263 lines
13 KiB
Plaintext
263 lines
13 KiB
Plaintext
|
|
ESTABLISHING ETHICS
|
|
IN THE
|
|
COMPUTER VIRUS ARENA
|
|
|
|
|
|
|
|
Paul W. Ferguson, Jr.
|
|
September, 1992
|
|
|
|
|
|
|
|
ABSTRACT
|
|
|
|
|
|
The introduction of the computer into our already complex
|
|
arsenal of tools has opened a door to a world in which the limits
|
|
are seemingly boundless. The possibilities of electronic
|
|
information and data exchange alone are enough to boggle the mind.
|
|
However, with the computer's acceptance and its growing
|
|
implementation, a debate has arisen concerning the manner in which
|
|
it is being utilized.
|
|
|
|
Today, we have a virtual stone wall separating two basic
|
|
trains of thought. On one hand, there are those who wish to make
|
|
all computer information and resources publicly available, regardless
|
|
of impact or damage afforded to unwitting users. On the other hand,
|
|
we have computer professionals, advocates and users who think
|
|
potentially damaging information should be more effectively managed
|
|
and controlled, disallowing damaging code to escape into the public
|
|
domain.
|
|
|
|
|
|
THE GRASSROOTS MOVEMENT OF COMPUTER ETHICS
|
|
|
|
|
|
Perhaps the birthplace of computer ethics was the at
|
|
Massachusetts Institute of Technology. The addition of a discarded
|
|
Lincoln Labs TX-0 in 1958 created a more personal and casual
|
|
brotherhood in the computing environment at MIT. It was soon after
|
|
this machine was introduced that many of the more inquiring minds
|
|
attending the university became enthralled with it's presence [1].
|
|
"There was no one moment when it started to dawn on the TX-0 hackers
|
|
that by devoting their technical abilities to computing with a
|
|
devotion rarely seen outside of monasteries they were the vanguard
|
|
of a daring symbiosis between man and machine", wrote Steven Levy, in
|
|
his landmark book, "Hackers: Heroes of the Computer Revolution".
|
|
This devotion to the computer led to their version of what they dubbed
|
|
"The Hacker Ethic". This "ethic" had became an honor code that
|
|
outlined ground rules for the usage of the computer resources and has
|
|
survived to this day as the foundation of what is honorable in the
|
|
computer community. Although it has been twisted and mired in its
|
|
journey into the 1990's, its inception was sincere and beneficial to
|
|
those who created it during the early days. Levy outlined five
|
|
platform values that comprised the Hacker Ethic:
|
|
|
|
"Access to computers - and anything which might teach you something
|
|
about the way the world works -- should be unlimited and total.
|
|
Always yield to the Hands-On Imperative!"
|
|
|
|
As Steven Levy outlines in his book, this was the primary
|
|
basis for computer hacker values in the early days of computerdom.
|
|
Hackers, as defined in the above statement, have always felt that
|
|
whatever environment exists, they should be afforded the freedom to
|
|
optimize it. Whether it is reprogramming an existing operating
|
|
system or establishing their own set of behavioral protocols, it is
|
|
the freedom that they seek to define their own desirable environment.
|
|
|
|
"All information should be free."
|
|
|
|
The principle idea is that if you do not know how to obtain
|
|
the information, how could you benefit or pose a threat to others who
|
|
may utilize the same resources? The primary ideal that all
|
|
information should be free has landed many of its advocates in
|
|
unprecedented litigation. Is it appropriate that anyone has the right
|
|
to examine your credit report? Or your E-Mail? Or your medical
|
|
history? These ultimately fall into the category of "information",
|
|
by this definition.
|
|
|
|
"Mistrust Authority -- Promote Decentralization."
|
|
|
|
This is an ethical factor that is still adhered to rather
|
|
strictly by hacker purists. In its beginnings, authority figures in
|
|
the computer community were inept or simply did not exist. Most
|
|
could not afford them the computing freedom they demanded. This
|
|
problem still exists and unfortunately the boundary between what
|
|
constitutes an acceptable computer ethic and activities that pose
|
|
a threat to the computer community is more complex than ever. We
|
|
have as many or more inept system administrators in the present
|
|
day computer network world.
|
|
|
|
"Hackers should be judged by their hacking, not bogus criteria such
|
|
as degrees, age, race or position."
