Cryptography and Network Security
Chapter 23
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown
Chapter 23 – Legal and Ethical Aspects
touch on a few topics including:
- cybercrime and computer crime
- intellectual property issues
- privacy
- ethical issues
Cybercrime / Computer Crime
"criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity"
categorize based on computer's role:
- as target
- as storage device
- as communications tool
more comprehensive categorization seen in Cybercrime Convention, Computer Crime Surveys
Law Enforcement Challenges
Intellectual Property
Copyright
protects tangible or fixed expression of an idea but not the idea itself
is automatically assigned when created
may need to be registered in some countries
exists when:
- proposed work is original
- creator has put original idea in concrete form
e.g. literary works, musical works, dramatic works, pantomimes and choreographic works, pictorial, graphic, and sculptural works, motion pictures and other audiovisual works, sound recordings, architectural works, software-related works.
Copyright Rights
copyright owner has these exclusive rights, protected against infringement:
- reproduction right
- modification right
- distribution right
- public-performance right
- public-display right
Patents
grant a property right to the inventor to exclude others from making, using, offering for sale, or selling the invention
types:
- utility - any new and useful process, machine, article of manufacture, or composition of matter
- design - new, original, and ornamental design for an article of manufacture
- plant - discovers and asexually reproduces any distinct and new variety of plant
e.g. RSA public-key cryptosystem patent
Trademarks
a word, name, symbol, or device used in trade with goods
indicate source of goods to distinguish them from goods of others
trademark rights may be used to:
- prevent others from using a confusingly similar mark
- but not to prevent others from making the same goods or from selling the same goods or services under a clearly different mark
Intellectual Property Issues and Computer Security
- software programs: protect using copyright, perhaps patent
- database content and arrangement: protect using copyright
- digital content (audio / video / media / web): protect using copyright
- algorithms: may be able to protect by patenting
U.S. Digital Millennium Copyright Act (DMCA)
implements WIPO treaties to strengthen protections of digital copyrighted materials
encourages copyright owners to use technological measures to protect their copyrighted works, including:
- measures that prevent access to the work
- measures that prevent copying of the work
prohibits attempts to bypass the measures
have both criminal and civil penalties for this
DMCA Exemptions
certain actions are exempted from the DMCA provisions:
- fair use
- reverse engineering
- encryption research
- security testing
- personal privacy
considerable concern exists that DMCA inhibits legitimate security/crypto research
Digital Rights Management (DRM)
systems and procedures ensuring digital rights holders are clearly identified and receive stipulated payment for their works
may impose further restrictions on their use
no single DRM standard or architecture
goal often to provide mechanisms for the complete content management lifecycle
provide persistent content protection for a variety of digital content types / platforms / media
DRM Components
DRM System Architecture
Privacy
overlaps with computer security
have dramatic increase in scale of info collected and stored
motivated by law enforcement, national security, economic incentives
but individuals increasingly aware of access and use of personal / private info
concerns on extent of privacy compromise
have seen a range of responses
EU Privacy Law
European Union Data Protection Directive was adopted in 1998 to:
- ensure member states protect fundamental privacy rights when processing personal info
- prevent member states from restricting the free flow of personal info within EU
organized around principles of: notice, consent, consistency, access, security, onward transfer, enforcement
US Privacy Law
have Privacy Act of 1974 which:
- permits individuals to determine records kept
- permits individuals to forbid records being used for other purposes
- permits individuals to obtain access to records
- ensures agencies properly collect, maintain, and use personal info
- creates a private right of action for individuals
also have a range of other privacy laws
Organizational Response
"An organizational data protection and privacy policy should be developed and implemented. This policy should be communicated to all persons involved in the processing of personal information. Compliance with this policy and all relevant data protection legislation and regulations requires appropriate management structure and control. Often this is best achieved by the appointment of a person responsible, such as a data protection officer, who should provide guidance to managers, users, and service providers on their individual responsibilities and the specific procedures that should be followed. Responsibility for handling personal information and ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulations. Appropriate technical and organizational measures to protect personal information should be implemented."
Common Criteria Privacy Class
Privacy and Data Surveillance
Ethical Issues
have many potential misuses / abuses of information and electronic communication that create privacy and security problems
ethics: a system of moral principles relating benefits and harms of particular actions to rightness and wrongness of motives and ends of them
ethical behavior here not unique
but do have some unique considerations in scale of activities, in new types of entities
Ethical Hierarchy
Ethical Issues Related to Computers and Info Systems
some ethical issues from computer use:
- repositories and processors of information
- producers of new forms and types of assets
- instruments of acts
- symbols of intimidation and deception
those who understand / exploit technology, and have access permission, have power over these
issue is balancing professional responsibilities with ethical or moral responsibilities
Ethical Question Examples
whistle-blower
- when professional ethical duty conflicts with loyalty to employer
- e.g. inadequately tested software product
- organizations and professional societies should provide alternative mechanisms
potential conflict of interest
- e.g. consultant has financial interest in vendor which should be revealed to client
Codes of Conduct
ethics not precise laws or sets of facts
many areas may present ethical ambiguity
many professional societies have ethical codes of conduct which can:
1. be a positive stimulus and instill confidence
2. be educational
3. provide a measure of support
4. be a means of deterrence and discipline
5. enhance the profession's public image
Codes of Conduct
see ACM, IEEE and AITP codes
place emphasis on responsibility to other people
have some common themes:
1. dignity and worth of other people
2. personal integrity and honesty
3. responsibility for work
4. confidentiality of information
5. public safety, health, and welfare
6. participation in professional societies to improve standards of the profession
7. the notion that public knowledge and access to technology is equivalent to social power
Summary
reviewed a range of topics:
- cybercrime and computer crime
- intellectual property issues
- privacy
- ethical issues