Hackers Get Novel Defense; the Computer Did It

Mon Oct 27, 7:56 PM ET


By Elinor Mills Abreu

SAN FRANCISCO (Reuters) - Prosecutors looking to throw
the book at accused computer hackers have come across
a legal defense expected to become even more
widespread in an era of hijacked PCs and laptops that
threatens to blur the lines of personal
responsibility: the computer did it.





In one case that was being watched as a bellwether by
computer security experts, Aaron Caffrey, 19, was
acquitted earlier this month in the United Kingdom on
charges of hacking into the computer system of the
Houston Pilots, an independent contractor for the Port
of Houston, in September 2001.


Caffrey had been charged with breaking into the system
and crippling the server that provides scheduling
information for all ships entering the world's
sixth-largest port.


Although authorities traced the hack back to Caffrey's
computer, he said that someone must have remotely
planted a program, called a "trojan," onto his
computer that did the hacking and that could have been
programmed to self-destruct.


In two other cases, British men were accused of
downloading child pornography but their attorneys
successfully argued that trojan programs found on
their computers were to blame.


In all three cases, no one has suggested that the
verdicts were anything other than correct.


Some legal and security experts say the trojan defense
is a valid one because computer hijacking occurs all
the time and savvy hackers can easily cover their
tracks.


"I've seen cases where there is a similar defense and
it could work or not work based on corroborating
evidence" such as how technical the defendant is, said
Jennifer Stisa Granick, clinical director of the
Stanford Law Center for Internet and Society.


It is relatively easy to trace a hack back to a
particular computer, but proving that a specific
person committed the crime is much more difficult, she
and others said.


Someone other than the computer owner could use the
machine, either by gaining physical access or remotely
installing trojan software that was slipped onto the
computer via an e-mail sent to the computer owner or
downloaded from a malicious Web site, they said.


"On the one hand, this is 100 percent correct that you
can not make that jump from computer to keyboard to
person," said Bruce Schneier, chief technology officer
at Counterpane Internet Security based in Cupertino,
California. "On the other hand, this defense could (be
used) to acquit everybody.


"It makes prosecuting the guilty harder, but that's a
good thing," he added.


Mark Rasch, former head of the U.S. Department of
Justice computer crime unit, agreed.


"The more difficult problem is people could actually
go to jail for something they didn't do" as a result
of trojan programs, said Rasch, chief security counsel
for computer security provider Solutionary. "If I want
to do something illegal I want to do it on someone
else's machine."


But Dave Morrell, a computer consultant for the
Houston Pilots who worked with the FBI after the
attack, said the defense also opened the door to
hackers.


"It sets a precedent now in the judicial system where
a hacker can just claim somebody took over his
computer, the program vanished and he's free and
clear," he said.


Michael Allison, chief executive of computer forensics
firm Internet Crimes Group in Princeton, New Jersey,
said experts should have been able to prove if there
had been a trojan on the computer in question.





"In some cases, I do suspect there are people whose
computer is taken over by third parties," he said.
"It's also a clever defense to exculpate your client."


The defense is likely to become more widespread
especially given the increasing use of "spyware"
programs that can be used by hackers to steal
passwords and essentially eavesdrop on a computer
user, experts said.

"The emergence of spyware will only enhance these
claims," said Michael Geist, a law professor at the
University of Ottawa Law School in Canada. "We're
going to have to sort through the level of
responsibility a person has for operating their own
computer."

The trojan defense has not yet been put to the test in
the United States.

(Additional reporting by Bernhard Warner in London)




=====


associate editor, _sidereality

http://www.sidereality.com/

——–

http://www.lewislacook.com/

turbulence artist studio: http://turbulence.org/studios/lacook/index.html