|
|
|
|
An ethic that is perhaps one of the least threatening to
|
|
other computer enthusiasts. It is also one of the most respectable
|
|
values, considering what the true sense of hacking really is.
|
|
|
|
"You can create art and beauty on a computer."
|
|
|
|
The early hackers spent substantial resources and time
|
|
developing fractals and other display-specific tricks that were
|
|
indicative of that era. Development and extensive enhancements of
|
|
the SPACE WAR program on the early PDPs at MIT is legendary.
|
|
|
|
In the simplest sense, the early computer pioneers were
|
|
rebels in their own right -- they wanted no one to restrict their
|
|
ability to get computer time or make necessary enhancements or
|
|
adjustments to the system as they saw fit. Such is our computer
|
|
world today, to many who take it very seriously. However, one
|
|
key factor has been added -- to avoid inflicting damage. In the
|
|
strictest interpretation, it correlates to never intentionally
|
|
damaging any information that you access. Or propagating
|
|
damaging programs into an unsuspecting public domain. A true
|
|
hacker is someone who thirsts for knowledge and wishes to make
|
|
the information available to others who may not have the good
|
|
fortune or skill to acquire it otherwise.
|
|
|
|
Without getting too in-depth into the development and
|
|
progress of computers in our environment, we should address what
|
|
we have experienced in the past few years with computer viruses
|
|
and how they have affected our domain. The decision that
|
|
remains concerns our code of ethical and moral computer conduct.
|
|
|
|
|
|
COMPUTER ETHICS AND COMPUTER VIRUSES
|
|
|
|
|
|
What impact did computer viruses have on ethics in the
|
|
computer community? With the explosion of the number of computer
|
|
viruses, this remains an unanswered question. In the years since
|
|
viruses first appeared in the MS/PC-DOS computing environment,
|
|
they have grown in both numbers and complexity at an alarming
|
|
rate. They have become not only commonplace, but also extremely
|
|
difficult to defend against. The virus creators have designed,
|
|
compiled and released encrypting viruses, multipartite viruses,
|
|
stealth viruses and viruses employing encryption techniques
|
|
so bizarre that it warrants immediate concern. The scope of the
|
|
problem has grown to the point where computer users are desperate
|
|
for answers to their questions and solutions to the computer
|
|
virus dilemma.
|
|
|
|
The computer ethics situation at present is as distorted
|
|
and convoluted as it could have ever been imagined. Some of the
|
|
more disturbing activities in the virus information channels
|
|
recently, have been irresponsible postings of source code, DEBUG
|
|
scripts of live viruses and overall disregard of computer ethics
|
|
and morals. To complicate matters, virus exchange BBSs have
|
|
cropped up where viruses and virus source code are freely
|
|
exchanged. The people who engage in these activities have
|
|
successfully shown their disregard for the remainder of the
|
|
computing public. Perhaps these individuals have not given ample
|
|
thought to the consequences of their actions. By allowing live
|
|
computer viruses to freely filter into the public domain,
|
|
they are ultimately responsible for any damage inflicted, either
|
|
directly or indirectly, due to their negligence or disregard.
|
|
Perhaps they do not care. In any event, it is time for us to
|
|
reclaim control of our computing environment and establish a set
|
|
of guidelines that define what is unacceptable behavior. We
|
|
should be able to gate the damaging material that is passed
|
|
amongst those who effectively abuse the privilege. A privilege,
|
|
mind you, not a right.
|
|
|
|
|
|
|
|
INHERENT RIGHTS vs. ACQUIRED PRIVILEGES
|
|
|
|
|
|
There has evolved the question of where do we draw the line
|
|
between the free exchange of ideals and information and disallowing
|
|
damaging code to be freely exchanged to all requesters? Although
|
|
the line has not been defined, several important factors should be
|
|
considered. When considering each alternative, the "greater good"
|
|
syndrome consistently comes into play. And a myriad of questions
|
|
surface with its contemplation. Who makes these "greater good"
|
|
decisions, anyway? Is this a case of 1st Amendment rights versus
|
|
control of damaging or potentially damaging information or code?
|
|
Can legislation be enacted to absolve system administrators and forum
|
|
moderators of the burden of making ethical and morality decisions and
|
|
being inundated with charges of inhibiting someone else's rights?
