GuidesTotem and Taboo in Cyberspace

Totem and Taboo in Cyberspace

Fourth edition, April 2001

M. E. Kabay, PhD, CISSP
Security Leader, INFOSEC Group, AtomicTangerine Inc.

Reprinted with permission from Security Portal

Introduction

Cyberspace, the realm of computer networks, voice mail and long-distance telephone
calls, is increasingly important in our lives. Unfortunately, morally immature
phreaks, cyberpunks and criminal hackers are spoiling it for everyone. Security
professionals must speak out in the wider community and change the moral universe
to include cyberspace.

We are seeing today a period of exploration and development in a new realm
reminiscent of the colonization of North America by Europeans. As in the American
experience of the frontier, there are colonists and Amerinds, soldiers and outlaws,
priests and thieves. The frontier is cyberspace: that immaterial world where
we have phone conversations; where credit card information travels while we
wait for approval of a purchase; where our medical records and sometimes our
credit records paint a picture of our pains.

For an increasing number of us, cyberspace is also the place we meet new friends
and keep in touch with old ones, learn more about our hobbies and our professions,
and work for social and environmental change. Electronic bulletin board systems
have mushroomed throughout the world, ranging from country-clubs like CompuServe
and Prodigy through the grungy cafés of the hacker underground and on
into the pullulating bazaar of the great Internet, where philosophers rub shoulders
with dropouts and where age, gender and race are only as visible as you want
them to be.

Unfortunately, the spectacular growth of cyberspace has not been accompanied
by rules for civilized behavior. Cyberspace at the end of the twentieth century
resembles the frontier at the beginning of the eighteenth: bullies and criminals
swagger electronically through the commons, stealing what they want, breaking
what they don’t, and interfering with decent people’s activities. Far from helping
to set standards of mutual respect, some government agencies have been acting
like totalitarians rather than democrats. For all these reasons, we citizens
of cyberspace must evolve guidelines for civilizing our new frontier.

The Granddaddy of All Networks

The Internet is possibly the most complex and rapidly-growing construct humanity
has ever created. The cathedrals of medieval Europe pale in comparison with
the electronic edifice that is the Internet. The Internet grew out of ARPANET,
funded in the late 1960s by the Defense Advanced Research Projects Agency (DARPA).
This experimental network linked a few universities and research laboratories
electronically. ARPANET begat the Internet when the National Science Foundation
(NSF) decided to make internetworking possible for many more universities than
the first-tier institutions that had been in from the beginning. ARPANET itself
disappeared as a formal entity in 1990.

From the very beginning, the group inventing ARPANET had a refreshingly non-bureaucratic
attitude towards their work. For example, meetings of the network coordinators
at Bolt Beranek and Newman in 1968 had two ground rules: Anyone could say anything;
and nothing was official. The current management style of the Internet reflects
the belief in unhindered engineering excellence as the best way to find solid
solutions for technical problems. This tradition of frank criticism and unfettered
creativity has been misinterpreted by some newcomers to the Internet as an excuse
for frank rudeness and unfettered criminality.

The Internet today functions like a combined mail route, supermarket bulletin
board, and library. Electronic mail (e-mail) is much faster than paper mail
(‘snail mail’ as it’s derisively termed on the Net). Electronic Bulletin Board
Systems (BBSs), Special Interest Groups (SIGs) or Forums allow us to post electronic
notes asking for advice, help, friendship, and all the other dimensions of social
interactions. There are electronic equivalents of newspapers (‘news groups’)
and magazines (‘moderated news group digests’) dealing with interests from the
sublime to the prurient. Scientists from distant institutions collaborate fruitfully
on research without concern for geographical barriers. Textbooks and novels
are posted on ‘the Net’ (the affectionate term for the entire Internet and all
the networks connected to it in any way) for enjoyment and comment, sometimes
coming out better for the free flow of criticism and advice. So many repositories
of information are on the Net that doing research without using its resources
is unthinkable for a growing number of enthusiasts.

Because the Net has grown by cooperation and consensus rather than legislation
and government regulation, there is no way to know exactly how many people use
how many computers on this fishnet of the mind. Generally-accepted estimates
are that there are about 13 million regular users linked via roughly 1.3 million
computers (‘hosts’). Registration of hosts has exploded since the Internet community
agreed to allow commercial firms to join.

