Lecture 02 – Ethics
Stephen Checkoway
University of Illinois at Chicago
CS 487 – Fall 2017
Adapted from Michael Bailey’s ECE 422
Thank goodness for security experts
Security “Research” to the Rescue!
• Researchers want to help, to benefit the internet community
• …but oh, the temptations!
First to publish; do something new; show how 1337 you are; fight for
funding; ends justify the means
• …and the conflicts
Affecting other research; impacting LE investigations; thwarting
mitigation efforts; protecting rights; helping the bad guys; less risky
(and less sexy) options?
What are ethics?
• “The field of ethics (or moral philosophy) involves systematizing,
defending, and recommending concepts of right and wrong
behavior.”
• Normative ethics is concerned with developing a set of morals or
guiding principles intended to influence the conduct of individuals
and groups within a population (i.e., a profession, a religion, or
society at large).
– Consequentialism: Consequences are the most important consideration
– Deontology (duty-based ethics): Following rules is most important
– Virtue ethics: An individual’s character is more important than either
actions or consequences
Philosophy 101-level ethics problem
• Situation: You’ve been captured along with 10 other people
and your captors give you a choice: Shoot one of the 10 people
yourself and everyone else lives or shoot no one and your
captors will kill all 10.
• Deontological (duty-based) ethics may have a rule, “do not kill”
so the ethical thing to do is kill no one (but then 10 people die)
• Consequentialism may dictate that one dead person is a better
outcome than 10 dead people so the ethical thing to do is to
shoot
Computer Ethics
“A typical problem in computer ethics arises because there is a
policy vacuum about how computer technology should be
used. Computers provide us with new capabilities and these in
turn give us new choices for action. Often, either no policies for
conduct in these situations exist or existing policies seem
inadequate. A central task of computer ethics is to determine
what we should do in such cases, i.e., to formulate policies to
guide our actions.”
- Moor
Ethics != Law
• “Law can be defined as a consistent set of universal rules that
are widely published, generally accepted, and usually
enforced”
• Interrelated but by no means identical (e.g., legal but not
ethical, ethical but not legal)
– Adherence to ethical principles may be required to meet regulatory requirements surrounding
academic research
– A law may illuminate the line between beneficial acts and harmful ones.
– If the computer security research community develops ethical principles and standards that are
acceptable to the profession and integrates those as standard practice, it makes it easier for
legislatures and courts to effectively perform their functions.
IANAL
• Computer Fraud and Abuse Act (CFAA)
– "it is illegal to intentionally access a computer without authorization or in excess of authorization and
thereby obtaining information from any protecting computer."
• Digital Millennium Copyright Act (DMCA)
– “No person shall circumvent a technological measure that effectively controls access to [a work protected
by copyright law]”
• Electronic Communications Privacy Act (ECPA)
– Wiretap Act
– Pen Register Statute
– Stored Communications Act
• State and Local Laws
– Illinois; 720 ILCS § 5/17-50 to -55 (e.g., Computer fraud, Computer tampering)
• Computers and networks may carry data for a variety of institutions such as hospitals, libraries,
universities, and K-12 organizations
– Family Educational Right to Privacy Act (FERPA)
– Federal Standards for Privacy of Individually Identifiable Health Information (implements the privacy
requirements of HIPAA)
Contracts and Policies
• End User License Agreements (EULA)
– Do not criticize this product publicly
– Using this product means you will be monitored
– Do not reverse-engineer this product
– We are not responsible if this product messes up your computer
• Organizational Policies
UIC Policy Documents
• Acceptable Use Policy
http://accc.uic.edu/policy/acceptable-use-policy
• UIC Standards of conduct
https://dos.uic.edu/docs/Standards%20of%20Conduct.pdf
Existing Ethics Standards
• 1947 Nuremberg Code
• Helsinki Declaration 1964
• The IEEE, ACM, etc: Codes of Ethics
• The Belmont Report, the National Research Act, and Institutional
Review Boards (IRB)
– 45 CFR 46
• “Rules of Engagement”
– The Law of Armed Conflict
– Dittrich/Himma: Active Response Continuum
• Other Organizational Codes (Universities, Corporations, etc.)
IRB and the Belmont report
• The primary goal of the Institutional Review Board (IRB) is to assure that, in research
involving human subjects, the rights and welfare of the subjects are adequately protected.
• “Ethical Principles and Guidelines for the Protection of Human Subjects of Research”, United
States Department of Health, Education, and Welfare, April 18, 1979 (Belmont Report)
• Respect for persons
– Individuals should be treated autonomously
– Informed consent should be freely given
• Beneficence
– Do no harm
– Maximize possible benefits/minimize risks
• Distributive Justice
– Equitable selection of research subjects
Professional Ethical Codes
• IEEE Code of Ethics (2006)
– commits members “to the highest ethical and professional conduct”.
Members agree to avoid conflicts of interest, be honest, engage in
responsible decision making, accept criticism of work, etc
• ACM Code of Ethics and Professional conduct (1992)
– “contribute to society and human well-being”, “avoid harm to
others”, along with six other principles (e.g., don’t discriminate, be
honest, respect privacy).
Case Study: Botnets
• Botnets, briefly
– Bots are compromised computers under the control of some 3rd party
– A collection of bots comprises a botnet
– Bots communicate with command & control servers which provide
instructions, e.g., DDOS a host, send spam, find new machines to
infect
– (Almost) every major security incident today involves botnets
Case Study: Botnets
• A researcher constructs a benign botnet out of compromised
routers and uses it to measure the entire Internet; data
released publicly and anonymously
• Is this ethical?
• What are the potential issues?
Case Study: Honeypots
• Researchers create research testbeds, connected to the
Internet, which enable testbed machines to become infected.
Honeypot
Case Study: Honeypots
• Why? Capture malware, see exactly what files it
creates/modifies/deletes, see its network traffic, find its
command and control servers
• Is this ethical?
• What are potential issues?
Case Study: Hack back
• Organizations get hacked all the time. Sometimes the only
(feasible) way to identify the attackers or prevent future
attacks is to hack back
• Is this ethical?
• Potential issues?
Case Study: Reverse Engineering, Vulnerability Disclosure?
• Researchers reverse engineer a system, discover a vulnerability,
and generate a working exploit (attack).
• Lots of debate about how and if one should disclose the
vulnerability
– Full disclosure: go public immediately
– Give vendor a deadline before disclosure
– Coordinate disclosure with the vendor
– (lots of other options)
Case Study: Reverse Engineering, Vulnerability Disclosure?
• Is this sort of reverse-engineering work ethical?
• Potential issues?
Wireless Eavesdropping
• A student in class creates a wireless network access point with
no encryption or authentication and observes users who
connect to it.
• Is this ethical?
• Potential issues?
Moving forward
• In this class you will not be asked to do anything that is illegal,
unethical, or against university policy, so maybe you shouldn’t
…
• Ask permission not forgiveness
• Principle of least surprise
To Learn More…
• http://www.icir.org/vern/cs261n/papers/burstein_legal_leet.pdf
• David Dittrich, Michael Bailey, Sven Dietrich. Building an Active
Computer Security Ethics Community.
• Dittrich, David and Kenneally, Erin and Bailey, Michael, Applying
Ethical Principles to Information and Communication Technology
Research: A Companion to the Menlo Report
• https://www.acm.org/about/code-of-ethics
• http://www.ieee.org/about/corporate/governance/p7-8.html
• https://www.eff.org/pages/grey-hat-guide
• http://www.cam.illinois.edu/viii/viii-1.1.htm
Questions?