Testing our Assumptions about Ethics in Computing: Hackers
February 5, 2003
(video available in library + web site is VERY good: http://www.pbs.org/wgbh/pages/frontline/shows/hackers/)
Overview of lecture:
1. Review of “Ethics in Computing Site Map”
2. Are hackers different from other law-breakers?
3. How do hackers justify their actions?
4. Recent examples of hackers’ work (see video + Internet attacks in Nov. and Jan.)
5. What solutions have been proposed to combat hackers’ activities?
Review of what we mean by “ethics”: Robert Steele (security consultant shown in “Hackers” video):
“Why is ethics important? Ethics is about building for the common good. Ethics is about establishing due diligence standards, so that when you buy a car, the bolts on the wheels are actually screwed on. Bill Gates is selling computers without wheels. They crash a lot.”
2. Are hackers different from other law-breakers?
What if computers have NOT given us new kinds of criminals… they’re just in a new environment using new tools.
Is it that although some of the same crimes are carried out via computer, the guilty seem less guilty?
Traditional Crime | Computer-facilitated Crime
Vandalism | Plant worms ("Sapphire")/viruses
Thievery | Steal Software/Intellectual Property
Espionage | Steal Corporate Information
Sabotage | Destroy Competitors' Information
Fraud | Identity Theft
Why might we see differences between RL crime and computer crime?
BECAUSE
1. we can’t put a face to the criminal? They’re invisible, or hiding behind a “hacker ethic”?
2. crime is represented as “white collar” rather than crimes of “unemployed drug pushers”?
3. in the case of theft, because we don’t think it’s really theft?
“among all the things of the world, information is the hardest to guard, since it can be stolen without removing it.” (Goffman)
4. the damage doesn’t physically harm anyone? (“it’s big business, etc.”)
5. some hackers claim they’re not criminals (see below)
3. How do hackers justify their actions? (as opposed to deliberate criminal hackers/“crackers”)
Who are hackers?
“it takes a certain kind of mind to break things all day. It takes a certain kind of person, and that kind of attracts a counter-culture mentality.” (from “Hackers” video)
Johnson (Computer Ethics, 2001) notes 4 arguments used by hackers to defend their actions of unauthorized access to computers:
1. Information should be free.
2. Break-ins illustrate security holes to the authorities.
3. Hackers are not doing harm; they are learning about computer systems.
4. Hackers break in to expose instances of data abuse.
Which argument is the most compelling: does any argument justify their actions?
Range of actions:
* mere hacking into a “secure” system (see video for examples)
* to seizing control of Web pages (for political purposes: examples of “hacktivists” who seize web pages of corporations they allege are oppressing people – not shown in video)
malevolent activities:
* to political “terrorist groups” (example of Japanese doomsday sect – in video)
* to outright acts of vandalism (see November and January “Sapphire”/“slammer” Internet attacks)
January 25, 2003 – internet worm “using a well-known flaw in a Microsoft SQL database program: the worm didn’t delete files or harm computers, but overwhelmed systems with huge numbers of requests for information…”
5. Compare different solutions to combating hackers’ behaviour online:
1. Technology solution - develop secure systems to keep out hackers…
BUT clearly a reliance on technology to solve the problems is not adequate--hackers are challenged to test the technology
2. Johnson’s solutions (from Computer Ethics, 3rd edition):
- Legislation: stiffer laws to prosecute hackers
- “good neighbour conventions”: “attitudes and social conventions surrounding computing must make it clear to users that certain forms of [unethical] behaviour are unacceptable”
- educate hackers about the negative effects they are having.
3. From Robert Steele (as quoted from the PBS film on “Hackers”):
(focus NOT on hackers but on lack of private and public controls of software and our own negligence)
- “the government has to legislate what comprises "due diligence." Software has to meet certain standards of safety and stability and reliability and transparency.
- the government has to test and certify software, so that as a commonwealth interest, software is validated by the government as meeting those standards.
- the third and most important part is that the proprietors of the computers themselves must live up to a new standard of responsibility. You can't leave your computer connected to the world and not have firewalls. You can't send documents without encryption or other protection and expect them to remain private ….
But our responsibility, although the most important, is only the third step. The first two steps have to be taken by government and by the private sector.”
4. A hacker’s (Kevin Mitnick’s) recommendations to cut down on hacking: here the focus is on the user’s responsibilities:
* Confirm that someone is who they say they are before giving out information (issue of “social engineering” – a social engineer manipulates people to reveal information that gives the attacker unauthorized access)
* Don't pick easy passwords or ones that are real words (password-cracking tools can easily figure them out).
* Use shredders that destroy documents so they can't be reassembled.
* Physically destroy CDs and diskettes, because deleted or erased data can be recovered. (Plus hard drives!)
* Corporations need to install patches + not install computer systems with default configurations.
More at http://www.washingtonpost.com/wp-srv/liveonline/02/special/sp_technews_mitnick100302.htm