According to a document, (named, in typical style, ‘/infosource/internet_info_for_everybody
/ how-big-is-the-internet/domain-survey-jan93’) from the Network Information
Systems Center at SRI International in Palo Alto, California, there was an 80.6%
increase in the number of hosts in 1992. Of the 1,313,000 hosts, 410,940 or
about a third were in the educational (‘.edu’) domain. Some 347,486, or about
a quarter, were in the commercial (‘.com’) domain. The annual growth rate in
1992 for .edu was 69%, but the growth in .com was 92%. The advent of users from
.com has elicited howls of protest from some quarters on the Internet; however,
commercial users may bring new standards of behavior to the Net.

The total rate of information transfer in the Internet is unknown; however,
it appears to be Tibibytes (Tb) per day. This number, 1,125,899,906,842,624
bytes, cannot reasonably be apprehended. A byte corresponds approximately to
a character of text. This article has about 50 thousand bytes. A 1,000 page
textbook might have a few million bytes (mebibytes, or Mb) of text; that there
are a million Mb in a Tb. Even more astounding, the total traffic is growing
by about 25% every month a 14-fold increase in a year.

A Moral Vacuum

Cyberspace is growing fast, and the values which inform our lives in physical
communities have not yet found their way into cyberspace. Just as in the physical
world, unethical, immoral, and illegal behavior threatens the agreements that
allow people to live and work together in peace.

Many users of cyberspace are well-behaved. They are sensitive to nuance, capable
of expressive and articulate prose, careful not to hurt feelings, and responsible
in spreading verified information and not rumor.

However, we also find the cyberspace equivalents of slum lords, drug pushers,
boors and bully-boys. There are people running private BBSs that cater to thieves,
drug users, Nazis, and pedophiles. People who might never think of insulting
a stranger to her face write nasty and juvenile notes.

Different service providers adopt different stances about the content of communications
on their network. For example, the commercial value-added networks (VANs) Prodigy
and CompuServe are among the most custodial in their attitude towards the message
base. These services employ system operators (Sysops), volunteers who manage
specific sections by monitoring traffic, responding to questions and cooling
tempers. Some Sysops on commercial services and private BBSs explicitly censor
unacceptable or irrelevant contributions, usually to howls of protest and hyperbolic
invective from the censored authors. These howls are then themselves removed
from view, prompting yet more appeals to First Amendment rights. As a Sysop
myself, I have had to explain that the Forum or SIG is not public and that the
Sysop has a responsibility to maintain a professional tone and to prevent abuses
such as posting text files or software without permission of the copyright holders.
Some moderated news groups on the Internet also have strict enforcement. For
example, the RISKS Forum Digest is tightly controlled by its moderator, who
personally determines whether any given message reaches the members.

At the other extreme, there are networks, Forums, SIGs and BBSs where anarchy
reigns. Contributions are unfiltered, unfettered, frequently ungrammatical,
and sometimes illegal. Some boards and groups pander to unusual sexual orientations,
with hundreds of pornographic text and picture files available online. Others
specialize in stolen or malicious software, and instructions on picking locks,
stealing services and building bombs.

Such rude, unethical, immoral and illegal behavior puts the entire Net at risk
from self-appointed as well as legally-delegated guardians of public morality
and corporate interests. I fear that politicians looking for an easy target
may impose restrictions on the content of electronic communications. Legislative
interference would likely include requirements for paperwork and would render
the volunteer job of Sysop impossibly demanding. The ultra-religious forces
of intolerance could also seize the opportunity to attack a new den of iniquity,
whipping up their doctrinaire supporters to acts of harassment, sabotage and
even physical violence.

Crimes in Cyberspace

What kinds of problems are there? The issues boil down to theft of services
and software, invasion of privacy, outright damage, and the threat of terrorism.
In a landmark study, John Haugh and his colleagues at Telecommunications Advisors
Inc. in Seattle, WA, have recently built up a staggering picture of the extent
of toll fraud (using someone else’s telephone services illegally) and telabuse
(using one’s employer’s phone service without authorization). Haugh et al. consider
that the total losses to the economy from toll fraud and abuse of corporate
telephone systems are in the $2-8 billion range per year. Toll fraud rings using
stolen telephone credit card numbers have been operating virtually unchecked
in all major urban centers. The cycle often begins with ‘shoulder surfing,’
in which someone watches as a victim punches their access codes into a public
telephone in a public place. Organized gangs of youths have been caught in New
York’s Grand Central Station and La Guardia Airport. Within days, the credit
card can be used for hundreds of long-distance phone calls generating thousands
of dollars of expense for the victim. Although the phone companies generally
do not insist on repayment, these calls do cost the U.S. economy something:
inter-carrier charges must be paid to the national telephone services of the
countries of destination. Most of the stolen calls go to South American drug
havens, certain Caribbean islands, and to the Indian subcontinent.

