Totem and Taboo in Cyberspace
Credit records are relatively easy for criminal hackers to find, although it's much harder to modify them. Patient files are supposed to be protected yet many hospitals have rudimentary safeguards that do not deter determined hackers. On another front, government employees have disclosed confidential information such as tax files and criminal records. In some cases the theft of data was for money (a few dollars for reports to unethical private investigators) and in others merely for fun (printing tax files of the rich and famous to impress one's friends). These are the electronic equivalent of breaking and entry in the physical world.
Another area of concern is eavesdropping. Industrial espionage is growing as competition heats up, especially across international borders. In the U.S., Symantec and Borland have been at loggerheads over the alleged theft of confidential information by an executive who defected from one company to the other. In Europe, General Motors and Volkswagen have been denouncing each other over allegations of a similar theft by a high-placed official.
The last decade has witnessed a troubling proliferation of malicious software such as viruses, worms, Trojan Horses, and logic bombs. A computer virus is a program which adds itself to executable code (programs and boot sectors on diskettes and disks). When the infected code is loaded into main memory (usually on a microcomputer such as an IBM-compatible PC or an Apple Macintosh), the virus can both reproduce by infecting other programs and also deliver its payload. Virus payloads range from the merely annoying (e.g., the STONED viruses usually put a plea for the legalization of marijuana on the screen) through the irritating (the Autumn viruses make the letters on one's screen drop to the bottom like so many leaves) to the destructive (viruses written by Bulgaria's Dark Avenger tend to cause random changes in data and programs anywhere on disk, leading to unpredictable and pernicious damage).
Depending on how one judges variations to be different, there are from two to four thousand recognizable viruses circulating in cyberspace. About 30 virus types account for almost all the virus infections that ordinary users are likely to encounter. STONED and JERUSALEM alone account for about five sixths of all infections. Unfortunately, criminals have put virus-writing kits into the underground networks, so now even incompetent programmers can create mutating ('polymorphic') viruses that employ sophisticated techniques ('stealth') to avoid detection.
Recent industry surveys suggest that the risk of virus infection of microcomputers (PCs and Macintosh) is a few percent per year per computer. There are currently no viruses found on user systems which infect large (mainframe) computers. There are only a few which affect UNIX operating systems or local area network operating systems.
The most widespread computer crime is software theft. Estimated rates of theft range from about 35-40% in the USA to 99% stolen in Thailand. Robert Holleyman, president of the Business Software Alliance, reports that more than 80% of the computer programs in China are pirated, making it one of the worst stealers of software in Asia and costing the worldwide industry US$500 million a year. Sometimes stolen programs are available in Asia before they are released legally.
Apparently China is now concerned about copyright violations in part because its own software industry is being harmed. Yang Tianxin, chief of the computer division of the ministry of electronic industry, claims that China is just beginning to attack this problem using criminal penalties and education.
Western nations also need to integrate respect for intellectual property into
normal morality. Too many managers, teachers, technicians and just plain users
are stealing software by making unauthorized copies of copyrighted programs.
It's no wonder children trade pirated copies of computer games with no awareness
of doing wrong.
Most computer crimes are not perpetrated by criminal hackers. Recent surveys suggest that about 85% of all computer-related crimes are committed by personnel authorized to use the computers they abused. The probability of being attacked by outsiders is only about 1 or 2% per system per year.
Within organizations, programmers occasionally write malicious software. 'Trojan Horses' are programs which have secret functions (e.g., keeping a record of passwords) along with their ostensible purposes. The AIDS Information Diskette which circulated worldwide a few years ago was a Trojan which pretended to offer information about the dread disease, but then scrambled the user's disk directory and tried to extort payment for a recovery utility. Trap Doors involve programming secret entry points for later unauthorized use; the password 'Joshua' was part of a trap door left by the creator of a top-secret government system in the movie 'War Games.'
