Cosc 4765 Ethics and security

Upload: linette-marion-mccoy

Post on 02-Jan-2016


Page 1: Cosc 4765 Ethics and security. Security Computer security crosses over legal and ethics lines in many places. –Hacking is pretty much always illegal

Cosc 4765

Ethics and security


Security

• Computer security crosses over legal and ethics lines in many places.
  – Hacking is pretty much always illegal.
    • See next slides for some legal issues
  – Hacking by some is considered ethical.
    • Depending on how it is done
    • This topic and more are covered by the rest of the lecture.


Legal acts and computers

• Federal: US Computer Fraud and Abuse Act, 1984, prohibits
  – Unauthorized access to a computer containing data protected by national defense or foreign relations concerns
    • Also computers containing certain banking or financial information
    • Access, use, modifications, destruction, or disclosure of a computer or information in a computer operated on behalf of the US government.


Legal acts and computers (2)

• Accessing without permission a “protected computer”
  – The courts now interpret this to include any computer connected to the Internet.

• Computer fraud

• Transmitting code that causes damage to a computer system or network

• Trafficking in computer passwords


Legal acts and computers (3)

• USA Patriot Act of 2001
  – Amendment to the Computer Fraud and Abuse Act
  – Knowingly causing the transmission of code resulting in damage to a protected computer is a felony
  – Recklessly causing damage to a computer system as a consequence of unauthorized access is a felony
  – Causing damage (even unintentionally) as a consequence of unauthorized access to a protected computer is a misdemeanor.


Legal acts and computers (4)

• US Electronic Communications Privacy Act, 1986
  – Protects against electronic wiretapping
    • Allows law enforcement agencies to ask for a court-ordered wiretap
    • Requires ISPs to have equipment to allow for wiretapping
  – Allows ISPs to read communications to maintain service or protect themselves from damage


Law vs. Ethics

Law | Ethics
Described by formal, written documents | Described by unwritten principles
Interpreted by courts | Interpreted by each individual
Established by legislatures | Presented by philosophers, religions, professional groups
Applicable to everyone | Personal choice
Priority determined by courts if 2 laws conflict | Priority determined by an individual if 2 principles conflict
Court is the final arbiter of “right” | No external arbiter
Enforceable by police and courts | Limited enforcement


Ethics

• Ethical pluralism recognizes that more than one position may be ethically justifiable.
  – In fields of Science and Tech, this type of statement seems illogical.
  – There is no higher authority and there are no “correct” answers.


Examining ethical issues

1. Understand the situation
   – Learn the facts of the situation
2. Know several theories for ethical reasoning
   – You need to be able to justify your choices
3. List the ethical principles involved
   – What can be applied to the case?
4. Determine which principles outweigh others.
   – Subjective, but we need a logical conclusion or determination.


Ethical principles and theories

• Most ethics break down into 2 schools of thought.

1. Based on the good that results from the actions
   – Consequence-based principles
2. Based on certain prima facie duties of people
   – Rule-based principles


Consequence-Based principles

• Teleological theory focuses on consequences of an action
  – An action is chosen which results in the “greatest” future good and least harm.
• Egoism
  – Based on positive benefits to the person taking the action.
• Utilitarianism
  – Based on positive benefits to everyone (entire Universe actually).
    • “The good of the many outweighs the good of the few or the one.” --Spock


Rule-based principles

• Deontology is founded in a sense of duty. Certain things are good in and of themselves; they need no higher justification
  – To name a few: truth, justice, peace, security, freedom, honor, love, friendship, happiness, consciousness, beauty.
  – Often stated as rights:
    • Right to know, right to privacy, right to fair compensation for work.


Rule-based principles (2)

• Various duties incumbent on all human beings:
  – Fidelity, or truthfulness
  – Reparation, duty to recompense for a previous wrongful act
  – Gratitude, thankfulness for previous services or kind acts
  – Justice, distribution of happiness in accordance with merit
  – Beneficence, the obligation to help other people or to make their lives better
  – Nonmaleficence, not harming others
  – Self-improvement, to become continually better.


Applying ethics to security

• Many things are legal or illegal. The questions here are ethical.
  – While it is legal for ISPs to read communications, when is it ethical?
  – Security will at some point intrude on issues of privacy.
    • When can you ethically read someone's e-mail, look through their files, etc., pretty much invade their privacy?


Applying ethics to security (2)

• What are the ethics of vulnerabilities
  – Searching for them
  – Reporting them to everyone, not just the vendor.
    • There are ethical arguments that vulnerabilities should not be reported until a patch is available
    • And that vulnerabilities should be reported as soon as possible
  – Full disclosure – including how the vulnerability works.
  – Partial disclosure – only how to protect the system.


Applying ethics to security

• Can there be an ethical argument for writing worms and viruses?

• How about password sniffing?

• And hacking: ethical hacking?
  – You look around and do not intend to damage the system.
    • What is the case for ethical hacking?
    • What is the case where hacking is unethical?


Code of Ethics

• Various computer groups have developed a code of ethics:
  – IEEE: Code of ethics
  – ACM: Code of Ethics and Professional Conduct
    • too long to reprint in this lecture.
  – The Computer Ethics Institute.
    • The Ten Commandments of Computer Ethics.


IEEE Code of ethics

1. To accept responsibility in making engineering decisions consistent with the safety, health, and welfare of the public, and to disclose promptly factors that might endanger the public or the environment

2. To avoid real or perceived conflicts of interest wherever possible, and to disclose them to affected parties when they exist.

3. To be honest and realistic in stating claims or estimates based on available data

4. To reject bribery in all of its forms

5. To improve understanding of technology, its appropriate application, and potential consequences


IEEE Code of ethics (2)

6. To maintain and improve our technical competence and to undertake technological tasks for others only if qualified by training or experience, or after full disclosure of pertinent limitations

7. To seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, and to credit properly the contributions of others

8. To treat fairly all persons regardless of such factors as race, religion, gender, disability, age, or national origin

9. To avoid injuring others, their property, reputation, or employment by false or malicious actions

10. To assist colleagues and coworkers in their professional development and to support them in following this code of ethics.


Ten Commandments of Computer Ethics

1. Thou shalt not use a computer to harm other people.

2. Thou shalt not interfere with other people’s computer work.

3. Thou shalt not snoop around in other people’s computer files.

4. Thou shalt not use a computer to steal.

5. Thou shalt not use a computer to bear false witness

6. Thou shalt not copy or use proprietary software for which you have not paid


Ten Commandments of Computer Ethics (2)

7. Thou shalt not use other people’s computer resources without authorization or proper compensation.

8. Thou shalt not appropriate other people’s intellectual output

9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.

10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.


Q&A