Computer damage liability ...
Posted: 2003-11-13 07:49pm
There's an interesting post on /. about liability for computer attacks. It deals with computer users whose boxes were found at the originating end of a remote attack. Some defendants in these cases have begun arguing that trojans were put on their computers (obviously without their knowledge), and that other people used their machines to carry the attack out remotely. There is some concern over whether this will become a "get out of jail free" card for anyone accused of a computer crime.
So what kind of burden of proof should we impose on prosecutors seeking to convict someone of a computer crime? Well, here's what I propose.
1. The prosecutor must prove that the person in question had sufficient working knowledge of computers to carry out such an attack. This is the big one. Many remote attacks are carried out without the user's knowledge. An attacker will wait until system activity has dropped to the point where it's safe to assume that the user is away from his computer, so the attacker will then do his dirty work. I'd wager that a few attackers are good enough to carry out their work while the user is sitting at his machine without the unwitting user noticing.
2. Because of the widespread nature of remote exploits and using a proxy machine to carry out attacks, IP logs tracing an attack to a specific address cannot be treated as irrefutable evidence or proof positive by themselves. Any good attacker will erase the logs of his attack, as well, so the absence of log entries detailing an incriminating remote connection cannot be treated as evidence or proof positive, either. They can only be a pointer in which direction to look, not necessarily implicating the owner of the machine they point to.
By the way, G&C mods, if you feel that this belongs in SLAM, feel free to move it there.