The Computer Owner - Guilty or Not Guilty?

Von-at-Infosec_Writers asks: "It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime could become much more difficult especially since, as a recent CNN.com article stated, a hacker's legal defense can be: it wasn't me but my hijacked computer that committed the crime. 'In some cases, I do suspect there are people whose computer is taken over by third parties. It's also a clever defense to exculpate your client,' says Michael Allison of the Internet Crimes Group.What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?" As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?

Innocent Until Proven Clueful

[RobertB-DC]

[...] their attorneys successfully argued that trojan programs found on their computers were to blame.
In all three cases, no one has suggested that the verdicts were anything other than correct.

I think it's going to be pretty easy to tell, within the law, whether the computer owner knew that a hack attack or illegal download was occurring on his/her computer. Most of the time, the court's answer will be "no".

If a remote-control Trojan is on the PC, then the prosecution would have to prove that:

* The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.

* Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.

While the defense attorney needs only argue that his client is just an average Joe(anne), and wouldn't know what a Trojan was if he/she bought one at the drugstore. The defense attorney should be facing a receptive audience. Remember, in the US at least, he'll be facing a jury of 12 average citizens who know as little about how computers work as I do about brain surgery.

Or perhaps less. At least I know which box my brain is in.

Re:Innocent Until Proven Clueful

[QueenOfSwords]

Problem is, of course, that if you're a CS student who has been a bit lax about security, you're probably screwed. People don't understand computers , so your jury won't understand that anybody who is studying computers or has *specific* knowledge isn't a super-1337 hax0r who is probably guilty.

Re:Innocent Until Proven Clueful

[Megor1]

If a remote-control Trojan is on the PC, then the prosecution would have to prove that:

* The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.

* Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.

Really you tell me how to detect a kernel level trojan on a windows box besides running your own seperate intrusion detection system that knows what way the trojan works. (So if its an unknown one you aint gonna find it). And if the person removes the trojan and overwrites itself you aint gonna find any evidence of it

Re:Innocent Until Proven Clueful

[pyros]

A hacking attempt should have a well documented time, and if the defendent can show they were doing something else at the time they should get a non guilty verdict easily.

That's right, because there is no such thing as batch jobs and scheduled tasks. Any "expert" witness the prosecution calls upon to talk about such things must be getting bribed to do so.

Re:Innocent Until Proven Clueful

[techno-vampire]

"Jane is a techie, if her computer was infected she must have done it herself?"

I worked for several years as a support tech for an ISP. When Mellissa came around, most of the techs were running around like chickens with their heads cut off, while I laughed. Same thing with the Love Bug. Why? Because unlike everybody else, I used Eudora for email, not Outlook. It doesn't have the well-known security holes, so it's safe from the trojans aimed at Outlook. (OK; that's not the only reason, or the main reason I use it. But it was what kept me safe.)

The point here is, that techs are just as likely to follow the path of least effort as anybody else, and either use vulnerable software or not bother to secure what they have. Not only that, but just working as a tech doesn't mean you actually know what you're doing; I could tell numerous horror stories about techs using Reply All to ask a question about a message sent to a number of people, using "fixes" known to cause the issue to get worse, and otherwise proving that having a job as a tech doesn't make you one.

No, just proving the defendant worked in a tech field or as a tech or was studying CS isn't going to be enough, at least if the defense lawyer is any good. You're going to have to prove that he or she knew enough to have installed the trojan, had access to it and had a reason to do so. Just like with any other crime, Motive Means and Opportunity have to be demonstrated.

Re:Innocent Until Proven Clueful

[Dr+Damage+I]

Of course, is it really right to hold someone liable for damages that result in an intrinsically harmless slip-up? Say I forget to patch SSH or Apache and someone launches an attack from my box. Should I be held liable? If so, why? Because I should know better? That may be true, but I can always argue that I'd intended to patch but just hadn't found the time to do so, and someone by chance, found my box

The issue I have here, is that frequently the offender is using an unprotected computer to exploit a hole in the security of the target computer. Is it really fair to assess damages against someone in favor of a victim who was equally negligent?

The courts will work this out....eventually

[dtolton]

Unfortunately, I think the "I didn't do it, my computer did"
defense will be all too common. How can you hold people
responsible for holes in their system while microsoft produces
software with numerous holes in it, but is not held responsible.

An interesting analogy is gun crimes. If someone owns a gun,
and it is proven conclusively that the gun committed a crime,
but it cannot be proven conclusively that the owner of the gun
is the one who pulled the trigger (opportunity), then it is
difficult to establish a case.

I think a similar idea will work itself out with computer
crime. The fact that your computer did something isn't enough,
you have to be a willing participant in the incident.

Perhaps there should be laws to punish people who leave
unpatched, unprotected computers sitting on the internet. There
are laws that punish irresponsible gun owners, should we also
punish negligent computer owners? What about negligent
programmers?

As an aside, in the last court case I was involved in, e-mail
was admissible in court. The only thing I had to do was produce
some e-mail correspondence between myself and the other party.
The lawyers and the judges all accepted them without a word.
While the e-mails were in fact real, and the transmission could
be verified by isp records, the simple fact that the opposing
council didn't so much as raise an eyebrow shows me just how
ignorant the legal system still is when it comes to technology.
This happened less than a year ago.

