Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Computer Owner - Guilty or Not Guilty?

Cliff posted more than 10 years ago | from the guilt-by-association-may-not-be-sufficient dept.

Security 539

Von-at-Infosec_Writers asks: "It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime could become much more difficult especially since, as a recent CNN.com article stated, a hacker's legal defense can be: it wasn't me but my hijacked computer that committed the crime. 'In some cases, I do suspect there are people whose computer is taken over by third parties. It's also a clever defense to exculpate your client,' says Michael Allison of the Internet Crimes Group.What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?" As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?

cancel ×

539 comments

Sorry! There are no comments related to the filter you selected.

Innocent Until Proven Clueful (5, Insightful)

RobertB-DC (622190) | more than 10 years ago | (#7468929)

[...] their attorneys successfully argued that trojan programs found on their computers were to blame.
In all three cases, no one has suggested that the verdicts were anything other than correct.


I think it's going to be pretty easy to tell, within the law, whether the computer owner knew that a hack attack or illegal download was occurring on his/her computer. Most of the time, the court's answer will be "no".

If a remote-control Trojan is on the PC, then the prosecution would have to prove that:

* The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.

* Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.

While the defense attorney needs only argue that his client is just an average Joe(anne), and wouldn't know what a Trojan [trojancondoms.com] was if he/she bought one at the drugstore. The defense attorney should be facing a receptive audience. Remember, in the US at least, he'll be facing a jury of 12 average citizens who know as little about how computers work as I do about brain surgery.

Or perhaps less. At least I know which box my brain is in.

Re:Innocent Until Proven Clueful (3, Funny)

rjelks (635588) | more than 10 years ago | (#7468955)

"Hey Mr. FBI, I don't even know what a DDOS thingy is. I only have AOL, does the DDOS cost extra?"

Re:Innocent Until Proven Clueful (5, Insightful)

QueenOfSwords (179856) | more than 10 years ago | (#7468980)

Problem is, of course, that if you're a CS student who has been a bit lax about security, you're probably screwed. People don't understand computers , so your jury won't understand that anybody who is studying computers or has *specific* knowledge isn't a super-1337 hax0r who is probably guilty.

Re:Innocent Until Proven Clueful (0)

Anonymous Coward | more than 10 years ago | (#7469040)

Maybe they wouldn't be responsible for the act itself, but a charge of criminal negligence is possible if they didn't take reasonable methods to protect themselves.

Re:Innocent Until Proven Clueful (5, Insightful)

Megor1 (621918) | more than 10 years ago | (#7469162)

If a remote-control Trojan is on the PC, then the prosecution would have to prove that:

* The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.

* Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.

Really you tell me how to detect a kernel level trojan on a windows box besides running your own seperate intrusion detection system that knows what way the trojan works. (So if its an unknown one you aint gonna find it). And if the person removes the trojan and overwrites itself you aint gonna find any evidence of it

Re:Innocent Until Proven Clueful (2, Insightful)

sporty (27564) | more than 10 years ago | (#7469163)

What if the trojan hacks someone's computer and then makes itself scarce, ala a rootkit?

First, Get An Elementary School Education (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7469165)

"it wasn't me
but my hijacked computer that
committed the crime."

Can't you lamerz at Slashdot do anything right?

"it wasn't me" should read "it wasn't I".

Now go back dreaming up more bogus stories.

Seditiously yours,
Kilgore Trout

Re:Innocent Until Proven Clueful (1)

milkman_matt (593465) | more than 10 years ago | (#7469212)

Hmmm, maybe that damned bonzi buddy CAN come in handy...

-matt

Mummify my cock in a coffin of chode, Fent (-1)

(TK2)Dessimat0r (669581) | more than 10 years ago | (#7468931)

-PENIS--PENIS--PENIS--PENIS-
P_______________________8..P
E__Bow down to the_____#~..E
N__Lord's penis_______8.',-N
I_____________________#',-.I
S__Jesus wants your__8',-..S
-__anus, and he_____#~',-..-
P__wants it NOW! ___8_',-..P
E__________________##',-',-E
N__An original_____8',-',";N
I__TrollKore______##',-',";I
S__work of art.___8',-',";.S
-__By Dessimat0r ##',-',";.-
P________________8',-',";,.P
E_______________#'',-',";,.E
N______________8(',-',";,..N
I_____________#(',-',";,.,.I
S__________#8#8_',-',";,.,.S
-_________#',-.8',-',";,.,.-
P________8~',-..#',-',";,..P
E_______#'',-',";8_',-',";.E
N_____8=',-',";.+#+',-',";.N
I____#=',-',";,._8',-',";,.I
S___#=',-',";,..(#',-',";.8S
-__8(',-',CMDR,.(8',-',";s#-
P_8(',-',.TACO.";#',-',-s8_P
E_#z',-','WOZ',";8',-..s#__E
N_8_.,#',"ERE',";~#,..88___N
I_#.##',-,',',,";~8,8#_____I
S_8##',-+~'',-',-~#'8______S
-_#.,..-',-',";.'=8#_______-
P_.8+_',-',";,.'88_________P
E___888',-',";~8___________E
N______8#888#88____________N
I__________________________I
S____.oO TrollKore Oo._____S
-_At the head of the game._-
P__________________________P
-PENIS--PENIS--PENIS--PENIS-

Get the code to the TrollKore ASCII penis here... [slashdot.org]

All you cock-loving fuckers out there, here is a special treat for you bastards, take a look at this knob. NOW SUCK IT, MOTHERFUCKERS!

