Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Computer Owner - Guilty or Not Guilty?

Posted by Cliff on from the guilt-by-association-may-not-be-sufficient dept.

Von-at-Infosec_Writers asks: "It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime could become much more difficult especially since, as a recent CNN.com article stated, a hacker's legal defense can be: it wasn't me but my hijacked computer that committed the crime. 'In some cases, I do suspect there are people whose computer is taken over by third parties. It's also a clever defense to exculpate your client,' says Michael Allison of the Internet Crimes Group.What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?" As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?

12 of 539 comments (clear)

  1. Innocent Until Proven Clueful by RobertB-DC · · Score: 5, Insightful

    [...] their attorneys successfully argued that trojan programs found on their computers were to blame.
    In all three cases, no one has suggested that the verdicts were anything other than correct.

    I think it's going to be pretty easy to tell, within the law, whether the computer owner knew that a hack attack or illegal download was occurring on his/her computer. Most of the time, the court's answer will be "no".

    If a remote-control Trojan is on the PC, then the prosecution would have to prove that:

    * The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.

    * Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.

    While the defense attorney needs only argue that his client is just an average Joe(anne), and wouldn't know what a Trojan was if he/she bought one at the drugstore. The defense attorney should be facing a receptive audience. Remember, in the US at least, he'll be facing a jury of 12 average citizens who know as little about how computers work as I do about brain surgery.

    Or perhaps less. At least I know which box my brain is in.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    1. Re:Innocent Until Proven Clueful by QueenOfSwords · · Score: 5, Insightful

      Problem is, of course, that if you're a CS student who has been a bit lax about security, you're probably screwed. People don't understand computers , so your jury won't understand that anybody who is studying computers or has *specific* knowledge isn't a super-1337 hax0r who is probably guilty.

      --
      -- INTX Grouch. http://www.midnightblue.net
    2. Re:Innocent Until Proven Clueful by Megor1 · · Score: 5, Insightful

      If a remote-control Trojan is on the PC, then the prosecution would have to prove that:

      * The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.

      * Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.

      Really you tell me how to detect a kernel level trojan on a windows box besides running your own seperate intrusion detection system that knows what way the trojan works. (So if its an unknown one you aint gonna find it). And if the person removes the trojan and overwrites itself you aint gonna find any evidence of it

      --
      Everyone that disagrees with me is a paid shill
    3. Re:Innocent Until Proven Clueful by markxsd · · Score: 5, Funny
      I have several friends who are CS majors and use Windows 98

      Prison is not an adequate punishment.

      ...I advocate death by SQL injection.

  2. The courts will work this out....eventually by dtolton · · Score: 5, Insightful

    Unfortunately, I think the "I didn't do it, my computer did"
    defense will be all too common. How can you hold people
    responsible for holes in their system while microsoft produces
    software with numerous holes in it, but is not held responsible.

    An interesting analogy is gun crimes. If someone owns a gun,
    and it is proven conclusively that the gun committed a crime,
    but it cannot be proven conclusively that the owner of the gun
    is the one who pulled the trigger (opportunity), then it is
    difficult to establish a case.

    I think a similar idea will work itself out with computer
    crime. The fact that your computer did something isn't enough,
    you have to be a willing participant in the incident.

    Perhaps there should be laws to punish people who leave
    unpatched, unprotected computers sitting on the internet. There
    are laws that punish irresponsible gun owners, should we also
    punish negligent computer owners? What about negligent
    programmers?

    As an aside, in the last court case I was involved in, e-mail
    was admissible in court. The only thing I had to do was produce
    some e-mail correspondence between myself and the other party.
    The lawyers and the judges all accepted them without a word.
    While the e-mails were in fact real, and the transmission could
    be verified by isp records, the simple fact that the opposing
    council didn't so much as raise an eyebrow shows me just how
    ignorant the legal system still is when it comes to technology.
    This happened less than a year ago.

    --

    Doug Tolton

    "The destruction of a value which is, will not bring value to that which isn't." -John Galt
    1. Re:The courts will work this out....eventually by gooberguy · · Score: 5, Insightful

      Should we fine and arrest people who keep vulnerable systems on the web? I think not. If your computer gets infected with a virus or worm, no one dies. Sure, damages may be done, but no amount of commercial loss compares with murder. Also, your idea would kill the Internet. The Internet is about freedom. Overall, it is the least regulated, most anonymous medium accesible to Joe Sixpack. If people fear getting arrested for merely being online, they will find something else to do.

      --


      Karma: Meh (Mostly from meh.)
  3. SIMPLE! by w3weasel · · Score: 5, Funny
    What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?
    Simple! Keylogger installed with every OS, mandatory by order of the DHS. All Keylogs submitted to a central government database for use only by the DHS, related departments, and companies funding beach houses for the high ranking officials in said offices! Won't you sleep better knowing that we will have the right man?
    --

    Just as irrigation is the lifeblood of the Southwest, lifeblood is the soup of cannibals. -- Jack Handy

  4. Breaking Point Chaos and Destruction Online by segment · · Score: 5, Interesting
    Been there done that

    It's actually very easy to frame someone online which will be (mark my word) the next big thing in divorce cases, criminal cases, etal. I won't comment anymore on these issues though. I've been through the whole shabang. One thing people should be aware of though is the ease of which someone could actually do something malicious to another person. Courts, well let's just say if you're the accused, pray you don't get a computer phobic (which the DA will try to ensure he selects the most of) jury.

    --
    MoFscker
  5. Re:If this were the case... by happyfrogcow · · Score: 5, Insightful

    would not there by logs of some sort to PROVE his computer had been Hijacked by a third party?

    if a computer is compromised, never believe the logs.

  6. Any hacker (cracker) with a clue by Michael+Crutcher · · Score: 5, Insightful
    .. just walks up to an apartment complex with a wireless card and initiates their hack from there. Toss the wireless card (bought in cash) or spoof the mac address (entirely possible) and poof, its not going to be traced. This is a sticky problem because only the dumbest crackers (script kiddies) aren't going to take these extremely simple precautions to avoid being caught.

    As long as wireless networks remain as insecure as they are right now its going to be cracker paradise. I don't see an easy solution to the problem, it almost seems like if a hack can be traced back to your computer you almost certainly didn't commit the crime (unless you're a complete asshat).

  7. WiFi as a defense by fmaxwell · · Score: 5, Interesting

    I have been waiting to see one of the RIAA lawsuit defendents use WiFi as a defense. If someone runs a WiFi 802.11a/b/g/etc. network and presents a defense in which they claim that the shared files must have been on a neighbor's computer, it would create the reasonable doubt necessary for the jury to find the defendent not guilty.

    I believe that it's only a matter of time and when it happens, it will put a real crimp in the RIAA's plans to sue every user of Kazaa.

    P.S. Don't waste bandwidth claiming that the defendent is legally responsible for the actions of others over their unsecured WiFi setup. That's not how the law works. If you leave your car unlocked and I steal it, you are not responsible if I smuggle drugs in your stolen vehicle.

  8. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion