The Computer Owner - Guilty or Not Guilty?

Von-at-Infosec_Writers asks: "It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime could become much more difficult especially since, as a recent CNN.com article stated, a hacker's legal defense can be: it wasn't me but my hijacked computer that committed the crime. 'In some cases, I do suspect there are people whose computer is taken over by third parties. It's also a clever defense to exculpate your client,' says Michael Allison of the Internet Crimes Group.What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?" As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?

Re:Innocent Until Proven Clueful

[ktheory]

Good point.

I have several friends who are CS majors and use Windows 98 with no virus protection or firewall.

Win98 came with their computer, and works fine for what they use it to do: play games, download movies and mp3s, and SSH into other computers on campus to do their programming projects. They don't want the hassle of upgrading to a more secure OS or installing security software.

Being a CS major doesn't mean you're serious about network security. It might seem incriminating if a CS major's computer was used in an attack, but hopefully they could defend themselves by showing that they don't hang out in IRC chatrooms or brag about their hacks to other script kiddies.

Re:Innocent Until Proven Clueful

[Maestro4k]

• Problem is, of course, that if you're a CS student who has been a bit lax about security, you're probably screwed. People don't understand computers , so your jury won't understand that anybody who is studying computers or has *specific* knowledge isn't a super-1337 hax0r who is probably guilty.

The sad thing is, I could easily see many CS students managing to get infected. When I got my degree, most of my classmates were good at programming, but couldn't admin or secure a paper bag, much less their personal computers.

The scary part is the general public would assume a CS student knows how to secure their computer like you said, while it isn't something taught in many CS programs. (I know mine was focused on programming and theory, there was not a single required course that focused on security of any kind, even on coding securely.)

Re:Innocent Until Proven Clueful

[Durandal64]

Being a CS student does not necessarily grant one a good working knowledge of networks. I've seen plenty of CS students and experienced programmers who wouldn't know how to properly secure their systems. Now, if the person in question is a Network Infrastructure student or Novell-certified, it's almost a no-brainer that he should know how to secure his machine.

Of course, is it really right to hold someone liable for damages that result in an intrinsically harmless slip-up? Say I forget to patch SSH or Apache and someone launches an attack from my box. Should I be held liable? If so, why? Because I should know better? That may be true, but I can always argue that I'd intended to patch but just hadn't found the time to do so, and someone by chance, found my box. If my schedule in a particular week isn't amenable to patching a particular aspect of my system, but I need SSH or Apache during that week, why should I be held liable for damages resulting from someone illegally hijacking my computer? Let's keep the blame where it belongs, here.

Re:WiFi as a defense

[Anonymous Coward]

Close. Two things though: 1) the standard of proof in a civil case is a "preponderance of evidence," 2) Civil charges result in verdicts of responsible or not responsible.

Comment removed

[account_deleted]

Comment removed based on user account deletion