It bears an interesting relationship to ISP's and offshore gambling ...
If there was significant harm (generally financial) caused by the hacker
(graffitti is a misdemeanor unless you spray paint a federal facility's
web site) or if there was real damage to someone's name or reputation
then ...
The computer owners would probably be held harmless in criminal
proceedings. They could be hauled before the courts in a civil
proceedings however ... be VERY scared of civil proceedings ... recall
that OJ Simpson was found not guilty of criminal activity in criminal
court but was stripped naked in civil court and that this sort of civil
court activity happens frequently.
The underlying issues are what precedences apply to the circumstances
under which a tool (can of paint, rock, gun, computer, dynamite) was
used to commit a crime. As noted, these are generally matters of civil
rather than criminal law, and civil law tends to favour the injured
party (whose site was damaged) over the owner (of the computers used to
hack the injured party). If the owner failed to excercise due caution,
then the owner could be subject to the laws of contributory negligence.
If the owner did excercise reasonable caution, then the owner's
attorney's will be in a good position to argue the owner should be held
harmless. Note that the injured party does NOT have to excercise any
such due caution (e.g. you are not contributing if you leave your doors
unlocked, but beware the somewhat deprecated "attractive nuisance"
laws!).
It also depends on the state (or country?) in which the injured party,
the hacker, and the computer owner reside. Note that it is NOT necessary
that the parties be in the same state. Depending on the country(s), it
isn't even necessary for all to be in the same countries.
If the hacker used the computers without the knowledge of the computer's
owners, then there is an interesting twist associated with current
awareness of the scenario you describe and "reasonable caution": if the
activity on the systems would have been identified by a reasonable
systems administration, the computer owners was apprised of the risk,
and did NOT excercise reasonable business practices by having such
resources on their staff, some states (California) have laws that could
arguably hold the employer liable for civil (not criminal) damages.
To the best of my knowledge, the scenario has not occurred where
sufficient damage was caused to justify the legal expenses (or at least
where one party couldn't be identified with sufficiently deep pockets).
There have been some proto-exceptions in the case of off-shore gambling
and child pornography.
D Clyde Williamson wrote:
>
> Brian Steele wrote:
> >
> > Slightly off-topic: - could the owner of a LAN (be it company, university
> > or whatever) be held responsible for a hack attack on another computer
> > system originating from one of the computers on its network?
> >
> > The reason I ask this question is that I get the impression that people are
> > paying the most attention to what comes IN through the Firewall, and little
> > if any attention to what goes OUT through the same doorway.
> >
> > Brian Steele
> >
> > [ Grommet's House - http://www.spiceisle.com/homepages/brian/ ]
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>
> WARNING IANAL (I am not a lawyer)
>
> I set in on an interetsing FBI discussion of this matter. There's a
> really nasty leagl thing called "downstream liablity". Which basically
> means that if you did you best and still got used as an attack
> platform... you're safe. However, if the victim can show that you did
> not attempt to secure yourself as a platform (or if you had been warned
> about odd things comming form your network and did nothing) you could be
> liable.
>
> You can never be to paranoid. ;-)
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
--
Daemeon Reiydelle
Systems Engineer, Anthropomorphics Inc.
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
