Lecture02– Ethics

StephenCheckoway

UniversityofIllinoisatChicago

CS487– Fall2017

AdaptedfromMichaelBailey’sECE422

Thankgoodnessforsecurityexperts

Security“Research”totheRescue!

• Researcherswanttohelp,tobenefittheinternetcommunity• …butoh,thetemptations!

Firsttopublish;dosomethingnew;showhow1337youare;fightfor

funding;endsjustifythemeans

• …andtheconflicts

Affectingotherresearch;impactingLEinvestigations;thwarting

mitigationefforts;protectingrights;helpingthebadguys;lessrisky

(andlesssexy)options?

Whatareethics?

• “Thefieldofethics(ormoralphilosophy)involvessystematizing,

defending,andrecommendingconceptsofrightandwrong

behavior.”

• Normativeethics,isconcernedwithdevelopingasetofmoralsor

guidingprinciplesintendedtoinfluencetheconductofindividuals

andgroupswithinapopulation(i.e.,aprofession,areligion,or

societyatlarge).

– Consequentialism:Consequencesarethemostimportantconsideration

– Deontology(duty-basedethics):Followingrulesismostimportant

– Virtueethics:Anindividual’scharacterismoreimportantthaneither

actionsorconsequences

Philosophy101-levelethicsproblem

• Situation:You’vebeencapturedalongwith10otherpeople

andyourcaptorsgiveyouachoice:Shootoneofthe10people

yourselfandeveryoneelselivesorshootnooneandyour

captorswillkillall10.

• Deontological(duty-based)ethicsmayhavearule,“donotkill”

sotheethicalthingtodoiskillnoone(butthen10peopledie)

• Consequentialismmaydictatethatonedeadpersonisabetter

outcomethan10deadpeoplesotheethicalthingtodoisto

shoot

ComputerEthics

“Atypicalproblemincomputerethicsarisesbecausethereisa

policyvacuumabouthowcomputertechnologyshouldbe

used.Computersprovideuswithnewcapabilitiesandtheseinturngiveusnewchoicesforaction.Often,eithernopoliciesforconductinthesesituationsexistorexistingpoliciesseem

inadequate.Acentraltaskofcomputerethicsistodetermine

whatweshoulddoinsuchcases,i.e.,toformulatepoliciesto

guideouractions.”

-Moor

Ethics!=Law

• “Lawcanbedefinedasaconsistentsetofuniversalrulesthat

arewidelypublished,generallyaccepted,andusually

enforced”

• Interrelatedbutbynomeansidentical(e.g.,legalbutnot

ethical,ethicalbutnotlegal)

– Adherencetoethicalprinciplesmayberequiredtomeetregulatoryrequirementssurrounding

academicresearch

– Alawmayilluminatethelinebetweenbeneficialactsandharmfulones.

– Ifthecomputersecurityresearchcommunitydevelopsethicalprincipalsandstandardsthatare

acceptabletotheprofessionandintegratesthoseasstandardpractice,itmakesiteasierfor

legislaturesandcourtstoeffectivelyperformtheirfunctions.

IANAL

• ComputerFraudandAbuseAct(CFAA)

– "itisillegaltointentionallyaccessacomputerwithoutauthorizationorinexcessofauthorizationand

therebyobtaininginformationfromanyprotectingcomputer."

• DigitalMillenniumCopyrightAct(DMCA)

– “Nopersonshallcircumventatechnologicalmeasurethateffectivelycontrolsaccessto[aworkprotected

bycopyrightlaw]”

• ElectronicCommunicationsPrivacyAct(ECPA)

– WiretapAct

– PenRegisterStatute

– StoredCommunicationsAct

• StateandLocalLaws

– Illinois;720ILCS§ 5/17-50to-55(e.g.,Computerfraud,Computertampering)

• Computersandnetworksmaycarrydataforavarietyofinstitutionssuchashospitals,libraries,

universities,andK-12organizations

– FamilyEducationalRighttoPrivacyAct(FERPA)

– FederalStandardsforPrivacyofIndividuallyIdentifiableHealthInformation(implementstheprivacy

requirementsHIPAA)

ContractsandPolicies

• EndUserLicenseAgreements(EULA)

– Donotcriticizethisproductpublicly– Usingthisproductmeansyouwillbemonitored

– Donotreverse-engineerthisproduct–Wearenotresponsibleifthisproductmessesupyourcomputer

• OrganizationalPolicies

UICPolicyDocuments

• AcceptableUsePolicy

http://accc.uic.edu/policy/acceptable-use-policy

• UICStandardsofconduct

https://dos.uic.edu/docs/Standards%20of%20Conduct.pdf

ExistingEthicsStandards

• 1947NurembergCode

• HelsinkiDeclaration1964

• TheIEEE,ACM,etc:CodesofEthics

• TheBelmontReport,theNationalResearchAct,andInstitutional

ReviewBoards(IRB)

– 45CFR46

• “RulesofEngagement”

– TheLawofArmedConflict

– Dittrich/Himma:ActiveResponseContinuum

• OtherOrganizationalCodes(Universities,Corporations,etc.)