You are not logged in. You can log in now using the Important Stuff: Please try to keep posts on topic. Try to reply to other people's comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) If you want replies to your comments sent to you, consider logging in or creating an account. Problems regarding accounts or comment posting should be sent to CowboyNeal the convenient form below, or Important Stuff: Please try to keep posts on topic. Try to reply to other people's comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) If you want replies to your comments sent to you, consider logging in or creating an account. Problems regarding accounts or comment posting should be sent to CowboyNeal

If this were the case... (1)

OtakuHawk (682073) | more than 10 years ago | (#7468936)

would not there by logs of some sort to PROVE his computer had been Hijacked by a third party?

Re:If this were the case... (1)

Carnildo (712617) | more than 10 years ago | (#7468979)

When my computer's running Windows, you know what it keeps in the way of logs? A log of when Scandisk was last run, that's it. How is that going to prove or disprove that the computer was hacked?

Re:If this were the case... (1)

Rick the Red (307103) | more than 10 years ago | (#7469030)

I think he meant the ISP's logs.

Re:If this were the case... (1)

Carnildo (712617) | more than 10 years ago | (#7469081)

What sort of ISP logs could be used for that? The only thing I can think of that would be useful would be packet-level logging, and without a court order, I doubt an ISP would go to the effort needed to store that much data.

Re:If this were the case... (1)

Popsikle (661384) | more than 10 years ago | (#7469084)

ISP Logs of all traffic?
Lets see, I can push 1mbps down all day long, and my ISP has hundreds of thousands of users, do you really want to do the math on that? The ISP's want nothing to do with the courts, so they DONT keep logs, besides it is ALOT of space.

Think about it, if you dont keep logs, how can you get called to court and asked to explain what the logs mean to the jury who half the time think linux is someones pet penguin!

Re:If this were the case... (5, Insightful)

happyfrogcow (708359) | more than 10 years ago | (#7469029)

would not there by logs of some sort to PROVE his computer had been Hijacked by a third party?

if a computer is compromised, never believe the logs.

Re:If this were the case... (1)

AVee (557523) | more than 10 years ago | (#7469068)

It's just that people hijacking computers prefer not to be found in logs. If they successfully take over a computer they will be able to edit log accordingly. If the computer in question is running windows (like most 'Joe Average' computers) there likely won't be usefull logs anyway, as a previous poster already noted.

Re:If this were the case... (1)

BuckaBooBob (635108) | more than 10 years ago | (#7469156)

Hmm... I would find it hard to belive you have never ran a Windows 9x system.... The only logs it has are of it crashing during boot up or during install.

The courts will work this out....eventually (5, Insightful)

dtolton (162216) | more than 10 years ago | (#7468944)

Unfortunately, I think the "I didn't do it, my computer did"
defense will be all too common. How can you hold people
responsible for holes in their system while microsoft produces
software with numerous holes in it, but is not held responsible.

An interesting analogy is gun crimes. If someone owns a gun,
and it is proven conclusively that the gun committed a crime,
but it cannot be proven conclusively that the owner of the gun
is the one who pulled the trigger (opportunity), then it is
difficult to establish a case.

I think a similar idea will work itself out with computer
crime. The fact that your computer did something isn't enough,
you have to be a willing participant in the incident.

Perhaps there should be laws to punish people who leave
unpatched, unprotected computers sitting on the internet. There
are laws that punish irresponsible gun owners, should we also
punish negligent computer owners? What about negligent
programmers?

As an aside, in the last court case I was involved in, e-mail
was admissible in court. The only thing I had to do was produce
some e-mail correspondence between myself and the other party.
The lawyers and the judges all accepted them without a word.
While the e-mails were in fact real, and the transmission could
be verified by isp records, the simple fact that the opposing
council didn't so much as raise an eyebrow shows me just how
ignorant the legal system still is when it comes to technology.
This happened less than a year ago.

Re:The courts will work this out....eventually (5, Insightful)

gooberguy (453295) | more than 10 years ago | (#7469042)

Should we fine and arrest people who keep vulnerable systems on the web? I think not. If your computer gets infected with a virus or worm, no one dies. Sure, damages may be done, but no amount of commercial loss compares with murder. Also, your idea would kill the Internet. The Internet is about freedom. Overall, it is the least regulated, most anonymous medium accesible to Joe Sixpack. If people fear getting arrested for merely being online, they will find something else to do.

Re:The courts will work this out....eventually (1)

Popsikle (661384) | more than 10 years ago | (#7469102)

Do people get arrested for keeping a gun in reach of a child? Does that kill the NRA and gun toatin people of the world?

Re:The courts will work this out....eventually (1)

Deanasc (201050) | more than 10 years ago | (#7469136)

Interesting you and I both used guns as an analogy. But in the real world the tool alone isn't responsible for the crime. There has to be a person to pin the crime on. Leaving dangerous objects lying around is a crime but are computers that dangerous yet? If someone hacked my home security attack robot and it killed the paperboy then I could see making a big deal out of this but computer crimes are still just economic at worse. Nobody dies.

Re:The courts will work this out....eventually (0)

Anonymous Coward | more than 10 years ago | (#7469148)

Yes, it is a shame that "innocent until proven guilty" still holds such weight. Now the terrorists will surely win.

Re:The courts will work this out....eventually (4, Insightful)

southpolesammy (150094) | more than 10 years ago | (#7469194)

If I leave my car unlocked with the keys in the ignition, and someone steals my car, packs it fulls of C4, and blows up a building with it, hopefully, my alibi is good enough to show that I wasn't the one that perpetrated such a heinous act.

The problem with computer crime is that the alibi part of the equation is harder for the computer owner to prove. He may very well have been actively using the computer in question that hacked the Bank of North Elbonia at the time of the crime, but that doesn't mean he did it. In spite of that, proving that he wasn't the perp is difficult. Most other alibis work because of physical bias placing the individual in some other place than the crime in question. This is harder to prove in a virtual setting.

well (4, Insightful)

JeanBaptiste (537955) | more than 10 years ago | (#7468957)

in the US, if your car is going down the freeway and your brakes fail because you didnt do routine maintenance, you end up crashing and killing someone, you are at fault.

on the other hand, if someone cuts your brake lines, you crash and kill someone, you are not at fault.

I would think that viruses and trojans and worms and such would fall more under the 'someone cuts your brake lines' category.

Re:well (3, Insightful)

j0keralpha (713423) | more than 10 years ago | (#7469025)

Reasonable Mitigation. There is very little you can do to prevent someone from cutting your brakelines. A lot of Computer Zombification stems from users not proactively patching AV and OS (lets not even talk about applications). Slammer (yes i know this was a server-worm) and Blaster are excellent examples. The world at large had 6 months and 1.5 months respectively to prevent the nightmare from happening, but nobody takes responsibility for (to extend your car analogy) Changing the oil and other basic maintenance on their computers. If a users computer causes x amount in damages and they had a reasonable ability to patch the problem and mitigate it, then they should be held responsible. This obviously doesnt apply for 0-day takeovers. The problem then lies in showing HOW the computer was compromised, and the question is: 'Is the burden of proof upon the user to show they are not at fault, or the attack victim to show that they are?'

Re:well (1)

Popsikle (661384) | more than 10 years ago | (#7469140)

Most users dont know they have to patch/update. How many people knew to change the oil in thier cars when Ford introduced them to the public? What we NEED is a global education on the dangers of running ANY Operating System Unpatched.

Re:well (1)

mikeswi (658619) | more than 10 years ago | (#7469088)

I don't think analogies are the best way to consider this. They can cut both ways.

If I leave home and forget to lock the door, I am not responsible for someone breaking in and taking potshots at pedestrians from the upstairs window. In a sane world anyway. Who knows about some of the laws in my country (usa) these days.

For a real world example, there was a man in England who lost custody of his child and nearly went to prison as a pedophile recently. Someone called the cops and they found images of child porn in his browser cache and arrested him. He wasn't surfing for child porn, his computer was infected with a browser hijacker that was popping up porn pop-ups.

He could have done some things to prevent being hijacked, but it doesn't make him a pedophile because his computer was infected.

Re:well (1)

mikeswi (658619) | more than 10 years ago | (#7469108)

Bah...... Guilty... Didn't RTFA. It mentions that exact case in England.

Re:well (1)

Rick the Red (307103) | more than 10 years ago | (#7469137)

And I would think that failing to apply the latest security patches, thus allowing the infection by viruses and trojans, would fall more under the 'you didn't do routine maintenance' category. Or it should. If more people were held responsible for their own inaction maybe fewer PCs would be trojaned.

Personally, I'd blame my ISP. They won't let me behave as if my PC is directly connected to the internet (e.g., they won't let me run my own mail server or web server or FTP server; they won't give me a static IP address, and they threaten legal action if I use a dynamic DNS service; etc.) so as far as I'm concerned they take responsibility for shielding me from the internet. But no, their position is that I'm not allowed to let anyone in (no servers), therefore it's my fault if anyone gets in (trojans). Double win for them, double lose for their customers. It's as if GM said I'm not allowed to drive their cars on the highway, but if I do then seatbelts are my responsiblity.

Re:well (1)

TomV (138637) | more than 10 years ago | (#7469187)

An alternative analogy might be the situation where someone (Mr 'Black Hat') breaks into your home with his gun (trojan) and shoots someone out of your bedroom window before sneaking away, leaving the gun behind. You'd be very heavily investigated, you'd need a pretty good alibi, but you wouldn't actually be culpable, even if your house was left unlocked with the windows open.

For better or worse a pretty valid argument (2, Insightful)

h2oliu (38090) | more than 10 years ago | (#7468969)

IANAL, but: To put a rather brutal, but analogous comparison in place. If someone breaks into your house, steals a gun, and then shoots someone on the street. The owner of the house would not be guilty of murder. They may be guilty of negligent storage of a firearm, but not much else.

And since there currently is no crime for keeping a computer unsecured on the internet, I doubt there is much that can be done.

Re:For better or worse a pretty valid argument (1)

bloatboy (170414) | more than 10 years ago | (#7469147)

I agree with the analogy, but let me add something.

If you have taken reasonable steps to prevent the gun from being stolen, e.g. locked the doors, kept it in a place of concealment, etc, you would generally not be held accountable if a burglar steals it and commits a crime with it.

On the other hand, if your doors and windows are wide open, with large neon signs saying "Unprotected firearms in the hall closet!" and other (non-reasonable) things, you will be held somewhat accountable.

Since the actual thing we are speaking of are zombie pc's on the internet, we have a situation that is usually between the two.

We will have some people who use a very secure OS, keep it patched, have it tuned for security, specifically intrusion protection. These people are akin to firearms owners who have locked doors, windows, an alarm system, dogs inside, and a roving flock of geese outside (to warn of intruders).

We will also have some people with a not-very-secure OS, who keep it patched as best is available, and thusly, will absolve themselves of allegations of wrongdoing, since they will have done the best that is reasonably possible.

We will also have some people with a not-very-secure OS, who do not patch and have no eye to security. These people, since they are (sorta) using balsa wood doors on a straw house, may find themselves bearing legal resposibility for attacks and will have little legal recourse since they did nothing to even attempt to mitigate potential damage.

Of course, I am not a lawyer (ianal) but that's my take on it.

