The Computer Owner - Guilty or Not Guilty?
Von-at-Infosec_Writers asks: "It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime could become much more difficult especially since, as a recent CNN.com article stated, a hacker's legal defense can be: it wasn't me but my hijacked computer that committed the crime. 'In some cases, I do suspect there are people whose computer is taken over by third parties. It's also a clever defense to exculpate your client,' says Michael Allison of the Internet Crimes Group. What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?"
As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?
It's actually very easy to frame someone online, which will be (mark my word) the next big thing in divorce cases, criminal cases, et al. I won't comment anymore on these issues though. I've been through the whole shebang. One thing people should be aware of though is the ease with which someone could actually do something malicious to another person. Courts, well let's just say if you're the accused, pray you don't get a computer-phobic (which the DA will try to ensure he selects the most of) jury.
MoFscker
> How much responsibility does the owner of an
> Internet-connected computer have for crimes
> committed using their equipment
None, unless they have responsibility for
the use itself.
> and what are ways we can best determine
> their involvement, or lack of it, in said
> crimes?
Firstly, you don't want to. You don't want
to live in a world where people can't
speak freely on the Internet. Therefore
you don't want to live in a world where
it is easy to hunt down and kill anyone
who criticizes you.
Secondly, in the U.S., you need proof beyond
a reasonable doubt to convict of a crime.
That will never happen without human
witnesses to substantiate the accuracy of
data submitted in evidence, since all data
is equally possible to fabricate on demand.
So, in brief, only on the testimony of
disinterested witnesses can responsibility
for a digitally intermediated act be
proven or refuted.
-I like my women like I like my tea: green-
It's not that simple, believe me you. :) A good forensics expert can slice and kill your false I-was-hacked defense in a matter of days.
Homeowners can be jailed when trespassers drown in their pool, because the pool falls under the heading of, "Attractive Nuisance." It thus falls to the homeowner to properly secure access to the pool, or risk getting sued when some vagrant wanders in and gets hurt.
I can see this concept being extended to the Internet: By placing an unsecured box on the network, you have introduced an Attractive Nuisance, and it can be argued that the machine's owner bears responsibility for collateral damage.
Trouble is, can the machine's owner really be held responsible for such consequences when the OS vendor willfully misrepresented the concordant hazards and responsibilities of placing their product on the open Internet?
Schwab
Editor, A1-AAA AmeriCaptions
I have been waiting to see one of the RIAA lawsuit defendants use WiFi as a defense. If someone runs a WiFi 802.11a/b/g/etc. network and presents a defense in which they claim that the shared files must have been on a neighbor's computer, it would create the reasonable doubt necessary for the jury to find the defendant not guilty.
I believe that it's only a matter of time and when it happens, it will put a real crimp in the RIAA's plans to sue every user of Kazaa.
P.S. Don't waste bandwidth claiming that the defendant is legally responsible for the actions of others over their unsecured WiFi setup. That's not how the law works. If you leave your car unlocked and I steal it, you are not responsible if I smuggle drugs in your stolen vehicle.
Given the way our courts treat "reasonable doubt" I would think any decent lawyer would be able to at least hang a jury in this situation. Especially with the use of expert witnesses. This is what they are for, to inform the jury of matters they don't have the training to understand. A polygraph might also be used to persuade a jury, although there could be issues in admitting it as evidence. However, perhaps the best evidence in any circumstantial case is an alibi, and this could be used here as well. A hacking attempt should have a well documented time, and if the defendant can show they were doing something else at the time they should get a not guilty verdict easily.
I've had this happen to me personally. I was in a class where 5 people's grades were changed, including mine. The instructor basically said "you're the only one smart enough, so you're it." And being the CS student who has been paid to do security audits doesn't help.
Contact Me (got tired of viruses emailing me).
People throw the idea of a private trusted internet around all the time but I can say in the case of the university there are damn few people in my research group (chemistry) who know or care to secure the computers. We want them to be tools and don't want to spend any time worrying about updates and security. Someone will connect to the university and they will be the lowest common denominator. Who's to say the average guy on the street wouldn't be smarter? I'll stick to the one internet and keep closing that window telling me there are new updates available. I don't have time to wait for that crap to install.
I've hit Karma 50 and gotten a Score:5, Troll... I win!
I have several friends who are CS majors and use Windows 98 with no virus protection or firewall.