IRBandtheBelmontreport

• TheprimarygoaloftheInstitutionalReviewBoard(IRB)istoassurethat,inresearch

involvinghumansubjects,therightsandwelfareofthesubjectsareadequatelyprotected.

• "EthicalPrinciplesandGuidelinesfortheProtectionofHumanSubjectsofResearch”,United

StatesDepartmentofHealth,Education,andWelfare,April18,1979(BelmontReport)

• Respectforpersons

– Individualsshouldbetreatedautonomously

– Informedconsentshouldbefreelygiven

• Beneficence

– Donoharm

– Maximizepossiblebenefits/minimizerisks

• DistributiveJustice

– Equitableselectionofresearchsubjects

ProfessionalEthicalCodes

• IEEECodeofEthics(2006)

– commitsmembers”tothehighestethicalandprofessionalconduct”.

Membersagreetoavoidconflictsofinterest,behonest,engagein

responsibledecisionmaking,acceptcriticismofwork,etc

• ACMCodeofEthicsandProfessionalconduct(1992)

– “contributetosocietyandhumanwell-being”,“avoidharmto

others”,alongwithsixotherprinciples(e.g.,don’tdiscriminate,be

honest,respectprivacy).

CaseStudy:Botnets

• Botnets,briefly

– Botsarecompromisedcomputersunderthecontrolofsome3rdparty

– Collectionofbotscompriseabotnet

– Botscommunicatewithcommand&controlserverswhichprovide

instructions,e.g.,DDOSahost,sendspam,findnewmachinesto

infect

– (Almost)everymajorsecurityincidenttodayinvolvesbotnets

CaseStudy:Botnets

• Aresearcherconstructsabenignbotnetoutofcompromised

routersandusesittomeasuretheentireInternet;data

releasedpubliclyandanonymously

• Isthisethical?

• Whatarethepotentialissues?

CaseStudy:Honeypots

• Researcherscreatearesearchtestbeds,connectedtothe

Internet,whichenablestestbedmachinestobecomeinfected.

Honeypot

CaseStudy:Honeypots

• Why?Capturemalware,seeexactlywhatfilesit

creates/modifies/deletes,seeitsnetworktraffic,findits

commandandcontrolservers

• Isthisethical?

• Whatarepotentialissues?

CaseStudy:Hackback

• Organizationsgethackedallthetime.Sometimestheonly

(feasible)waytoidentifytheattackersorpreventfuture

attacksistohackback

• Isthisethical?

• Potentialissues?

CaseStudy:ReverseEngineering,Vulnerability

Disclosure?

• Researchersreverseengineerasystem,discoveravulnerability,

andgenerateaworkingexploit(attack).

• Lotsofdebateabouthowandifoneshoulddisclosethe

vulnerability

– Fulldisclosure:gopublicimmediately

– Givevendoradeadlinebeforedisclosure– Coordinatedisclosurewiththevendor– (lotsofotheroptions)

CaseStudy:ReverseEngineering,Vulnerability

Disclosure?

• Isthissortofreverse-engineeringworkethical?

• Potentialissues?

WirelessEavesdropping

• Astudentinclasscreatesawirelessnetworkaccesspointwith

noencryptionorauthenticationandobservesuserswho

connecttoit.

• Isthisethical?

• Potentialissues?

Movingforward

• Inthisclassyouwillnotbeaskedtodoanythingthatisillegal,

unethical,oragainstuniversitypolicy,somaybeyoushouldn’t

…

• Askpermission notforgiveness

• Principleofleastsurprise

ToLearnMore…

• http://www.icir.org/vern/cs261n/papers/burstein_legal_leet.pdf

• DavidDittrich,MichaelBailey,SvenDietrich.BuildinganActive

ComputerSecurityEthicsCommunity.

• Dittrich,DavidandKenneally,ErinandBailey,Michael,Applying

EthicalPrinciplestoInformationandCommunicationTechnology

Research:ACompaniontotheMenloReport

• https://www.acm.org/about/code-of-ethics

• http://www.ieee.org/about/corporate/governance/p7-8.html

• https://www.eff.org/pages/grey-hat-guide

• http://www.cam.illinois.edu/viii/viii-1.1.htm

Questions?