Re:For better or worse a pretty valid argument (0)

Anonymous Coward | more than 10 years ago | (#7469171)

Wow everyone had guns on the brain.

come now (0, Offtopic)

AsimovBesterClarke (701529) | more than 10 years ago | (#7468972)

This isn't a poll? And it lends itself so well to a 'cowboyneal' response......

Next step for DRM (1)

FreakerSFX (256894) | more than 10 years ago | (#7468974)


Ostensibly for security purposes, biometrics will be used to identify computer users....coded into the CPUs. That'll help the RIAA and MPAA....

there - that should be a good karma wh.....um never mind.....

Re:Next step for DRM (0, Offtopic)

Popsikle (661384) | more than 10 years ago | (#7469034)

There are enough nerds in high places to keep this from happening across the world. DRM is a DReaM of the big companies. It wont ever make it into 100% use.

This is why we need Palladium! (0)

Anonymous Coward | more than 10 years ago | (#7468977)

For all the heat it takes, it does have some useful attributes.

Re:This is why we need Palladium! (1)

FreakerSFX (256894) | more than 10 years ago | (#7469010)

ha ha ha - check out my previous comment - that's so funny. Yes this will protect computer users by identifying who it was. And then we'll put biometrics and cameras into automobiles and on guns and and and

SIMPLE! (5, Funny)

w3weasel (656289) | more than 10 years ago | (#7468987)

What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?
Simple! Keylogger installed with every OS, mandatory by order of the DHS. All Keylogs submitted to a central government database for use only by the DHS, related departments, and companies funding beach houses for the high ranking officials in said offices! Won't you sleep better knowing that we will have the right man?

Re:SIMPLE! (1)

lcde (575627) | more than 10 years ago | (#7469077)

OS's can be cracked. Use a hardware keylogger directly in the bios. A second harddrive will keep the most resent key strokes from the past 7 yrs. I think after 7 yrs you cant be held accountable for certain crimes.

Re:SIMPLE! (1)

petwalrus (645792) | more than 10 years ago | (#7469203)

...but what if I can hack into your computer using only the mouse!?

Responsibility (1, Insightful)

Frambooz (555784) | more than 10 years ago | (#7468988)

How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment...?

I don't know. How responsible are you for a drive-by shooting, done with your stolen car?

Computer Owners... (1)

clifgriffin (676199) | more than 10 years ago | (#7468991)

Are nearly always guilty in part.

So that's that.

And you can ask anyone and they will tell you I'm right.

Blogzine [blogzine.net]
Fortress of Insanity? [homeunix.org]

Re:Computer Owners... (0)

Anonymous Coward | more than 10 years ago | (#7469046)

Well... it can even happen to professionals.

Local IT consulting group had their IIS server hijacked by a porn meister, who set up a kiddie porn site on the hacked IIS server... it ran for 3 months undiscovered till the bandwidth usage was noticed... about the same time the feds showed up....!

Re:Computer Owners... (0)

Anonymous Coward | more than 10 years ago | (#7469123)

Their fault for running IIS. If anything, not patching software should be a crime.

Blogzine [blogzine.net]
Fortress of Insanity [homeunix.org]

Breaking Point Chaos and Destruction Online (5, Interesting)

segment (695309) | more than 10 years ago | (#7468998)

Been there done that [politrix.org]

It's actually very easy to frame someone online which will be (mark my word) the next big thing in divorce cases, criminal cases, etal. I won't comment anymore on these issues though. I've been through the whole shabang. One thing people should be aware of though is the ease of which someone could actually do something malicious to another person. Courts, well let's just say if you're the accused, pray you don't get a computer phobic (which the DA will try to ensure he selects the most of) jury.

How about cars? (1, Redundant)

jon787 (512497) | more than 10 years ago | (#7469000)

How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment?

Same as with someone's car.

Proving who is on the machine is very difficult though.

Re:How about cars? (1)

BuckaBooBob (635108) | more than 10 years ago | (#7469179)

It some extent... You are not responcible for murders done with our car... While you are responcible for tickets.. Criminal activity is another case.

Competence? (1)

domodude (613072) | more than 10 years ago | (#7469002)

Competence?
The court can look at the computer skill/intelligence of that individual and tell quite readily. No 80 year old grandma who can barely work AOL will have the 'skillz' to hack whitehouse.gov. A CS/EE major with lots of hacking programs on his computer would. Since the computer would be seized to evidence, they could look at the installed programs (mainly those executed frequently and readily accessible). The true problem comes when the hacker does the hacking using a removable disk drive or on a public computer.

Re:Competence? (1)

Carnildo (712617) | more than 10 years ago | (#7469131)

Or an encrypted loopback device, or a non-formatted partition, or any of a number of other ways of hiding stuff.

Security, by popular demand. (1)

Leroy_Brown242 (683141) | more than 10 years ago | (#7469004)

If there is a threat of loss of money or freedom by allowing your PC to become hijacked, popular demand will force computers to be more secure.

If people know they will have to pay money, or serve jail time, the public will fall all over themselves to get security products.

Soon, the money will be behind security, and even Microsoft will put out secure OSes.

More demand will demand more supply.

Re:Security, by popular demand. (1)

GreyPoopon (411036) | more than 10 years ago | (#7469073)

If people know they will have to pay money, or serve jail time, the public will fall all over themselves to get security products.

No, the public will more likely fall all over themselves to get off the internet.

Re:Security, by popular demand. (1)

Leroy_Brown242 (683141) | more than 10 years ago | (#7469091)

All the more reason to focus on tranparent security.

Same as in a car! (3, Insightful)

scovetta (632629) | more than 10 years ago | (#7469005)

If you're driving a car, and the car malfunctions and you hit and kill someone, you shouldn't be held responsible. If you say the car was broken and it wasn't, then it's fraud and you get charged with vehicular manslaughter or whatever.

