Ethics in Internet Security

Prabhaker Mateti

Abstract: We describe our statement of ethics, and present a brief discussion of what ethics is in the context of Internet security. We include for reference the codes of ethics of ACM, and IEEE.

Table of Contents

  1. Recognizing Our Ethical Responsibilities
    1. The Meaning of Ethics
    2. Private or Community?
    3. That Which is Not Yours
    4. Sharing that Which is Yours
    5. Protecting that Which is Yours
    6. Tit for Tat
    7. Squealing?
  2. Ethics in Internet Security
    1. What is: Intrusion? Hijacking? Privacy Invasion?
    2. Reasons for Hacking
    3. The Hacker's Code
    4. Hacktivism
    5. Example Questions of Ethics
    6. Our Statement of Ethics
  3. A List of Recent Ethical Dilemmas
  4. ACM Code of Ethics and Professional Conduct
  5. IEEE Code of Ethics
  6. Acknowledgements
  7. References

Educational Objectives

  1. Raise the level of conscience regarding ethics particularly in the context of network security.
  2. To distinguish between what is illegal versus unethical.

Ethics in Internet Security

We describe our statement of ethics, and present a brief discussion of what ethics is in the context of Internet security. In this article, there are many more questions than there are answers. Our goal in including the topic of ethics in a course on Internet security is not to provide answers to ethical dliemmas you may have but to raise your level of awareness.

Recognizing Our Ethical Responsibilities

Engineering education always includes a course or two on ethics. A course like ours must include a discussion even if we cannot deliver satisfactory answers.

The Meaning of Ethics

From www.merriam-webster.com: Main Entry: eth·ic Pronunciation: 'e-thik Function: noun Etymology: Middle English ethik, from Middle French ethique, from Latin ethice, from Greek EthikE, from Ethikos Date: 14th century 1 plural but singular or plural in construction : the discipline dealing with what is good and bad and with moral duty and obligation 2 a : a set of moral principles or values b : a theory or system of moral values <the present-day materialistic ethic> c plural but singular or plural in construction: the principles of conduct governing an individual or a group; < professional ethics> d: a guiding philosophy

The Macquarie Dictionary says: ethics - a system of moral principles, by which human actions and proposals may be judged good or bad or right or wrong (may refer to a particular class of actions - e.g. professional) [derived from a Greek word meaning moral] morals - principles or habits with respect to right or wrong conduct [derived from a Latin word meaning manners or customs]

A few years ago, sociologist Raymond Baumhart asked business people "What does ethics mean to you?" [from www.scu.edu/ethics/] Among their replies were the following:

"Ethics has to do with what my feelings tell me is right or wrong."
"Ethics has to do with my religious beliefs."
"Being ethical is doing what the law requires."
"Ethics consists of the standards of behavior our society accepts."
"I don't know what the word means."

These replies might be typical of our own. The meaning of "ethics" is hard to pin down, and the views many people have about ethics are difficult to articulate. Like Baumhart's first respondent, many people tend to equate ethics with their feelings. But being ethical clearly is not a matter of following one's feelings. A person following his or her feelings may recoil from doing what is right. In fact, feelings frequently deviate from what is ethical.

Ethics and religion are often coupled in ones mind because of our upbringing. But ethics is not confined to religion, nor is it the same as religion. Most religions, of course, advocate high ethical standards. Ethics applies as much to the behavior of an atheist as to that of the saint.

Being ethical also is not following the law. The law often incorporates ethical standards to which most citizens subscribe. But laws, like feelings, can deviate from what is ethical. American pre-Civil-War slavery laws and the apartheid laws of South Africa, are grotesquely obvious examples of laws that deviate from what is ethical.

As you can see, these paragraphs are not helpful in distinguishing between "ethics" and "morals".

Practical ethics through basic philosophy includes three elements: ethical thought; ethical definition; and ethical values. If a person conceives of, say, engineering activity, as only making money, for example, then one's definition of practical ethics, one's actions and values will, be guided by this basic philosophical position. Ethics is defined as a set of rules that clarify right conduct from wrong conduct.

Is Ethics Private or Community Based?

Being ethical is not the same as doing "whatever our society accepts." In any society, most people accept standards that are, in fact, ethical. But standards of behavior in society can deviate from what is ethical. An entire society can become ethically corrupt. Nazi Germany is a good example of an ethically corrupt society.

That Which is Not Yours

Ownership of many things, such as your car, books, computer, etc., is usually quite clear. Do you own the air? When you buy a piece of software, what is it that you own? The use of it? -- anything beyond that? If you could reverse engineer the source code of the program, is the source now yours?

