The Computer Owner - Guilty or Not Guilty? 539
Von-at-Infosec_Writers asks: "It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime could become much more difficult especially since, as a recent CNN.com article stated, a hacker's legal defense can be: it wasn't me but my hijacked computer that committed the crime. 'In some cases, I do suspect there are people whose computer is taken
over by third parties. It's also a clever defense to exculpate your client,' says Michael Allison of the Internet Crimes Group.What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?" As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?
Re:Innocent Until Proven Clueful (Score:2, Informative)
I have several friends who are CS majors and use Windows 98 with no virus protection or firewall.
Win98 came with their computer, and works fine for what they use it to do: play games, download movies and mp3s, and SSH into other computers on campus to do their programming projects. They don't want the hassle of upgrading to a more secure OS or installing security software.
Being a CS major doesn't mean you're serious about network security. It might seem incriminating if a CS major's computer was used in an attack, but hopefully they could defend themselves by showing that they don't hang out in IRC chatrooms or brag about their hacks to other script kiddies.
Re:Innocent Until Proven Clueful (Score:3, Informative)
The scary part is the general public would assume a CS student knows how to secure their computer like you said, while it isn't something taught in many CS programs. (I know mine was focused on programming and theory, there was not a single required course that focused on security of any kind, even on coding securely.)
Re:Innocent Until Proven Clueful (Score:5, Informative)
Of course, is it really right to hold someone liable for damages that result in an intrinsically harmless slip-up? Say I forget to patch SSH or Apache and someone launches an attack from my box. Should I be held liable? If so, why? Because I should know better? That may be true, but I can always argue that I'd intended to patch but just hadn't found the time to do so, and someone by chance, found my box. If my schedule in a particular week isn't amenable to patching a particular aspect of my system, but I need SSH or Apache during that week, why should I be held liable for damages resulting from someone illegally hijacking my computer? Let's keep the blame where it belongs, here.
Re:WiFi as a defense (Score:1, Informative)
Comment removed (Score:2, Informative)