The Computer Owner - Guilty or Not Guilty?
Von-at-Infosec_Writers asks: "It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime could become much more difficult especially since, as a recent CNN.com article stated, a hacker's legal defense can be: it wasn't me but my hijacked computer that committed the crime. 'In some cases, I do suspect there are people whose computer is taken over by third parties. It's also a clever defense to exculpate your client,' says Michael Allison of the Internet Crimes Group. What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?" As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?
[...] their attorneys successfully argued that trojan programs found on their computers were to blame.
In all three cases, no one has suggested that the verdicts were anything other than correct.
I think it's going to be pretty easy to tell, within the law, whether the computer owner knew that a hack attack or illegal download was occurring on his/her computer. Most of the time, the court's answer will be "no".
If a remote-control Trojan is on the PC, then the prosecution would have to prove that:
* The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.
* Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.
While the defense attorney needs only argue that his client is just an average Joe(anne), and wouldn't know what a Trojan was if he/she bought one at the drugstore. The defense attorney should be facing a receptive audience. Remember, in the US at least, he'll be facing a jury of 12 average citizens who know as little about how computers work as I do about brain surgery.
Or perhaps less. At least I know which box my brain is in.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
Unfortunately, I think the "I didn't do it, my computer did"
defense will be all too common. How can you hold people
responsible for holes in their system while Microsoft produces
software with numerous holes in it, but is not held responsible?
An interesting analogy is gun crimes. If someone owns a gun,
and it is proven conclusively that the gun committed a crime,
but it cannot be proven conclusively that the owner of the gun
is the one who pulled the trigger (opportunity), then it is
difficult to establish a case.
I think a similar idea will work itself out with computer
crime. The fact that your computer did something isn't enough,
you have to be a willing participant in the incident.
Perhaps there should be laws to punish people who leave
unpatched, unprotected computers sitting on the internet. There
are laws that punish irresponsible gun owners, should we also
punish negligent computer owners? What about negligent
programmers?
As an aside, in the last court case I was involved in, e-mail
was admissible in court. The only thing I had to do was produce
some e-mail correspondence between myself and the other party.
The lawyers and the judges all accepted them without a word.
While the e-mails were in fact real, and the transmission could
be verified by ISP records, the simple fact that the opposing
counsel didn't so much as raise an eyebrow shows me just how
ignorant the legal system still is when it comes to technology.
This happened less than a year ago.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
In the US, if your car is going down the freeway and your brakes fail because you didn't do routine maintenance, you end up crashing and killing someone, you are at fault.
On the other hand, if someone cuts your brake lines, you crash and kill someone, you are not at fault.
I would think that viruses and trojans and worms and such would fall more under the 'someone cuts your brake lines' category.
IANAL, but: To put a rather brutal, but analogous comparison in place. If someone breaks into your house, steals a gun, and then shoots someone on the street, the owner of the house would not be guilty of murder. They may be guilty of negligent storage of a firearm, but not much else.
And since there currently is no crime for keeping a computer unsecured on the internet, I doubt there is much that can be done.
Ok, I give up, why you?
Just as irrigation is the lifeblood of the Southwest, lifeblood is the soup of cannibals. -- Jack Handy
It's actually very easy to frame someone online which will be (mark my word) the next big thing in divorce cases, criminal cases, et al. I won't comment anymore on these issues though. I've been through the whole shebang. One thing people should be aware of though is the ease with which someone could actually do something malicious to another person. Courts, well let's just say if you're the accused, pray you don't get a computer phobic (which the DA will try to ensure he selects the most of) jury.
MoFscker
If you're driving a car, and the car malfunctions and you hit and kill someone, you shouldn't be held responsible. If you say the car was broken and it wasn't, then it's fraud and you get charged with vehicular manslaughter or whatever.
If your computer was hijacked and you did nothing to prevent it, it's YOUR fault. If you ran antivirus/firewall/whatever, then it's the fault of the hacker, and you shouldn't be held responsible.
Of course, we need a good definition of a "good faith attempt at computer security", but that's a grey legal line. Personally, I think that if a patch has been available for more than, say, 2 months, and you aren't patched, it's your damn fault. If you installed a program explicitly, then it's your fault (even if it was spyware)-- the analogy, if you get super-duper-hood-attachments for your car and they fly off and impale someone, it's your fault.
Of course, that sucks, but it's the only way I can see to segment culpability for crimes in this case.
He who fights with monsters should see to it that he does not become a monster in the process. --Nietzsche
> How much responsibility does the owner of an
> Internet-connected computer have for crimes
> committed using their equipment
None, unless they have responsibility for
the use itself.
> and what are ways we can best determine
> their involvement, or lack of it, in said
> crimes?
Firstly, you don't want to. You don't want
to live in a world where people can't
speak freely on the Internet. Therefore
you don't want to live in a world where
it is easy to hunt down and kill anyone
who criticizes you.
