Lecture February 5, 2003

Testing our Assumptions about Ethics in Computing: Hackers

(video available in library + web site is VERY good: http://www.pbs.org/wgbh/pages/frontline/shows/hackers/)

Overview of lecture:

1. Review of “Ethics in Computing Site Map”
2. Are hackers different from other law-breakers?
3. How do hackers justify their actions?
4. Recent examples of hackers’ work (see video + Internet attacks in Nov. and Jan.)
5. What solutions have been proposed to combat hackers’ activities?

Review of what we mean by “ethics”: Robert Steele (security consultant shown in “Hackers” video):
“Why is ethics important? Ethics is about building for the common good. Ethics is about establishing due diligence standards, so that when you buy a car, the bolts on the wheels are actually screwed on. Bill Gates is selling computers without wheels. They crash a lot.”

2. Are hackers different from other law-breakers?

What if computers have NOT given us new kinds of criminals…they’re just in a new environment using new tools.

Is it that although some of the same crimes are carried out via computer, the guilty seem less guilty?

| Traditional Crime | Computer-facilitated Crime |
| --- | --- |
| Vandalism | Plant worms ("Sapphire")/viruses |
| Thievery | Steal Software/Intellectual Property |
| Espionage | Steal Corporate Information |
| Sabotage | Destroy Competitors’ Information |
| Fraud | Identity Theft |

Why might we see differences between RL crime and computer crime?

BECAUSE

1. we can’t put a face to the criminal? They’re invisible, or hiding behind a “hacker ethic”?

2. crime is represented as “white collar” rather than crimes of “unemployed drug pushers”?

3. in the case of theft, because we don’t think it’s really theft?
“among all the things of the world, information is the hardest to guard, since it can be stolen without removing it.” (Goffman)

4. the damage doesn’t physically harm anyone? (“it’s big business, etc.”)

5. some hackers claim they’re not criminals (see below)

3. How do hackers justify their actions? (as opposed to deliberate criminal hackers/ “crackers”)

Who are hackers? “it takes a certain kind of mind to break things all day. It takes a certain kind of person, and that kind of attracts a counter-culture mentality.” (from “Hackers” video)

Johnson (Computer Ethics, 2001) notes 4 arguments used by hackers to defend their actions of unauthorized access to computers:

1. Information should be free.

2. Break-ins illustrate security holes to the authorities.

3. Hackers are not doing harm; they are learning about computer systems.

4. Hackers break in to expose instances of data abuse.

Which argument is the most compelling: does any argument justify their actions?

Range of actions:

* mere hacking into a “secure” system (see video for examples)
* to seizing control of Web pages (for political purposes--examples of “hacktivists” who seize web pages of corporations they allege are oppressing people – not shown in video)

malevolent activities:

* to political “terrorist groups” (example of Japanese doomsday sect – in video)
* to outright acts of vandalism (see November and January “Sapphire”/“slammer” Internet attacks)

January 25, 2003 – internet worm “using a well-known flaw in a Microsoft SQL database program: the worm didn’t delete files or harm computers, but overwhelmed systems with huge numbers of requests for information…”

5. Compare different solutions to combating hackers’ behaviour online:

1. Technology solution - develop secure systems to keep out hackers…

BUT clearly a reliance on technology to solve the problems is not adequate--hackers are challenged to test the technology

1. Johnson’s solutions (from Computer Ethics, 3rd edition):
- Legislation: stiffer laws to prosecute hackers
- “good neighbour conventions”: “attitudes and social conventions surrounding computing must make it clear to users that certain forms of [unethical] behaviour are unacceptable”
- educate hackers about the negative effects they are having.

2. From Robert Steele (as quoted from the PBS film on “Hackers”):
(focus NOT on hackers but on lack of private and public controls of software and our own negligence)

- “the government has to legislate what comprises "due diligence." Software has to meet certain standards of safety and stability and reliability and transparency.

- the government has to test and certify software, so that as a commonwealth interest, software is validated by the government as meeting those standards.

- the third and most important part is that the proprietors of the computers themselves must live up to a new standard of responsibility. You can't leave your computer connected to the world and not have firewalls. You can't send documents without encryption or other protection and expect them to remain private ….

But our responsibility, although the most important, is only the third step. The first two steps have to be taken by government and by the private sector.”

3. A hacker’s (Kevin Mitnick’s) recommendations to cut down on hacking: here the focus is on the user’s responsibilities:

* Confirm that someone is who they say they are before giving out information (issue of “social engineering” – a social engineer manipulates people to reveal information that gives the attacker unauthorized access)
* Don't pick easy passwords or ones that are real words (password-cracking tools can easily figure them out).
* Use shredders that destroy documents so they can't be reassembled.
* Physically destroy CDs and diskettes, because deleted or erased data can be recovered. (Plus hard drives!)
* Corporations need to install patches + not install computer systems with default configurations.

More at http://www.washingtonpost.com/wp-srv/liveonline/02/special/sp_technews_mitnick100302.htm

This page last revised 9/17/02