|
|
|
|
These questions are only the tip of the proverbial iceberg.
|
|
Each question has it's validity and weaknesses. To use particular
|
|
examples, unfortunate instances of computer virus source code, and
|
|
even more damaging -- DEBUG scripts, readily able to be reassembled
|
|
by even the most neophyte computer user, have been posted in the
|
|
FidoNet public virus conference forums, and even more questionable
|
|
practices have been witnessed on other publicly accessible networks.
|
|
To those who posted them, it may have been an innocent act on their
|
|
part to make the information available to others in a public forum.
|
|
For whatever reason, posting of code that has the ability to
|
|
replicate (or even destroy) on an unsuspecting user's system is,
|
|
in my opinion, inherently wrong. And the assistance in propagating
|
|
it is equally guilty. Many of the virus authors and couriers hold
|
|
the belief that what they dabble and propagate is completely legal
|
|
and beneficial. Actually, they are only half right. There are
|
|
currently no laws that specifically target computer virus
|
|
distribution. The legislation that does exist, dates back to the
|
|
Computer Fraud and Abuse Act (1986) and is rather outdated.
|
|
The CFAA does not address certain topics that have become an issue
|
|
in recent years.
|
|
|
|
Several bills have been introduced into legislation that
|
|
would, indeed, have made it a criminal offense to propagate computer
|
|
viruses in a fashion that would endanger the public. In a recent
|
|
attempt to enhance the existing law, Senator Patrick Leahy (D-Ver.)
|
|
spearheaded an effort to enact an addendum to the existing CFAA [2].
|
|
Language contained within the bill (S 1322) specifically addressed
|
|
computer abusers; those which intentionally introduce computer
|
|
viruses or damaging code to systems. The proposed law would have
|
|
provided an avenue to prosecute those who never gained access to
|
|
a remote system, in the conventional sense. Misdemeanors would have
|
|
been punishable by up to one year in prison and a $5,000 fine.
|
|
Felonies would carry a maximum fine of $250,000 and a prison term
|
|
of up to five years. The bill was killed and never made it
|
|
into law.
|
|
|
|
Are there any measures in place to effectively deal with the
|
|
distribution of potentially damaging information? Yes and no.
|
|
Computer professionals around the world have independently
|
|
established casual associations of virus researchers when it became
|
|
apparent that the virus problem was something that would not resolve
|
|
itself. More recently, formal and professional organizations have
|
|
been formed that deal specifically with computer virus research,
|
|
user education and antivirus product development. This cannot
|
|
resolve the overall problem.
|
|
|
|
|
|
MAKING THE TOUGH DECISIONS
|
|
|
|
|
|
Many view virus creators as angst-ridden computer users with
|
|
an axe to grind. Many see them as rebellious teenagers wishing to
|
|
leave their graffiti on whatever computer resources they can access.
|
|
Whatever the reason, a set of moral and ethical standards need to be
|
|
created that dictate what is unacceptable behavior in the computer
|
|
community. Underground computer virus creation groups have avowed
|
|
to continue writing and distributing viruses with disregard. Is this
|
|
a protected activity under the First Amendment? Or is it just
|
|
reckless endangerment to the computer community at large? The
|
|
"greater good" rationale dictates making every effort on our part
|
|
to protect unsuspecting computer users and formulate a logical
|
|
method for stemming the flow of damaging code into the public domain.
|
|
If we sit idly by, the problem will only worsen. We may eventually
|
|
find ourselves the victims of our own procrastination.
|
|
|
|
____________________________________________________________________
|
|
|
|
|
|
[1] HACKERS - Heroes of the Computer Revolution; Steven Levy; Anchor
|
|
Press/Doubleday, 1984, ISBN 0-385-19195-2
|
|
|
|
[2] Proposed addendum to the Computer Fraud and Abuse Act (CFAA);
|
|
Margaret M. Seaborn; Government Computer News, August 5, 1991
|
|
|
|
|
|
Paul Ferguson | "Government, even in its best state,
|
|
Network Integrator | is but a necessary evil; in its worst
|
|
Centreville, Virginia USA | state, an intolerable one."
|
|
fergp@sytex.com | - Thomas Paine, Common Sense
|
|
|
|
I love my country, but I fear its government.
|