were required. It was only after enough people got run over, enough cars run off the road, enoug
Re:The courts will work this out....eventually (Score:2)
Re:The courts will work this out....eventually (Score:2)
Re:The courts will work this out....eventually (Score:3, Interesting)
Did you not read my post? I said "no amount of commercial loss compares with murder." The consequences of negligent gun ownership are infinitely worse than simply leaving your computer online without patching it. If you think outlawing vulnerable computers is going to stop all hacks, you are either stupid or naive. Many people don't own guns because they fear t
Re:"If a computer gets infected, no one dies" (Score:3, Insightful)
Re:The courts will work this out....eventually (Score:2)
Re:The courts will work this out....eventually (Score:2)
Re:The courts will work this out....eventually (Score:2)
Re:The courts will work this out....eventually (Score:5, Insightful)
The problem with computer crime is that the alibi part of the equation is harder for the computer owner to prove. He may very well have been actively using the computer in question that hacked the Bank of North Elbonia at the time of the crime, but that doesn't mean he did it. In spite of that, proving that he wasn't the perp is difficult. Most other alibis work because of physical bias placing the individual in some other place than the crime in question. This is harder to prove in a virtual setting.
Re:The courts will work this out....eventually (Score:2)
I don't see
Re:The courts will work this out....eventually (Score:3, Insightful)
I think a better analogy is that of possession of stolen goods. I can buy a used bike, for example, in good faith from a garage sale, use it for months, then one day the police stop me and tell me that bike was stolen. How can I prove that I didn't steal it myself? How can
Re:The courts will work this out....eventually (Score:3, Insightful)
programmers?"
Not a fan of either. A significant chunk of vulnerable machines out there are owned by people who don't have a strong enough interest in computers to know they should be patching. Making sure your computer is secure is not as simple as putting a lock on you
well (Score:4, Insightful)
on the other hand, if someone cuts your brake lines, you crash and kill someone, you are not at fault.
I would think that viruses and trojans and worms and such would fall more under the 'someone cuts your brake lines' category.
Re:well (Score:3, Insightful)
Re:well (Score:2)
The burden of proof is always on the accuser. Well according to the Constitution it is, but lets not get into that....
Re:well (Score:2)
This raises all sorts of issues, namely what is to be considered unsafe. In the US, the definition of unsafe vehicle seems to vary from state to state; at the very least, it's enforced differently. In Texa
Re:well (Score:2)
Personally, I'd blame my ISP. They won't let me behave as if my PC is directly connected to the internet (e.g., they won't let me run my own mail server or web server or FTP server; they won't give me a static I
Re:well (Score:2)
For better or worse a pretty valid argument (Score:2, Insightful)
And since there currently is no crime for keeping a computer unsecured on the internet, I doubt there is much that can be done.
SIMPLE! (Score:5, Funny)
Re:SIMPLE! (Score:2)
I guess i'll opt for the first option...
Keyloggers will only help proving it wasn't done by the guy that say's it's computer was hijacked, it will not help getting the right man. Since the guy with the hijacked computer can use that argument now allready and we all hope 'Innocent until proven otherwise' still applies
Breaking Point Chaos and Destruction Online (Score:5, Interesting)
It's actually very easy to frame someone online which will be (mark my word) the next big thing in divorce cases, criminal cases, etal. I won't comment anymore on these issues though. I've been through the whole shabang. One thing people should be aware of though is the ease of which someone could actually do something malicious to another person. Courts, well let's just say if you're the accused, pray you don't get a computer phobic (which the DA will try to ensure he selects the most of) jury.
Re:Breaking Point Chaos and Destruction Online (Score:4, Insightful)
For example:
Staffer: "Hey, I have no idea where that child pr0n came from!"
Manager: "Look, don't make this harder than it has to be. Just pack up your stuff and we won't tell your wife or the paper."
Staffer: "But I never saw that before!"
Manager: "That's what they all say."
With a careful admin, even browser history and caches can be faked. And there's not a thing that the poor staffer could do about it.
How about cars? (Score:2, Redundant)
Same as with someone's car.
Proving who is on the machine is very difficult though.
Re:How about cars? (Score:2)
Well, I guess I have to ask...can I borrow your car?
Same as in a car! (Score:4, Insightful)
If your computer was hijacked and you did nothing to prevent it, its YOUR fault. If you ran antivirus/firewall/whatever, then it's the fault of the hacker, and you shouldn't be held responsible.
Of course, we need a good definition of a "good faith attempt at computer security", but that's a grey legal line. Personally, I think that if a patch has been available for more than, say, 2 months, and you aren't patched, its your damn fault. If you installed a program explicitly, then it's your fault (even if it was spyware)-- the analogy, if you get super-duper-hood-attachments for your car and they fly off and impale someone, its your fault.
