Slashdot Mirror


The Computer Owner - Guilty or Not Guilty?

Von-at-Infosec_Writers asks: "It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime could become much more difficult especially since, as a recent CNN.com article stated, a hacker's legal defense can be: it wasn't me but my hijacked computer that committed the crime. 'In some cases, I do suspect there are people whose computer is taken over by third parties. It's also a clever defense to exculpate your client,' says Michael Allison of the Internet Crimes Group. What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?" As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?

31 of 539 comments

  1. Innocent Until Proven Clueful by RobertB-DC · · Score: 5, Insightful

    [...] their attorneys successfully argued that trojan programs found on their computers were to blame.
    In all three cases, no one has suggested that the verdicts were anything other than correct.


    I think it's going to be pretty easy to tell, within the law, whether the computer owner knew that a hack attack or illegal download was occurring on his/her computer. Most of the time, the court's answer will be "no".

    If a remote-control Trojan is on the PC, then the prosecution would have to prove that:

    * The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.

    * Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.

    While the defense attorney needs only argue that his client is just an average Joe(anne), and wouldn't know what a Trojan was if he/she bought one at the drugstore. The defense attorney should be facing a receptive audience. Remember, in the US at least, he'll be facing a jury of 12 average citizens who know as little about how computers work as I do about brain surgery.

    Or perhaps less. At least I know which box my brain is in.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    1. Re:Innocent Until Proven Clueful by rjelks · · Score: 3, Funny

      "Hey Mr. FBI, I don't even know what a DDOS thingy is. I only have AOL, does the DDOS cost extra?"

    2. Re:Innocent Until Proven Clueful by QueenOfSwords · · Score: 5, Insightful

      Problem is, of course, that if you're a CS student who has been a bit lax about security, you're probably screwed. People don't understand computers, so your jury won't understand that anybody who is studying computers or has *specific* knowledge isn't a super-1337 hax0r who is probably guilty.

      --
      -- INTX Grouch. http://www.midnightblue.net
    3. Re:Innocent Until Proven Clueful by Megor1 · · Score: 5, Insightful

      If a remote-control Trojan is on the PC, then the prosecution would have to prove that:

      * The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.

      * Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.

      Really you tell me how to detect a kernel level trojan on a Windows box besides running your own separate intrusion detection system that knows what way the trojan works. (So if it's an unknown one you ain't gonna find it). And if the person removes the trojan and overwrites itself you ain't gonna find any evidence of it.

      --
      Everyone that disagrees with me is a paid shill
    4. Re:Innocent Until Proven Clueful by EverDense · · Score: 4, Funny

      Yes, I think we can all agree that saying "AOL" will be a "get out of jail free" card.

      --
      http://jesus.everdense.com/
    5. Re:Innocent Until Proven Clueful by cyt0plas · · Score: 3, Interesting

      I've had this happen to me personally. I was in a class where 5 people's grades were changed, including mine. The instructor basically said "you're the only one smart enough, so you're it." And being the CS student who has been paid to do security audits doesn't help.

      --
      Contact Me (got tired of viruses emailing me).
    6. Re:Innocent Until Proven Clueful by Qrlx · · Score: 4, Interesting

      I have several friends who are CS majors and use Windows 98 with no virus protection or firewall.

      Typically the only people who know anything about security are the same people who have built a complete system from parts. It's sad but a lot of CS people aren't hackers (in the hackers-with-a-dumb-glider-logo sense of the word).

      Come to think of it the only programmer I know who actually went to school and got a CS degree is my mom, and it was her second degree -- she went back to school to pursue a well-paying career. I still remember the shoeboxes full of punch cards. She is clueless about Internet security, but pretty 1337 with COBOL and JCL, if such a thing is possible.

    7. Re:Innocent Until Proven Clueful by Maestro4k · · Score: 3, Informative
      • Problem is, of course, that if you're a CS student who has been a bit lax about security, you're probably screwed. People don't understand computers, so your jury won't understand that anybody who is studying computers or has *specific* knowledge isn't a super-1337 hax0r who is probably guilty.
      The sad thing is, I could easily see many CS students managing to get infected. When I got my degree, most of my classmates were good at programming, but couldn't admin or secure a paper bag, much less their personal computers.

      The scary part is the general public would assume a CS student knows how to secure their computer like you said, while it isn't something taught in many CS programs. (I know mine was focused on programming and theory, there was not a single required course that focused on security of any kind, even on coding securely.)

    8. Re:Innocent Until Proven Clueful by pyros · · Score: 3, Insightful
      A hacking attempt should have a well documented time, and if the defendant can show they were doing something else at the time they should get a not guilty verdict easily.

