jeffrey-barker
CS363 Week 14 - Friday
Last time
What did we talk about last time?
  Employer and employee rights
  Computer crime
  Other issues
  Difficulty of prosecuting computer criminals
Questions?
Assignment 5
Project 3
Security tidbit of the day
Surveillance is getting cheaper and easier
Conversnitch is an art project that built an eavesdropping device out of a Raspberry Pi and a flower pot for less than $100
It is powered by a standard light bulb socket
It uploads audio through any unsecured wireless connection
Security tidbit continued
The audio is processed by Amazon's Mechanical Turk crowdsourcing platform
Then, snippets of (anonymized) conversations are posted on Conversnitch's Twitter account
Commercially, there is a $54 camera that hides in a smoke detector and an $80 one in an alarm clock and many other options
Follow the story: http://www.wired.com/2014/04/coversnitch-eavesdropping-lightbulb/
Privacy acts (mentioned already)
U.S. Privacy Act
  Enacted in 1974 to limit the amount and uses of personal information the government collects
U.S. Electronic Communications Privacy Act
  Enacted in 1986 to protect citizens from government wiretapping without a warrant
Gramm-Leach-Bliley
  Enacted in 1999 to protect the privacy of customers of financial institutions
HIPAA
  Enacted in 1996 to protect the privacy of individual medical records
More example statutes
USA Patriot Act
  Passed in 2001 in the wake of 9/11
  Allows law enforcement to wiretap if they can show to a court that the target is probably the agent of a foreign power
  Amended the U.S. Computer Fraud and Abuse Act to make damaging a protected computer a felony
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN SPAM) Act
  Bans false or misleading SMTP headers
  Prohibits deceptive subject lines
  Requires commercial e-mails to give an opt-out method
  Bans the sale or transfer of e-mails of those who have opted out
  Requires commercial e-mails to be identified as advertisements
  Has no effect on spam coming from overseas
Other Computer Crime Issues
Computer criminals are hard to catch
Much of the crime is international, and there are no international computer laws
  Although many countries cooperate to catch criminals, there are safe havens where they cannot be arrested
Technical problems make them hard to catch
  Attacks can be bounced through many intermediaries, each requiring their own search warrant
  The right network administrator has to be given the warrant (and he or she might not keep good records)
Cryptography and the law
Many countries have controls on the use of cryptography
Governments want cryptography they can break so that they can catch criminals
Laws are hard to enforce for individuals, especially now that the instructions for coding up AES are widely available
Until 1998, export of cryptography in the US was covered under laws preventing the export of weapons of war
  This definition changed, although there are still export restrictions
There were never any restrictions on the use of cryptography in the US
Absurdly, the government said that object code was subject to export restriction, but printed source code was an idea and therefore not
Escrowed cryptography
The government made proposals to relax export rules for escrowed encryption
With escrowed encryption, the government is given copies of all the keys used to protect all transmissions, but promises to use them only with court authorization
Three well known proposals for these systems were Clipper, Capstone, and Fortezza
These proposals were not adopted because of public distrust of what the government might do with all the keys
Current cryptographic policies
In 1996, the National Research Council made the following recommendations:
  No law should ban the use of any encryption inside the US
  Export controls should be relaxed
  56-bit DES (and similar levels of encryption) should be easily exportable
  Escrowed encryption isn't a mature technology
  Laws should be enacted to punish the use of encryption to commit crimes
In 1998, the government
  Allowed export of DES virtually everywhere
  Allowed unlimited size encryption to 45 industrial countries for financial institutions, medical providers, and e-commerce
  Made applying for permission to export a simpler process
Ethics and Computers
Law vs. ethics
We can't make laws to cover every single case
We rely on ethics and morals to help
An ethic is an objectively defined standard of right and wrong
A set of ethical principles makes an ethical system
We will not distinguish between ethics and morals here
  Some authors use the terms interchangeably or distinctly
Laws vs. ethics
Laws:
  Apply to everyone
  Courts determine which law applies or if one supersedes another
  Laws and courts define what is right (legal) and what is wrong (illegal)
  Laws are enforced
Ethics:
  Are personal
  Ethical positions often come into conflict with each other
  There is no universal standard of right and wrong
  There is no systematic enforcement for ethical decisions
Issues with ethics
Ethics are a set of principles for justifying what is right or wrong in a situation
Religion affects ethics because it makes strong statements about moral principles
  However, two people with the same religion can have different ethical philosophies and two people with different religions can have the same
Ethical values vary from society to society and within a society
Ethics do not provide answers
  Opposed positions may be ethically justifiable
  This is called ethical pluralism
  There is no ultimate ethical authority
Why study ethics?