Secondly, in the U.S., you need proof beyond
a reasonable doubt to convict of a crime.
That will never happen without human
witnesses to substantiate the accuracy of
data submitted in evidence, since all data
is equally possible to fabricate on demand.
So, in brief, only on the testimony of
disinterested witnesses can responsibility
for a digitally intermediated act be
proven or refuted.
-I like my women like I like my tea: green-
It's not that simple, believe me you. :) A good forensics expert can slice and kill your false I-was-hacked defense in a matter of days.
Homeowners can be jailed when trespassers drown in their pool, because the pool falls under the heading of, "Attractive Nuisance." It thus falls to the homeowner to properly secure access to the pool, or risk getting sued when some vagrant wanders in and gets hurt.
I can see this concept being extended to the Internet: By placing an unsecured box on the network, you have introduced an Attractive Nuisance, and it can be argued that the machine's owner bears responsibility for collateral damage.
Trouble is, can the machine's owner really be held responsible for such consequences when the OS vendor willfully misrepresented the concordant hazards and responsibilities of placing their product on the open Internet?
Schwab
Editor, A1-AAA AmeriCaptions
Would not there be logs of some sort to PROVE his computer had been hijacked by a third party?
If a computer is compromised, never believe the logs.
How DO you prove whether or not a person had the capability to do the hack? Character witness comes into huge play here, and I have a feeling that as this defense becomes more and more difficult to prosecute in criminal court, we'll see cases popping up where civil suits are being filed against people. In a criminal case you are innocent until proven guilty, while if a civil suit were filed for damages from a specific person's computer, all that has to be proven is that they are the most likely person to have committed the infraction.
I'm waiting for a case to set precedent in this realm. What happens when grandma is on the hook for $250,000 in damages because she was judged for "willful neglect" in not actively taking responsibility to ensure that her computer was adequately protected against trojans? I feel it's only a matter of time before someone proposes that owning a computer carries the same ramifications and responsibilities as owning a gun.
I hope such a thing never actually holds up, but I still fully expect to see it proposed.
Damon,
http://actionPlant.com
"It sets a precedent now in the judicial system where a hacker can just claim somebody took over his computer, the program vanished and he's free and clear," he said
...
Right. So if you want to do something illegal, install the version of Windows that's currently most targeted by viruses and worms (XP these days I presume), be very careful *not* to install any service patch, and commit all your crimes with the default Windows telnet client. If you're caught, pretend your computer was hacked and it'll be very plausible. To complete the picture and look even more innocent, pepper a couple of letters to Grandpa, checking account spreadsheets and windows_tips.doc files in your "My Documents" folder.
Of course, don't get caught doing your deeds on a *nix box or your fake computer-loser attitude will appear a lot more suspicious in court.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Look at the rest of society, outside of the context of computing.
If I have a knife and I leave it on a table, and a neighborhood kid comes over and stabs himself in the head, I'll probably get sued (and lose) even though I didn't do the stabbing.
If I leave the keys to my car and somebody steals it, drives all over town and runs over a group of teenagers, I'll probably get sued as being somewhat responsible because I provided the car (indirectly).
If I'm a parent with a house full of handguns, and my child finds one and blows his sister's head off, I'll probably end up in jail even though I didn't pull the trigger.
I can't think of too many examples where our society wouldn't sue the hell out of anyone, even if you're just a by-stander, when something goes wrong. Whether or not that's "right" or "the way things should be", it certainly is. So why should it be any different if my computer is used to do something malicious or damaging? I say stick with the established precedent and blame the computer owner, even if he had nothing to do with the crime. It might not be fair, but at least it would be consistent. We don't live in a society of fairness anyway, we live in a society of blame and accusation.
As long as wireless networks remain as insecure as they are right now it's going to be cracker paradise. I don't see an easy solution to the problem, it almost seems like if a hack can be traced back to your computer you almost certainly didn't commit the crime (unless you're a complete asshat).
I have been waiting to see one of the RIAA lawsuit defendants use WiFi as a defense. If someone runs a WiFi 802.11a/b/g/etc. network and presents a defense in which they claim that the shared files must have been on a neighbor's computer, it would create the reasonable doubt necessary for the jury to find the defendant not guilty.
I believe that it's only a matter of time and when it happens, it will put a real crimp in the RIAA's plans to sue every user of Kazaa.
P.S. Don't waste bandwidth claiming that the defendant is legally responsible for the actions of others over their unsecured WiFi setup. That's not how the law works. If you leave your car unlocked and I steal it, you are not responsible if I smuggle drugs in your stolen vehicle.
If my auto-downloader gets the Linux kernel,
then a Microsoft Word macro virus alters it,
then an Outlook worm sends it everywhere,
who exactly is liable for infringement on SCO?
Might it be best to make computer owners responsible for all harm caused by their computers, no excuses allowed? People would become much more security conscious. Insurers could include computer liability insurance with home or business coverage, with "good driver"-like discounts if you can show you use proper safeguards.
