“Are Computer Hacker Break-ins Ethical?” Eugene Spafford

Upload: mia-eaker

Post on 08-Jul-2015


Category:

Education



TRANSCRIPT

Page 1: Are Computer Hacker Break-ins Ethical -- Spafford

“Are Computer Hacker Break-ins Ethical?”

Eugene Spafford

Page 2: Are Computer Hacker Break-ins Ethical -- Spafford

Spafford’s Points Against Hacking:

1. Ethics should be measured by an act itself, not its consequences.

2. Hacker break-ins are immoral acts.

3. They are never ethical regardless of circumstances.

4. Computer professionals need to spread the word.

Page 3: Are Computer Hacker Break-ins Ethical -- Spafford

In 1988…

Robert T. Morris released the first Internet worm

Page 4: Are Computer Hacker Break-ins Ethical -- Spafford

Morris Worm

• Reason -- Supposedly to expose security flaws

• Unexpected Result -- The worm ran amok

• Consequence -- Expensive damage at hundreds of locations

Page 5: Are Computer Hacker Break-ins Ethical -- Spafford

Morris was sentenced to three years’ probation, 400 hours of community service, a fine of $10k, and costs of damage.

Page 6: Are Computer Hacker Break-ins Ethical -- Spafford

Ethics Theories

Page 7: Are Computer Hacker Break-ins Ethical -- Spafford

Why ethics theories?

• Spafford reminds us that to say something is right/wrong, we need to know why…

• Intuitions are unreliable.

Page 8: Are Computer Hacker Break-ins Ethical -- Spafford

Two Big Ethics Theories Here

1. Consequentialism

• An act is right or wrong based on its effects

2. Deontology

• The act itself is right/wrong

• Effects don’t matter

Page 9: Are Computer Hacker Break-ins Ethical -- Spafford

Consequentialism

Why is this wrong?

Page 10: Are Computer Hacker Break-ins Ethical -- Spafford

Consequentialism

Spafford does not like consequentialism.

1. Effects are unpredictable.

What are the effects of GMOs?

Page 11: Are Computer Hacker Break-ins Ethical -- Spafford

Consequentialism

Spafford does not like consequentialism.

2. Counter-intuitive results.

Execution of smokers…

Page 12: Are Computer Hacker Break-ins Ethical -- Spafford

Deontology

The act itself can be deemed right/wrong, independent of consequences.

Why is this wrong?

Page 13: Are Computer Hacker Break-ins Ethical -- Spafford

Deontology

Also has problems:

1. Under-determines actions

• “treat workers like human beings”

• Can’t use workers as means – business problems?

2. Counter-intuitive results

• “are there Jews in your attic?”

Page 14: Are Computer Hacker Break-ins Ethical -- Spafford

Harder than it looks:

1. The problems are similar, and

2. Spafford says he likes deontology…

• But all of his arguments are consequentialist.

Page 15: Are Computer Hacker Break-ins Ethical -- Spafford

From Spafford---

“A system of ethics that considered primarily only the results of our actions would not allow us to evaluate our current activities at the time when we would need such guidance; if we are unable to discern the appropriate course of action prior to its commission, then our system of ethics is of little or no value to us. To obtain ethical guidance, we must base our actions primarily on evaluations of the actions and not on the possible results.”

“We cannot know, for instance, if increased security awareness and restrictions are better for society in the long-term, or whether these additional restrictions will result in greater costs and annoyance when using computer systems. We also do not know how many of these changes are directly traceable to incidents of computer break-ins.”

Page 16: Are Computer Hacker Break-ins Ethical -- Spafford

Spafford’s arguments

Page 17: Are Computer Hacker Break-ins Ethical -- Spafford

They say: Hacker ethic

“Information wants to be free.”

Should people be allowed to own information? What kind?

Page 18: Are Computer Hacker Break-ins Ethical -- Spafford

Spafford says:

“Destroys Privacy and Property”

Page 19: Are Computer Hacker Break-ins Ethical -- Spafford

Problems:

• Consider bank balances, medical records, credit history, employment records, etc.

• The problem is both a matter of theft and of being able to alter information.

• If everyone has access, how can we trust it to be unaltered?

Page 20: Are Computer Hacker Break-ins Ethical -- Spafford

But notice:

• You still need a theory of privacy and property.

• Closed/proprietary may be bad for security.

• Room for a middle: CC licenses, etc.

Page 21: Are Computer Hacker Break-ins Ethical -- Spafford

They say: Hacker Ethic

“We show security problems to a community that will not otherwise notice.”

Page 22: Are Computer Hacker Break-ins Ethical -- Spafford

Spafford says:

People care about security – just report it!

“Your sprinklers don’t work!”

So I set a fire to show you…?

