Security

   The act of gaining unauthorized access to computer systems
   should not be criminalized, provided that no damage is done.



Team Members: Desmund Collins, Rebecca Crotty, Jasmine Georges, Diana
Massey, & Nikita Mazurov
    Let’s define some terms…
    (According to the Free On-Line Dictionary of Computing, available at
    http://foldoc.doc.ic.ac.uk/foldoc/index.html)

   HACKER: “A person who enjoys exploring the details of programmable
    systems and how to stretch their capabilities, as opposed to most users,
    who prefer to learn only the minimum necessary.” Or, “one who programs
    enthusiastically (even obsessively) or who enjoys programming rather
    than just theorizing about programming.”

   CRACKER: “An individual who attempts to gain unauthorized access to a
    computer system. These individuals are often malicious and have many
    means at their disposal for breaking into a system.” It is interesting to note
    that “cracking does not usually involve some mysterious leap of hackerly
    brilliance, but rather persistence and the dogged repetition of a handful of
    fairly well-known tricks that exploit common weaknesses in the security of
    target systems. Accordingly, most crackers are only mediocre hackers.”

                            No damage = Not criminal
Vulnerability Discovery Helps Companies
and Protects Customers
   A benign intruder discovers a vulnerability in the software used
    by a company.
   If the intruder’s actions (assuming no damage is done) are not
    criminalized, the intruder feels safe to make contact with the
    company.
   Once the security hole is explained, the company can work on
    a solution, or even use one proposed by the intruder.
   Result: When a malignant intruder tries to penetrate the
    company’s security, he finds that the particular hole has
    already been patched, thanks to the benign intruder.
   IF legal action could be taken against the benign intruder, the
    intruder would not feel comfortable contacting the company.
   Result: The malignant intruder successfully penetrates the company’s
    security, gaining access to customer data such as SSNs, credit card
    numbers, trade secrets, etc.
Examples of the Benefits of Public
Vulnerability Announcement
   “As Muhammad Faisal Rauf Danka recalls it, he tried 10 times to call a
    software maker about a devastating security flaw in one of its most
    popular programs….But nothing happened. Then he took his findings to a
    global audience — a worldwide mailing list devoted to exposing and
    exploring software bugs. Within days, Microsoft acknowledged that 200
    million of its Passport accounts had been left open, apparently for months,
    allowing the easy hijacking of credit-card and other personal data. The
    company shut down the Passport system and fixed the hole.”[1]
    [1] Zorz, Mirko. Hackers, Software Companies Feud Over Disclosure of
    Weaknesses. 15 July 2003. Help Net Security. 01 April 2004.
    <http://www.net-security.org/news.php?id=3121>.

   “I personally have experienced vendors who reply that they will not
    consider my findings because I am not registered as a customer.”[2]
    – Arne Vidstrom, columnist
    [2] Vidstrom, Arne. Full Disclosure of Vulnerabilities - Pros/Cons and
    Fake Arguments. Help Net Security. 01 April 2004.
    <http://www.net-security.org/article.php?id=86>.

   By keeping benign intrusion legal, companies can be spurred to
    create software patches that keep the bad guys out.
  Social Benefits
      Overly strict regulation in this area will curb the “teenage hacker’s
       unbounded inquisitiveness,” which could otherwise be developed into
       “constructive learning and use” (Lee). Restrictions will be more
       effective at limiting technology growth and development, which
       benefits society greatly, than at limiting harmful activities.
      FAMOUS HACKERS WHO BENEFITED SOCIETY (from Lee):
        – Lee Felsenstein, who created the Osborne Computer
        – Steven Wozniak, who designed the Apple
      Ethical hackers hold “that information-sharing is a powerful
       positive good, and that it is an ethical duty of hackers to share
       their expertise by writing free software and facilitating access to
       information and to computing resources wherever
       possible” (FOLDOC). Furthermore, they support “the belief that
       [unauthorized system access] for fun and exploration is ethically
       OK as long as the cracker commits no theft, vandalism, or breach
       of confidentiality” (FOLDOC).
          FOR MORE INFO...
Lee, John, Gerald Segal and Rosalie Steier. “Positive Alternatives: A report on an ACM panel on hacking.”
Communications of the ACM. Vol. 29, No. 4. April 1986.
Cracking as a Form of Public
Safety
   If the information that someone is hiding can
    result in harm to another person, then at
    some point the decision must be made to invade
    privacy in order to save that person. The
    government uses this type of logic in its policy
    on cases of clear and imminent danger.
    – (Example Situation)
        In situations like 9/11, if there is a way to crack into the
        database of those plotting against the U.S., then we
        should be able to do so as a matter of public safety.
Cracking: An Expression of One’s
1st Amendment Right
   Computers serve as a gateway to a world
    of information. Gaining information
    through the use of a computer
    should not be criminalized.
    – A matter of freedom of speech and access to
      information
    – Information cannot be owned
    – An individual’s privacy vs. a corporation’s or the
      government’s privacy: is there a double
      standard?
“Crackers:” The Defamation of
the Name
 Crackers have been given a bad name because
  people tend to focus on the malicious acts that
  are brought to the public’s attention by the
  media.
 The majority of crackers break into systems
  simply to learn more about how the computer
  operates.
 Rather than being seen as malicious criminals,
  they should be viewed as heroic figures helping
  to make computer systems more secure.
      FOR MORE INFO...

Denning, Dorothy, E. “Concerning Hackers Who Break into Computer Systems.”
http://www.sgrm.com/art-7.htm (An article presented at the 13th National Computer
Security Conference in 1990.)
Hacktivism & Electronic Civil
Disobedience
   Hacktivism is defined as “the (sometimes) clandestine use of
    computer hacking to help advance political causes.”[1]
   Electronic Civil Disobedience entails the peaceful breaking of
    unjust laws using the computer as a tool.
   It allows people to raise awareness of unjust laws, or to protest
    perceived unjust acts of individuals, corporations, organizations,
    and governments.
   To be considered an act of civil disobedience, an act must:
     –   Be non-violent and cause no damage to persons or property
     –   Not be for personal profit
     –   Have some ethical motivation
     –   Involve a willingness to accept personal responsibility
   People who intentionally hack websites to raise awareness should
    not receive the same felony charges as people who use
    “cracking” as a way to destroy computer systems, or even to cause
    harm or death to the people who own them.
       FOR MORE INFO...
[1] Goodrum, Abby and Mark Manion. “Terrorism or Civil Disobedience: Toward a
Hacktivist Ethic.” Computers and Society (June 2000): 14-19.
Examples of Successful Hacktivism
Against Government and Corporations
    Several Indonesian government websites were hacked to
     protest the targeting of ethnic Chinese citizens for
     torture, rape, and looting during the anti-Suharto riots of May
     1998. The hackers altered web pages to call for full
     autonomy for East Timor and an end to the harsh military
     crackdown on dissidents.
    etoy.com vs. eToys.com: Even though etoy.com, a Swiss
     artist group’s website, existed first, eToys.com, a new US
     online toy store, succeeded in shutting down etoy.com
     because it had a similar name. etoy.com supporters
     fought back and managed to drive down eToys.com’s stock price,
     which led to the artists keeping their domain name.

       FOR MORE INFO...

 Lemos, Robert. “Hacking for Human Rights.” http://news.com.com/2100-1001-
 269962.html?legacy=cnet (More examples of Electronic Civil Disobedience.)