If your computer was hijacked and you did nothing to prevent it, its YOUR fault. If you ran antivirus/firewall/whatever, then it's the fault of the hacker, and you shouldn't be held responsible.

Of course, we need a good definition of a "good faith attempt at computer security", but that's a grey legal line. Personally, I think that if a patch has been available for more than, say, 2 months, and you aren't patched, its your damn fault. If you installed a program explicitly, then it's your fault (even if it was spyware)-- the analogy, if you get super-duper-hood-attachments for your car and they fly off and impale someone, its your fault.

Of course, that sucks, but it's the only way I can see to segment culpability for crimes in this case.

Answers to your questions. (2, Interesting)

aminorex (141494) | more than 10 years ago | (#7469007)

> How much responsibility does the owner of an
> Internet-connected computer have for crimes
> committed using their equipment

None, unless they have responsibility for
the use itself.

> and what are ways we can best determine
> their involvement, or lack of it, in said
> crimes?

Firstly, you don't want to. You don't want
to live in a world where people can't
speak freely on the Internet. Therefore
you don't want to live in a world where
it is easy to hunt down and kill anyone
who criticizes you.

Secondly, in the U.S., you need proof beyond
a reasonable doubt to convict of a crime.
That will never happen without human
witnesses to substatiate the accuracy of
data submitted in evidence, since all data
is equally possible to fabricate on demand.
So, in brief, only on the testimony of
disinterested witnesses can responsibility
for a digitally intermediated act be
proven or refuted.

Just a matter of good forensics (3, Interesting)

rxed (634882) | more than 10 years ago | (#7469009)

Its not that simple beleive me you. :) A good forensics expert can slice and kill your false I-was-hacked defense in a matter of days.

Re:Just a matter of good forensics (1)

Carnildo (712617) | more than 10 years ago | (#7469181)

I could set up a good "I was hacked" defense easily enough: just break into one of my own computers and compromise it, leaving just one step (such as making it the DMZ box from my NAT router) to automatically complete if I don't periodically cancel it.

Subpeona everyone now! (0, Offtopic)

abe_is_fun (320753) | more than 10 years ago | (#7469012)

How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment

Just ask the RIAA and SCO. They'll tell you.

NEGLIGENCE! (1)

anaphora (680342) | more than 10 years ago | (#7469015)

I think it should carry a hefty fine to use that defense. I think a good solution would be a law created that can fine users if their computer is left open to the world. There would be no way to bring someone in on this charge, because the only way to find out that it's open is to hack it, and that's illegal search and seizure. The only way this law would apply would be to people using the "My computer was hijacked" defense, since they're essentially admitting guilt to that charge.

Get the law passed on basis of negligence.

Who knows? (1)

curtlewis (662976) | more than 10 years ago | (#7469016)

I don't know how it will all go down in the end, but IMO this is how it should work:

- You are completely responsible for the actions taken using your computer, by ANYONE.... unless

- ... unless it can be PROVEN you had a trojan or something that hijacked your system.

This means you can't get off by saying your little brother did it (lame excuse), but can if you were hacked. You could possibly get off if you coluded with the hacker to perpetrate the crime, but the hacker had better be able to make damn sure he's untrackable. An exception to the exception should be made for this instance.

Re:Who knows? (1)

JohnnyKlunk (568221) | more than 10 years ago | (#7469090)

Not following the reasoning here. You are completely responsible. Unless you are hacked. If the hacker is untraceable, you get off?
The problem here is that you can root shedloads of boxes on the net if you can guess any of about 5 passw0rds - do your dirty work, clean up your evidence and the owner goes to jail?? Just because they're my parents and think passw0rd is a reasonable password? or apples1?

Just look at automobiles ... (0, Redundant)

El Cubano (631386) | more than 10 years ago | (#7469018)

... it wasn't me but my hijacked computer that committed the crime.

If I run somebody over with my car and kill them, I am guilty of vehicular manslaughter (or worse). If someone steals my car and does the same, they are guilty. No matter that I am the owner and someone got the plate number from the scene. I may be considered a suspect, but I did not commit the crime. Whether the American justice system can tell the difference in the case of a hacker (especially when you throw in the technological aspect) remains to be seen.

Re:Just look at automobiles ... (1)

Mycroft_514 (701676) | more than 10 years ago | (#7469129)

There is currently no way to prove who used a computer at any given time. And thus your analogy of the car will become the law of the land.

I guess. (0)

Anonymous Coward | more than 10 years ago | (#7469021)

I guess if you take time to turn off WU-FTPD, patch Windows RPC, and remove Kazaa, you won't have to worry about it being owned, now would you?

Blogzine [blogzine.net]
Fortress of Insanity [homeunix.org]

"Attractive Nuisance" (4, Interesting)

ewhac (5844) | more than 10 years ago | (#7469024)

Homeowners can be jailed when trespassers drown in their pool, because the pool falls under the heading of, "Attractive Nuisance." It thus falls to the homeowner to properly secure access to the pool, or risk getting sued when some vagrant wanders in and gets hurt.

I can see this concept being extended to the Internet: By placing an unsecured box on the network, you have introduced an Attractive Nuisance, and it can be argued that the machine's owner bear responsibility for collateral damage.

Trouble is, can the machine's owner really be held responsible for such consequences when the OS vendor willfully misrepresented the concordant hazards and responsibilities of placing their product on the open Internet?

Schwab

i didn't post this (0, Funny)

edrugtrader (442064) | more than 10 years ago | (#7469027)

goatse goatse goatse.

dont mod me down. i didn't post this.

goatse goatse goatse.

i've been hijacked.............. don't mod me down......