Logic bombs are sections of program which check for particular conditions and then wreak havoc in the system. In the film, Single White Female, a programmer leaves a logic bomb in her code to wipe out her creepy client's entire fashion database because he hasn't paid her full fee. In November 1993, a Manhattan programmer and his technician were accused of planting a logic bomb in a client's software when he refused to pay the full cost of the package. Some programmers insert logic bombs in their code as a matter of course.
The cyberspace equivalent of vandalism occurs when intruders or disgruntled employees deliberately damage or destroy information. The 414 Gang (so named from the area code of their Milwaukee homes) damaged clinical research data in their forays through the networks in the early 1980s. Two teenagers from Staten Island caused $2.1 million of damage to the voice-mail system of a publisher by erasing orders for advertising and leaving obscene messages which offended clients. When they were finally tracked down and arrested, the 14 and 17 year-olds admitted that their depredations were revenge for having failed to receive a promised poster from the publisher.
In a report at the 16th National Computer Security Conference in Baltimore, MD in September 1993, an investigator whose team tracks the underground BBSs revealed that detailed instructions for weapons of terrorism are freely available in cyberspace. The published recipes for home-made bombs were evaluated by professionals from military special forces and were pronounced to be workable, albeit dangerous for amateurs.
Some administrators at universities with Internet connections have been put under opposing pressures because of the availability of graphic pornography graphics. There have been threats of lawsuits for allowing such materials to enter the campus systems and threats of lawsuits for forbidding such materials to enter the campus systems. Some pedophile BBS operators have been found to use their systems to entice youngsters into meetings by offering illicit files and cheap stolen hardware and software. It is easy to create false identities through electronic mail. Some denizens of cyberspace use one or more pseudonyms ('handles'). A major hacker conference was announced on the Internet by 'email@example.com' with no other identification made available. Some 'cypherpunks' insist that there should be no interference with this practice, arguing that any attempt to enforce identification would be a gross infringement of their privacy.
Advocates of anonymous and pseudonymous postings defend their preference by pointing to the long-standing acceptance of pseudonyms in print. I wonder if they would defend wearing face masks during face-to-face conversations?
Who Are the Technopaths?
Because of the shadowy nature of the computer underground, where real names are few and role-playing is the norm, it is hard to find reliable statistics about the demographics of what famed Bulgarian antivirus researcher Vesselin Bontchev (later at the University of Hamburg) has called 'technopaths.' The consensus in the computer underground is that they are predominantly teenaged boys and young men. These maladapted, undersocialized, emotionally-underdeveloped individuals adopt noms-de-guerre ('handles') like Phiber Optik, Acid Phreak, Dark Avenger, The Leftist, The Prophet, The Urvile, and Necron 99. They form electronic gangs with ludicrous names like Masters of Deception and Legion of Doom. Much of this is adolescent posturing; as one member of the latter group commented, 'We couldn't very well call ourselves the Legion of Flower-Pickers.'
Several popular books have provided insights into the psychology of criminal hackers. One of the best is by Katie Hafner and John Markoff, Cyberpunk: Outlaws and Hackers on the Computer Frontier. (Touchstone Books, Simon & Schuster (New York, 1991). ISBN 0-671-77879-X. 368 pp. Index).
Sarah Gordon of the IBM T. J. Watson Research Center has written extensively on her interviews with virus writers (see http://www.av.ibm.com/InsideTheLab/Bookshelf/ScientificPapers/Gordon/GenericVirusWriter.html). Her main point is that the virus-writing community (and probably the criminal hacker community) should not be viewed as monolithic, but rather that it is composed of a wide variety of personality types and stages of moral development.
Are Some Hackers Crazy?
The standard reference work on psychiatric disorders (Diagnostic and Statistical Manual, American Psychiatric Association) defines the Narcissistic Personality Disorder in these terms:
The essential feature is a Personality Disorder... in which there are a grandiose sense of self-importance or uniqueness; preoccupation with fantasies of unlimited success; exhibitionistic need for constant attention and admiration; characteristic responses to threats to self-esteem; and characteristic disturbances in interpersonal relationships, such as feelings of entitlement, interpersonal exploitativeness, relationships that alternate between the extremes of overidealization and devaluation, and lack of empathy....