Page 23: Are Computer Hacker Break-ins Ethical -- Spafford

They say: Hacker Ethic

“Exposing security flaws is a service.”

Is this a service?

What could be the consequences?

Page 24: Are Computer Hacker Break-ins Ethical -- Spafford

Spafford says:

1. “Assumes there is some compelling need to force users to install fixes” and

2. This need justifies break-ins

• Consider – Would it be justifiable to break into a home repeatedly to demonstrate its lack of security?

• Deontology – It must be universalizable (hints at this through analogies, but never really says it…)

Let’s grant that (2) is false…

Page 25: Are Computer Hacker Break-ins Ethical -- Spafford

Spafford says:

“The claim is made that without highly-visible break-ins, vendors will not produce or distribute necessary fixes to software. This attitude is naive, and is neither economically feasible nor technically workable. Certainly, vendors should bear some responsibility for the adequacy of their software, but they should not be responsible for fixing every possible flaw in every possible configuration.”

Page 26: Are Computer Hacker Break-ins Ethical -- Spafford

They say: Hacker Ethic

They are making use of idle machines not being used anywhere near their capacity.

Therefore, they are entitled to use them.

Page 27: Are Computer Hacker Break-ins Ethical -- Spafford

Spafford says:

1) These systems are not meant for general use; they serve specific purposes.

2) There is no other circumstance where someone can buy and maintain a product and then have others claim a right to it.

• What if someone stole your car and claimed that you weren’t using it enough?

Page 28: Are Computer Hacker Break-ins Ethical -- Spafford

They say: Hacker Ethic

• Student hackers claim to do no harm – they are merely learning how systems work.

• Furthering education

• Cost effective

• Harmless

Page 29: Are Computer Hacker Break-ins Ethical -- Spafford

Spafford says:

1) Writing vandalware and breaking into a system has nothing to do with education.

2) People who are “learning” or “looking around” can’t possibly guarantee that they are not making changes or causing harm.

Page 30: Are Computer Hacker Break-ins Ethical -- Spafford

They say: Hacker Ethic

Some hackers who break into systems to watch for data abuse are actually protectors with good intentions.

• “Keeping ‘Big Brother’ at bay”

Sounds noble---

Page 31: Are Computer Hacker Break-ins Ethical -- Spafford

Spafford says:

*Spafford agrees that there may be misuse of personal data by both corporations and government.*

However—

1) This could actually cause more secrecy from such agencies (further restrictions on access to such data).

2) Do we want hackers protecting us? Shouldn’t we be relying on professionals and designers concerned with our rights?

Page 32: Are Computer Hacker Break-ins Ethical -- Spafford

A complication:

While widely read and cited, Spafford’s paper is from 1992.

How may the situation have changed since then?

Page 33: Are Computer Hacker Break-ins Ethical -- Spafford

A complication:

• Institutions hired security staff, but

• Most computers were less vulnerable then:

• Internet was dial-up

• Through proprietary or exclusive networks

Page 34: Are Computer Hacker Break-ins Ethical -- Spafford

A complication:

Today’s “massive set of always-on, powerful PCs, many with high-speed Internet connections and run by unskilled users, is a phenomenon new to the twenty-first century.”

Page 35: Are Computer Hacker Break-ins Ethical -- Spafford

A complication:

Today, there may very well be a reason to “force users to install security fixes.”

You owe it to me to get your vaccines.

Page 36: Are Computer Hacker Break-ins Ethical -- Spafford

Spafford also says:

• Not every site has the resources to patch software.

• Vendors can’t be responsible for everything users do.

• It would likely raise costs and be unappealing to users.

“It is unreasonable to expect the user community to sacrifice flexibility and pay a much higher cost per unit simply for faster corrections to the occasional security breach. That assumes it was even possible for the manufacturer to find those customers and supply them with fixes in a timely manner, something unlikely in a market where machines and software are often repackaged, traded, and resold.”

Page 37: Are Computer Hacker Break-ins Ethical -- Spafford

An obvious solution:

Auto-updates, remote server software, etc.

Page 38: Are Computer Hacker Break-ins Ethical -- Spafford

Nobody likes this…

(an early search result for WGA)

Page 39: Are Computer Hacker Break-ins Ethical -- Spafford

The openness of the net is a major source of its value.

Page 40: Are Computer Hacker Break-ins Ethical -- Spafford

In sum:

1. Internet security is a real problem.

2. The nature of the problem changes with the technology.

3. Solving it requires balancing values like privacy, property, openness, etc.

4. Ethics helps give us the tools to do that.

Page 41: Are Computer Hacker Break-ins Ethical -- Spafford

What do you think?

Should we consider some acts of hacking as ethically permissible based on consequences?

Should we consider this action unethical in all circumstances?