SLASHDOT PROMOTES OFFSHORING! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7469028)

There is a VA Software advert that is showing up on the main Slashdot page that is promoting offshoring! Specificly a white paper about "avoiding the hidden costs" of offshore development.

It's great to know that Slashdot is promoting a practice that is causing HUNDREDS of THOUSANDS of American techs and developers to LOSE THEIR JOBS... especially when evidence is showing that the practice is HURTING the companies that are supposed to be benefiting from it. Thank you, Slashdot, for promoting destructive corporate practices that are destroying families and that will trash the American economy in the long run.

Come on TACO. Remove this avert from the site! You're all snug as a bug because you have a good job... why promote a practice that is causing other techies to lose theirs?

If this advert isn't removed then we should BOYCOTT SLASHDOT!

Please copy this note onto other threads... editors are putting a -1 on this quickly to avoid discussion of this subject.

AT LEAST CHANGE THE BANNERS!!! (0)

Anonymous Coward | more than 10 years ago | (#7469196)

these fucking sidebar banners, they leave a whole screen of whitespace in between the sidebars, annoying, ads at the top are fine, we see them, if we're interested we click them, which probably happens more often on this site than others, go back to the old banners

How 'bout if (0, Redundant)

smcavoy (114157) | more than 10 years ago | (#7469032)

Someone stole my car without my knowledge, and commited a crime with it? Would this situation not apply to a computer being comprimised without the users knowledge? A person wouldn't (shouldn't) be held liable for a crime commited with their car, without their knowledge, because they left it unlocked...

Maybe I'm over simplfying..

Re:How 'bout if (1)

Carnildo (712617) | more than 10 years ago | (#7469213)

Yes, you are oversimplifying. Extending your analogy, leaving an unsecured computer on the net would be like leaving your car unlocked with the keys in the ignition, and a sign saying "free to all use".

B1ll Gat3s r00t k1t (1)

joeszilagyi (635484) | more than 10 years ago | (#7469039)

"Your honor, it wasn't my computer that was responsible. It was the poorly designed code that had `x` number of security flaws. Microsoft is at fault!"

Or, "Your honor, Bill Gates 0wnz y0u!"

Hmmm (2, Insightful)

ActionPlant (721843) | more than 10 years ago | (#7469047)

How DO you prove whether or not a person had the capability to do the hack? Character witness comes into huge play here, and I have a feeling that as this defense becomes more and more difficult to prosecute in criminal course, we'll see cases popping up where civil suits are being filed against people. In a criminal case you are innocent until proven guilt, while if a civil suit were filed for damages from a specific person's computer, all that has to be proven is that they are the most likely person to have committed the infraction.

I'm waiting for a case to set precedent in this realm. What happens when grandma is on the hook for $250,000 in damages because she was judged for "willful neglect" in not actively taking responsibility to ensure that her computer was adequately protected against trojans? I feel it's only a matter of time before someone proposes that owning a computer carries the same ramifications and responsibilities as owning a gun.

I hope such a thing never actually holds up, but I still fully expect to see it proposed.

Damon,

Nope, the owner is responsible. (0)

Anonymous Coward | more than 10 years ago | (#7469050)

Whether they committed the act or not, the owner of the computer system needs to be punished. Not severely, but a 5-10 year prison sentence would be very reasonable and a $5,000-$10,000 fine for a corporation.

l33t are less likely to use the defense? (1)

Corporate Drone (316880) | more than 10 years ago | (#7469055)

I'm not sure I'd buy that one... in fact, if I were some hacker's defense attorney, I'd sure argue that my client's skills placed him/her squarely in the crosshairs of a jealous rival who wished to do him/her harm by planting a trojan ... *and* making sure it led back to him/her!

ahh... aren't conspiracy theories beautiful?

and, it seems clear that your average jury of 12 AOLers will glaze over about five minutes into the heavy tech testimony, thus giving the creative defense attorney more than enough room to sell "reasonable doubt", or at least to befuddle anyone trying to weigh a "preponderance of evidence" ...

Simple (0)

Anonymous Coward | more than 10 years ago | (#7469058)

Step 1: Prove the crime was committed by the computer in question.

Step 2: Prove the defendent was the one that committed the crime by a preponderance of the evidence (or beyond a reasonable doubt, if it's a criminal court). How? Your most likely way of doing that would be to find emails, chat logs, phone logs, wiretaps, etc., where the defendent discusses the crime, just like in "real life." If you can't do that, you'd get an expert to examine the hard drive for clues, files that were deleted, etc. Or you could setup a sting if you suspect an individual of computer crime. Wiretap them, put keyboard loggers in place, wait for them to strike again.

Twinkie Defense (1)

Mont_the_Hoople (723868) | more than 10 years ago | (#7469059)

I would rather use the defense that my sugar and starch intake from twinkies made me do it. I bet Senator Feinstein [google.com] would buy it.

Looking for a night of hot anal sex! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7469060)

Write me!

CHRIS@jobstorestaffing.com
CHRIS@jobstorestaffi ng.com
Come on Taco.. I want it!
CHRIS@jobstorestaffing.com
CHRIS@jobstoresta ffing.com
Come on Hemos! I need it!
CHRIS@jobstorestaffing.com
CHRIS@jobstoresta ffing.com
CHRIS@jobstorestaffing.com
Come on Timothy.. I'm big!

library (0)

Anonymous Coward | more than 10 years ago | (#7469061)

Well, if all else fails most public librarys have computers with low security and free unrecorded access... not that i'm promoting hacking or anything.