      That's right, because there is no such thing as batch jobs and scheduled tasks. Any "expert" witness the prosecution calls upon to talk about such things must be getting bribed to do so.

    9. Re:Innocent Until Proven Clueful by zorander · · Score: 4, Interesting

      I'm a CS student and I can't count the number of people I know who leave BackOrifice installed on their machines for the very reason of deniability in this sense. For them, it's so they can blame their p2p activity on 'evil hackers'...of course, it's a flawed plan since the university just cuts you for 45 days if they are able to download from you (They only make an attempt after the RIAA notifies them that your IP is delinquent. If they fail, they tell the RIAA that they were wrong. If they succeed, they take away your connection and tell the RIAA that the problem was resolved on the inside...up until this point, this has done a pretty good job of protecting the students here from litigation).

      Brian

    10. Re:Innocent Until Proven Clueful by markxsd · · Score: 5, Funny
      I have several friends who are CS majors and use Windows 98

      Prison is not an adequate punishment.

      ...I advocate death by SQL injection.

    11. Re:Innocent Until Proven Clueful by Durandal64 · · Score: 4, Informative

      Being a CS student does not necessarily grant one a good working knowledge of networks. I've seen plenty of CS students and experienced programmers who wouldn't know how to properly secure their systems. Now, if the person in question is a Network Infrastructure student or Novell-certified, it's almost a no-brainer that he should know how to secure his machine.

      Of course, is it really right to hold someone liable for damages that result in an intrinsically harmless slip-up? Say I forget to patch SSH or Apache and someone launches an attack from my box. Should I be held liable? If so, why? Because I should know better? That may be true, but I can always argue that I'd intended to patch but just hadn't found the time to do so, and someone by chance, found my box. If my schedule in a particular week isn't amenable to patching a particular aspect of my system, but I need SSH or Apache during that week, why should I be held liable for damages resulting from someone illegally hijacking my computer? Let's keep the blame where it belongs, here.

    12. Re:Innocent Until Proven Clueful by techno-vampire · · Score: 3, Insightful
      "Jane is a techie, if her computer was infected she must have done it herself?"

      I worked for several years as a support tech for an ISP. When Melissa came around, most of the techs were running around like chickens with their heads cut off, while I laughed. Same thing with the Love Bug. Why? Because unlike everybody else, I used Eudora for email, not Outlook. It doesn't have the well-known security holes, so it's safe from the trojans aimed at Outlook. (OK; that's not the only reason, or the main reason I use it. But it was what kept me safe.)

      The point here is, that techs are just as likely to follow the path of least effort as anybody else, and either use vulnerable software or not bother to secure what they have. Not only that, but just working as a tech doesn't mean you actually know what you're doing; I could tell numerous horror stories about techs using Reply All to ask a question about a message sent to a number of people, using "fixes" known to cause the issue to get worse, and otherwise proving that having a job as a tech doesn't make you one.

      No, just proving the defendant worked in a tech field or as a tech or was studying CS isn't going to be enough, at least if the defense lawyer is any good. You're going to have to prove that he or she knew enough to have installed the trojan, had access to it and had a reason to do so. Just like with any other crime, Motive Means and Opportunity have to be demonstrated.

      --
      Good, inexpensive web hosting
    13. Re:Innocent Until Proven Clueful by Dr+Damage+I · · Score: 3, Insightful
      Of course, is it really right to hold someone liable for damages that result in an intrinsically harmless slip-up? Say I forget to patch SSH or Apache and someone launches an attack from my box. Should I be held liable? If so, why? Because I should know better? That may be true, but I can always argue that I'd intended to patch but just hadn't found the time to do so, and someone by chance, found my box

      The issue I have here, is that frequently the offender is using an unprotected computer to exploit a hole in the security of the target computer. Is it really fair to assess damages against someone in favor of a victim who was equally negligent?

      --
      "Cursed is he who rises early in the morning..." Isaiah 5:11
  2. The courts will work this out....eventually by dtolton · · Score: 5, Insightful

    Unfortunately, I think the "I didn't do it, my computer did"
    defense will be all too common. How can you hold people
    responsible for holes in their system while microsoft produces
    software with numerous holes in it, but is not held responsible.

    An interesting analogy is gun crimes. If someone owns a gun,
    and it is proven conclusively that the gun committed a crime,
    but it cannot be proven conclusively that the owner of the gun
    is the one who pulled the trigger (opportunity), then it is
    difficult to establish a case.

    I think a similar idea will work itself out with computer
    crime. The fact that your computer did something isn't enough,
    you have to be a willing participant in the incident.

    Perhaps there should be laws to punish people who leave
    unpatched, unprotected computers sitting on the internet. There
    are laws that punish irresponsible gun owners, should we also
    punish negligent computer owners? What about negligent
    programmers?

