
Uploaded by beryl, posted 04-Jan-2016.


Page 1: Security

Security

The act of gaining unauthorized access to computer systems should not be criminalized assuming that there is no damage.

Team Members: Desmund Collins, Rebecca Crotty, Jasmine Georges, Diana Massey, & Nikita Mazurov

Page 2: Security

Let’s define some terms…

HACKER: “A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.” Or, “one who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.”

CRACKER: “An individual who attempts to gain unauthorized access to a computer system. These individuals are often malicious and have many means at their disposal for breaking into a system.” It is interesting to note that “cracking does not usually involve some mysterious leap of hackerly brilliance, but rather persistence and the dogged repetition of a handful of fairly well-known tricks that exploit common weaknesses in the security of target systems. Accordingly, most crackers are only mediocre hackers.”

No damage = Not criminal

(Definitions from the Free On-Line Dictionary of Computing, http://foldoc.doc.ic.ac.uk/foldoc/index.html)

Page 3: Security

Vulnerability Discovery Helps Companies and Protects Customers

– A benign intruder discovers a vulnerability in the software used by a company.
– If the intruder’s actions (assuming no damage is done) are not criminalized, the intruder feels safe to make contact with the company.
– Once the security hole is explained, the company can work on a solution, or even use one proposed by the intruder.
– Result: When a malignant intruder tries to penetrate the company’s security, he finds that the particular hole has already been patched thanks to the benign intruder.

– IF legal action could be taken against the benign intruder, the intruder wouldn’t feel comfortable contacting the company.
– Result: The malignant intruder successfully penetrates the company’s security, gaining access to customer data such as SSNs, credit card numbers, trade secrets, etc.

Page 4: Security

Examples of the Benefits of Public Vulnerability Announcement

“As Muhammad Faisal Rauf Danka recalls it, he tried 10 times to call a software maker about a devastating security flaw in one of its most popular programs….But nothing happened. Then he took his findings to a global audience — a worldwide mailing list devoted to exposing and exploring software bugs. Within days, Microsoft acknowledged that 200 million of its Passport accounts had been left open, apparently for months, allowing the easy hijacking of credit-card and other personal data. The company shut down the Passport system and fixed the hole.”[1]

“I personally have experienced vendors who reply that they will not consider my findings because I am not registered as a customer.”[2] – Arne Vidstrom, columnist

By keeping benign intrusion legal, companies can be spurred to create software patches that keep the bad guys out.

[1] Zorz, Mirko. “Hackers, Software Companies Feud Over Disclosure of Weaknesses.” Help Net Security, 15 July 2003. Accessed 01 April 2004. <http://www.net-security.org/news.php?id=3121>.
[2] Vidstrom, Arne. “Full Disclosure of Vulnerabilities - Pros/Cons and Fake Arguments.” Help Net Security. Accessed 01 April 2004. <http://www.net-security.org/article.php?id=86>.

Page 5: Security

Social Benefits

Too strict regulations in this area will curb the “teenage hacker’s unbounded inquisitiveness” which could be developed into “constructive learning and use” (Lee). Restrictions will be more effective at limiting technology growth and development, which benefits society greatly, than at limiting harmful activities.

FAMOUS HACKERS WHO BENEFITED SOCIETY (from Lee):
– Lee Felsenstein, who created the Osborne Computer
– Steven Wozniak, who designed the Apple

Ethical hackers hold “that information-sharing is a powerful positive good, and that it is an ethical duty of hackers to share their expertise by writing free software and facilitating access to information and to computing resources wherever possible” (FOLDOC). Furthermore, they support “the belief that [unauthorized system access] for fun and exploration is ethically OK as long as the cracker commits no theft, vandalism, or breach of confidentiality” (FOLDOC).

FOR MORE INFO...

Lee, John A. N., Gerald Segal, and Rosalie Steier. “Positive Alternatives: A Report on an ACM Panel on Hacking.” Communications of the ACM, Vol. 29, No. 4, April 1986.

Page 6: Security

Cracking as a Form of Public Safety

If the information that someone is hiding can result in harm to another person, then at some point the decision must be made to invade privacy in order to save that person. The government uses this type of logic in its policy for cases of clear and imminent danger.

– Example situation: In situations like 9/11, if there is a way to crack into the database of those plotting against the U.S., then we should be able to do so as a matter of public safety.

Page 7: Security

Cracking: An Expression of One’s 1st Amendment Right

Computers serve as a gateway to a world of information. Information that can be gained through the use of a computer should not be criminalized.
– A matter of freedom of speech and access to information
– Information cannot be owned
– An individual’s privacy vs. a corporation’s or the government’s privacy. Is there a double standard?

Page 8: Security

“Crackers:” The Defamation of the Name

Crackers have been given a bad name because people tend to focus on the malicious acts that are brought to the public’s attention by the media.

A majority of crackers crack into systems simply to learn more about how the computer operates.

Rather than being seen as malicious criminals, they should be viewed as heroic figures helping to make computer systems more secure.

FOR MORE INFO...

Denning, Dorothy E. “Concerning Hackers Who Break into Computer Systems.” Presented at the 13th National Computer Security Conference, 1990. http://www.sgrm.com/art-7.htm

Page 9: Security

Hacktivism & Electronic Civil Disobedience

Hacktivism is defined as “the (sometimes) clandestine use of computer hacking to help advance political causes”[1].

Electronic Civil Disobedience entails the peaceful breaking of unjust laws using the computer as a tool. It allows people to raise awareness of unjust laws, or to oppose perceived unjust acts of individuals, corporations, organizations, and governments.

To be considered an act of civil disobedience, an act must:
– Be non-violent/cause no damage to persons or property
– Not be for personal profit
– Have some ethical motivation
– Be accompanied by a willingness to accept personal responsibility

People who intentionally hack websites to raise awareness should not receive the same felony charges as people who use “cracking” as a way to destroy computer systems, or even to cause harm or death to the people who own them.

FOR MORE INFO...

[1] Goodrum, Abby, and Mark Manion. “Terrorism or Civil Disobedience: Toward a Hacktivist Ethic.” Computers and Society (June 2000): 14-19.

Page 10: Security

Examples of Successful Hacktivism Against Government and Corporations

Several Indonesian government websites were hacked to protest the targeting of ethnic Chinese Indonesians for torture, rape, and looting during the anti-Suharto riots of May 1998. The hackers altered web pages to call for full autonomy for East Timor and an end to the harsh military crackdown on dissidents.

etoy.com vs. eToys.com: Even though etoy.com, the website of a Swiss artist group, existed first, eToys.com, a new US online toy store, succeeded in getting etoy.com shut down because of the similar name. etoy.com’s supporters fought back online and managed to drive down eToys.com’s stock price. This led to etoy getting to keep its domain name.

FOR MORE INFO...

Lemos, Robert. “Hacking for Human Rights.” http://news.com.com/2100-1001-269962.html?legacy=cnet (More examples of Electronic Civil Disobedience.)