What's the problem? (1)

Nucleon500 (628631) | more than 10 years ago | (#7469062)

Obviously, the cracker is responsible for his crimes, regardless of whose computer he uses. Yes, accused people might say "someone else used my computer," just as one might say "someone else used my gun." Obviously, the court would need to decide whether or not that is true. The grey area, of course, is when someone agrees to let a cracker use their computer for attacks. But again, unless such collusion can be proven, only the hacker is responsible. So if you know your system's been cracked, you're responsible to turn it off. But I don't think people should be liable simply for running insecure systems - all systems are insecure to some degree.

A modest proposal (1)

Faust7 (314817) | more than 10 years ago | (#7469067)

their attorneys successfully argued that trojan programs found on their computers were to blame. In all three cases, no one has suggested that the verdicts were anything other than correct.
Who exactly were the attorneys arguing to? A jury/judge with little to no specific technical education regarding the matter? People perhaps ill-equipped to know what is and is not possible with viruses or trojans?

To be assured of a fair decision, the decision-makers in these cases must be people that both display no bias, as is already requisite, and have some understanding of what an unknown third party can and cannot do with someone's computer. If that narrows down the jury selection, so be it. In cases where the question of guilt can be so finely tuned to just a few technical bits, such perceptive ability is absolutely essential, lest computer criminals walk free.

It seems pretty clear to me (1)

tsg (262138) | more than 10 years ago | (#7469074)

Just to use a simplified analogy...

If someone steals a car and uses it to commit a crime, is the owner of the car guilty of the crime?

"It sets a precedent now in the judicial system where a hacker can just claim somebody took over his computer, the program vanished and he's free and clear,"

To extend my analogy a little more, the owner of the car used to commit the crime could claim the car was stolen and returned.

Just because it's hard to catch the person who actually committed the crime doesn't mean someone else should be punished for it. It just means that law enforcement is going to have to work harder to catch the guilty party.

Brick and Mortar Crimes (1)

Deanasc (201050) | more than 10 years ago | (#7469076)

If a mobster dumps his bodies in a hole behind your barn and you didn't know about it are you guilty of murder? Is it the gun that murders or the person pulling the trigger? Now what if the gun is used and then put back without the owner knowing? Is the rental car company guilty of hit and run? I think there's precident in the real world for this kind of thing.

I would liken computer crimes to that of bringing the gun back to the owner. An educated gun owner will know if his gun is fired or kept clean. A sloppy computer owner will never know why his computer is slightly slower then normal. In either case it's the owners responsibility to keep their property safe but at some point it's impossible to keep everything safe. I'd say if the owner can show they made a good faith effort to secure their property they should be let go.

But in the real world we know it's never so black and white.

Re:Brick and Mortar Crimes (1)

forsetti (158019) | more than 10 years ago | (#7469158)

I like the analogy, but, you need a license to get a gun. This means you must have a certain baseline amount of gun knowledge to own a gun. Since a baseline precedent has already been set, it could be adjusted higher if necessary, to the point where a gun owner would definitely know if his gun was fired.

Computer's have no such license requirement, and as such, no baseline requirement. Since there is no baseline, imposing one would be very difficult. Especially imposing a baseline knowledge requirement high enough for a user to detect hacker activities.

Two words, (0)

Anonymous Coward | more than 10 years ago | (#7469085)

"Trusted Computing."

Re:Two words, (0)

Anonymous Coward | more than 10 years ago | (#7469161)

Two more

"Bull and shit"

Application security (0)

Anonymous Coward | more than 10 years ago | (#7469086)

then in the same sense shouldn't application developers be as guilty if they have written weak code that has allowed these vulnrabilities and have done nothing to patch the problem within a reasonable (read: short) timeframe?

Finally something Windows is good for (2, Funny)

Rosco P. Coltrane (209368) | more than 10 years ago | (#7469093)

"It sets a precedent now in the judicial system where a hacker can just claim somebody took over his computer, the program vanished and he's free and clear," he said

Right. So if you want to do something illegal, install the version of Windows that's currently most targetted by viruses and worms (XP these days I presume), be very careful *not* to install any service patch, and commit all your crimes with the default Windows telnet client. If you're caught, pretend your computer was hacked and it'll be very plausible. To complete the picture and look even more innocent, pepper a couple of letters to Grandpa, checking account spreadsheets and windows_tips.doc files in your "My Documents" folder.

Of course, don't get caught doing your deeds on a *nix box or your fake computer-loser attitude will appear a lot more suspicious in court ...

computer forensics (1)

chmilar (211243) | more than 10 years ago | (#7469111)

One thing investigators can do is to look for evidence that the accused's computer has been "hacked".

If no evidence is found, it is unlikely that the computer was hacked. It is doubtful that the intruder could completely cover his tracks.

The accused may plant evidence of hacking on his own computer, but it may be possible for a forensic analyst to detect this.

Guilty by precedent (4, Insightful)

kaan (88626) | more than 10 years ago | (#7469113)

Look at the rest of society, outside of the context of computing.

If I have a knife and I leave it on a table, and a neighborhood kid comes over and stabs himself in the head, I'll probably get sued (and lose) even though I didn't do the stabbing.

If I leave the keys to my car and somebody steals it, drives all over town and runs over a group of teenagers, I'll probably get sued as being somewhat responsible because I provided the car (indirectly).

If I'm a parent with a house full of handguns, and my child finds one and blows his sister's head off, I'll probably end up in jail even though I didn't pull the trigger.

I can't think of too many examples where our society wouldn't sue the hell out of anyone, even if you're just a by-stander, when something goes wrong. Whether or not that's "right" or "the way things should be", it certainly is. So why should it be any different if my computer is used to do something malicious or damaging? I say stick with the established precedent and blame the computer owner, even if he had nothing to do with the crime. It might not be fair, but at least it would be consistent. We don't live in a society of fairness anyway, we live in a society of blame and accusation.