...In response to criticism, defeat or disappointment, there is either a cool indifference or marked feelings of rage, inferiority, shame, humiliation, or emptiness.... Entitlement, the expectation of special favors without assuming reciprocal responsibilities, is usually present. For example, surprise and anger are felt because others will not do what is wanted; more is expected from people than is reasonable.
Sound like hackers?
During the 1990 December holiday season, some 250 hackers gathered for their
'Christmas Con' in a hotel near Houston airport. After consuming too many beers
and pulling fire alarms, the group was evicted from the hotel. This sort of
behavior is associated with the Antisocial Personality Disorder, whose '...essential
feature is... a history of continuous and chronic antisocial behavior in which
the rights of others are violated....' (DSM III; APA, 1980). In 1993, some of
the 200 attendees at HoHoCon in Austin pulled fire alarms after a night of drunken
carousing and viewing pornographic movies. In the Austin HoHoCon in December
1993, criminal hackers discussed cracking cellular phones, shared information
on new techniques for stealing long-distance services, and boasted of posting
anarchist files on BBSs. When I challenged "Deth Vegetable" for having
posted instructions on how to make bombs out of household cleaning supplies,
his friends glared angrily at me and hissed, "It wasn't illegal. He had
a right to post whatever he wanted." Deth Vegetable rejected responsibility
for the consequences of his actions; although he regretted that two children
had recently destroyed their hands in an explosion while following the details
of his file, he sneered that perhaps it was evolution in action. He admitted
that maybe it seemed wrong, but he didn't know why. "And anyway,"
he shrugged, "who's to say if it's right or wrong?" "Who's to
say??" I asked. "You are. I am. We are."
The culture of criminal hackers seems to glorify behavior which would be classified as sociopathic or frankly psychotic. These behaviors must not become normative.
Technical approaches to behavioral problems have a limited scope. Some attempts to protect cyberspace concentrate on making it harder to do harm. For example, system managers are supposed to pay strict attention to how people can enter their systems and networks; this area of concern is known as access control. Some of the more successful methods currently in use include one-time password generators. Such hand-held units, about the size of a credit card, generate random-looking codes which can be used for logging into computer systems and networks, but which are valid for only one minute.
Modems which garble transmissions make it impossible to crack systems using brute-force methods. Instead of trying hundreds of passwords without hindrance, criminal hackers would be forced to turn to the much slower techniques of lying and spying (social engineering). Even if criminal hackers were to enter a secure system, encrypted data would severely interfere with their ability to cause trouble. Unfortunately, encryption is still not in general use in the business community.
Finally, if more victims of computer crime were to report what happened, the computer security industry could develop the same kind of shared expertise as the insurance industry's actuaries. It would help immeasurably to have a library of documented case studies of computer crime available for study by computer science students, sociologists, criminologists and security experts. All organizations hit by computer criminals are encouraged to report what happened to the Computer Emergency Response Team Coordination Center (CERT-CC) at Carnegie Mellon University in Pittsburgh, PA.
Technical solutions appeal to the rational propensities of security specialists. But since people are at the core of computer crime, psychosocial factors must be at the core of efforts to contain it.
Security is the tooth-flossing of the computer world: it's boring and repetitive, slightly distasteful, and has no obvious, immediate benefits. Even worse, the better the implementation, the less frequently problems arise. Security cannot be achieved by superficial changes of style. Just as the Total Quality Management movement emphasizes that the concern for quality must pervade all aspects of working culture, information security must become part of the corporate culture.
Security professionals have to deal with the psychological difficulties of trying to change long-rooted patterns of social behaviour. For example, a typical security policy states that no one may allow another employee to 'piggyback' into a secure area; that is, each person entering through a secured door must use their own access-control device. However, politeness dictates the opposite: we hold a door open and invite our friends and colleagues to enter before we do. To learn new habits, it is useful to address the conflict directly: acknowledging that the policy will be uncomfortable at first is a good step to making it less uncomfortable. For example, employees should participate in role-playing exercises. First, they can practice refusing access to colleagues who accept the policies graciously, then move on to arguments with less-friendly colleagues. Finally they can learn to deal with confrontations with colleagues who pretend to be higher-rank and hostile. Managers should practise being refused access to secured areas.
