The Computer Owner - Guilty or Not Guilty?
Von-at-Infosec_Writers asks: "It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime could become much more difficult especially since, as a recent CNN.com article stated, a hacker's legal defense can be: it wasn't me but my hijacked computer that committed the crime. 'In some cases, I do suspect there are people whose computer is taken over by third parties. It's also a clever defense to exculpate your client,' says Michael Allison of the Internet Crimes Group. What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?" As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?
[...] their attorneys successfully argued that trojan programs found on their computers were to blame.
In all three cases, no one has suggested that the verdicts were anything other than correct.
I think it's going to be pretty easy to tell, within the law, whether the computer owner knew that a hack attack or illegal download was occurring on his/her computer. Most of the time, the court's answer will be "no".
If a remote-control Trojan is on the PC, then the prosecution would have to prove that:
* The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.
* Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.
While the defense attorney needs only argue that his client is just an average Joe(anne), and wouldn't know what a Trojan was if he/she bought one at the drugstore. The defense attorney should be facing a receptive audience. Remember, in the US at least, he'll be facing a jury of 12 average citizens who know as little about how computers work as I do about brain surgery.
Or perhaps less. At least I know which box my brain is in.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
Would not there be logs of some sort to PROVE his computer had been hijacked by a third party?
Unfortunately, I think the "I didn't do it, my computer did"
defense will be all too common. How can you hold people
responsible for holes in their system while Microsoft produces
software with numerous holes in it, but is not held responsible.
An interesting analogy is gun crimes. If someone owns a gun,
and it is proven conclusively that the gun committed a crime,
but it cannot be proven conclusively that the owner of the gun
is the one who pulled the trigger (opportunity), then it is
difficult to establish a case.
I think a similar idea will work itself out with computer
crime. The fact that your computer did something isn't enough,
you have to be a willing participant in the incident.
Perhaps there should be laws to punish people who leave
unpatched, unprotected computers sitting on the internet. There
are laws that punish irresponsible gun owners, should we also
punish negligent computer owners? What about negligent
programmers?
As an aside, in the last court case I was involved in, e-mail
was admissible in court. The only thing I had to do was produce
some e-mail correspondence between myself and the other party.
The lawyers and the judges all accepted them without a word.
While the e-mails were in fact real, and the transmission could
be verified by ISP records, the simple fact that the opposing
counsel didn't so much as raise an eyebrow shows me just how
ignorant the legal system still is when it comes to technology.
This happened less than a year ago.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
In the US, if your car is going down the freeway and your brakes fail because you didn't do routine maintenance, you end up crashing and killing someone, you are at fault.
On the other hand, if someone cuts your brake lines, you crash and kill someone, you are not at fault.
I would think that viruses and trojans and worms and such would fall more under the 'someone cuts your brake lines' category.
IANAL, but: To put a rather brutal, but analogous comparison in place. If someone breaks into your house, steals a gun, and then shoots someone on the street. The owner of the house would not be guilty of murder. They may be guilty of negligent storage of a firearm, but not much else.
And since there currently is no crime for keeping a computer unsecured on the internet, I doubt there is much that can be done.
Ok, I give up, why you?
This isn't a poll? And it lends itself so well to a 'cowboyneal' response......
Ads are broken.
Ostensibly for security purposes, biometrics will be used to identify computer users....coded into the CPUs. That'll help the RIAA and MPAA....
there - that should be a good karma wh.....um never mind.....
This sig contains a manual self-destruct. Kindly please put your foot through your monitor in 8 seconds.
For all the heat it takes, it does have some useful attributes.
Just as irrigation is the lifeblood of the Southwest, lifeblood is the soup of cannibals. -- Jack Handy
I don't know. How responsible are you for a drive-by shooting, done with your stolen car?
No encryption can withstand the power of the Lucky Guess.
Are nearly always guilty in part.
So that's that.
And you can ask anyone and they will tell you I'm right.
Blogzine
Fortress of Insanity?
clifgriffin > blog
It's actually very easy to frame someone online which will be (mark my word) the next big thing in divorce cases, criminal cases, et al. I won't comment anymore on these issues though. I've been through the whole shebang. One thing people should be aware of though is the ease with which someone could actually do something malicious to another person. Courts, well let's just say if you're the accused, pray you don't get a computer phobic (which the DA will try to ensure he selects the most of) jury.
MoFscker
Same as with someone's car.
Proving who is on the machine is very difficult though.
X(7): A program for managing terminal windows. See also screen(1).
Competence?
The court can look at the computer skill/intelligence of that individual and tell quite readily. No 80 year old grandma who can barely work AOL will have the 'skillz' to hack whitehouse.gov. A CS/EE major with lots of hacking programs on his computer would. Since the computer would be seized to evidence, they could look at the installed programs (mainly those executed frequently and readily accessible). The true problem comes when the hacker does the hacking using a removable disk drive or on a public computer.
If there is a threat of loss of money or freedom by allowing your PC to become hijacked, popular demand will force computers to be more secure.
If people know they will have to pay money, or serve jail time, the public will fall all over themselves to get security products.
Soon, the money will be behind security, and even Microsoft will put out secure OSes.
More demand will demand more supply.
Pretty Pictures!
If you're driving a car, and the car malfunctions and you hit and kill someone, you shouldn't be held responsible. If you say the car was broken and it wasn't, then it's fraud and you get charged with vehicular manslaughter or whatever.
If your computer was hijacked and you did nothing to prevent it, it's YOUR fault. If you ran antivirus/firewall/whatever, then it's the fault of the hacker, and you shouldn't be held responsible.
Of course, we need a good definition of a "good faith attempt at computer security", but that's a grey legal line. Personally, I think that if a patch has been available for more than, say, 2 months, and you aren't patched, it's your damn fault. If you installed a program explicitly, then it's your fault (even if it was spyware)-- the analogy, if you get super-duper-hood-attachments for your car and they fly off and impale someone, it's your fault.
Of course, that sucks, but it's the only way I can see to segment culpability for crimes in this case.
He who fights with monsters should take care that he does not thereby become a monster. --Nietzsche
> How much responsibility does the owner of an
> Internet-connected computer have for crimes
> committed using their equipment
None, unless they have responsibility for
the use itself.
> and what are ways we can best determine
> their involvement, or lack of it, in said
> crimes?
Firstly, you don't want to. You don't want
to live in a world where people can't
speak freely on the Internet. Therefore
you don't want to live in a world where
it is easy to hunt down and kill anyone
who criticizes you.
Secondly, in the U.S., you need proof beyond
a reasonable doubt to convict of a crime.
That will never happen without human
witnesses to substantiate the accuracy of
data submitted in evidence, since all data
is equally possible to fabricate on demand.
So, in brief, only on the testimony of
disinterested witnesses can responsibility
for a digitally intermediated act be
proven or refuted.
-I like my women like I like my tea: green-
It's not that simple, believe me you. :) A good forensics expert can slice and kill your false I-was-hacked defense in a matter of days.
How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment
Just ask the RIAA and SCO. They'll tell you.
I don't want to be here.
I think it should carry a hefty fine to use that defense. I think a good solution would be a law created that can fine users if their computer is left open to the world. There would be no way to bring someone in on this charge, because the only way to find out that it's open is to hack it, and that's illegal search and seizure. The only way this law would apply would be to people using the "My computer was hijacked" defense, since they're essentially admitting guilt to that charge.
Get the law passed on basis of negligence.
I don't know how it will all go down in the end, but IMO this is how it should work:
- You are completely responsible for the actions taken using your computer, by ANYONE.... unless
- ... unless it can be PROVEN you had a trojan or something that hijacked your system.
This means you can't get off by saying your little brother did it (lame excuse), but can if you were hacked. You could possibly get off if you colluded with the hacker to perpetrate the crime, but the hacker had better be able to make damn sure he's untrackable. An exception to the exception should be made for this instance.
If I run somebody over with my car and kill them, I am guilty of vehicular manslaughter (or worse). If someone steals my car and does the same, they are guilty. No matter that I am the owner and someone got the plate number from the scene. I may be considered a suspect, but I did not commit the crime. Whether the American justice system can tell the difference in the case of a hacker (especially when you throw in the technological aspect) remains to be seen.
I guess if you take time to turn off WU-FTPD, patch Windows RPC, and remove Kazaa, you won't have to worry about it being owned, now would you?
Blogzine
Fortress of Insanity
Homeowners can be jailed when trespassers drown in their pool, because the pool falls under the heading of, "Attractive Nuisance." It thus falls to the homeowner to properly secure access to the pool, or risk getting sued when some vagrant wanders in and gets hurt.
I can see this concept being extended to the Internet: By placing an unsecured box on the network, you have introduced an Attractive Nuisance, and it can be argued that the machine's owner bear responsibility for collateral damage.
Trouble is, can the machine's owner really be held responsible for such consequences when the OS vendor willfully misrepresented the concordant hazards and responsibilities of placing their product on the open Internet?
Schwab
Editor, A1-AAA AmeriCaptions
goatse goatse goatse.
dont mod me down. i didn't post this.
goatse goatse goatse.
i've been hijacked.............. don't mod me down......
MARIJUANA, SHROOMS, X: ONLINE?! - E
Someone stole my car without my knowledge, and committed a crime with it? Would this situation not apply to a computer being compromised without the user's knowledge? A person wouldn't (shouldn't) be held liable for a crime committed with their car, without their knowledge, because they left it unlocked...
Maybe I'm over simplifying..
"Your honor, it wasn't my computer that was responsible. It was the poorly designed code that had `x` number of security flaws. Microsoft is at fault!"
Or, "Your honor, Bill Gates 0wnz y0u!"
Dude, where's my packet?
How DO you prove whether or not a person had the capability to do the hack? Character witness comes into huge play here, and I have a feeling that as this defense becomes more and more difficult to prosecute in criminal course, we'll see cases popping up where civil suits are being filed against people. In a criminal case you are innocent until proven guilty, while if a civil suit were filed for damages from a specific person's computer, all that has to be proven is that they are the most likely person to have committed the infraction.
I'm waiting for a case to set precedent in this realm. What happens when grandma is on the hook for $250,000 in damages because she was judged for "willful neglect" in not actively taking responsibility to ensure that her computer was adequately protected against trojans? I feel it's only a matter of time before someone proposes that owning a computer carries the same ramifications and responsibilities as owning a gun.
I hope such a thing never actually holds up, but I still fully expect to see it proposed.
Damon,
http://actionPlant.com
Whether they committed the act or not, the owner of the computer system needs to be punished. Not severely, but a 5-10 year prison sentence would be very reasonable and a $5,000-$10,000 fine for a corporation.
ahh... aren't conspiracy theories beautiful?
and, it seems clear that your average jury of 12 AOLers will glaze over about five minutes into the heavy tech testimony, thus giving the creative defense attorney more than enough room to sell "reasonable doubt", or at least to befuddle anyone trying to weigh a "preponderance of evidence" ...
mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
Step 1: Prove the crime was committed by the computer in question.
Step 2: Prove the defendant was the one that committed the crime by a preponderance of the evidence (or beyond a reasonable doubt, if it's a criminal court). How? Your most likely way of doing that would be to find emails, chat logs, phone logs, wiretaps, etc., where the defendant discusses the crime, just like in "real life." If you can't do that, you'd get an expert to examine the hard drive for clues, files that were deleted, etc. Or you could set up a sting if you suspect an individual of computer crime. Wiretap them, put keyboard loggers in place, wait for them to strike again.
I would rather use the defense that my sugar and starch intake from twinkies made me do it. I bet Senator Feinstein would buy it.
Mammas don't let your babies grow up to be system admins.
Well, if all else fails most public libraries have computers with low security and free unrecorded access... not that I'm promoting hacking or anything.
Obviously, the cracker is responsible for his crimes, regardless of whose computer he uses. Yes, accused people might say "someone else used my computer," just as one might say "someone else used my gun." Obviously, the court would need to decide whether or not that is true. The grey area, of course, is when someone agrees to let a cracker use their computer for attacks. But again, unless such collusion can be proven, only the hacker is responsible. So if you know your system's been cracked, you're responsible to turn it off. But I don't think people should be liable simply for running insecure systems - all systems are insecure to some degree.
Litigious bastards
their attorneys successfully argued that trojan programs found on their computers were to blame. In all three cases, no one has suggested that the verdicts were anything other than correct.
Who exactly were the attorneys arguing to? A jury/judge with little to no specific technical education regarding the matter? People perhaps ill-equipped to know what is and is not possible with viruses or trojans?
To be assured of a fair decision, the decision-makers in these cases must be people that both display no bias, as is already requisite, and have some understanding of what an unknown third party can and cannot do with someone's computer. If that narrows down the jury selection, so be it. In cases where the question of guilt can be so finely tuned to just a few technical bits, such perceptive ability is absolutely essential, lest computer criminals walk free.
The coolest voice ever.
Just to use a simplified analogy...
If someone steals a car and uses it to commit a crime, is the owner of the car guilty of the crime?
"It sets a precedent now in the judicial system where a hacker can just claim somebody took over his computer, the program vanished and he's free and clear,"
To extend my analogy a little more, the owner of the car used to commit the crime could claim the car was stolen and returned.
Just because it's hard to catch the person who actually committed the crime doesn't mean someone else should be punished for it. It just means that law enforcement is going to have to work harder to catch the guilty party.
People's desire to believe they are right is much stronger than their desire to be right.
I would liken computer crimes to that of bringing the gun back to the owner. An educated gun owner will know if his gun is fired or kept clean. A sloppy computer owner will never know why his computer is slightly slower than normal. In either case it's the owner's responsibility to keep their property safe but at some point it's impossible to keep everything safe. I'd say if the owner can show they made a good faith effort to secure their property they should be let go.
But in the real world we know it's never so black and white.
I've hit Karma 50 and gotten a Score:5, Troll... I win!
"Trusted Computing."
Then in the same sense shouldn't application developers be as guilty if they have written weak code that has allowed these vulnerabilities and have done nothing to patch the problem within a reasonable (read: short) timeframe?
"It sets a precedent now in the judicial system where a hacker can just claim somebody took over his computer, the program vanished and he's free and clear," he said
...
Right. So if you want to do something illegal, install the version of Windows that's currently most targeted by viruses and worms (XP these days I presume), be very careful *not* to install any service patch, and commit all your crimes with the default Windows telnet client. If you're caught, pretend your computer was hacked and it'll be very plausible. To complete the picture and look even more innocent, pepper a couple of letters to Grandpa, checking account spreadsheets and windows_tips.doc files in your "My Documents" folder.
Of course, don't get caught doing your deeds on a *nix box or your fake computer-loser attitude will appear a lot more suspicious in court
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
One thing investigators can do is to look for evidence that the accused's computer has been "hacked".
If no evidence is found, it is unlikely that the computer was hacked. It is doubtful that the intruder could completely cover his tracks.
The accused may plant evidence of hacking on his own computer, but it may be possible for a forensic analyst to detect this.
Reading Slashdot is ruining my spelling and grammar.
Look at the rest of society, outside of the context of computing.
If I have a knife and I leave it on a table, and a neighborhood kid comes over and stabs himself in the head, I'll probably get sued (and lose) even though I didn't do the stabbing.
If I leave the keys to my car and somebody steals it, drives all over town and runs over a group of teenagers, I'll probably get sued as being somewhat responsible because I provided the car (indirectly).
If I'm a parent with a house full of handguns, and my child finds one and blows his sister's head off, I'll probably end up in jail even though I didn't pull the trigger.
I can't think of too many examples where our society wouldn't sue the hell out of anyone, even if you're just a by-stander, when something goes wrong. Whether or not that's "right" or "the way things should be", it certainly is. So why should it be any different if my computer is used to do something malicious or damaging? I say stick with the established precedent and blame the computer owner, even if he had nothing to do with the crime. It might not be fair, but at least it would be consistent. We don't live in a society of fairness anyway, we live in a society of blame and accusation.
Where someone was acquitted for hacking the Port of Houston using the defence that his computer was infected by a Trojan that was used as a springboard. Information here, I feel I have to apologise for the idiot journalist who wrote this; 'Trojanism - computer language for an outside takeover of his PC'
A lot of people are using a car analogy. However, if Ford sells a car that blows up if you open the door, they issue a recall and presumably pay for any damages that occurred due to the malfunction.
Where is the liability of the software manufacturer? Everyone here is blaming either the computer user or the malicious virus writer. That's like blaming the car owner above for opening the door and blowing his girlfriend to pieces, or blaming a thief who stole the car and opened the doors for blowing up his partner in crime.
I loan my hammer to my neighbor. He goes and uses it to break into store. Should I be arrested for breaking and entering? Should I be arrested for aiding in a crime?
this is the most important sig ever! In your face 446154!
To me, this is an easy answer. If I pick up my hammer, bash you in the head with it... I go to jail. If I steal your brother's hammer, and bash you in the head with it... I go to jail.
The computer is an object, a tool, one with thousands (millions?) of legitimate, productive uses. And just as any other tool can be taken and used to break laws or harm others, one cannot hold the owner of a tool responsible when the hands of another are wielding it.
Of course, that makes sense to ME. Which means that it probably has no bearing at all in the way things will play out.
The longer I'm a member of the Human Race, the more I believe Apocalypse is a valid solution.
If you doubt this argument would hold... the first P2P MP3 archiving worm will truly make this a valid argument.
I'm really surprised nothing like that is out there already. *hint* *hint*
'He was a dreamer, a thinker, a speculative philosopher... or, as his wife would have it, an idiot.' - Douglas Adams
Everyone seems to think there is always *an* owner to a computer and on top of that, that no one else ever uses that computer. In a typical household there are several persons, so how would you go about telling who in the household is the guilty one? Perhaps outsiders (friends, family and so on visiting you) are using the computer? It is normally very hard to tie a specific person to a specific time and use of a computer.
Others have said it, and I'm starting to agree. We need to push for the Right to Bear Technology. The very fact that this question is asked is evidence of that. Take all the various 'car' examples above this post. It seems to me that it's pretty clear that just because silicon is involved, it isn't necessarily a different crime. Negligence is negligence. Murder is murder. Theft is theft. Does crime by computer make it any worse? No, and it's frightening evidence of the slippery slope we're headed down that some think it does. We need an amendment that forbids laws to consider technology as a factor in crime, or the special interests and FUD-masters are going to beat us about the head with our own PC's.
I would like to see a highly publicized case of holding some home broadband user responsible for the fact that their machine was hijacked to send spam or participate in some DDoS.
I've talked to too many people who've said, "I don't need to bother securing my home system because I've got nothing anyone would want." I've answered, "They want to use your machine to attack me." But the message doesn't sink in.
While these end users are being provided with crap systems, there is a market out there. If their choice of bad systems gets them severely spanked, they will start making demands of their providers.
All it would take would be a couple of high profile cases.
The UK case where the "hacker" claimed a trojan was responsible for the hacking attempts on the US server is very interesting.
The teenager and his lawyers presented no evidence whatsoever about the existence of the trojan on his computer. Based on the press coverage on the case they didn't even identify which trojan had supposedly infected his home computer.
In fact, based on press coverage, experts working for the prosecutors even stated for the record that there was no evidence to suggest there ever was a trojan.
How on earth did he not get convicted???
In Soviet Russia, I ruled you
As long as wireless networks remain as insecure as they are right now it's going to be cracker paradise. I don't see an easy solution to the problem, it almost seems like if a hack can be traced back to your computer you almost certainly didn't commit the crime (unless you're a complete asshat).
these fucking sidebar banners, they leave a whole screen of whitespace in between the sidebars, annoying, ads at the top are fine, we see them, if we're interested we click them, which probably happens more often on this site than others, go back to the old banners
...about this scenario. It might actually be better if innocent people are on the line for damages. It would show people that, yes, you have that wonderful cable/adsl line, but you also have the responsibility to use it wisely. Meaning you should put firewalls, antivirus, etc on your computer.
Think about it. People would be forced to become more computer literate, and with more firewalls and security conscious people, there would be less zombies firing away at SPEWS and stuff. Okay, true, US law doesn't reach out to Asia, Europe, etc, but I have no problem banning all traffic from all foreign IPs.
I have been waiting to see one of the RIAA lawsuit defendants use WiFi as a defense. If someone runs a WiFi 802.11a/b/g/etc. network and presents a defense in which they claim that the shared files must have been on a neighbor's computer, it would create the reasonable doubt necessary for the jury to find the defendant not guilty.
I believe that it's only a matter of time and when it happens, it will put a real crimp in the RIAA's plans to sue every user of Kazaa.
P.S. Don't waste bandwidth claiming that the defendant is legally responsible for the actions of others over their unsecured WiFi setup. That's not how the law works. If you leave your car unlocked and I steal it, you are not responsible if I smuggle drugs in your stolen vehicle.
If you're responsible for someone else hijacking your computer then Microsoft is responsible for VB virii in Outlook and every other security hole they've left open. Now where's my cheque?
This comment does not represent the views or opinions of the user.
I completely agree. At the very least, even if the home user wins the case, he'll be saddled with huge legal fees. Win/Win Scenario. Just like the RIAA...
If my auto-downloader gets the Linux kernel,
then a Microsoft Word macro virus alters it,
then an Outlook worm sends it everywhere,
who exactly is liable for infringement on SCO?
Ok, I am sure you didn't really mean to say that 'the gun committed a crime'.. right?
That is just the exact thing that anti-rights people try to get the public to think.. that an inanimate object can be at fault... that the PERSON that committed the crime isn't the one that is truly at fault.. so lets ban the 'object'..
That's just as bad as blaming the car in an accident ' the SUV ran over the little girl'... no it was the DRIVER that ran her over..
If it really wasn't a typo, then you are an idiot
---- Booth was a patriot ----
Another argument could be that someone took over or used the system down the road from you. WiFi is not that secure and if not secured, anyone on the street with a laptop can use it and neighbors with desktops can use it. No telling what they are getting through your internet connection.
Then you get spammed with porn, some may be child porn, you may delete it immediately but if something happens and your computer gets taken by law enforcement, they may find the deleted emails and think you are trafficking child porn.
You really have to know computers nowadays in order to protect yourself but in some cases that is not enough.
Should cases like this be handled in the same fashion as say a homicide? If someone shoots a person with someone else's gun, does the gun owner hold any of the blame? Something like that comes down to if the person gave the murderer the gun, if they negligently left the gun and had no knowledge of it, or if the gun was blatantly taken by force and used in the murder. Of course, your first instinct is that negligent sys-admins should be held liable for not patching their system, but can you say the same thing of the old woman whose son talked her into getting broadband so she can get pictures of her new grandson, and in her mind it's the same thing as plugging in the cable from the TV? And if someone can prove within a reasonable doubt that their system may or may not have been compromised to prove their innocence, then so be it, you have to weigh which is better, to allow a thousand guilty men to go free or to punish the innocent...
Of course, your biometric keyboard could be hijacked remotely, if a security hole is found in its firmware..
TallGreen CMS hosting
"It is relatively easy to trace a hack back to a particular computer"
Then what happened at Valve? (Half-life 2 case) Why can't they trace it back?
I think in essence the problem is similar to that which is being faced in designing "fool-proof" electronic-voting systems.
...
....
....
.... Just a thought for incentive to useful comments from /.'s ....
Each one of the steps in the electronic voting has an analogue to the problem of how to "tie" the computer to the user
Specifically:
1. How do you know that the intended voter really did make the selections and was actually the one interacting with the machine?
2. How do you know that the instructions of the intended voter were fairly transmitted?
3. How do you make sure that the instructions that were transmitted were faithfully acted upon by the machine?
4. How do you know the person who read the results from the machine faithfully read the intentions of the intended voter?
So, any attempt to work at solutions on this problem, is also work in the direction of preserving democracy
To see a world in a grain of sand, and then to step back and see the beach where the sand lies
Might it be best to make computer owners responsible for all harm caused by their computers, no excuses allowed? People would become much more security conscious. Insurers could include computer liability insurance with home or business coverage, with "good driver"-like discounts if you can show you use proper safeguards.
It's a harsh position, I know, but it seems like it might work.
When all you have is a hammer, everything looks like a skull.
In the US you do not have to have a license to have a/most gun. In some states you may have to have a license to carry it in public, but that is all.
a hacker broke into my system and uploaded these 20 gigs of mp3s! no really!
I started thinking about it and it is an interesting point. Seems to me that this is heading towards the situation that other mechanical environments have - a certified expert would be used to sort out (if possible) where the responsibility lies between man and machine. When a car moves forward and kills someone the expert is used to sort out whether there's a machine problem (say, accelerator flaw) or not. Engineering disciplines have a system for certifying a "Professional Engineer" who is qualified to testify in court. What would certify such a person for testifying about software security?
If you're a victim of a "computer crime" then you deserve it.
In the real world, building a 20-foot tall reinforced-concrete fence to protect your property isn't practical, that's why we have laws and penalties against crimes to your property.
But in the cyberworld, proper use of cryptography will provide the protection equivalent of a lightyear-thick shell of titanium. Computer crimes are prevented by technical solutions, not laws and law enforcement. Just build strong systems, sit back, and let the hackers sling pebbles at your lightyear-thick shell of titanium. No laws are needed.
There's a really, really simple analogy... Somebody steals your car because you left the car unlocked and proceeds to run down pedestrians. Is it the owner's fault for leaving the car unlocked? No way. Yes, the car can be a dangerous weapon, but in no way would anybody consider the owner is to blame.
And let's be reasonable here... the damage that a single computer connected to the Net can do is negligible. Sysadmins are always pissing and moaning about zombies, but c'mon... each machine can only ping so many times. So what would you do, hold each owner of a 10,000 machine zombied attack liable for $1?
I'm sure Microsoft will save the day. They'll integrate a keystroke logger, packet sniffer, and disk imager into the Longhorn kernel, with an added feature that it sends all data gathered back to a centralized Microsoft database (running on BSD of course) every hour. That way there will always be a pristine, completely unadulterated record of everything everyone did on their computers, in case the courts need to get involved. And politicians who look at kiddie porn can have that part erased from their data for a small (infinitely recurring) fee.
Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
Unless you have failsafe tamper proof user interfaces that use biometrics to constantly authenticate the user (i.e. fingerprint and body temperature signature recognising keyboards and mice) along with RFID readers to detect the proximity of the user to the machine (based on the RFID chips implanted in the user's body, naturally) along with digitally signing the network traffic generated by the user of the machine with the biometric data of that user in a way that it could not be tampered with, along with video cameras constantly filming what the user is doing, then the trojan case will always be available...
> It is relatively easy to trace a hack back to a
> particular computer, but proving that a specific
> person committed the crime...
'Hack' != 'crime'
> ...could become much more difficult especially
> since, as a recent CNN.com article stated, a
> hacker's legal defense can be: it wasn't me but
> my hijacked computer that committed the crime.
And 'hacker' != 'criminal', no matter what the assholes who edit "Newsweek" say.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
That being said, a good hacker can go a long way toward misleading an average forensics expert.
But there is another issue here. If end users are called on to be responsible for securing their computers against attack (many of whom are still trying to figure out that "cup-holder" thingy), shouldn't the paid professionals responsible for the attacked system bear as much responsibility?
ACME Sysadmin: "Your computer hacked my system!".
Home User: "Not me! Someone must have hacked in and used it!"
ACME Sysadmin: "Not my problem, you are responsible for securing your internet connected computer."
Home User: "And you aren't? You get paid to know how to secure your stuff - I have to rely on Microsoft's word!"
Personally, I believe that with operating ANY equipment (car, gun, computer, can-opener, ...) the user must be responsible for its (mis)use and should make a reasonable attempt at educating themselves in its proper use.
But then, what's "reasonable"? Should the manufacturer of the "device" make the device "safe" by default? Or, if the device is deemed fundamentally "unsafe" by its nature (cars, guns, computers...?) should a proficiency test and a license be required to operate it?
I don't have the answers here. But as computers become more and more incorporated into every part of our lives, their irresponsible/mis-use will have graver consequences.
We are holding gun and auto-makers more and more responsible for what consumers are doing with their products and requiring safer-by-default specifications. Although it may seem a leap now to put computers next to those items, it won't be long before their ubiquity will require enforced due diligence on everyone's part.
"terrorism" and "pedophilia" are the root passwords to the Constitution
Suspect?? I would say that very few serious hackers attack their primary target without tunnelling through a few other covering machines first.
Check out Takedown, the book about how Kevin Mitnick was caught for an example.
Do you think most computer criminals in the future will resort to such scapegoat tactics? If the hacker who knows the authorities are onto him deliberately installs a Trojan as insurance, how can computer forensic experts know that? (Trojans are many times installed by the unaware user. But this time it's deliberate.) I believe it goes beyond forensics.
Von (<---poster of the article),
The Information Writers
Q.
Insert Signature Here
Just as with anything else you'd have to prove that the computer owner was exhibiting negligence and that that enabled the crimes to be committed. What constitutes negligence is a difficult question. How much can you expect a user to know?
I'd imagine an exploit that had been around longer and that had had available patches longer would imply more negligence than the RPC hack that came out 24 hours ago. Still, though, fine lines. When it comes down to it computers are highly imperfect machines and it's hard to blame the user of a product for its flaws.
Brian
hacker,
one who hacks:
a. wood
b. computers
c. people
d. sourcecode
I would consider 'b' and 'c' to be a crime. 'a' is a crime if you're a treant. 'd' is a crime if you're using visualbasic (ba dum bum, ching!)
Because, although we can easily argue that the computer owner is the only one ultimately who CAN be responsible for what it does.. that's not practical.
Nor is making the ISP entirely responsible.
In fact, if we take this too far, trying to find some ultimate party to blame for everything, we end up with a bloated legal and bureaucratic mess, where everyone is afraid to do anything.
ISPs should publish guidelines to customers regarding keeping their systems secure.
ISPs should revoke connections if customers are hacked too many times.
No, the computer owner should not be responsible by default legally... like any other crime, one should have to PROVE who caused the malicious act.
The whole idea that we have to find SOMEONE to blame, even if we don't know who really did it, is a bad one.
If you leave guns lying around where children can get them, you will get fined for criminal negligence. The same should be true with computers. If you don't keep the computer reasonably protected, then you should be fined for criminal negligence. Problem: the government would use it to restrict access. Possible Solution: Amendment #30 The right to bear computers. Helpful Unintended Benefit: Children would only be able to use the Internet with parent's supervision since a connection to the Internet that was used irresponsibly would cause the aforementioned criminal negligence. You don't let children play with guns, you won't be able to let children freely surf or connect to the Internet. I admit, there are problems with this. Children have to be given some freedom to go online as they choose (possibly restrict dl rights, accessible sites, or ensure they are working on an up to date computer with perhaps special protections), and there is an issue with freedom of access to information (the last thing we need is a society where access to information is based on government approval - like you need to have a stamp from the government that you're a good citizen first or any other 1984, Brave New World strategy), but I think the overall strategy would be good. Plus, license software developers of commercial software. All other software could be left with the use at your own risk tag - first problem traced back to it and you get fined. Or better yet, maybe have it set up with an approval committee that would verify and thus become responsible, acting like a license for the software. A committee composed of say EFF or GNU ppl. Commercial software guy loses his license if he is found to not have taken the necessary precautions but is able to grant a license himself to any piece of software he creates. As long as you're licensed or the product you create gets licensed, you will be absolved from financial responsibility.
As long as your computer uses only approved or licensed products you too are absolved. If you do not keep an application on your computer up to date you can get fined. If you use a non-approved application, and your computer is hijacked or otherwise does damage, then you are held financially responsible. The developer will be free from financial liability, but the risk of unapproved software will prevent most from using your software, etc and will have a negative effect on those who are unable to get or maintain a license. Hence, the drive to get and maintain a license in order to appeal to a wider audience will drive developers to write good code, while financial liability will drive the consumers to reject bad code.
There's a growing sense that even if The Future comes,
most of us won't be able to afford it.
-- Lemmy
This is like saying when you broke into someone's car using a hammer, it was the hammer's fault. Completely illogical.
The owner *is* partially responsible, if they didn't take proper precautions that their SUV wouldn't be used improperly.. (same for the firearm, or baseball bat).
But I agree it will be hard to *prove* the pc owner is responsible, since it's similar to having your SUV/GUN/ETC stolen and used in a crime.. as long as you took reasonable steps then you are ok...
---- Booth was a patriot ----
See? I can make up words too.
If whales learn how to use weapons we're all screwed!
If you leave your car unlocked and it is stolen and involved in a hit and run, are you responsible? Breaking and entering in a house could be as simple as opening an unlocked door if you are an intruder on the premises. I don't think computer owners whose machines are broken into should have any liability. If you knowingly aid the use of your machine as a gateway then you should have some added liability, much like drug trafficking. I think in some cases some of these computer hijackings for DDOS can be more serious in reality than some of the drug trafficking people. Computer hackings can cause a lot of damage, even to the government. All in all, computer owners should make a reasonable effort to secure their systems, but should not be held in neglect if not properly maintained and that allows an intruder to compromise the system and use it in an attack.
The laws already exist to punish computer owners for allowing people to break into their computer. I hope there will never be further laws passed. As it is, you can be held liable (as in sued for money) for any damages done by any property (read: computer) if you were negligent in taking care of it or securing it and someone else is damaged by that property. I don't think we need any further law because: 1) you should not be jailed for stupidity; 2) the possibility of being sued will eventually force better security (as soon as lawyers see money to be made here); 3) it makes no sense to have greater punishment for this than any other negligence. That being said, I think the liability is interesting. How many companies that are hacked sustain enough damages to make it worth suing the person that owned the computer, and how often does the person that owns it have enough money to pay them even if they won?
"Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons."
Yes, I agree it is with me, but not quite the way you were thinking.
My hot button, so to speak, is when information like that comes out and its subliminal impact on people. ( especially when it impacts American rights and freedoms )
Regardless of one's intent, if the general population keeps seeing 'the SUV killed', 'the gun killed', 'the video game made him' etc.. it makes a subconscious impact on people's attitudes about the inanimate object..
Only thru diligence can the subtle ( often un-intentional ) brainwashing be avoided...
---- Booth was a patriot ----
This is why soft digital signatures don't work.
...which is why Microsoft, banks, governments, etc want to introduce "Trusted computing".
"No your honour, I didn't sign that contract/make that online bank transfer/cast that online vote. A virus infected my computer and did that. And deleted itself afterwards."
And if you think about it, it could actually happen...
There was an analogy above about cars and basic maintenance...
... $25 or something for patch updates (OS or otherwise), virus/spyware/adware scan, firewall config, defrag etc...
I can't help but think that if people can't keep their computers patched (change their oil, so to speak) then they need to get someone to do it for them. Just like they'd get someone to change their oil for them. Hell, I'd do it
Who doesn't like free music?
Your mare will never hijack your computer!
It is entirely possible to convict someone based solely on circumstantial evidence. IANAL (though I watched every Perry Mason episode), but the standard test a prosecutor must meet is means, motive, and opportunity. If your car was used in a hit-and-run, and driven by someone who looked like you, but you have an alibi, you're off the hook. If your most advanced level of programming is setting the clock on the VCR, you're probably off the hook. If they cannot show a motive, they will have a hard time convicting.
I don't think there will be more than a handful of criminal convictions of computer owners based solely on identifying the originating computer.
There will undoubtedly be lawsuits based on failure to properly secure your computer. There are several precedents for that, including gun lock laws and attractive nuisance laws. But if your computer is used to hack some big company and billions of dollars of damage is done, they know that they won't recoup that from your paycheck. They'll be more interested in seeing the real offender severely punished as an example to others.
And in Russia the computer hacks you ... er wait ...
Heh, should make a nifty defense. The computer hacked you.
I just saw this in the thread Your Rights Online: Jail Time for Movie Swappers, and I think it's also relevant here.
Do you think most computer criminals in the future will resort to such scapegoat tactics? If the hacker who knows the authorities are onto him **deliberately** installs a Trojan as insurance, how can computer forensic experts know that? (Trojans are many times installed by the unaware user. But this time it's deliberate.) I believe it goes beyond forensics. Von ---poster of the above question
The Information Writers
If someone steals my car and mows down 10 people, am I responsible? Certainly not. What if I left my keys in the car? What if I left it running at a gas station? What if I did not know what a key was for but I left my keys in there anyway? I think the only ones that will be held accountable for their equipment is us, the geeks.
As the right man, I would much prefer it if we had the wrong one.
...thanks. I forgot to do my Constitutional duty:
Claria == Gator == SPYWARE!
Tell your friends!
<disclaimer>I'm not a lawyer.</disclaimer>
This same topic was part of SANS NewsBites
I wrote to them:
Re: SANS NewsBites Vol. 5 Num. 44
> --Trojan Defense Successful Three Times in UK Courts
> (28 October 2003)
> Three cases in UK courts have set a significant precedent for
> prosecuting those accused of cyber crimes. In all three cases,
> defendants' attorneys successfully argued that their clients' computers
> had been hijacked by Trojan horse programs and therefore the defendants
> were not responsible for the alleged crimes. While some view the
> precedent as a safeguard against convicting innocent people, others are
> concerned that it gives cyber criminals a blanket defense. The Trojan
> defense has not yet been used in the US court system.
> computerworld
> The Register (UK)
> [Editor's Note (Schultz): I fear that this will become the
> universally-used defense in cybercrime cases. Juries are not likely to
> know enough to see past this type of alibi.]
Actually the problem will be if _prosecutors_ can't get past the Trojan defense. Juries are routinely forced to learn the technical details of a criminal situation, whether it's a pyramid scheme or a poisoning. A prosecutor has to educate the jury and then convince the jury that the defendant is guilty of cognizant action (or inaction). It's the cognizant inaction part that will most likely break through the Trojan defense.
An analogy is as old as law itself: if I have a dog known to get out of its pen and bite the neighbors, then unless I try to do something about it I'm liable for the damages the dog does.
Another analogy: if I ask you to carry an envelope over to the mailbox, and don't tell you it contains anthrax, then you act legally by placing the envelope in the mailbox. I commit the crime, even if I don't specifically ask you to carry anything but just arrange for it to happen. Knowledge is the key, coupled with the choice to act or not to act.
If the prosecutor can't show that the defendant knew his computer was doing illegal things, then the jury should acquit. If he did know about the illegal activity, the prosecutor still has to show intentional action or inaction. That's how it works for dogs and owners, for letters and mailboxes, and that's how it's supposed to work for computer networks, too.
sigs, as if you care.
Look at photo radar.
As the rules currently stand in Canada, the owner of the car is charged for breaking the speed limit, but not the driver.
You, as the owner, pay a fine. You, as the driver, don't pay in terms of demerits attached to your driving record. This is specifically because they cannot prove who was driving the car.
Several people have successfully defended the fine by producing records that their car was in the shop on the date & time in question -- allowing them to prove that they were NOT in fact driving, and therefore NOT in fact responsible for its operation over the speed limit.
I think that is the precedent which has merit here. You'll be presumed guilty, unless you can specifically prove that you didn't know, and that you didn't have the knowledge to produce the Trojan in the first place.
Of course, proving you can't do something which involves intelligence is quite difficult. I'm reminded of a "Kids in the Hall" sketch. Guy is on trial for murder and takes the stand.
Prosecutor: Did you in fact kill the deceased?
Guy: No.
Prosecutor: May I remind you that you are under oath, that the police found you standing over the body with the bloody knife in your hands. And I ask you again, did you kill the deceased?
Guy: No. [aside to his friend in the audience] heh. This is easy. [to the Prosecutor] Go ahead, ask me again.
Reason why there is hope for the future generation #364:
"I wish my grass was emo so it could cut itself."
Proper management of a computer, including keeping it from doing Bad Things, absolutely should be the responsibility of the owner.
The computer cannot do anything on its own. It can only follow the instructions given to it by someone else, which includes the instruction to follow someone else's instructions.
In the end the operator has the ultimate control of the computer. If the computer does something it does it through permission of the owner and therefore the owner is responsible.
Yes, this does suck in many cases, but the reality is that some people are not qualified to operate today's general purpose computers, and some others need to be forced into better practices with theirs.
who supplied the computer and the software vendor et al.
In the free world the media isn't government run; the government is media run.
First,
Before any of these laws are set in place we should ask Bill Gates why and how so many computers have trojans installed on them.
-Adam
This isn't necessarily true.
It's reasonable to imagine that some life supporting medical devices might be controlled by a computer with an Internet connection. Three reasons, for instance: to let the manufacturer download new software with additional features; to let authorized doctors retrieve patient records remotely; for insurance companies to verify the machine is actually in use, and thereby reduce fraudulent claims. There may well be more reasons.
I'm not a medical technology expert, but I could imagine that machines of this type might eventually include devices that control anaesthesia during surgery, or other devices in which a system failure could literally kill the patient within minutes.
It's not unreasonable to imagine that some manufacturers, despite the protests of the average Slashdot reader, might have the control and reporting software run on a commodity operating system or database sold by a commercial vendor in Silicon Valley or the Pacific Northwest.
It's not unreasonable to imagine that the nurses and hospital clerks and medical equipment technicians who are familiar with the medical usage of the equipment, might not also be expert in installing the latest security patches and firewall configurations that would maximize the security of the system.
When someone sends a virus that attacks, say, all Windows XP machines, or all SQL Servers, the sender has no way of knowing for sure that NONE of the eventual receiving systems will encounter unscheduled downtime, as a result of the software exploit, that literally kills one or more patients.
The parent post to this one was excessively glib about what could, literally, be a life or death matter.
If someone steals your cell phone, and uses it to conduct some sort of illegal activity -- say sell drugs -- is it your fault? No.
Why the hell should it be the end users' fault for hackers' mischief activities?
If I were to drive my pickup truck up and down the
streets of my city, all the while shouting out the
window that I want the homeowners to put valuable
stuff in my truck bed, am I committing a crime?
What if at one home, there is a robot that greets
me with "How may I help you?". So, I ask the robot
for valuable stuff, and it loads up my truck bed?
Was this a crime? At the next house, a robot asks
me a riddle, and when I answer correctly, this robot
also loads my truck bed with great stuff. Was that
a crime? Three streets down from here, is a really
fancy and clever robot that hears my plea for stuff,
and it packages some great stuff up and
mails it to my home. Is this a crime? When I get
home, now that I know there are fancy robots out
there, I make it a habit to ask for stuff out
loud, and as if by magic, clever robots send me
stuff. Every now and again, I get a letter with
a riddle in it, and when I figure the answer, I
say it out loud, and a clever robot sends me
stuff in the mail. None of this sounds like
a crime to me. Perhaps the people in this city
should stop buying clever robots, or at least
try a little harder to get these robots to listen
and obey a smaller list of people.
The language we use to describe something new
is more important than what we actually describe.
Our culture will assimilate the new through
analogy to something old. But, if you step
outside the box you can see that a different
analogy would lead to different expectations.
As we computerize and automate our world, it
would be better if security is improved rather
than a never ending flow of new laws to patch
over our faulty analogy.
-Peter
Time flies like an arrow. Fruit flies like a banana.
if m$ didn't put in the holes that get exploited ...
... well, at least the ones that involve computers running m$ products.
after all this time, one would think that they would have some small idea of how to code, wouldn't one?
at the very least, perhaps they should be included as an accomplice in all these "computer crimes"
So if someone steals my car, even if it was unlocked and the keys were in the ignition, and then hits someone, would any jury ever think I was responsible?
don't believe it
I believe computer owners who have systems connected to the Internet should be held accountable even if their PC was hijacked, unless they can prove having taken reasonable steps to protect their computer, like antivirus software, a firewall, being a well-educated computer user. Something I don't think many people understand or would agree with is that owning a computer that is connected to the Internet has a certain responsibility with it. Like owning a car, or a gun, carries great responsibility; I'm not equating the two. Ignorant computer users, who knowingly or unknowingly contribute to virus propagation, should be held accountable for it. Just like if you don't keep your car well maintained, and it causes an accident, you will be held accountable, because of your negligence. It is very easy to protect your computer from viruses and other unwanted programs, as I'm sure most /. readers will agree; the problem is the general public, and average computer users don't know how easy it is. You have to have a license to do everything in the US, except own a computer and have a kid; maybe it's time to start on those too.
Less morons, and less morons using computers.
--The Titanic was built by professionals. --The Ark was built by amateurs.
It's very simple to find out if someone is committing a crime. You convince a judge with reasonable evidence that someone is up to no good and get a warrant to spy on the person, just like with old wiretaps. They will just conceal a video camera in the person's residence, place spyware on his computer, and verifiably catch the person in the act. The cops will just have to follow through rather than arresting someone just on suspicion. The question is if such investigating is worth the salary of the cops to prove a case. Does it benefit the public? No, it only makes the crime more sexy and infamous and results in more such crimes.
If you installed a program explicitly, then it's your fault (even if it was spyware)
Most viruses in Outlook you need to actually click to execute. In other words, all those people are at fault. There's no way an average jury, knowing how little clue they have with their machines, will accept that argument.
Kjella
Live today, because you never know what tomorrow brings
Then someone would take some care to make his machine reasonably secure (or find someone who can). Imagine how many fewer incidents there would be on the internet!
Anyone reading slashdot is by definition in a vanishingly tiny minority. We, and only we, have a relatively good sense of how to defend ourselves.
The rest of the population are a bit like my neighbour. He has a Windows 2000 laptop (that's what it came with) and recently got an ADSL connection. His ADSL link went live about 10:30 one morning; by 12:15 he had been blocked by his ISP for spreading Blaster.
That's when he knocked on my door. I printed out his task list (i.e. things that couldn't even be bothered to cloak themselves). Including Blaster, he had already been compromised five ways. A hacked copy of Dameware was in there, plus a ratio-based FTP server. I can't remember what the other two were.
The point is, he could have unknowingly been carrying gigabytes of warez or child porn on the same day he bought his shiny new ADSL modem.
So I'm inclined to take very seriously the "it wasn't me" defence. For almost everyone, it's true.
In your vision, spam wouldn't work because people would _know_ the evil-internet isn't to be trusted so they'd never even consider sending cash to the nigerian-bank. Many problems would be fixed that way.
If a car runs over somebody on the road, do you just automatically arrest the owner of the car? No, this would obviously be ridiculous. You ask witnesses who was driving the car, and arrest that person. Same with computers, find proof that a certain person was using a computer at the time of the infringement by asking witnesses.
Automobiles introduced this problem
(easy to kill people/damage property)
insurance, license (USA solution)
You will be required to carry insurance, and a government issued license if you use a firearm I mean computer.
The DCV will be created to manage licensing of computer users.
I think that is the precedent which has merit here. You'll be presumed guilty
MERIT!?! Guilty until proven innocent has MERIT!??!
In the US it is not the defendant's responsibility to prove he is innocent. It is the government's responsibility to prove he is guilty. That does not change simply because the government whines about having a hard time proving its case.
The only reason they get away with mailing bills in the case of red-light photos is because it simply isn't worth the time/effort/money to appear in court. Hell, you could be a blind paraplegic who doesn't own a car and it's easier to mail a check for a few bucks than to take a trip to the courthouse. That does not make you guilty, and it does not provide precedent that the accused have to prove their innocence.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Will computer crimes start falling under violent felonies?
They'd better find a good way of determining who's committing these crimes. They may be lethal one day, instead of annoying.
"As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?"
I have to say that I disagree with most of the highly moderated posts here so far.
A legal precedent for this type of defense is already set. This type of case should not be considered differently from other crimes.
If my car is stolen and later used in a bank robbery I am not culpable in any way. I was not an accomplice before, during or after the fact, I did not commit the crime. In fact, I am one of the victims. My lack of culpability remains intact whether I am aware of my car being stolen or not, and whether I report it stolen or not.
In all such cases, regardless of the items used to commit the crime or how they were obtained, the burden of proof lies with the prosecution to demonstrate that it was in fact the defendant who was in control of the items at the time, and therefore the guilty party.
The only complicating factor in computer cases is that the computer may be in the virtual control of one person while in the physical control of another. This has the net effect of slightly shifting the burden of proof towards the defendant; his control of the computer is implied. This is, in my opinion, unfortunate and I hope that future cases will set precedent that shifts the burden back to the prosecution.
In a truly free country the legal system must expend most of its effort keeping innocent people free, not punishing the guilty.
Naturally, a different set of guidelines exist for civil cases.
Who is ever going to launch a crack from his own computer?
If I was part of this world, my first reflex would be to do it from an Internet Coffee or a public-place-based computer...
Did I miss a point at some time?
Regards,
JDif
Let's overcome our weakness.
It's only common sense.
If someone steals your car (and I don't mean infringes your copyright, I mean steals), and runs over a baby, then it's your fault, right?
If someone steals a metal fork out of your silver chest, and kills a lady in the hospital on life support, of course it's your fault.
It's only common sense.
Gday from Australia!
I'm starting a political party here, which will be largely based online. As such, I am grappling with how to implement secure, online voting (only for our own party members, not full on electoral voting which I think should remain a paper ballot for the foreseeable future).
I've come up with similar statements to yours in our draft Constitution:
An online vote must fulfil the following criteria to be considered valid:
a. The Member must be able to cast his vote such that only he knows how he voted;
b. The Member must be able to verify that his vote has been correctly registered, both at the time of casting the vote and at any other time after the event;
c. The Member must only be able to vote once per issue;
d. The vote must be correctly registered at the server;
e. The server must be able to prove it has not been tampered with;
f. The server's hardware and software must be open to scrutiny at any time and independently verifiable by a third party;
g. The server must be able to check the authority of a Member to cast a vote, but not retain specific identifiable information on how a Member voted after the event without that Member providing a hash key of some sort for verification purposes.
Not easy to come up with a solution to this problem. In part a. I think having a mailed out card with five or more numbers on it, of which one is the key and the others false keys, is at least a way to ensure that the voter can vote from home free of coercion. As long as the vote goes through regardless of which key is inputted, the voter being coerced (say by their spouse) can dutifully say that they put in the correct key and the spouse cannot prove otherwise.
There's plenty more to do yet to implement the full system, but that's where I'm at right now.
If you'd like to contribute feel free to visit my website:
http://www.users.on.net/grypen/politics/
or read through the Yahoo Group posts (our first forum, temporary in nature until we get a real one):
http://au.groups.yahoo.com/group/neteffect/
Doesn't matter what nationality you are, I intend for all world citizens to have a voice on our proper forum once it's up, although of course only party members will be able to vote on party issues when it's going.
Visceral Psyche Films
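The decoy-key card from part a. of the post above, worked through as an added example (not the poster's or the party's code): the server accepts a ballot made with any code on the card, hands back the same kind of receipt every time, and tallies only ballots cast with the real key. The class name `VoteServer`, the eight-digit codes, the random receipts and the one-ballot-per-code-per-issue rule are assumptions made here.

```python
import hashlib
import hmac
import secrets
from collections import Counter

CODES_PER_CARD = 5  # "five or more numbers" on the mailed card


class VoteServer:
    """Hypothetical server for the draft criteria a-g; all names are illustrative."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # keys the stored code digests
        self._codes = {}     # code digest -> True for the real key, False for a decoy
        self._used = set()   # (code digest, issue): one ballot per code per issue
        self._ballots = {}   # sha256(receipt) -> (issue, choice, counted)

    def _digest(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def issue_card(self):
        """Create one member's card. Returns (codes, index of the real key).

        Assumption: the member learns which code is real separately from
        the card itself; the server keeps only keyed digests of the codes.
        """
        codes = []
        while len(codes) < CODES_PER_CARD:
            code = f"{secrets.randbelow(10**8):08d}"
            if code not in codes and self._digest(code) not in self._codes:
                codes.append(code)
        real_index = secrets.randbelow(CODES_PER_CARD)
        for i, code in enumerate(codes):
            self._codes[self._digest(code)] = (i == real_index)
        return codes, real_index

    def cast(self, code, issue, choice):
        """Register a ballot made with any code on a card and return a receipt."""
        d = self._digest(code)
        if d not in self._codes:
            raise PermissionError("code not on any issued card")  # criterion g
        if (d, issue) in self._used:
            raise ValueError("this key already voted on this issue")  # criterion c
        self._used.add((d, issue))
        receipt = secrets.token_hex(16)
        # The ballot is filed under the receipt hash, not under the card or member.
        receipt_hash = hashlib.sha256(receipt.encode()).hexdigest()
        self._ballots[receipt_hash] = (issue, choice, self._codes[d])
        return receipt

    def verify(self, receipt):
        """Criterion b: show what was registered, never whether it will count."""
        receipt_hash = hashlib.sha256(receipt.encode()).hexdigest()
        issue, choice, _counted = self._ballots[receipt_hash]
        return issue, choice

    def tally(self, issue):
        """Count only ballots that were cast with a real key."""
        return Counter(choice for i, choice, counted in self._ballots.values()
                       if i == issue and counted)


if __name__ == "__main__":
    server = VoteServer()
    codes, real = server.issue_card()
    decoy = codes[(real + 1) % CODES_PER_CARD]
    coerced = server.cast(decoy, "motion-1", "no")         # entered while watched
    private = server.cast(codes[real], "motion-1", "yes")  # entered later, alone
    print(server.verify(coerced), server.verify(private), server.tally("motion-1"))
```

The `counted` flag exists only in server storage, so the scheme still leans on criteria e. and f.: anyone who can read the ballot store can tell real ballots from decoys.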
> it wasn't me but my hijacked computer that committed the crime.
Scriptkiddie: "It wasn't me!"
Gil Grissom: "That was a big rap hit a year ago, wasn't it? Too bad for you that we got forensic evidence that proves that you cleaned up your hard drive from various automated attack tools."
*endcredits start rolling of another CSI episode*
Not that I want hackers to be screwed over because they certainly don't deserve it, but this might be a case for negligent security and making it illegal...
*cough*microsoft*cough*
"How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?" is the question asked by Cliff. Would it be any less relevant to say "How much responsibility does the owner of a car have for crimes committed using their equipment... etc.?" I think the trojan argument is similar to arguing someone stole your car and used it in a crime, with similar problems of convincing a jury you weren't the one driving.
How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment...
In my mind, the same as the owner of a gun that was stolen and used in a violent crime. Do gun owners have a responsibility to properly store and care for their weapons? Of course. Are gun owners responsible when someone steals that gun (even if not stored properly) and then tries to shoot someone with it? Only minimally.
Don't become a regular here, you will become retarded. -- Yoda the Retard
if the nacho cheese covered battlestar galactica t-shirt don't fit, the jury must acquit.
And then there was E
1) Look for coding patterns. It's circumstantial, but programmers have their own set of rules on how to produce variable and function names, how to group member functions and variables inside class definitions, and so on.
...and finally...
2) Similar to 1, file naming conventions, location of the project, tree structure of the directories of the project, and so on.
3) If he links in crap from his own libraries that he uses in his own other projects, then that's pretty guilty looking. I doubt a hacker is gonna examine someone's personal library and write to it.
4) If it's so easy to track, why can't they continue the track backwards for the hacker who hacked into the computer? All connections to the computer should be traceable, and those used by known hacks can be explored further backwards.
"Has [being a kidnapped teenage girl, raped repeatedly for months] changed you?" - Katie Couric to Elizabeth Smart
He didn't say that his grade went up... it could've been changed DOWN.
Either way, it doesn't make sense that he would do it.
..........FULL STOP.
Simple, civil liability for negligence if you did not take reasonable measures in the circumstances to ensure your PC was secure.
For example, if you are running a server you have applied patches for known vulnerabilities, if you are a client permanently connected to the internet you have installed a firewall etc.
Of course I do not think people should be punished for every mistake, but if you have been genuinely negligent and someone has suffered a loss as a result you should have to compensate them.
I wonder what is possible within the confines of the law as it is?
If all the hacker does is destroy some data, then you probably won't be able to catch em. Restore from backup, and move on.
If on the other hand the hacker hacked into your bank account and transferred money into his, that might leave a record that's going to point to someone.
If you're not concerned with criminal prosecution, you might even be able to get a verdict in your favor without proof that the person's computer wasn't hacked. Where was the person at the time of the hacking? At home on the computer? What motive does the person have against you?
Of course, all of this assumes that the person left evidence on the computer of a hack attack in the first place. Lack of such evidence would be pretty damning, if the computer can be confiscated soon after the incident.
Interestingly, this could make Windows the platform of choice for script kiddie hackers, instead of Linux or *BSD, since it will be easier to use this defense if one is running the most-hijacked OS.
Microsoft can make a system that is somewhere above -1 on the security scale, or unless someone else creates a majority secure OS. Either of these would clear things up. If my computer got hacked running win2k, I wouldn't point and swear at whoever hacked my box, I'd point at M$ and say, "what are you smoking."
Unix would fix a lot of the problems of users, etc.. not as many root holes. I think computer should be subjected to the same kind of rules as Vehicles... If it's proven that you let someone use your car, knowing they were going to commit a crime: you're guilty. If your car was stolen, you report it, etc... Law enforcement is guilty (just like M$) for not stopping the threat, and crime.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
I am a computer security enthusiast and a bit of a crypto head; my entire hard drive, save a small /boot partition, is encrypted with AES/Rijndael encryption (recommended by the federal national institute of standards and technology, computer security research center, for protection of government documents) and would be rather hard for a prosecutor or law enforcement agency to break. Also, being a civil rights supporter and enthusiast, I will not decrypt my hard drive for anyone, just on principle alone. So now what? Will I be subpoenaed to decrypt my hard drive, to prove my own innocence in a country where I am already innocent till proven guilty? And what about reviewing ISP web logs? I mean, you should be able to monitor trojan usage through packet dumps, right? Wrong! Now they have programs that implement truly covert channel communications between 2 computers that are even undetectable to the creators, one such program being steg tunnel. So now I really must know, now what? Would a court deem me innocent simply cause they cannot prove my guilt, or would I be subpoenaed to decrypt my hard drive in violation of my constitutionally protected rights? Even if I have been hacked and my machine used to bounce these attacks, could I be imprisoned simply cause I would like to keep the private contents of my PC private? I want to know!!!
How is this kind of situation any different from when a stolen car is used to commit a crime?
Your car being used in a getaway may make you the first stop for Mr Nice Policeman, but should you be charged for not securing your car well enough that it was stolen that morning?
Should you be presumed guilty (as an accomplice, perhaps?) automatically if you can't prove that your car was stolen?
Sometimes "high-tech" problems are very similar to old familiar ones.
- Muggins the Mad
Let's say you leave your car running while you go in to get cash/booze/cigarettes/food. Let's also say that someone hops in your running car and robs a bank.
You're an accessory. Have fun in jail, sucker.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
This is nonsense. If someone steals your car, and then commits a drive-by shooting with it, should you be held responsible because you hadn't installed an anti-theft system in it? If someone steals an axe out of your garage and kills someone with it, should you be responsible for their actions? If someone steals your gun and uses it to commit a crime, should you serve that person's time?
The answer to all of these situations is no. It would be different if you were allowing the person to use these things and knew they were going to be used in a crime, however, you still wouldn't be the one ultimately responsible for the actual crime, whatever it is. The key is the person committing the crime is committing a secondary, enabling crime by stealing something from you to commit the real crime in question.
I think all the stuck up trolls here on Slashdot who drone on about updating this and that, firewall this and that are missing the big picture. How much software do you have that needs security updates, how often, and what type of knowledge does it take to do this? Keep in mind that every user doesn't read bugtraq. The answer to this question: probably a lot, and new updates are required almost weekly.
Oddly enough, there are some people (read: a lot, the majority) that use a computer like a tool, similar to a calculator or copier. An office device to get their work done. Most people are too busy with their lives and their work that doesn't involve computers but involves using one to constantly update and manage the increasingly tangled mess that is internet security.
It's true that as a member of the Internet community you should try to be responsible, especially if you are a corporate member or someone providing a large service. But to try to hold joe sixpack with his job in Marketing, two kids and busy schedule responsible for not keeping up on his updates or using a firewall on his hacked computer that his kids use primarily to play games on is just plain silly.
People need to wake up and realize that the fault ultimately lies with the person that committed the crime, this is the integral wrong and always will be. This "computer owner is guilty" nonsense is dumb and nonsensical.
EOD
"I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
Issues like proxies started coming up in child porn cases from the earliest days of Internet crime and it helps to understand how that has been played out to better understand the limits of computer crimes prosecutions.
Because some people in commercial child pornography rings were, in fact, quite sophisticated about security, prosecutors had to develop strong cases that involved much more than monitoring net traffic. They had to monitor phone calls, watch bank transactions and finally go in and actually seize physical media. Even then there was no guarantee they could make the charges stick.
So, this isn't really news that it's not easy to prosecute computer crimes without more than just a bit of alleged data. The fact that this was already long ago established is what made the RIAA's plan so bizarre. The only hope was to completely shock the public into quitting P2P in one fell swoop. They have already failed.
As soon as it begins trickling out in the media that the defendants who didn't pay up are walking away left and right the card will have been played and P2P will easily be twice as popular as it was without changing any laws at all.
In order to expose a particular port for the Internet (needed by many P2P protocols for proper function) you must configure a route through your router/NAT. That is if I must expose, say port 9999 for P2P, I must tell my router that all requests to 9999 go to 192.168.2.15:9999. This means that not only must I leave my WiFi AP open, I have to have a route configured as well, so the AP must be reprogrammable. Again, if I wanted to appear a total idiot, I *could* have left the AP open for programming.
See my journal, I write things there
What happens in traffic? Aren't you responsible for your vehicle, even if someone else is driving?
It seems the same must apply to computers - maybe that way we'd scare off all the droolers and the Internet would be a nice place again.
I can be attacked and have my machine taken over, even before I have patched it up to date. XP is horribly broken out of the box. In the time it takes to get it 'up to date' and AV software installed, it may be compromised.
See my journal, I write things there
A user who permits his computer to be used as a tool for attacking another computer /web site / network should be held responsible for maintaining an "attractive nuisance". Users aren't going to be motivated to do even the simple things with respect to security unless they are held responsible. If he's liable for $100 in damages due to the party he let his computer attack for each malware file sent, he's got an incentive to find out what "best practices" are, especially if that's an explicit defense against that kind of lawsuit.
A warning is adequate for a first offense. If somebody has to haul their ass into court to answer for the 50,000 copies of the latest Windows virus they sent me, even if there isn't a cash penalty, they'll take complaints seriously next time before they get into a courtroom, especially when the judge tells him fix your computer or next time, it's $100 (USD) per virus or whatever.
And if this persuades people that the Net is too difficult or dangerous to use, that's probably a good thing.
what are ways we can best determine their involvement, or lack of it, in said crimes?
That is what a forensic analysis of a user's computer is supposed to do. Erased files are easy to find. Even overwritten files can be found with the right kind of hard drive recovery tools.
Tech Public Policy stuff
The question is not whether technological measures exist to identify who is using a particular computer at any given time, but whether or not we should want to identify the user at any given time.
Do we, as a society, want computer owners identified by their computers for every process they execute? Do you want someone to be able to remotely check your computer for politically unacceptable websites you might have visited? Do you want spyware programs to have proof that it was you that viewed some illicit pornography when Outlook automagically opened a spam message for you? Do you want the RIAA to have a biometric signature to identify that you were a) sharing MP3s and b) listening to MP3s that you downloaded and have c) proof of how many times you listened to those songs and for how long? Do you want them to argue in court that you are a social deviant because you listened to the Ghetto Boys or the Misfits or did not listen to Britney Spears?
If your identity is connected with every program execution on your computer, what would stop someone from compiling enough circumstantial "proof" that you were a terrorist to blackmail you with public humiliation.
The real criminals will always be able to defeat any technological identification scheme. However, the average joe will not. Who will lose by this? You will.
Computers keeping tabs on you will make this amendment null and void. Punishing criminals is important, but criminalizing large portions or all of society should not be the goal of law. Crime will always exist (even in non-free societies). Get used to it.
All data is speech. All speech is Free.
By making your computer publicly available on the internet you should obviously accept some responsibility, the same way walking around a dodgy area with gold dripping from neck and hands will more than likely get you mugged.
Ye not guilty
All we need are new compilers that require a DNA sample to compile. Now you just need to keep track of that specimen cup.
When I leave my house, car, bike or whatever unlocked and it gets broken into or stolen, I will not receive a single penny from my insurance company.
Now please, please tell me why this should be different with computers. If someone is not smart enough to use even the most basic protection, say a virus scanner and a host-based firewall, both of which get updated automatically, then such a person should either not connect their computer to a network or not have a computer in the first place.
Cluelessness should never be an excuse for ignorance. If you don't know, either ask someone more knowledgeable or just don't do it. But don't do it ignorantly!
Prison is not an adequate punishment.
This may sound like some kind of self-help meeting, but I got my BS-CS in '93, and have been working in the computer industry since then. I run Windows98 on two machines at home, mine and my wife's.
I know the original post was supposed to be funny, and it is. My main machine is running Redhat 7.3, and my Win98 machine has pretty much been relegated to playing Half-Life (The Gate, currently) and Quake MegaTF. And a couple of other games, but that's pretty much it. Is it directly connected to the net? Are you crazy? Firewalls, baby, that is what they are for.
So why don't I have something newer? Well, I do have a copy of NT Workstation that I got with an old PC I bought years ago, but I never took the time to reinstall the machine. I also heard that gaming on NT wasn't that great. I am not going to go out and buy Win2k. Could I grok it from somewhere? Of course. But why? Why break it in a different way if it isn't really broken? I don't think installing Win2k would be a "fix". Better than Win98? Sure. More exploitable? Maybe. But for the maybe-once-a-week that I fire the machine up, it isn't worth it. My wife's computer sees more use, but again, it isn't worth it to mess up her whole environment just to upgrade to a new set of headaches. Even though we weren't hit at home with the latest rash of worms/viruses, some of them didn't even affect Win98. :-)
But to the topic, imagine that your parents' PC is compromised. Should they be held accountable? I know my parents barely get the idea of computers, let alone security. Although I have scared my mom so badly about viruses that she won't hardly open any attachment in her email.
If you make computer users accountable for being compromised, then all you are doing is widening that digital divide. As much as my parents like email, they aren't going to go to jail over it. If owning a computer becomes a hassle (security) then they just won't use it. It has to be easy for the average person to use it. That is how Microsoft got to where they are today, remember?
My beliefs do not require that you agree with them.
The question of whether a computer owner is responsible for the crimes that happen with his or her computer hardware is like pointing to the victim of the crime and asking if they are responsible.
In some ways yes the victim is responsible, however being in the wrong place at the wrong time is hardly a jailing offense. The computer hardware and software that is installed on your computer for most people is a matter of necessity, those that do split from the norm are usually more computer literate than average and thereby less likely to be prone to this in the first place.
By extension the maker of the software is responsible for not making their out of box software secure in the first place.
Even the creators of the tools used to perpetrate the crime are in some way responsible, but we can't punish the makers of crowbars or knives. Nor should we, both are useful instruments when placed in the right hands.
This however is a side issue, while we can point fingers at Microsoft or whoever the scapegoat of the day is, it still comes back to the malicious will of the criminal. Guns don't fire themselves, crowbars don't go wandering around breaking into things, and computers, though they have made leaps and bounds in the field of AI, still need that driving force behind them.
What the solution is to placing the criminal behind the computer I don't know. Perhaps bio scanners could be used to log people into computers. One thing I know though, this is going to be one of the hardest fought battles of the 21st century, to move forward requires that those that perpetrate crimes in cyberspace can be punished, until that happens and the cybercriminals realise that it's not a game there can be no more steps forward.
If someone steals my car and uses it to mow down a dozen people on a busy street, am I culpable? Do I become any more culpable if I left my car unlocked, with the keys in the glove box?
Downmodding is the refuge of the weak. Don't downmod, make a better argument!
"But officer, someone hacked into my brain and took over my thoughts and actions!" When the time comes, that's gonna be a mother of a defense.
...so how can anyone be responsible for securing it? This whole thread is absurd.
If man built it, man can break into it. Period.
No one can ever be held accountable for this. It is a law of nature, immutable. You may as well start suing people for going to the bathroom too much.
The CIA has been hacked and so has the FBI, how the hell can grandma be expected to secure her Dell? No matter what program she uses, someone will write a script to break it, and take out her and all the rest of the people using it.
No one at those agencies lost their jobs or went to jail, even though their computers were used by hackers to gain illegal information and do who knows what. They get *paid* to be secure and employ the most sound security policies around.
I am sorry but Joe Sixpack couldn't do anything about hackers if he worked 24x7 for years learning about security and applying what he learned. Security "experts" with 20 years of experience have been hacked. Half don't even realize it.
l8,
AC
If Windows is the insecure POS it is, use something else.
Then why do 99 percent of the hardware devices on the shelves of the computer sections of Best Buy stores list "Insecure POS" in the system requirements?
Will I retire or break 10K?
Now, not only is he a moron but he himself broke the law by even downloading kidpix.
The only way that one would possibly break a U.S. federal law by downloading Kid Pix is possibly by infringing Broderbund's copyright therein.
Will I retire or break 10K?
our increasing reliance on a system (the internet) that is inherently insecure and vulnerable to any number of exploits
Can "The Internet" itself really be called "secure" or "insecure"? "The Internet" covers only up to layer 3 (routing) of the OSI model; anything on top of that is an application. Layer 1 is the domain of cables, layer 2 that of interface cards and switches, and layer 3 that of routers. Everything from level 4 on up happens in the hosts. (TCP sits in layer 4 and 5, apps sit in layers 6 and 7, and the whole concept of SOAP just standardizes layer 6.) I can't see any significant vulnerabilities in layer 3 and below other than denial of service by bandwidth consumption or by physical interruption of a connection. However, I can see vulnerabilities in the various layer 4-7 applications used by hosts connected to the Internet, but to avoid confusion, it's best to call these "Apache vulnerabilities" or "IIS vulnerabilities" rather than "Internet vulnerabilities."
Will I retire or break 10K?
Yes, but the owners can start a class action against the OS vendor.
I thought that when signing the sales slip for the computer with a pre-installed proprietary operating system, the computer owners WAIVED, RENOUNCED, AND GAVE UP THEIR RIGHTS TO SUE THE OS VENDOR, IN ALL CAPITAL LETTERS IN THE EULA.
Will I retire or break 10K?
It's a great defense. The way things are now, it's nearly impossible to tell who's using a computer, especially if the ip log doesn't show them signing in to email, networks, or other user-specific sites. But when some hacker jacks into a hospital, power grid, or air traffic system, these defenses will be less viable. The public will demand higher accountability, and trace programs will become far more advanced. The protocols will become like those sentinels in the matrix, and ECHELON-like systems will be introduced. Most importantly, these systems will be able to trace a computer's activity before the hacking took place, because the govt will say they need to figure out how and when the hacking program got there. That means that the longer a user has been visiting hacking sites or illegal porn or terrorist sites, the more the govt will believe that the computer's owner is the hacker/pervert/suicidal zealot. It's all part of building a circumstantial case that the feds can take to a jury. Sure, there could spawn a new trend of 'revengeware' through which hackers infiltrate, create agents to cause disasters or download old Traci Lords videos or collect bomb-making instructions before deleting themselves, but the creators would have to be incredibly judicious about the dissemination of such powerful systems. As soon as such code entered the mainstream it would proliferate and be recognized. If, for example, Pat Robertson, Jerry Falwell, and Billy Graham were all indicted as being part of Al-Quaeda, it's likely someone would recognize a glitch in the system. Cheers
Why not? Face it! NO windows is secure from the biggest baddest trojan bendin cookie monster of all, Billy Boy Gates. By extension that includes every suede shoe boy that ever gave Uncle Bill a buck or two for the inside info that micro$ keeps from all ordinary users (read sheep to be fleeced).
Here is the way you run windows. They are like the rules for keeping a 'MogWai' from the movie 'Gremlins':
Never feed them after midnight....don't keep an open internet connection so that uncle bill's friends can suck material off your computer after you go to bed...or plant material on unbeknownst to you in amounts greater than 50 MB so that their other 'friends' can later 'find' it.;
Never give them water......don't ever use any real names, real place addresses, real credit cards, etc. that allows bill's friends to steal identities, credit info, business data, etc.
Only use windows for games. That is all it is good for. win98 does fine as it will still play all the DOS games that did not spy on their own until the monopolist took over the game publishing houses a year or two ago and started to put out only crap with trojans in them;
Do all your real business with heavily secured linux. Use linux to scrub and destroy everything that windows refuses to delete
Hey, maybe I found a use for Petabyte Hard disks, the hardware never deletes anything ever, under any circumstances.
In other words, WORM (write once read many). Why not just log to CD-R all changes committed to personal information in government databases?
Will I retire or break 10K?
One minor nitpick: Reply All isn't due to ignorance about technology. It's usually just arrogance: the belief that What I'm saying is important enough to send to everybody.
Cars and guns are all about freedom, too. If a technology is widespread enough to be both important to the culture (economically or whatever) and dangerous to life and limb, then it gets regulated in one way or another.
If it's not done through legislation, then courts will establish "standards of due care." In other words, if you persist in using techniques that everyone knows will allow your system to be stolen by someone else, then you're providing an attractive nuisance, like a backyard swimming pool without a childproof fence. That makes you liable for civil damages at least.
Of course, today's typical computer users can't tell whether their systems are cracker bait or not, so the "clueless" defense works. Given the state of computer systems, this defense should continue to work for several more years.
Rick.
IANAL but I think this would apply to the topic and many of the replies:
"Most legal definitions of due diligence say something like "due diligence is a measure of prudence, activity, or assiduity, as is properly to be expected from, and ordinarily exercised by, a reasonable and prudent person under the particular circumstances; not measured by any absolute standard but depends on the relative facts of the special case."
Due Diligence
Words to men, as air to birds.