Some criminals use control codes or special tone generators (‘Blue Boxes’ and
others) to steal telephone services; others dial into corporate phone switches
using public 800 numbers, then use outbound lines for long-distance calls. Some
victims have had more than a quarter million dollars of calls placed in a single
weekend. The invoices from the phone companies sometimes fill several crates
with thousands of call details — all fraudulent.

Voice mail subversion is another tactic used by ‘phone phreaks.’ Voice mail
systems allow callers to leave messages for specific employees. Unless supervisors
pay close attention to usage statistics, a voice-mail system can become host
to dozens of unauthorized accounts for strangers, thus putting an unexpected
load on phone lines and consuming storage space on the voice-mail computers.

By far the greatest problem caused by criminal hackers is the loss of confidence
in system integrity. Take for example a computer system used for production
of mission-critical information. There can be no tolerance for error. Programs
written for such a system are subjected to strict quality-assurance procedures;
every program must pass extensive testing. When the operating system (the software
that coordinates communication among programs and regulates access to different
kinds of computer resources) has to be changed (‘updated’), many system managers
run acceptance tests over an entire weekend to ensure that there will be no
glitches once production starts up again. It is considered normal to forbid
programmers to modify production databases; and careful audit trails are usually
kept to track exactly which specific user altered what specific records at any
give time in the files.

Discovering unauthorized use causes chaos in the production shop. A hospital
pharmacy discovers the transposition of two digits in its pharmacy database,
leading to potentially fatal errors in drug administration for patients. A faulty
program in a telephone switching center disrupts phone service over an entire
geographical region. Since there is no way of knowing what intruders have done
(criminal hackers do not leave neat system alteration notices), the only reasonable
response to intrusion is to audit the entire production system. That means time-consuming,
mind-numbing labor to run verification programs on all the data, careful comparison
of every program with a known-good copy to see if it has been altered illegally,
and hours of overtime for quality-assurance and system management personnel.

Credit records are relatively easy for criminal hackers to find, although it’s
much harder to modify them. Patient files are supposed to be protected yet many
hospitals have rudimentary safeguards that do not deter determined hackers.
On another front, government employees have disclosed confidential information
such as tax files and criminal records. In some cases the theft of data was
for money (a few dollars for reports to unethical private investigators) and
in others merely for fun (printing tax files of the rich and famous to impress
one’s friends). These are the electronic equivalent of breaking and entry in
the physical world.

Another area of concern is eavesdropping. Industrial espionage is growing as
competition heats up, especially across international borders. In the U.S.,
Symantec and Borland have been at loggerheads over the alleged theft of confidential
information by an executive who defected from one company to the other. In Europe,
General Motors and Volkswagen have been denouncing each other over allegations
of a similar theft by a high-placed official.

The last decade has witnessed a troubling proliferation of malicious software
such as viruses, worms, Trojan Horses, and logic bombs. A computer virus is
a program which adds itself to executable code (programs and boot sectors on
diskettes and disks). When the infected code is loaded into main memory (usually
on a microcomputer such as an IBM-compatible PC or an Apple Macintosh), the
virus can both reproduce by infecting other programs and also deliver its payload.
Virus payloads range from the merely annoying (e.g., the STONED viruses usually
put a plea for the legalization of marijuana on the screen) through the irritating
(the Autumn viruses make the letters on one’s screen drop to the bottom like
so many leaves) to the destructive (viruses written by Bulgaria’s Dark Avenger
tend to cause random changes in data and programs anywhere on disk, leading
to unpredictable and pernicious damage).

Depending on how one judges variations to be different, there are from two
to four thousand recognizable viruses circulating in cyberspace. About 30 virus
types account for almost all the virus infections that ordinary users are likely
to encounter. STONED and JERUSALEM alone account for about five sixths of all
infections. Unfortunately, criminals have put virus-writing kits into the underground
networks, so now even incompetent programmers can create mutating (‘polymorphic’)
viruses that employ sophisticated techniques (‘stealth’) to avoid detection.

Recent industry surveys suggest that the risk of virus infection of microcomputers
(PCs and Macintosh) is a few percent per year per computer. There are currently
no viruses found on user systems which infect large (mainframe) computers. There
are only a few which affect UNIX operating systems or local area network operating
systems.

