Cosc 4765
Ethics and security
Security
• Computer security crosses over legal and ethics lines in many places.
– Hacking is pretty much always illegal.
• See next slides for some legal issues
– Hacking by some is considered ethical.
• Depending on how it is done
• This topic and more are covered by the rest of the lecture.
Legal acts and computers
• Federal: US Computer Fraud and Abuse Act, 1984, prohibits
– Unauthorized access to a computer containing data protected by national defense or foreign relations concerns
• Also computers containing certain banking or financial information
• Access, use, modification, destruction, or disclosure of a computer or information in a computer operated on behalf of the US government.
Legal acts and computers (2)
• Accessing without permission a “protected computer”
– The courts now interpret this to include any computer connected to the Internet.
• Computer fraud
• Transmitting code that causes damage to a computer system or network
• Trafficking in computer passwords
Legal acts and computers (3)
• USA Patriot Act of 2001
– Amendment to the Computer Fraud and Abuse Act
– Knowingly causing the transmission of code resulting in damage to a protected computer is a felony
– Recklessly causing damage to a computer system as a consequence of unauthorized access is a felony
– Causing damage (even unintentionally) as a consequence of unauthorized access to a protected computer is a misdemeanor.
Legal acts and computers (4)
• US Electronic Communications Privacy Act, 1986
– Protects against electronic wiretapping
• Allows law enforcement agencies to ask for a court ordered wiretap
• Requires ISPs to have equipment to allow for wiretapping
– Allows ISPs to read communications to maintain service or protect themselves from damage
Law vs. Ethics
| Law | Ethics |
|---|---|
| Described by formal, written documents | Described by unwritten principles |
| Interpreted by courts | Interpreted by each individual |
| Established by legislatures | Presented by philosophers, religions, professional groups |
| Applicable to everyone | Personal choice |
| Priority determined by courts if 2 laws conflict | Priority determined by an individual if 2 principles conflict |
| Court is the final arbiter of “right” | No external arbiter |
| Enforceable by police and courts | Limited enforcement |
Ethics
• Ethical pluralism recognizes that more than one position may be ethically justifiable.
– In fields of Science and Tech, this type of statement seems illogical.
– There is no higher authority and there are no “correct” answers.
Examining ethical issues
1. Understand the situation
– Learn the facts of the situation
2. Know several theories for ethical reasoning
– You need to be able to justify your choices
3. List the ethical principles involved
– What can be applied to the case?
4. Determine which principles outweigh others.
– Subjective, but we need a logical conclusion or determination.
Ethical principles and theories
• Most ethics break down into 2 schools of thought.
1. Based on the good that results from the actions
– Consequence-based principles
2. Based on certain prima facie duties of people
– Rule-based principles
Consequence-Based principles
• Teleological theory focuses on consequences of an action
– An action is chosen which results in the “greatest” future good and least harm.
• Egoism
– Based on positive benefits to the person taking the action.
• Utilitarianism
– Based on positive benefits to everyone (entire Universe actually).
• “The good of the many outweighs the good of the few or the one.” --Spock
Rule-based principles
• Deontology is founded in a sense of duty. Certain things are good in and of themselves; they need no higher justification
– To name a few: truth, justice, peace, security, freedom, honor, love, friendship, happiness, consciousness, beauty.
– Often stated as rights:
• Right to know, right to privacy, right to fair compensation for work.
Rule-based principles (2)
• Various duties incumbent on all human beings:
– Fidelity, or truthfulness
– Reparation, duty to recompense for a previous wrongful act
– Gratitude, thankfulness for previous services or kind acts
– Justice, distribution of happiness in accordance with merit
– Beneficence, the obligation to help other people or to make their lives better
– Nonmaleficence, not harming others
– Self-improvement, to become continually better.
Applying ethics to security
• Many things are legal or illegal; the questions here are ethical.
– While it is legal for ISPs to read communications, when is it ethical?
– Security will at some point intrude on issues of privacy.
• When can you ethically read someone's e-mail, look through their files, etc., and pretty much invade their privacy?
Applying ethics to security (2)
• What are the ethics of vulnerabilities?
– Searching for them
– Reporting them to everyone, not just the vendor.
• There are ethical arguments that vulnerabilities should not be reported until a patch is available
• And that vulnerabilities should be reported as soon as possible
– Full disclosure – including how the vulnerability works.
– Partial disclosure – only how to protect the system.
Applying ethics to security
• Can there be an ethical argument for writing worms and viruses?
• How about password sniffing?
• And hacking: ethical hacking?
– You look around and do not intend to damage the system.
• What is the case for ethical hacking?
• What is the case where hacking is unethical?
Code of Ethics
• Various computer groups have developed a code of ethics:
– IEEE: Code of ethics
– ACM: Code of Ethics and Professional Conduct
• Too long to reprint in this lecture.
– The Computer Ethics Institute.
• The Ten Commandments of Computer Ethics.
IEEE Code of ethics
1. To accept responsibility in making engineering decisions consistent with the safety, health, and welfare of the public, and to disclose promptly factors that might endanger the public or the environment
2. To avoid real or perceived conflicts of interest wherever possible, and to disclose them to affected parties when they exist.
3. To be honest and realistic in stating claims or estimates based on available data
4. To reject bribery in all its forms
5. To improve understanding of technology, its appropriate application, and potential consequences
IEEE Code of ethics (2)
6. To maintain and improve our technical competence and to undertake technological tasks for others only if qualified by training or experience, or after full disclosure of pertinent limitations
7. To seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, and to credit properly the contributions of others
8. To treat fairly all persons regardless of such factors as race, religion, gender, disability, age, or national origin
9. To avoid injuring others, their property, reputation, or employment by false or malicious actions
10. To assist colleagues and coworkers in their professional development and to support them in following this code of ethics.
Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness
6. Thou shalt not copy or use proprietary software for which you have not paid
Ten Commandments of Computer Ethics (2)
7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual output
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.
Q&A