People make ethical judgments all the time
If you know what is right to do and what is wrong to do in a situation, ethics can help you justify your choice
If you don't know what to do, a study of ethics can help you find the right choice
Examining an ethical choice
1. Understand the situation
  Learn all the facts about the situation first
2. Know several theories of ethical reasoning
  There may be many ways to justify different choices
3. List the ethical principles involved
  What different philosophies could be applied?
4. Determine which principles outweigh others
  This is the hard part where you have to make a subjective valuation
Consequence-based principles
One school of ethical thought examines the good (or bad) that could result from actions
  This is called the teleological theory of ethics
In a consequence-based system of ethics, you must weigh the positive consequences against the negative consequences
Egoism is the form of teleology that seeks to maximize the good for the person taking the action
Utilitarianism is the form that seeks to maximize the good for everyone
Rule-based principles
Another school of ethical reasoning is deontology, which assumes that some things are good in and of themselves
Individuals have a duty to promote these things
Examples of intrinsically good things in some deontological systems:
  Truth, knowledge, understanding, wisdom
  Justice
  Pleasure, satisfaction, happiness, life
  Peace, security, freedom
  Good reputation, honor, love, friendship
  Beauty
Rule-deontology
Rule-deontology proposes that there are universal natural laws that we should adhere to
  In so doing, we ensure the rights of others
Some examples of these duties:
  Truthfulness
  Making up for a previous wrongful act
  Thankfulness
  Distribution of happiness according to merit
  Helping other people
  Not harming others
  Improving oneself
Your system of duties might come from a religion or be even more individualized
Case Studies of Ethics
Case I: Use of Computer Services
Dave works as a programmer by day
His company does batch processing at night
He discovers that he could program at night without affecting the batch processing
He comes in at night to code software to manage his stock portfolio
Issues:
  Ownership of resources
  Effect on others
  Utilitarianism principle
  Possibility of punishment
How would it change if…
Dave began a business managing other people's portfolios for profit
Dave's salary was below average for his background
  Perhaps computer use is a reasonable perk
Dave's employer knew of other employees doing the same thing and did not stop them
Dave worked for a government office and reasoned that the computers are owned "by the people"
Case II: Privacy Rights
Donald keeps computer records for the county
Ethel has been granted access to numerical records without identifying information for research purposes
Ethel finds some interesting data, but needs to follow up by contacting the individuals
Should Donald release the data?
Issues:
  Job responsibility
  Authorized use of data
  Possible misuse
  Confidentiality
  Tacit permission
  Propriety
Extensions
Donald was the person who decided allowable access to the files
If Ethel gets the data, is it ethical for her to contact the people?
What if Ethel contacts the people to get their permission to use their data
  One third give permission
  One third deny permission
  One third do not respond
  What if one half of the people are needed to have a valid study?
Case III: Denial of Service
Charlie is working on an assignment which, because of a bug in the system that is not his fault, crashes the campus computer system
He reports the problem to campus IT and tries to change his program so that it works without crashing the system
The system crashes 10 more times, sometimes when his program is running and sometimes not
Carol is discovered to have had a program running 8 out of those 10 times, exploiting the same weakness as Charlie's original code
The IT director suspends Carol's account; she gets a D in the course and drops out of school
Analysis
Do you need any additional information to make a judgment?
Who has rights in this case and what are they?
Who has a responsibility to protect those rights?
Has Charlie acted ethically?
Has Carol acted ethically?
Has the director of IT acted ethically?
How could anyone have acted differently?