    As an aside, in the last court case I was involved in, e-mail
    was admissible in court. The only thing I had to do was produce
    some e-mail correspondence between myself and the other party.
    The lawyers and the judges all accepted them without a word.
    While the e-mails were in fact real, and the transmission could
    be verified by ISP records, the simple fact that the opposing
    counsel didn't so much as raise an eyebrow shows me just how
    ignorant the legal system still is when it comes to technology.
    This happened less than a year ago.

    --

    Doug Tolton

    "The destruction of a value which is, will not bring value to that which isn't." -John Galt
    1. Re:The courts will work this out....eventually by gooberguy · · Score: 5, Insightful

      Should we fine and arrest people who keep vulnerable systems on the web? I think not. If your computer gets infected with a virus or worm, no one dies. Sure, damages may be done, but no amount of commercial loss compares with murder. Also, your idea would kill the Internet. The Internet is about freedom. Overall, it is the least regulated, most anonymous medium accessible to Joe Sixpack. If people fear getting arrested for merely being online, they will find something else to do.

      --


      Karma: Meh (Mostly from meh.)
    2. Re:The courts will work this out....eventually by southpolesammy · · Score: 4, Insightful

      If I leave my car unlocked with the keys in the ignition, and someone steals my car, packs it full of C4, and blows up a building with it, hopefully, my alibi is good enough to show that I wasn't the one that perpetrated such a heinous act.

      The problem with computer crime is that the alibi part of the equation is harder for the computer owner to prove. He may very well have been actively using the computer in question that hacked the Bank of North Elbonia at the time of the crime, but that doesn't mean he did it. In spite of that, proving that he wasn't the perp is difficult. Most other alibis work because of physical bias placing the individual in some other place than the crime in question. This is harder to prove in a virtual setting.

      --
      Rule #1 -- Politics always trumps technology.
  3. well by JeanBaptiste · · Score: 4, Insightful

    in the US, if your car is going down the freeway and your brakes fail because you didn't do routine maintenance, you end up crashing and killing someone, you are at fault.

    on the other hand, if someone cuts your brake lines, you crash and kill someone, you are not at fault.

    I would think that viruses and trojans and worms and such would fall more under the 'someone cuts your brake lines' category.

    1. Re:well by j0keralpha · · Score: 3, Insightful

      Reasonable Mitigation. There is very little you can do to prevent someone from cutting your brake lines. A lot of Computer Zombification stems from users not proactively patching AV and OS (let's not even talk about applications). Slammer (yes I know this was a server-worm) and Blaster are excellent examples. The world at large had 6 months and 1.5 months respectively to prevent the nightmare from happening, but nobody takes responsibility for (to extend your car analogy) changing the oil and other basic maintenance on their computers. If a user's computer causes x amount in damages and they had a reasonable ability to patch the problem and mitigate it, then they should be held responsible. This obviously doesn't apply for 0-day takeovers. The problem then lies in showing HOW the computer was compromised, and the question is: 'Is the burden of proof upon the user to show they are not at fault, or the attack victim to show that they are?'

  4. SIMPLE! by w3weasel · · Score: 5, Funny
    What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?
    Simple! Keylogger installed with every OS, mandatory by order of the DHS. All Keylogs submitted to a central government database for use only by the DHS, related departments, and companies funding beach houses for the high ranking officials in said offices! Won't you sleep better knowing that we will have the right man?
    --

    Just as irrigation is the lifeblood of the Southwest, lifeblood is the soup of cannibals. -- Jack Handy

  5. Breaking Point Chaos and Destruction Online by segment · · Score: 5, Interesting
    Been there done that

    It's actually very easy to frame someone online which will be (mark my word) the next big thing in divorce cases, criminal cases, et al. I won't comment anymore on these issues though. I've been through the whole shebang. One thing people should be aware of though is the ease with which someone could actually do something malicious to another person. Courts, well let's just say if you're the accused, pray you don't get a computer phobic (which the DA will try to ensure he selects the most of) jury.

    1. Re:Breaking Point Chaos and Destruction Online by mveloso · · Score: 3, Insightful

      It's already easy for this to happen. Think about your workplace - the IT guys (you guys, mostly) can put whatever the hell you want on someone's box, and they'd have no idea.

      For example:

      Staffer: "Hey, I have no idea where that child pr0n came from!"

      Manager: "Look, don't make this harder than it has to be. Just pack up your stuff and we won't tell your wife or the paper."

      Staffer: "But I never saw that before!"

      Manager: "That's what they all say."

      With a careful admin, even browser history and caches can be faked. And there's not a thing that the poor staffer could do about it.