We are also usually clear that we must not enter someone's house just because they left their back door wide open. If my files are read open, should you assume that you are allowed to read? What if they were also writeable? If my computer account has no password, should you login as me?

Sharing that Which is Yours

This is a commonly held belief that there is nothing wrong in sharing something that "is yours." Whereas loaning a book or a CD to a friend is never considered unethical, to place the content of the same on the web and share it is often considered unethical and illegal.

Protecting that Which is Yours

Nearly all present day effort in Internet security in "securing" computer systems, networks, web sites, etc. hopes to protect that which is theirs.

You stole it from me, so I can steal it back. Is this attitude ethical?

Tit for Tat

From Wikipedia : "Tit for tat is an English saying meaning "equivalent retaliation". It is also a highly effective strategy in game theory for the iterated prisoner's dilemma. It was first introduced by Anatol Rapoport in Robert Axelrod's two tournaments, held around 1980. An agent using this strategy will initially cooperate, then respond in kind to an opponent's previous action. If the opponent previously was cooperative, the agent is cooperative. If not, the agent is not. This is similar to superrationality and reciprocal altruism in biology."

Squealing

Suppose you have come across a behavior of a colleague that in your mind is clearly unethical. Should you squeal? Why is it that squealing has such a negative connotation?

Under what circumstances is it either permissible or required for a technician repairing a computer to report the contents of files found there? A case of firing of a dean of the Harvard Divinity School who had pornographic files on his university-owned computer [Journal of Information Systems Education, 11, Summer-Fall 2000, 121-126] raises questions of privacy and whistle-blowing.

In the context of security and privacy, let us focus on ethics only, not on morality.

Ethics in Internet Security

What is: Intrusion? Hijacking? Privacy Invasion?

Reasons for Hacking

To computer wizards, the term "hacker" is reserved for unusually clever programmers. To them, the electronic burglars who break into computers aren't hackers but intruders, attackers or "crackers."

Theft of services: Every system offers some type of service, and if a hacker has a use for it, they will hack the system. Examples of such systems are on-line information networks. The question of entitlement may not occur to them.

Take valuable files: The second reason a hacker may hack into a system is to take valuable files, e.g., credit-card numbers, or info on operation of telecommunication etc. systems. Such hackers are clearly aware that their activity is unlawful and they can get prosecuted.

Vengeance and hate: Another reason for hacking is vengeance and hatred. Causing harm to people and systems belongs here.

Thrill and excitement: The forth reason hackers break into systems is for the thrill and excitement of being somewhere you are not authorized to be. This accounts for the vast majority of "true hacking".

For knowledge and experiment: The final reason why hackers do what they do is just for knowledge and experiment. Hackers learn great deal every time they break into a new type of system.

Hackers: Heroes of the Computer Revolution

Steven Levy published this book in 1984. Editorial Reviews at Amazon.com describes the book as follows.

"Steven Levy's classic book explains why the misuse of the word "hackers" to describe computer criminals does a terrible disservice to many important shapers of the digital revolution. Levy follows members of an MIT model railroad club--a group of brilliant budding electrical engineers and computer innovators--from the late 1950s to the mid-1980s. These eccentric characters used the term "hack" to describe a clever way of improving the electronic system that ran their massive railroad. And as they started designing clever ways to improve computer systems, "hack" moved over with them. These maverick characters were often fanatics who did not always restrict themselves to the letter of the law and who devoted themselves to what became known as "The Hacker Ethic." The book traces the history of hackers, from finagling access to clunky computer-card-punching machines to uncovering the inner secrets of what would become the Internet. This story of brilliant, eccentric, flawed, and often funny people devoted to their dream of a better world will appeal to a wide audience."

Levy in this book lists the following hacker tenets:

  1. Access to computers should be unlimited and total.
  2. Always yield to the Hands-On Imperative
  3. All information should be free.
  4. Mistrust authority -- promote decentralization.
  5. Hackers should be judged by their hacking.
  6. You can create art and beauty on a computer.
  7. Computers can change your life for the better.

Do you subscribe to any of them? Why? Why not?

The Hacker's Code

Gregory Newby wrote a draft in 2000 reproduced below.

Preamble: Hackers are diverse, from all cultures and backgrounds. Every hacker is unique, yet we all share some characteristics. While not every hacker follows this Code, many believe it is a fair description of our shared traditions, goals and values.