Case IV: Ownership of Programs
Greg is a programmer at Star Computers, an aerospace company that works on government contracts
He writes some utility programs that he was not assigned to write but help make his job easier
He decides to market them
Greg's manager Cathy has to tell him not to market them, even though she thinks he has the right to
Cathy quits Star and gets a job at their competitor Purple Computers
She brings copies of Greg's programs and gives them to her coworkers
Because of the software, Purple has increased productivity and gives Cathy a bonus
Greg hears about this and contacts Cathy
Cathy claims that the software belongs to the public domain because Star worked mostly from government contracts
Analysis
What are the rights of Greg, Cathy, Star, and Purple?
Where do these rights come from?
Which rights take precedence?
What additional information is needed to make a judgment?
What could Greg have done differently?
What could Cathy have done differently?
What could Purple have done differently after learning it had Star programs?
What could Star have done differently?
Case V: Proprietary Resources
Suzie owns a copy of Photoshop which she bought legitimately
As you know, the software is copyrighted, and the documentation contains a license agreement that the software is for the purchaser only
Suzie invites Luis to look at the software to see if it will fit his needs
Luis examines the software on Suzie's computer and likes it
He wants to try it in a longer test
Different outcomes
What are the ethical issues in each of the following separate scenarios:
  Suzie offers to copy the disk for Luis to use
  Suzie copies the disk for Luis to use, and he uses it for some period of time
  Suzie copies the disk for Luis to use, and he uses it for some period of time and then buys a copy
  Suzie copies the disk for Luis to try overnight with the understanding that he must bring it back tomorrow without copying it, and he complies
  Suzie does the same, but Luis makes a copy anyway
  Suzie does the same, Luis makes a copy, but he eventually buys a copy
  Suzie does the same, but Luis never returns the copy
Case VI: Fraud
Alicia is a programmer for a corporation
Her supervisor Ed tells her to write a program that allows people to edit company accounting information directly
Alicia knows that programs that can edit company accounts usually have several steps with checks in them
This program would allow anyone to change the books without a trace
Alicia mentions these issues to Ed
Ed says that her job is to write the software she's told to write
He says that this software can be used to correct mistakes made
Analysis
Is a programmer responsible for the programs he or she writes?
Is a programmer an employee who follows orders unthinkingly?
What degree of personal risk is an employee obliged to accept for opposing an improper action?
Would a program like the one here ever be justified? When?
How could a program like this one be controlled?
Would the ethical issues be changed if Alicia wrote this program on her own?
Case VII: Accuracy of Information
Emma is a researcher who is analyzing the nutritional content of a cereal called Raw Bits
She gets a statistical programmer Paul to analyze the data
His analysis shows that Raw Bits is not nutritious and may be harmful
He suggests that another set of correlations could show Raw Bits in a more favorable light
He claims he could argue any side of any issue with statistics
Analysis
Is it ethical for Paul to suggest analyzing data to support two different conclusions?
Is Paul obligated to present both positive and negative analyses? Is he responsible for their use?
Is it ethical for Emma to accept positive or negative conclusions if she doesn't understand the statistics?
She suspects that the company will
  Get a new researcher if she sends them only the negative results
  Publicize only the positive results if she sends them both
What course of action should she take?
Case VIII: Ethics of Hacking or Cracking
Goli is an independently wealthy computer security specialist
  She works only for fun
She attacks commercial products for vulnerabilities and is good at finding them
She probes systems on the Internet and, when she finds vulnerabilities, she contacts the owners of the sites to offer her services to fix them
She loves good pastry and plants programs that slow the performance of web sites of bakeries that don't use enough butter in their pastries
Analysis
Is it ethical for Goli to probe for vulnerabilities in systems?
What if her probing sometimes causes failures or performance problems?
How much and to whom should she report the vulnerabilities she finds?
What if she damaged websites based on an issue more serious than butter?
What if she only damaged websites for companies with records of human rights abuses?
Codes of Ethics
Codes of ethics
Many computer organizations have their own codes of ethics
  IEEE
  ACM
  Computer Ethics Institute
Partly, they created these because that's what organizations do
I believe you can be kicked out of the organization if you flagrantly violate its ethics
10 Commandments of Computer Ethics
I like these the best out of the three because they are short and clear:
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow human beings.
Upcoming
Next time…
Review up to Exam 1
Reminders
Review Chapters 1, 2, and 12
Finish Assignment 5
  Due tonight before midnight
Keep cracking each other's Project 3