Slashdot Mirror


The Computer Owner - Guilty or Not Guilty?

Von-at-Infosec_Writers asks: "It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime could become much more difficult especially since, as a recent CNN.com article stated, a hacker's legal defense can be: it wasn't me but my hijacked computer that committed the crime. 'In some cases, I do suspect there are people whose computer is taken over by third parties. It's also a clever defense to exculpate your client,' says Michael Allison of the Internet Crimes Group. What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?" As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?

2 of 539 comments

  1. Re:Innocent Until Proven Clueful by Maestro4k · · Score: 3, Informative
    • Problem is, of course, that if you're a CS student who has been a bit lax about security, you're probably screwed. People don't understand computers, so your jury won't understand that anybody who is studying computers or has *specific* knowledge isn't a super-1337 hax0r who is probably guilty.
    The sad thing is, I could easily see many CS students managing to get infected. When I got my degree, most of my classmates were good at programming, but couldn't admin or secure a paper bag, much less their personal computers.

    The scary part is the general public would assume a CS student knows how to secure their computer like you said, while it isn't something taught in many CS programs. (I know mine was focused on programming and theory, there was not a single required course that focused on security of any kind, even on coding securely.)

  2. Re:Innocent Until Proven Clueful by Durandal64 · · Score: 4, Informative

    Being a CS student does not necessarily grant one a good working knowledge of networks. I've seen plenty of CS students and experienced programmers who wouldn't know how to properly secure their systems. Now, if the person in question is a Network Infrastructure student or Novell-certified, it's almost a no-brainer that he should know how to secure his machine.

    Of course, is it really right to hold someone liable for damages that result in an intrinsically harmless slip-up? Say I forget to patch SSH or Apache and someone launches an attack from my box. Should I be held liable? If so, why? Because I should know better? That may be true, but I can always argue that I'd intended to patch but just hadn't found the time to do so, and someone, by chance, found my box. If my schedule in a particular week isn't amenable to patching a particular aspect of my system, but I need SSH or Apache during that week, why should I be held liable for damages resulting from someone illegally hijacking my computer? Let's keep the blame where it belongs, here.