Re:The courts will work this out....eventually

[gooberguy]

Should we fine and arrest people who keep vulnerable systems on the web? I think not. If your computer gets infected with a virus or worm, no one dies. Sure, damages may be done, but no amount of commercial loss compares with murder. Also, your idea would kill the Internet. The Internet is about freedom. Overall, it is the least regulated, most anonymous medium accesible to Joe Sixpack. If people fear getting arrested for merely being online, they will find something else to do.

Re:The courts will work this out....eventually

[southpolesammy]

If I leave my car unlocked with the keys in the ignition, and someone steals my car, packs it fulls of C4, and blows up a building with it, hopefully, my alibi is good enough to show that I wasn't the one that perpetrated such a heinous act.

The problem with computer crime is that the alibi part of the equation is harder for the computer owner to prove. He may very well have been actively using the computer in question that hacked the Bank of North Elbonia at the time of the crime, but that doesn't mean he did it. In spite of that, proving that he wasn't the perp is difficult. Most other alibis work because of physical bias placing the individual in some other place than the crime in question. This is harder to prove in a virtual setting.

well

[JeanBaptiste]

in the US, if your car is going down the freeway and your brakes fail because you didnt do routine maintenance, you end up crashing and killing someone, you are at fault.

on the other hand, if someone cuts your brake lines, you crash and kill someone, you are not at fault.

I would think that viruses and trojans and worms and such would fall more under the 'someone cuts your brake lines' category.

Re:well

[j0keralpha]

Reasonable Mitigation. There is very little you can do to prevent someone from cutting your brakelines. A lot of Computer Zombification stems from users not proactively patching AV and OS (lets not even talk about applications). Slammer (yes i know this was a server-worm) and Blaster are excellent examples. The world at large had 6 months and 1.5 months respectively to prevent the nightmare from happening, but nobody takes responsibility for (to extend your car analogy) Changing the oil and other basic maintenance on their computers. If a users computer causes x amount in damages and they had a reasonable ability to patch the problem and mitigate it, then they should be held responsible. This obviously doesnt apply for 0-day takeovers. The problem then lies in showing HOW the computer was compromised, and the question is: 'Is the burden of proof upon the user to show they are not at fault, or the attack victim to show that they are?'

Same as in a car!

[scovetta]

If you're driving a car, and the car malfunctions and you hit and kill someone, you shouldn't be held responsible. If you say the car was broken and it wasn't, then it's fraud and you get charged with vehicular manslaughter or whatever.

If your computer was hijacked and you did nothing to prevent it, its YOUR fault. If you ran antivirus/firewall/whatever, then it's the fault of the hacker, and you shouldn't be held responsible.

Of course, we need a good definition of a "good faith attempt at computer security", but that's a grey legal line. Personally, I think that if a patch has been available for more than, say, 2 months, and you aren't patched, its your damn fault. If you installed a program explicitly, then it's your fault (even if it was spyware)-- the analogy, if you get super-duper-hood-attachments for your car and they fly off and impale someone, its your fault.

Of course, that sucks, but it's the only way I can see to segment culpability for crimes in this case.

Re:If this were the case...

[happyfrogcow]

would not there by logs of some sort to PROVE his computer had been Hijacked by a third party?

if a computer is compromised, never believe the logs.

Guilty by precedent

[kaan]

Look at the rest of society, outside of the context of computing.

If I have a knife and I leave it on a table, and a neighborhood kid comes over and stabs himself in the head, I'll probably get sued (and lose) even though I didn't do the stabbing.

If I leave the keys to my car and somebody steals it, drives all over town and runs over a group of teenagers, I'll probably get sued as being somewhat responsible because I provided the car (indirectly).

If I'm a parent with a house full of handguns, and my child finds one and blows his sister's head off, I'll probably end up in jail even though I didn't pull the trigger.

I can't think of too many examples where our society wouldn't sue the hell out of anyone, even if you're just a by-stander, when something goes wrong. Whether or not that's "right" or "the way things should be", it certainly is. So why should it be any different if my computer is used to do something malicious or damaging? I say stick with the established precedent and blame the computer owner, even if he had nothing to do with the crime. It might not be fair, but at least it would be consistent. We don't live in a society of fairness anyway, we live in a society of blame and accusation.

Any hacker (cracker) with a clue

[Michael+Crutcher]

.. just walks up to an apartment complex with a wireless card and initiates their hack from there. Toss the wireless card (bought in cash) or spoof the mac address (entirely possible) and poof, its not going to be traced. This is a sticky problem because only the dumbest crackers (script kiddies) aren't going to take these extremely simple precautions to avoid being caught.

As long as wireless networks remain as insecure as they are right now its going to be cracker paradise. I don't see an easy solution to the problem, it almost seems like if a hack can be traced back to your computer you almost certainly didn't commit the crime (unless you're a complete asshat).

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Breaking Point Chaos and Destruction Online

[mveloso]

It's already easy for this to happen. Think about your workplace - the IT guys (you guys, mostly) can put whatever the hell you want on someone's box, and they'd have no idea.

For example:

Staffer: "Hey, I have no idea where that child pr0n came from!"

Manager: "Look, don't make this harder than it has to be. Just pack up your stuff and we won't tell your wife or the paper."

Staffer: "But I never saw that before!"

Manager: "That's what they all say."

With a careful admin, even browser history and caches can be faked. And there's not a thing that the poor staffer could do about it.