In grade schools, high schools, colleges and universities, students are introduced early to computer systems and expected to master and use computers in their studies. All too often, however, ethical issues about computer usage are neglected. Some instructors blatantly steal copyrighted software or tell their young charges to do so ('Here, copy this diskette and return the original'). Other children entrain their younger contemporaries into the glitzy world of computer virus exchanges and virus writing. There's always the allure of computerized pornography on local bulletin boards -- an allure enhanced by the lack of knowledge of parents and teachers about the very existence of such sources.
Lonnie Moore is computer security manager at the Lawrence Livermore National Laboratory. With the help of Gale Warshawsky, an employee who happens to be an experienced puppeteer, Moore has created an appealing and entertaining security awareness video for children in elementary schools. The heroes are Chip, the friendly computer, and Gooseberry, the hapless untrained user. The villain is Dirty Dan, the nasty hacker. Dan drops crumbs into Chip's keyboard, destroys files and makes Chip cry, then makes Chip dizzy by feeding him a virus from another computer. Moore explains, 'What we're trying to do is learn from the mistakes that have been made. They understand good guys and bad guys. We also teach them to try to have some feeling for the others involved.'
A major telephone company in the U.S. has created a video for middle-school children which addresses telephone fraud in an entertaining and informative way.
The Computer Ethics Institute in Washington, DC, has published the Ten Commandments of Computer Ethics:
Thou shalt not use a computer to harm other people.
Thou shalt not interfere with other people's computer work.
Thou shalt not snoop around in other people's computer files.
Thou shalt not use a computer to steal.
Thou shalt not use a computer to bear false witness.
Thou shalt not copy or use proprietary software for which you have not paid.
Thou shalt not use other people's computer resources without authorization or proper compensation.
Thou shalt not use other people's intellectual output [without due acknowledgement].
Thou shalt think about the social consequences of the program you are writing or the system you are designing.
Thou shalt always use a computer in ways that demonstrate consideration and respect for your fellow humans.
Efforts such as these are the beginning of a response to lawlessness in cyberspace. Operating at the human level, they are ultimately as important as technical solutions to computer crime.
The Moral Universe of Computer Users
It takes time to integrate morality into our technological universe. Twenty years ago, many drivers felt that driving under the influence of alcohol was adventurous. Today most people feel that it's stupid and irresponsible. Smoking in public is becoming rare. Many of us in northern cities have witnessed exiled smokers huddled together in the cold outside buildings where they once lit up with impunity.
Similarly, we need a consensus on good behavior in cyberspace.
Criminal hackers who break into computer systems and roam through users' private files should be viewed as Peeping Toms. Criminals using computers to extort money or steal services should be recognized as thieves. Those who destroy records, leave logic bombs, and write viruses should be viewed as vandals. Hackers who smear obscenities in source code should be seen as twisted personalities in need of punishment and therapy. Government agencies proposing to interfere in electronic communications should be subject to scrutiny and intense lobbying.
Beyond such prohibitions and inhibitions of taboos, cyberspace needs the electronic equivalent of Emily Post. We need to discuss the immorality of virus writing, the ethical implications of logic bombs, and the criminality of electronic trespassing. We should teach children how to be good citizens of cyberspace -- and not just in schools. We should sit down with computer-using youngsters and follow them through their adventures in cyberspace. Parents should ask their teenaged whiz-kids about hacking, viruses, software theft and telephone fraud. We must bring the perspective and guidance of adult generations to bear on a world that is evolving faster than most of us can imagine.
Participants in the National Computer Security Conferences [now the National Information Systems Security Conference] should be at the forefront of efforts to reach out into the wider community. If experts in security cannot express their values, who will?
The adolescent confraternity of criminal hackers and virus writers have already begun developing totems: the personae of Dark Avenger and Acid Phreak loom over youngsters much as Robin Hood once did for another generation.