Of course, that sucks, but it's the only way I can see to segment culpability for crimes in this case.
Answers to your questions. (Score:3, Interesting)
> Internet-connected computer have for crimes
> committed using their equipment
None, unless they have responsibility for
the use itself.
> and what are ways we can best determine
> their involvement, or lack of it, in said
> crimes?
Firstly, you don't want to. You don't want
to live in a world where people can't
speak freely on the Internet. Therefore
you don't want to live in a world where
it is easy to hunt down and kill anyone
who criticizes you.
Secondly, in the U.S., you need proof beyond
a reasonable doubt to convict of a crime.
That will never happen without human
witnesses to substatiate the accuracy of
data submitted in evidence, since all data
is equally possible to fabricate on demand.
So, in brief, only on the testimony of
disinterested witnesses can responsibility
for a digitally intermediated act be
proven or refuted.
Just a matter of good forensics (Score:3, Interesting)
Re:Just a matter of good forensics (Score:2)
"Attractive Nuisance" (Score:5, Interesting)
Homeowners can be jailed when trespassers drown in their pool, because the pool falls under the heading of, "Attractive Nuisance." It thus falls to the homeowner to properly secure access to the pool, or risk getting sued when some vagrant wanders in and gets hurt.
I can see this concept being extended to the Internet: By placing an unsecured box on the network, you have introduced an Attractive Nuisance, and it can be argued that the machine's owner bear responsibility for collateral damage.
Trouble is, can the machine's owner really be held responsible for such consequences when the OS vendor willfully misrepresented the concordant hazards and responsibilities of placing their product on the open Internet?
Schwab
Re:"Attractive Nuisance" (Score:2)
If the pool came with a fence to keep people out, and the fence didn't work it then becomes an argument if the owner knew the fence didn't work. In Microsoft's case, even commoners know it's less secure. Either way, the fence maker would then be liable for misrepresentation, and the resultant effects.
[IANAL]
Re:"Attractive Nuisance" (Score:2)
(Or was it because of the big amounts of money?)
Re:"Attractive Nuisance" (Score:2)
However, with software, the complexity of the system is so great that even the original authors will not warrant it's correctness and/or security. The average
B1ll Gat3s r00t k1t (Score:2)
"Your honor, it wasn't my computer that was responsible. It was the poorly designed code that had `x` number of security flaws. Microsoft is at fault!"
Or, "Your honor, Bill Gates 0wnz y0u!"
Hmmm (Score:2, Insightful)
l33t are less likely to use the defense? (Score:2)
ahh... aren't conspiracy theories beautiful?
and, it seems clear that your average jury of 12 AOLers will glaze over about five minutes into the heavy tech testimony, thus giving the creative defense attorney more than enough room
What's the problem? (Score:2)
A modest proposal (Score:2)
Who exactly were the attorneys arguing to? A jury/judge with little to no specific technical education regarding the matter? People perhaps ill-equipped to know what is and is not possible with viruses or trojans?
To be assured of a fair decision, the decision-makers in these cases must be people that both display n
It seems pretty clear to me (Score:2)
If someone steals a car and uses it to commit a crime, is the owner of the car guilty of the crime?
"It sets a precedent now in the judicial system where a hacker can just claim somebody took over his computer, the program vanished and he's free and clear,"
To extend my analogy a little more, the owner of the car used to commit the crime could claim the car was stolen and returned.
Just because it's hard to catch the person who actually committed the crime doesn't mean
Brick and Mortar Crimes (Score:2)
I would liken computer crimes to that of bringing the gun back to the owner. An educated gun owner will know if his gun is fired or kept clean.
Re:Brick and Mortar Crimes (Score:2)
Computer's have no such license requirement, and as such, no baseline requirement. Since there is no baseline, imposing one would be very difficult. Especially imposing a baseline knowledge requirement
No, you don't (Score:2)
Re:Brick and Mortar Crimes (Score:2)
How hard is it to use and configure a firewall? ZoneAlarm in learning mode is a good example. It prompts you every time a program wants to launch a connection or accept a connection to/from the internet. Simply allow all programs you know, disallow anything that you don't know about.
What we
Re:Brick and Mortar Crimes (Score:3, Interesting)
Finally something Windows is good for (Score:3, Funny)
Right. So if you want to do something illegal, install the version of Windows that's currently most targetted by viruses and worms (XP these days I presume), be very careful *not* to install any service patch, and commit all your crimes with the default Windows telnet client. If you're caught, pretend your computer was hacked and it'll be very plausible. To complete the picture and look even more innocent, pepper a couple of letters to Grandpa, checking account spreadsheets and windows_tips.doc files in your "My Documents" folder.