The most widespread computer crime is software theft. Estimated rates of theft
range from about 35-40% in the USA to 99% stolen in Thailand. Robert Holleyman,
president of the Business Software Alliance, reports that more than 80% of the
computer programs in China are pirated, making it one of the worst stealers
of software in Asia and costing the worldwide industry US$500 million a year.
Sometimes stolen programs are available in Asia before they are released legally.

Apparently China is now concerned about copyright violations in part because
its own software industry is being harmed. Yang Tianxin, chief of the computer
division of the ministry of electronic industry, claims that China is just beginning
to attack this problem using criminal penalties and education.

Western nations also need to integrate respect for intellectual property into
normal morality. Too many managers, teachers, technicians and just plain users
are stealing software by making unauthorized copies of copyrighted programs.
It’s no wonder children trade pirated copies of computer games with no awareness
of doing wrong.
Most computer crimes are not perpetrated by criminal hackers. Recent surveys
suggest that about 85% of all computer-related crimes are committed by personnel
authorized to use the computers they abused. The probability of being attacked
by outsiders is only about 1 or 2% per system per year.

Within organizations, programmers occasionally write malicious software. ‘Trojan
Horses’ are programs which have secret functions (e.g., keeping a record of
passwords) along with their ostensible purposes. The AIDS Information Diskette
which circulated worldwide a few years ago was a Trojan which pretended to offer
information about the dread disease, but then scrambled the user’s disk directory
and tried to extort payment for a recovery utility. Trap Doors involve programming
secret entry points for later unauthorized use; the password ‘Joshua’ was part
of a trap door left by the creator of a top-secret government system in the
movie ‘War Games.’

Logic bombs are sections of program which check for particular conditions and
then wreak havoc in the system. In the film, Single White Female, a programmer
leaves a logic bomb in her code to wipe out her creepy client’s entire fashion
database because he hasn’t paid her full fee. In November 1993, a Manhattan
programmer and his technician were accused of planting a logic bomb in a client’s
software when he refused to pay the full cost of the package. Some programmers
insert logic bombs in their code as a matter of course.

The cyberspace equivalent of vandalism occurs when intruders or disgruntled
employees deliberately damage or destroy information. The 414 Gang (so named
from the area code of their Milwaukee homes) damaged clinical research data
in their forays through the networks in the early 1980s. Two teenagers from
Staten Island caused $2.1 million of damage to the voice-mail system of a publisher
by erasing orders for advertising and leaving obscene messages which offended
clients. When they were finally tracked down and arrested, the 14 and 17 year-olds
admitted that their depredations were revenge for having failed to receive a
promised poster from the publisher.

In a report at the 16th National Computer Security Conference in Baltimore,
MD in September 1993, an investigator whose team tracks the underground BBSs
revealed that detailed instructions for weapons of terrorism are freely available
in cyberspace. The published recipes for home-made bombs were evaluated by professionals
from military special forces and were pronounced to be workable, albeit dangerous
for amateurs.

Some administrators at universities with Internet connections have been put
under opposing pressures because of the availability of graphic pornography
graphics. There have been threats of lawsuits for allowing such materials to
enter the campus systems and threats of lawsuits for forbidding such materials
to enter the campus systems. Some pedophile BBS operators have been found to
use their systems to entice youngsters into meetings by offering illicit files
and cheap stolen hardware and software. It is easy to create false identities
through electronic mail. Some denizens of cyberspace use one or more pseudonyms
(‘handles’). A major hacker conference was announced on the Internet by ‘[email protected]
with no other identification made available. Some ‘cypherpunks’ insist that
there should be no interference with this practice, arguing that any attempt
to enforce identification would be a gross infringement of their privacy.

Advocates of anonymous and pseudonymous postings defend their preference by
pointing to the long-standing acceptance of pseudonyms in print. I wonder if
they would defend wearing face masks during face-to-face conversations?

Who Are the Technopaths?

Because of the shadowy nature of the computer underground, where real names
are few and role-playing is the norm, it is hard to find reliable statistics
about the demographics of what famed Bulgarian antivirus researcher Vesselin
Bontchev (later at the University of Hamburg) has called ‘technopaths.’ The
consensus in the computer underground is that they are predominantly teenaged
boys and young men. These maladapted, undersocialized, emotionally-underdeveloped
individuals adopt noms-de-guerre (‘handles’) like Phiber Optik, Acid Phreak,
Dark Avenger, The Leftist, The Prophet, The Urvile, and Necron 99. They form
electronic gangs with ludicrous names like Masters of Deception and Legion of
Doom. Much of this is adolescent posturing; as one member of the latter group
commented, ‘We couldn’t very well call ourselves the Legion of Flower-Pickers.’

