CS363 Week 14 - Friday

Week 14 - Friday. What did we talk about last time? Employer and employee rights Computer crime Other issues Difficulty of prosecuting computer

Last time

What did we talk about last time?

Employer and employee rights

Computer crime

Other issues

Difficulty of prosecuting computer criminals

Questions?

Assignment 5

Project 3

Security tidbit of the day

Surveillance is getting cheaper and easier

Conversnitch is an art project that built an eavesdropping device out of a Raspberry Pi and a flower pot for less than $100

It is powered by a standard light bulb socket

It uploads audio through any unsecured wireless connection

Security tidbit continued

The audio is processed by Amazon's Mechanical Turk crowdsourcing platform

Then, snippets of (anonymized) conversations are posted on Conversnitch's Twitter account

Commercially, there is a $54 camera that hides in a smoke detector and an $80 one in an alarm clock and many other options

Follow the story: http://www.wired.com/2014/04/coversnitch-eavesdropping-lightbulb/

Privacy acts (mentioned already)

U.S. Privacy Act

Enacted in 1974 to limit the amount and uses of personal information the government collects

U.S. Electronic Communications Privacy Act

Enacted in 1986 to protect citizens from government wiretapping without a warrant

Gramm-Leach-Bliley

Enacted in 1999 to protect the privacy of customers of financial institutions

HIPAA

Enacted in 1996 to protect the privacy of individual medical records

More example statutes

USA Patriot Act

Passed in 2001 in the wake of 9/11

Allows law enforcement to wiretap if they can show to a court that the target is probably the agent of a foreign power

Amended the U.S. Computer Fraud and Abuse Act to make damaging a protected computer a felony

Controlling the Assault of Non-Solicited Pornography and Marketing (CAN SPAM) Act

Bans false or misleading SMTP headers

Prohibits deceptive subject lines

Requires commercial e-mails to give an opt-out method

Bans the sale or transfer of e-mails of those who have opted out

Requires commercial e-mails to be identified as advertisements

Has no effect on spam coming from overseas

Other Computer Crime Issues

Computer criminals are hard to catch

Much of the crime is international, and there are no international computer laws

Although many countries cooperate to catch criminals, there are safe havens where they cannot be arrested

Technical problems make them hard to catch

Attacks can be bounced through many intermediaries, each requiring their own search warrant

The right network administrator has to be given the warrant (and he or she might not keep good records)

Cryptography and the law

Many countries have controls on the use of cryptography

Governments want cryptography they can break so that they can catch criminals

Laws are hard to enforce for individuals, especially now that the instructions for coding up AES are widely available

Until 1998, export of cryptography in the US was covered under laws preventing the export of weapons of war

This definition changed, although there are still export restrictions

There were never any restrictions on the use of cryptography in the US

Absurdly, the government said that object code was subject to export restriction, but printed source code was an idea and therefore not

Escrowed cryptography

The government made proposals to relax export rules for escrowed encryption

With escrowed encryption, the government is given copies of all the keys used to protect all transmissions, but promises to use them only with court authorization

Three well known proposals for these systems were Clipper, Capstone, and Fortezza

These proposals were not adopted because of public distrust of what the government might do with all the keys

Current cryptographic policies

In 1996, the National Research Council made the following recommendations:

No law should ban the use of any encryption inside the US

Export controls should be relaxed

56-bit DES (and similar levels of encryption) should be easily exportable

Escrowed encryption isn't a mature technology

Laws should be enacted to punish the use of encryption to commit crimes

In 1998, the government:

Allowed export of DES virtually everywhere

Allowed unlimited size encryption to 45 industrial countries for financial institutions, medical providers, and e-commerce

Made applying for permission to export a simpler process

Ethics and Computers

Law vs. ethics

We can't make laws to cover every single case

We rely on ethics and morals to help

An ethic is an objectively defined standard of right and wrong

A set of ethical principles makes an ethical system

We will not distinguish between ethics and morals here

Some authors use the terms interchangeably or distinctly

Laws vs. ethics

Laws:

Apply to everyone

Courts determine which law applies or if one supersedes another

Laws and courts define what is right (legal) and what is wrong (illegal)

Laws are enforced

Ethics:

Are personal

Ethical positions often come into conflict with each other

There is no universal standard of right and wrong

There is no systematic enforcement for ethical decisions

Issues with ethics

Ethics are a set of principles for justifying what is right or wrong in a situation

Religion affects ethics because it makes strong statements about moral principles

However, two people with the same religion can have different ethical philosophies and two people with different religions can have the same

Ethical values vary from society to society and within a society

Ethics do not provide answers

Opposed positions may be ethically justifiable

This is called ethical pluralism

There is no ultimate ethical authority

Why study ethics?