It's a harsh position, I know, but it seems like it might work.
When all you have is a hammer, everything looks like a skull.
People throw the idea of a private trusted internet around all the time but I can say in the case of the university there are damn few people in my research group (chemistry) who know or care to secure the computers. We want them to be tools and don't want to spend any time worrying about updates and security. Someone will connect to the university and they will be the lowest common denominator. Who's to say the average guy on the street wouldn't be smarter? I'll stick to the one internet and keep closing that window telling me there are new updates available. I don't have time to wait for that crap to install.
I've hit Karma 50 and gotten a Score:5, Troll... I win!
I'm sure Microsoft will save the day. They'll integrate a keystroke logger, packet sniffer, and disk imager into the Longhorn kernel, with an added feature that it sends all data gathered back to a centralized Microsoft database (running on BSD of course) every hour. That way there will always be a pristine, completely unadulterated record of everything everyone did on their computers, in case the courts need to get involved. And politicians who look at kiddie porn can have that part erased from their data for a small (infinitely recurring) fee.
Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
Unless you have failsafe tamper proof user interfaces that use biometrics to constantly authenticate the user (i.e. fingerprint and body temperature signature recognising keyboards and mice) along with RFID readers to detect the proximity of the user to the machine (based on the RFID chips implanted in the user's body, naturally) along with digitally signing the network traffic generated by the user of the machine with the biometric data of that user in a way that it could not be tampered with, along with video cameras constantly filming what the user is doing, then the trojan case will always be available...
I believe computer owners who have systems connected to the Internet should be held accountable even if their PC was hijacked, unless they can prove having taken reasonable steps to protect their computer, like antivirus software, firewall, being a well educated computer user. Something I don't think many people understand or would agree w/ is that owning a computer that is connected to the Internet has a certain responsibility w/ it. Like owning a car or a gun carries great responsibility; I'm not equating the two. Ignorant computer users, who knowingly or unknowingly contribute to virus propagation, should be held accountable for it. Just like if you don't keep your car well maintained, and it causes an accident, you will be held accountable because of your negligence. It is very easy to protect your computer from viruses and other unwanted programs, as I'm sure most /. readers will agree; the problem is the general public, and average computer users don't know how easy it is. You have to have a license to do everything in the US, except own a computer and have a kid; maybe it's time to start on those too.
Less morons, and less morons using computers.
--The Titanic was built by professionals. --The Ark was built by amateurs.
Anyone reading slashdot is by definition in a vanishingly tiny minority. We, and only we, have a relatively good sense of how to defend ourselves.
The rest of the population are a bit like my neighbour. He has a Windows 2000 laptop (that's what it came with) and recently got an ADSL connection. His ADSL link went live about 10:30 one morning; by 12:15 he had been blocked by his ISP for spreading Blaster.
That's when he knocked on my door. I printed out his task list (i.e. things that couldn't even be bothered to cloak themselves). Including Blaster, he had already been compromised five ways. A hacked copy of Dameware was in there, plus a ratio-based FTP server. I can't remember what the other two were.
The point is, he could have unknowingly been carrying gigabytes of warez or child porn on the same day he bought his shiny new ADSL modem.
So I'm inclined to take very seriously the "it wasn't me" defence. For almost everyone, it's true.
If someone died, it would be the fault of the virus writer. You are saying something similar to this: If people leave their doors unlocked and get robbed, it's their own fault. Sounds a little funny now that your logic has been applied to a real world situation. The last time I got robbed, the police didn't blame me, they blamed the robber, and rightfully so. Just because someone is stupid and doesn't patch their systems doesn't mean they are at fault if they get hacked. I'm not saying people should stop patching, not at all, but they shouldn't be blamed just because they are asking to be hacked. Whoever writes the virus is responsible.
Karma: Meh (Mostly from meh.)
I have to say that I disagree with most of the highly moderated posts here so far.
A legal precedent for this type of defense is already set. This type of case should not be considered differently from other crimes.
If my car is stolen and later used in a bank robbery I am not culpable in any way. I was not an accomplice before, during or after the fact, I did not commit the crime. In fact, I am one of the victims. My lack of culpability remains intact whether I am aware of my car being stolen or not, and whether I report it stolen or not.
In all such cases regardless of the items used to commit the crime or how they were obtained the burden of proof lies with the prosecution to demonstrate that it was in fact the defendant who was in control of the items at the time, and therefore the guilty party.
The only complicating factor in computer cases is that the computer may be in the virtual control of one person while in the physical control of another. This has the net effect of slightly shifting the burden of proof towards the defendant; his control of the computer is implied. This is, in my opinion, unfortunate and I hope that future cases will set precedent that shifts the burden back to the prosecution.
In a truly free country the legal system must expend most of its effort keeping innocent people free, not punishing the guilty.
Naturally, a different set of guidelines exists for civil cases.