Slashdot Mirror
The Computer Owner - Guilty or Not Guilty?
Von-at-Infosec_Writers asks: "It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime could become much more difficult especially since, as a recent CNN.com article stated, a hacker's legal defense can be: it wasn't me but my hijacked computer that committed the crime. 'In some cases, I do suspect there are people whose computer is taken
over by third parties. It's also a clever defense to exculpate your client,' says Michael Allison of the Internet Crimes Group.What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?" As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?
[...] their attorneys successfully argued that trojan programs found on their computers were to blame.
In all three cases, no one has suggested that the verdicts were anything other than correct.
I think it's going to be pretty easy to tell, within the law, whether the computer owner knew that a hack attack or illegal download was occurring on his/her computer. Most of the time, the court's answer will be "no".
If a remote-control Trojan is on the PC, then the prosecution would have to prove that:
* The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.
* Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.
While the defense attorney needs only argue that his client is just an average Joe(anne), and wouldn't know what a Trojan was if he/she bought one at the drugstore. The defense attorney should be facing a receptive audience. Remember, in the US at least, he'll be facing a jury of 12 average citizens who know as little about how computers work as I do about brain surgery.
Or perhaps less. At least I know which box my brain is in.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
Unfortunately, I think the "I didn't do it, my computer did"
defense will be all too common. How can you hold people
responsible for holes in their system while microsoft produces
software with numerous holes in it, but is not held responsible.
An interesting analogy is gun crimes. If someone owns a gun,
and it is proven conclusively that the gun committed a crime,
but it cannot be proven conclusively that the owner of the gun
is the one who pulled the trigger (opportunity), then it is
difficult to establish a case.
I think a similar idea will work itself out with computer
crime. The fact that your computer did something isn't enough,
you have to be a willing participant in the incident.
Perhaps there should be laws to punish people who leave
unpatched, unprotected computers sitting on the internet. There
are laws that punish irresponsible gun owners, should we also
punish negligent computer owners? What about negligent
programmers?
As an aside, in the last court case I was involved in, e-mail
was admissible in court. The only thing I had to do was produce
some e-mail correspondence between myself and the other party.
The lawyers and the judges all accepted them without a word.
While the e-mails were in fact real, and the transmission could
be verified by isp records, the simple fact that the opposing
council didn't so much as raise an eyebrow shows me just how
ignorant the legal system still is when it comes to technology.
This happened less than a year ago.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
in the US, if your car is going down the freeway and your brakes fail because you didnt do routine maintenance, you end up crashing and killing someone, you are at fault.
on the other hand, if someone cuts your brake lines, you crash and kill someone, you are not at fault.
I would think that viruses and trojans and worms and such would fall more under the 'someone cuts your brake lines' category.
would not there by logs of some sort to PROVE his computer had been Hijacked by a third party?
if a computer is compromised, never believe the logs.
Look at the rest of society, outside of the context of computing.
If I have a knife and I leave it on a table, and a neighborhood kid comes over and stabs himself in the head, I'll probably get sued (and lose) even though I didn't do the stabbing.
If I leave the keys to my car and somebody steals it, drives all over town and runs over a group of teenagers, I'll probably get sued as being somewhat responsible because I provided the car (indirectly).
If I'm a parent with a house full of handguns, and my child finds one and blows his sister's head off, I'll probably end up in jail even though I didn't pull the trigger.
I can't think of too many examples where our society wouldn't sue the hell out of anyone, even if you're just a by-stander, when something goes wrong. Whether or not that's "right" or "the way things should be", it certainly is. So why should it be any different if my computer is used to do something malicious or damaging? I say stick with the established precedent and blame the computer owner, even if he had nothing to do with the crime. It might not be fair, but at least it would be consistent. We don't live in a society of fairness anyway, we live in a society of blame and accusation.
As long as wireless networks remain as insecure as they are right now its going to be cracker paradise. I don't see an easy solution to the problem, it almost seems like if a hack can be traced back to your computer you almost certainly didn't commit the crime (unless you're a complete asshat).
Comment removed based on user account deletion