People make ethical judgments all the time

If you know what is right to do and what is wrong to do in a situation, ethics can help you justify your choice

If you don't know what to do, a study of ethics can help you find the right choice

Examining an ethical choice

1. Understand the situation

Learn all the facts about the situation first

2. Know several theories of ethical reasoning

There may be many ways to justify different choices

3. List the ethical principles involved

What different philosophies could be applied?

4. Determine which principles outweigh others

This is the hard part where you have to make a subjective valuation

Consequence-based principles

One school of ethical thought examines the good (or bad) that could result from actions

This is called the teleological theory of ethics

In a consequence-based system of ethics, you must weigh the positive consequences against the negative consequences

Egoism is the form of teleology that seeks to maximize the good for the person taking the action

Utilitarianism is the form that seeks to maximize the good for everyone

Rule-based principles

Another school of ethical reasoning is deontology, which assumes that some things are good in and of themselves

Individuals have a duty to promote these things

Examples of intrinsically good things in some deontological systems:

Truth, knowledge, understanding, wisdom

Justice

Pleasure, satisfaction, happiness, life

Peace, security, freedom

Good reputation, honor, love, friendship

Beauty

Rule-deontology

Rule-deontology proposes that there are universal natural laws that we should adhere to

In so doing, we ensure the rights of others

Some examples of these duties:

Truthfulness

Making up for a previous wrongful act

Thankfulness

Distribution of happiness according to merit

Helping other people

Not harming others

Improving oneself

Your system of duties might come from a religion or be even more individualized

Case Studies of Ethics

Case I: Use of Computer Services

Dave works as a programmer by day

His company does batch processing at night

He discovers that he could program at night without affecting the batch processing

He comes in at night to code software to manage his stock portfolio

Issues:

Ownership of resources

Effect on others

Utilitarianism principle

Possibility of punishment

How would it change if…

Dave began a business managing other people's portfolios for profit

Dave's salary was below average for his background

Perhaps computer use is a reasonable perk

Dave's employer knew of other employees doing the same thing and did not stop them

Dave worked for a government office and reasoned that the computers are owned "by the people"

Case II: Privacy Rights

Donald keeps computer records for the county

Ethel has been granted access to numerical records without identifying information for research purposes

Ethel finds some interesting data, but needs to follow up by contacting the individuals

Should Donald release the data?

Issues:

Job responsibility

Authorized use of data

Possible misuse

Confidentiality

Tacit permission

Propriety

Extensions

Donald was the person who decided allowable access to the files

If Ethel gets the data, is it ethical for her to contact the people?

What if Ethel contacts the people to get their permission to use their data

One third give permission

One third deny permission

One third do not respond

What if one half of the people are needed to have a valid study?

Case III: Denial of Service

Charlie is working on an assignment which, because of a bug in the system that is not his fault, crashes the campus computer system

He reports the problem to campus IT and tries to change his program so that it works without crashing the system

The system crashes 10 more times, sometimes when his program is running and sometimes not

Carol is discovered to have had a program running 8 out of those 10 times, exploiting the same weakness as Charlie's original code

The IT director suspends Carol's account; she gets a D in the course and drops out of school

Analysis

Do you need any additional information to make a judgment?

Who has rights in this case and what are they?

Who has a responsibility to protect those rights?

Has Charlie acted ethically?

Has Carol acted ethically?

Has the director of IT acted ethically?

How could anyone have acted differently?

Case IV: Ownership of Programs

Greg is a programmer at Star Computers, an aerospace company that works on government contracts

He writes some utility programs that he was not assigned to write but help make his job easier

He decides to market them

Greg's manager Cathy has to tell him not to market them, even though she thinks he has the right to

Cathy quits Star and gets a job at their competitor Purple Computers

She brings copies of Greg's programs and gives them to her coworkers

Because of the software, Purple has increased productivity and gives Cathy a bonus

Greg hears about this and contacts Cathy

Cathy claims that the software belongs to the public domain because Star worked mostly from government contracts

Analysis

What are the rights of Greg, Cathy, Star, and Purple?