  1. Hackers share and are willing to teach their knowledge.
  2. Hackers are skilled. Many are self-taught, or learn by interacting with other hackers.
  3. Hackers seek knowledge. This knowledge may come from unauthorized or unusual sources, and is often hidden.
  4. Hackers are tinkerers. They like to understand how things work, and want to make their own improvements or modifications.
  5. Hackers often disagree with authority, including parents, employers, social customs and laws. They often seek to get around authority they disagree with.
  6. Hackers disagree with each other. Different hackers have different values, and come from all backgrounds. This means that what one hacker is opposed to might be embraced by another.
  7. Hackers are persistent, and are willing to devote hours, days and years to pursuing their individual passions.
  8. This Code is not to prescribe how hackers act. Instead, it is to help us to recognize our own diversity and identity.
  9. Every hacker must make his or her own decisions about what is right or wrong, and some might do things they believe are illegal, amoral or anti-social.
  10. Hackers' motivations are their own, and there is no reason for all hackers to agree.
  11. Hackers have a shared identity, however, and many shared interests.
  12. By reading this Code, hackers can recognize themselves and each other, and understand better the group they are a part of.

Hacktivism

Hacktivism now has entry in the Wikipedia. As with any controversial topic, we should understand their views. Hacktivists believe in a form of altruistic justice.

Example Questions of Ethics

Here are a few examples. Each of you need to discover your own answers, and the answers that our community gives, and how they change over the years.

  1. Inserting oneself into a communication link between two other users, without their knowledge, is ok to do if the two users are terrorists.
  2. I was looking at my professor's .emacs to learn how he setup his Emacs. Then, I noticed that his Exams/ directory was read-open. All the files were those of previous terms. So I made a copy of his directory.
  3. I bought a PC that came with a Windows 2000 CD. I don't care for Win 2000, so I reformatted my hard disk and installed Linux on it. I gave my CD to a friend who wanted to upgrade from Win 98.
  4. I was curious how Nessus would work. On a real network. So, I tried it from a lab. Unplugged a PC, plugged in my laptop and started the scan. Wow! How many alerts that it showed! Ooops! It also crashed a few machines.
  5. Three years ago Diane started her own consulting business. She has been so successful that she now has several people working for her and many clients. Their consulting work includes advising on how to network microcomputers, designing database management systems, and advising about security.

    Presently she is designing a database management system for the personnel office of'a medium-sized company. Diane has involved the client in the design process, informing the CEO, the director of computing, and the director of personnel about the progress of the system. It is now time to make decisions about the kind and degree of security to build into the system. Diane has described several options to the client. Because the system is going to cost more than they planned, the client has decided to opt for a less secure system. She believes the information they will be storing is extremely sensitive. It will include performance evaluations, medical records for filing insurance claims, salaries, and so forth.

    With weak security, employees working on microcomputers may be able to figure out ways to get access to this data, not to mention the possibilities for on-line access from hackers. Diane feels strongly that the system should be much more secure. She has tried to explain the risks, but the CEO, director of computing and director of personnel all agree that less security will do. What should she do? Should she refuse to build the system as they request? (Adapted from: Johnson, D. G. Computer Ethics, Second Ed. Prentice Hall, Englewood Cliffs, N.J., 1993.) [From http://www.onlineethics.org/privacy/scene3.html]

Our Statement of Ethics

I expect all those attending our class to abide by the following statement. I welcome improvements to the statement.

In this course I am learning network and computer security principles. It is a 10-week long course, with a prerequisite of general understanding of operating systems and computer networks. I realize that this learning is just a beginning.



Name of the student
 
Signature and Date

A List of Recent Ethical Dilemmas

ACM Code of Ethics and Professional Conduct

See References. Required Reading.

IEEE Code of Ethics

See References. Required Reading.

Acknowledgements

These lecture materials are gleaned from many sources. All are presented after careful reading. In some cases, I may have neglected proper attribution. I assure the reader it is not because I claim authorship. Indeed, in the lectures there is hardly any thing new that I have contributed. Suggestions for improvement are always welcome.

References

  1. Dissident, "The Ethics of Hacking." [local copy] An opinion on hacking ethically. 1999? Required Reading. Also do http://packetstormsecurity.org/ search/?q=ethics
  2. onlineethics.org "Instructional Resources in Engineering Ethics, Computer Ethics & Research Ethics," an excellent web site. Recommended visit.
  3. ethics.csc.ncsu.edu "Ethics in Computing," Recommended visit.
  4. Damon Horowitz, "Moral Operating System", a TED talk, http://www.ted.com/ talks/ damon_horowitz.html, June 2011. Required watching.
  5. ACM, ACM Code of Ethics and Professional Conduct, 1992. Required Reading.
  6. ACM/IEEE, Software Engineering Code of Ethics and Professional Practice, 1999. Required Reading.

Copyright © 2012 • pmateti@wright.eduInternet Security Lectures