Typically the only people who know anything about security are the same people who have built a complete system from parts. It's sad but a lot of CS people aren't hackers (in the hackers-with-a-dumb-glider-logo sense of the word).
Come to think of it the only programmer I know who actually went to school and got a CS degree is my mom, and it was her second degree -- she went back to school to pursue a well-paying career. I still remember the shoeboxes full of punch cards. She is clueless about Internet security, but pretty 1337 with COBOL and JCL, if such a thing is possible.
I'm a CS student and I can't count the number of people I know who leave BackOrifice installed on their machines for the very reason of deniability in this sense. For them, it's so they can blame their p2p activity on 'evil hackers'...of course, it's a flawed plan since the university just cuts you for 45 days if they are able to download from you (They only make an attempt after the RIAA notifies them that your IP is delinquent. If they fail, they tell the RIAA that they were wrong. If they succeed, they take away your connection and tell the RIAA that the problem was resolved on the inside...up until this point, this has done a pretty good job of protecting the students here from litigation).
Brian
Not with COBOL, but it's perfectly possible to do all sorts of arcane things with JCL if you're willing to take the time to learn how. Can't say I particularly recommend it, though...
Anyone reading Slashdot is by definition in a vanishingly tiny minority. We, and only we, have a relatively good sense of how to defend ourselves.
The rest of the population are a bit like my neighbour. He has a Windows 2000 laptop (that's what it came with) and recently got an ADSL connection. His ADSL link went live about 10:30 one morning; by 12:15 he had been blocked by his ISP for spreading Blaster.
That's when he knocked on my door. I printed out his task list (i.e. things that couldn't even be bothered to cloak themselves). Including Blaster, he had already been compromised five ways. A hacked copy of Dameware was in there, plus a ratio-based FTP server. I can't remember what the other two were.
The point is, he could have unknowingly been carrying gigabytes of warez or child porn on the same day he bought his shiny new ADSL modem.
So I'm inclined to take very seriously the "it wasn't me" defence. For almost everyone, it's true.
Or did you mean that the person who should be prosecuted is the person who made the trojan/virus that was used on the system? In this case the analogy would be something close to "The only person who should be held liable in the case of a double murder is the gun manufacturer (assuming it was a shooting)." (note: for this argument, assume the gun used was of a type that has something like a silencer or something so it would only be used for illegitimate uses.)
Not sure I agree with either point, but not sure I don't either, but I think I've helped clarify it. (Which point was it btw, the maker of the unsecure OS (truck) or the maker of the trojan (gun) who you were prosecuting?)
Little Brother, watching the watchers
So I should be able to place one of my handguns out on my front screen porch and if a child picks it up, kills someone, then I am not responsible?
Did you not read my post? I said "no amount of commercial loss compares with murder." The consequences of negligent gun ownership are infinitely worse than simply leaving your computer online without patching it. If you think outlawing vulnerable computers is going to stop all hacks, you are either stupid or naive. Many people don't own guns because they fear the consequences of owning one. I don't want to see that happen with computers, where it shouldn't. Guns are dangerous if used negligently, but computers, even when used maliciously, are merely annoyances.
Karma: Meh (Mostly from meh.)
I think the subject says it all here folks.
To relate a story that happened about 2 years ago when big red or sobig, I forget which, was running rampant, my local ISP was having a major portion of his bandwidth being used up by one machine, a server in an insurance office in a neighboring county seat town.
They were warned that their machine was infected by telephone on several occasions, and disconnected for a few hours several times in attempting to get them to reload the computer and put in the patches. Each time they were disconnected, their lawyer called in 30 minutes or so of opening hours threatening action for breach of contract.
I believe they were disconnected for good after the rest of the system covering a good portion of the state had been severely crippled for about a month. The ISP had to countersue to get them out of the ISP's collective hair. I don't know if they ever admitted their machine was at fault, or fixed it.
But this is a prime example of a situation where the machine owner WAS repeatedly notified and took no action. That to me, makes them 200% liable for the losses their poorly maintained machine cost each of the other thousands of victims.
Had they shut it down and yelled for their network guru to come and fix it immediately on the first notification, then I'm inclined to think they should not be held responsible. But that wasn't the case as that would have impinged on their own ability to do business. But their attitude was that "we are working, screw the world".
My $0.02, adjusted for inflation.
--
Cheers, Gene