Where do these rights come from?

Which rights take precedence?

What additional information is needed to make a judgment?

What could Greg have done differently?

What could Cathy have done differently?

What could Purple have done differently after learning it had Star programs?

What could Star have done differently?

Case V: Proprietary Resources

Suzie owns a copy of Photoshop which she bought legitimately

As you know, the software is copyrighted, and the documentation contains a license agreement that the software is for the purchaser only

Suzie invites Luis to look at the software to see if it will fit his needs

Luis examines the software on Suzie's computer and likes it

He wants to try it in a longer test

Different outcomes

What are the ethical issues in each of the following separate scenarios:

Suzie offers to copy the disk for Luis to use

Suzie copies the disk for Luis to use, and he uses it for some period of time

Suzie copies the disk for Luis to use, and he uses it for some period of time and then buys a copy

Suzie copies the disk for Luis to try overnight with the understanding that he must bring it back tomorrow without copying it, and he complies

Suzie does the same, but Luis makes a copy anyway

Suzie does the same, Luis makes a copy, but he eventually buys a copy

Suzie does the same, but Luis never returns the copy

Case VI: Fraud

Alicia is a programmer for a corporation

Her supervisor Ed tells her to write a program that allows people to edit company accounting information directly

Alicia knows that programs that can edit company accounts usually have several steps with checks in them

This program would allow anyone to change the books without a trace

Alicia mentions these issues to Ed

Ed says that her job is to write the software she's told to write

He says that this software can be used to correct mistakes made

Analysis

Is a programmer responsible for the programs he or she writes?

Is a programmer an employee who follows orders unthinkingly?

What degree of personal risk is an employee obliged to accept for opposing an improper action?

Would a program like the one here ever be justified? When?

How could a program like this one be controlled?

Would the ethical issues be changed if Alicia wrote this program on her own?

Case VII: Accuracy of Information

Emma is a researcher who is analyzing the nutritional content of a cereal called Raw Bits

She gets a statistical programmer Paul to analyze the data

His analysis shows that Raw Bits is not nutritious and may be harmful

He suggests that another set of correlations could show Raw Bits in a more favorable light

He claims he could argue any side of any issue with statistics

Analysis

Is it ethical for Paul to suggest analyzing data to support two different conclusions?

Is Paul obligated to present both positive and negative analyses? Is he responsible for their use?

Is it ethical for Emma to accept positive or negative conclusions if she doesn't understand the statistics?

She suspects that the company will:

Get a new researcher if she sends them only the negative results

Publicize only the positive results if she sends them both

What course of action should she take?

Case VIII: Ethics of Hacking or Cracking

Goli is an independently wealthy computer security specialist

She works only for fun

She attacks commercial products for vulnerabilities and is good at finding them

She probes systems on the Internet and, when she finds vulnerabilities, she contacts the owners of the sites to offer her services to fix them

She loves good pastry and plants programs that slow the performance of web sites of bakeries that don't use enough butter in their pastries

Analysis

Is it ethical for Goli to probe for vulnerabilities in systems?

What if her probing sometimes causes failures or performance problems?

How much and to whom should she report the vulnerabilities she finds?

What if she damaged websites based on an issue more serious than butter?

What if she only damaged websites for companies with records of human rights abuses?

Codes of Ethics

Codes of ethics

Many computer organizations have their own codes of ethics

IEEE

ACM

Computer Ethics Institute

Partly, they created these because that's what organizations do

I believe you can be kicked out of the organization if you flagrantly violate its ethics

10 Commandments of Computer Ethics

I like these the best out of the three because they are short and clear:

1. Thou shalt not use a computer to harm other people.

2. Thou shalt not interfere with other people's computer work.

3. Thou shalt not snoop around in other people's computer files.

4. Thou shalt not use a computer to steal.

5. Thou shalt not use a computer to bear false witness.

6. Thou shalt not copy or use proprietary software for which you have not paid.

7. Thou shalt not use other people's computer resources without authorization or proper compensation.

8. Thou shalt not appropriate other people's intellectual output.

9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.

10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow human beings.

Upcoming

Next time…

Review up to Exam 1

Reminders

Review Chapters 1, 2, and 12

Finish Assignment 5

Due tonight before midnight

Keep cracking each other's Project 3