Of course, don't get caught doing your deeds on a *nix box or your fake computer-loser attitude will appear a lot more suspicious in court
Guilty by precedent (Score:5, Insightful)
If I have a knife and I leave it on a table, and a neighborhood kid comes over and stabs himself in the head, I'll probably get sued (and lose) even though I didn't do the stabbing.
If I leave the keys to my car and somebody steals it, drives all over town and runs over a group of teenagers, I'll probably get sued as being somewhat responsible because I provided the car (indirectly).
If I'm a parent with a house full of handguns, and my child finds one and blows his sister's head off, I'll probably end up in jail even though I didn't pull the trigger.
I can't think of too many examples where our society wouldn't sue the hell out of anyone, even if you're just a by-stander, when something goes wrong. Whether or not that's "right" or "the way things should be", it certainly is. So why should it be any different if my computer is used to do something malicious or damaging? I say stick with the established precedent and blame the computer owner, even if he had nothing to do with the crime. It might not be fair, but at least it would be consistent. We don't live in a society of fairness anyway, we live in a society of blame and accusation.
There was a reent case in Britain... (Score:2)
Use this against the RIAA! (Score:2)
If you doubt this arguement would hold... the first P2P MP3 archiving worm will truly make this a valid argument.
I'm really suprised nothing like that is out there already. *hint* *hint*
More problems to sort out (Score:2)
No proof of trojans (Score:2)
The teenager and his lawyers presented no evidence whatsoever about the existance of the trojan on his computer. Based on the press coverage on the case they didn't even identify which trojan had supposedly infected his home computer.
In fact, based on press coverage, experts working for the prosecutors even stated for the record that there was no evidence to suggest there ever was
Any hacker (cracker) with a clue (Score:5, Insightful)
As long as wireless networks remain as insecure as they are right now its going to be cracker paradise. I don't see an easy solution to the problem, it almost seems like if a hack can be traced back to your computer you almost certainly didn't commit the crime (unless you're a complete asshat).
I've often thought... (Score:2)
Think about it. People would be forced to become more computer literate, and with more firewalls and security conscious people, there would be less zombies firing away at SPEWS and stuff. Okay, true, US law doesn't re
Comment removed (Score:5, Interesting)
Re:WiFi as a defense (Score:2)
No, but in the case of running an open wifi network or unsecure computer, the prosecution may well try to hit you with a claim of negligence.
Can we ask Daryl about this? (Score:4, Funny)
If my auto-downloader gets the Linux kernel,
then a Microsot Word macro virus alters it,
then an Outlook worm sends it everywhere,
who exactly is liable for infringement on SCO?
Reasonable Doubt (Score:2)
Similar Conceptually to Electronic Voting Problems (Score:2)
Each one of the steps in the electronic voting has an analogue to the problem of how to "tie" the computer to the user
Specifically:
1. How do you know that the intended voter really did make the selections and was actually the one interacting with the machine?
2. How do you know that the instructions of the intended voter were fairly transmitted ?
3. How do you make sure that the i
Actions and consequences (Score:3, Insightful)
It's a harsh position, I know, but it seems like it might work.
Don't worry, Microsoft will solve it (Score:3, Funny)
The issues (Score:3, Insightful)
Everyone but us (Score:3, Interesting)
The rest of the population are a bit like my neighbour. He has a Windows 2000 laptop (that's what it came with) and recently got an ADSL connection. His ADSL link went live about 10:30 one morning; by 12:15 he had been blocked by his ISP for spreading Blaster.
That's when he knocked on my door. I printed out his task list (i.e. things that couldn't even be bothered to cloak themselves). Including Blaster, he had already been compromised five ways. A hacked copy of Dameware was in there, plus a ratio-based FTP server. I can't remember what the other two were.
The point is, he could have unknowingly been carrying gigabytes of warez or child porn on the same day he bought his shiny new ADSL modem.
So I'm inclined to take very seriously the "it wasn't me" defence. For almost everyone, it's true.
Re:If this were the case... (Score:2)
Re:If this were the case... (Score:2)
Re:If this were the case... (Score:2)
Re:If this were the case... (Score:5, Insightful)
if a computer is compromised, never believe the logs.
Re:If this were the case... (Score:2)
Re:Security, by popular demand. (Score:2)
No, the public will more likely fall all over themselves to get off the internet.
Re:Competence? (Score:2)
Re:Competence? (Score:2)
Re:Competence? (Score:2)
Re:How 'bout if (Score:2)
Re:come now (Score:2)
Re:... and shoot those that leave open relays/prox (Score:2)