  6. Same as in a car! by scovetta · · Score: 3, Insightful

    If you're driving a car, and the car malfunctions and you hit and kill someone, you shouldn't be held responsible. If you say the car was broken and it wasn't, then it's fraud and you get charged with vehicular manslaughter or whatever.

    If your computer was hijacked and you did nothing to prevent it, it's YOUR fault. If you ran antivirus/firewall/whatever, then it's the fault of the hacker, and you shouldn't be held responsible.

    Of course, we need a good definition of a "good faith attempt at computer security", but that's a grey legal line. Personally, I think that if a patch has been available for more than, say, 2 months, and you aren't patched, it's your damn fault. If you installed a program explicitly, then it's your fault (even if it was spyware)-- the analogy, if you get super-duper-hood-attachments for your car and they fly off and impale someone, it's your fault.

    Of course, that sucks, but it's the only way I can see to segment culpability for crimes in this case.

    --
    Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
  7. Just a matter of good forensics by rxed · · Score: 3, Interesting

    It's not that simple, believe me you. :) A good forensics expert can slice and kill your false I-was-hacked defense in a matter of days.

  8. "Attractive Nuisance" by ewhac · · Score: 4, Interesting

    Homeowners can be jailed when trespassers drown in their pool, because the pool falls under the heading of, "Attractive Nuisance." It thus falls to the homeowner to properly secure access to the pool, or risk getting sued when some vagrant wanders in and gets hurt.

    I can see this concept being extended to the Internet: By placing an unsecured box on the network, you have introduced an Attractive Nuisance, and it can be argued that the machine's owner bears responsibility for collateral damage.

    Trouble is, can the machine's owner really be held responsible for such consequences when the OS vendor willfully misrepresented the concordant hazards and responsibilities of placing their product on the open Internet?

    Schwab

  9. Re:If this were the case... by happyfrogcow · · Score: 5, Insightful

    would not there be logs of some sort to PROVE his computer had been Hijacked by a third party?

    if a computer is compromised, never believe the logs.

  10. Guilty by precedent by kaan · · Score: 4, Insightful

    Look at the rest of society, outside of the context of computing.

    If I have a knife and I leave it on a table, and a neighborhood kid comes over and stabs himself in the head, I'll probably get sued (and lose) even though I didn't do the stabbing.

    If I leave the keys to my car and somebody steals it, drives all over town and runs over a group of teenagers, I'll probably get sued as being somewhat responsible because I provided the car (indirectly).

    If I'm a parent with a house full of handguns, and my child finds one and blows his sister's head off, I'll probably end up in jail even though I didn't pull the trigger.

    I can't think of too many examples where our society wouldn't sue the hell out of anyone, even if you're just a by-stander, when something goes wrong. Whether or not that's "right" or "the way things should be", it certainly is. So why should it be any different if my computer is used to do something malicious or damaging? I say stick with the established precedent and blame the computer owner, even if he had nothing to do with the crime. It might not be fair, but at least it would be consistent. We don't live in a society of fairness anyway, we live in a society of blame and accusation.

  11. Any hacker (cracker) with a clue by Michael+Crutcher · · Score: 5, Insightful
    .. just walks up to an apartment complex with a wireless card and initiates their hack from there. Toss the wireless card (bought in cash) or spoof the MAC address (entirely possible) and poof, it's not going to be traced. This is a sticky problem because only the dumbest crackers (script kiddies) aren't going to take these extremely simple precautions to avoid being caught.

    As long as wireless networks remain as insecure as they are right now it's going to be cracker paradise. I don't see an easy solution to the problem, it almost seems like if a hack can be traced back to your computer you almost certainly didn't commit the crime (unless you're a complete asshat).

  12. WiFi as a defense by fmaxwell · · Score: 5, Interesting

    I have been waiting to see one of the RIAA lawsuit defendants use WiFi as a defense. If someone runs a WiFi 802.11a/b/g/etc. network and presents a defense in which they claim that the shared files must have been on a neighbor's computer, it would create the reasonable doubt necessary for the jury to find the defendant not guilty.

    I believe that it's only a matter of time and when it happens, it will put a real crimp in the RIAA's plans to sue every user of Kazaa.

    P.S. Don't waste bandwidth claiming that the defendant is legally responsible for the actions of others over their unsecured WiFi setup. That's not how the law works. If you leave your car unlocked and I steal it, you are not responsible if I smuggle drugs in your stolen vehicle.

  13. Can we ask Daryl about this? by joelparker · · Score: 3, Funny

    If my auto-downloader gets the Linux kernel,
    then a Microsoft Word macro virus alters it,
    then an Outlook worm sends it everywhere,
    who exactly is liable for infringement on SCO?