There was a reent case in Britain... (1)

gsdali (707124) | more than 10 years ago | (#7469114)

Where someone was acquitted for hacking the Port of Houston using the defence that his computer was infected by a Trojan that was used as a springboard. Information here [guardian.co.uk] , I feel I have to apologise for the idiot journalist who wrote this; 'Trojanism - computer language for an outside takeover of his PC'

problem with the car analogy (1)

happyfrogcow (708359) | more than 10 years ago | (#7469127)

A lot of people are using a car analogy. However, if Ford sells a car that blows up if you open the door, they issue a recall and presumably pay for any damages that occured due to the malfunction.

Where is the liability of the software manufacturer? Everyone here is blaming either the computer user or the malicious virus writer. Thats like blaming the car owner above for opening the door and blowing his girlfriend to peices, or blaming a theif who stole the car and opened the doors for blowing up his partner in crime.

I used this in a class once (1)

f0rtytw0 (446153) | more than 10 years ago | (#7469130)

I loan my hammer to my neighbor. He goes and uses it to break into store. Should I be arrested for breaking and entering? Should I be arrested for aiding in a crime?

Computers as a Tool (1)

Houn (590414) | more than 10 years ago | (#7469132)

To me, this is an easy answer. If I pick up my hammer, bash you in the head with it... I go to jail. If I steal your brother's hammer, and bash you in the head with it... I go to jail.

The computer is an object, a tool, one with thousands (millions?) of legitamate, productive uses. And just as any other tool can be taken and used to break laws or harm others, one cannot hold the owner of a tool responsible when the hands of another are wielding it.

Of course, that makes sense to ME. Which means that it probably has no bearing at all in the way things will play out.

Use this against the RIAA! (1)

nherc (530930) | more than 10 years ago | (#7469135)

This would be the arguement I'd use against the RIAA if I were ever dragged to court. In fact, once the first person actually argues this and wins, it will take ALL of the wind out of their sails as far as harassing P2P users goes.

If you doubt this arguement would hold... the first P2P MP3 archiving worm will truly make this a valid argument.

I'm really suprised nothing like that is out there already. *hint* *hint*

More problems to sort out (1)

Pofy (471469) | more than 10 years ago | (#7469143)

Everyone seems to think there is always *a* owner to a ocomputer and on top of that, that no one else ever uses that computer. In a typical household there are several persons, so how would you go about telling who in the househild is the guilty one? Perhaps outsiders (friends, family and so on visiting you) is using the computer? It is normally very hard to tie a specific person to a specific time and use of a computer.

Right to Bear Technology (0)

Anonymous Coward | more than 10 years ago | (#7469164)

Others have said it, and I'm starting to agree. We need to push for the Right to Bear Technology. The very fact that this question is asked is eveidence of that. Take all the various 'car' examples above this post. It seems to me that it's pretty clear that just because silicone is involved, it isn't necessarily a different crime. Negligence is negligence. Murder is murder. Theft is theft. Does crime by computer make it any worse? No, and it's frightening evidence of the slippery slope we're headed down that some think it does. We need an amendment that forbids laws to consider technology as a factor in crime, or the special interests and FUD-masters are going to beat us about the head with our own PC's.

... and shoot those that leave open relays/proxies (1)

Preach the Good Word (723957) | more than 10 years ago | (#7469180)

I would like to see a highly publicized case of holding some home broadband user responsible for the fact that their machine was hijacked to send spam or participate in some DDoS.

I've talked to too many people who've said, "I don't need to bother securing my home system because I've got nothing anyone would want." I've answered, "They want to use your machine to attack me." But the message doesn't sink in.

While these end users are being provided with crap systems, there is a market out there. If their choice of bad systems gets them severly spanked, they will start making demands of their providers.

All it would take would be a couple of high profile cases.

No proof of trojans (1)

gorbachev (512743) | more than 10 years ago | (#7469183)

The UK case where the "hacker" claimed a trojan was responsible for the hacking attempts on the US server is very interesting.

The teenager and his lawyers presented no evidence whatsoever about the existance of the trojan on his computer. Based on the press coverage on the case they didn't even identify which trojan had supposedly infected his home computer.

In fact, based on press coverage, experts working for the prosecutors even stated for the record that there was no evidence to suggest there ever was a trojan.

How on earth did he not get convicted???

Any hacker (cracker) with a clue (5, Insightful)

Michael Crutcher (631990) | more than 10 years ago | (#7469195)

.. just walks up to an apartment complex with a wireless card and initiates their hack from there. Toss the wireless card (bought in cash) or spoof the mac address (entirely possible) and poof, its not going to be traced. This is a sticky problem because only the dumbest crackers (script kiddies) aren't going to take these extremely simple precautions to avoid being caught.

As long as wireless networks remain as insecure as they are right now its going to be cracker paradise. I don't see an easy solution to the problem, it almost seems like if a hack can be traced back to your computer you almost certainly didn't commit the crime (unless you're a complete asshat).

I've often thought... (1)

herrvinny (698679) | more than 10 years ago | (#7469206)

...about this scenario. It might actually be better if innocent people are on the line for damages. It would show people that, yes, you have that wonderful cable/adsl line, but you also have the responsibility to use it wisely. Meaning you should put firewalls, antivirus, etc on your computer.

Think about it. People would be forced to become more computer literate, and with more firewalls and security conscious people, there would be less zombies firing away at SPEWS and stuff. Okay, true, US law doesn't reach out to Asia, Europe, etc, but I have to problem banning all traffic from all foreign IPs.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>