What we need now are taboos to match the totems.
For Further Reading
The ICSA Web Site
The COAST Hotlist
Forester, T. & P. Morrison (1990). Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing. MIT Press (Cambridge, MA). ISBN 0-262-06131-7. vi + 193. Index.
Goodell, J. (1996). The Cyberthief and the Samurai: The True Story of Kevin Mitnick -- and the Man Who Hunted Him Down. Dell (New York). ISBN 0-440-22205-2. xix + 328.
Gordon, S. (1994). Technologically enabled crime: Shifting paradigms for the
year 2000. Originally published in Computers and Security.
Gordon, S. (1994). The generic virus writer. First presented at 4th International
Virus Bulletin Conference.
Hafner, K. & J. Markoff (1991). Cyberpunk: Outlaws and Hackers on the Computer Frontier. Touchstone Books, Simon & Schuster (New York). ISBN 0-671-77879-X. 368. Index.
Hutt, A. E., S. Bosworth & D. B. Hoyt, editors (1995). Computer Security Handbook, Third Edition. John Wiley & Son (New York). ISBN 0-471-01907-0 (cloth; $125); 0-471-11854-0 (paper; $60).
Kabay, M. E. (1996). The NCSA Guide to Enterprise Security: Protecting Information Assets. McGraw-Hill (New York). ISBN 0-07-033147-2. xii + 388 pp. Index.
Kabay, M. E. (1996). The InfoSec Year in Review 1996.
Kabay, M. E. (1997). The InfoSec Year in Review 1997.
Kabay, M. E. (1998). Anonymity and Pseudonymity in Cyberspace: Deindividuation, Incivility and Lawlessness Versus Freedom and Privacy. http://www.icsa.net/library/research/anonymity.shtml
Kallman, E. A. & J. P. Grillo (1996). Ethical Decision Making and Information Technology: An Introduction with Cases, Second Edition. ISBN 0-07-034090-0. xiv + 138. Index.
Levy, S. (1994). Hackers: Heroes of the Computer Revolution. Delta. ISBN: 0-385-31210-5.
Littman, J. (1996). The Fugitive Game: Online with Kevin Mitnick -- The Inside Story of the Great Cyberchase. Little, Brown and Company (Boston). ISBN 0-316-5258-7. x + 383.
Marsh, R. T. (1997), chair. Critical Foundations: Protecting America's Infrastructures. The Report of the President's Commission on Critical Infrastructure Protection. See http://www.pccip.gov/info.html for details and ordering information.
Parker, D. B. (1998) Fighting Computer Crime: A New Framework for Protecting Information. Wiley (NY) ISBN 0-471-16378-3. xv + 500 pp; index
Schwartau, W. (1991). Terminal Compromise (novel). Inter.Pact Press (Seminole, FL). ISBN 0-962-87000-5. 562 pp.
Schwartau, W. (1996). Information Warfare, Second Edition. Thunder's Mouth Press (New York). ISBN 1-56025-132-8. 768 pp. Index.
Shimomura, T. & J. Markoff (1996). Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw -- by the Man Who Did It. Hyperion (New York). ISBN 0-7868-6210-6. xii + 324. Index.
Slatalla, M. & J. Quittner (1995). Masters of Deception: The Gang that Ruled Cyberspace. HarperCollins (New York). ISBN 0-06-017030-1. 225 pp.
Smith, G. (1994). The Virus Creation Labs: A Journey into the Underground. American Eagle Publications (Tucson, AZ). ISBN 0-929408-09-8. 172 pp.
Sterling, B. (1992). The Hacker Crackdown: Law and Disorder on the Electronic Frontier. Bantam Doubleday Dell (New York). ISBN 0-553-08058-X. xiv + 328. Index.
Stoll, C. (1989). The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. Pocket Books (Simon & Schuster, New York). ISBN 0-671-72688-9. viii + 356.
SecurityPortal is the world's foremost on-line resource and services
provider for companies and individuals concerned about protecting their
information systems and networks.
The Focal Point for Security on the Net (tm)
Page 2 of 2