Several popular books have provided insights into the psychology of criminal
hackers. One of the best is by Katie Hafner and John Markoff, Cyberpunk: Outlaws
and Hackers on the Computer Frontier. (Touchstone Books, Simon & Schuster
(New York, 1991). ISBN 0-671-77879-X. 368 pp. Index).

Sarah Gordon of the IBM T. J. Watson Research Center has written extensively
on her interviews with virus writers (see http://www.av.ibm.com/InsideTheLab/Bookshelf/ScientificPapers/Gordon/GenericVirusWriter.html).
Her main point is that the virus-writing community (and probably the criminal
hacker community) should not be viewed as monolithic, but rather that it is
composed of a wide variety of personality types and stages of moral development.

Are Some Hackers Crazy?

The standard reference work on psychiatric disorders (Diagnostic and Statistical
Manual, American Psychiatric Association) defines the Narcissistic Personality
Disorder in these terms:

The essential feature is a Personality Disorder… in which there are a grandiose
sense of self-importance or uniqueness; preoccupation with fantasies of unlimited
success; exhibitionistic need for constant attention and admiration; characteristic
responses to threats to self-esteem; and characteristic disturbances in interpersonal
relationships, such as feelings of entitlement, interpersonal exploitativeness,
relationships that alternate between the extremes of overidealization and
devaluation, and lack of empathy….

…In response to criticism, defeat or disappointment, there is either a
cool indifference or marked feelings of rage, inferiority, shame, humiliation,
or emptiness…. Entitlement, the expectation of special favors without assuming
reciprocal responsibilities, is usually present. For example, surprise and
anger are felt because others will not do what is wanted; more is expected
from people than is reasonable.

Sound like hackers?

During the 1990 December holiday season, some 250 hackers gathered for their
‘Christmas Con’ in a hotel near Houston airport. After consuming too many beers
and pulling fire alarms, the group was evicted from the hotel. This sort of
behavior is associated with the Antisocial Personality Disorder, whose ‘…essential
feature is… a history of continuous and chronic antisocial behavior in which
the rights of others are violated….’ (DSM III; APA, 1980). In 1993, some of
the 200 attendees at HoHoCon in Austin pulled fire alarms after a night of drunken
carousing and viewing pornographic movies. In the Austin HoHoCon in December
1993, criminal hackers discussed cracking cellular phones, shared information
on new techniques for stealing long-distance services, and boasted of posting
anarchist files on BBSs. When I challenged "Deth Vegetable" for having
posted instructions on how to make bombs out of household cleaning supplies,
his friends glared angrily at me and hissed, "It wasn’t illegal. He had
a right to post whatever he wanted." Deth Vegetable rejected responsibility
for the consequences of his actions; although he regretted that two children
had recently destroyed their hands in an explosion while following the details
of his file, he sneered that perhaps it was evolution in action. He admitted
that maybe it seemed wrong, but he didn’t know why. "And anyway,"
he shrugged, "who’s to say if it’s right or wrong?" "Who’s to
say??" I asked. "You are. I am. We are."
The culture of criminal hackers seems to glorify behavior which would be classified
as sociopathic or frankly psychotic. These behaviors must not become normative.

Technical Solutions

Technical approaches to behavioral problems have a limited scope. Some attempts
to protect cyberspace concentrate on making it harder to do harm. For example,
system managers are supposed to pay strict attention to how people can enter
their systems and networks; this area of concern is known as access control.
Some of the more successful methods currently in use include one-time password
generators. Such hand-held units, about the size of a credit card, generate
random-looking codes which can be used for logging into computer systems and
networks, but which are valid for only one minute.

Modems which garble transmissions make it impossible to crack systems using
brute-force methods. Instead of trying hundreds of passwords without hindrance,
criminal hackers would be forced to turn to the much slower techniques of lying
and spying (social engineering). Even if criminal hackers were to enter a secure
system, encrypted data would severely interfere with their ability to cause
trouble. Unfortunately, encryption is still not in general use in the business
community.

Finally, if more victims of computer crime were to report what happened, the
computer security industry could develop the same kind of shared expertise as
the insurance industry’s actuaries. It would help immeasurably to have a library
of documented case studies of computer crime available for study by computer
science students, sociologists, criminologists and security experts. All organizations
hit by computer criminals are encouraged to report what happened to the Computer
Emergency Response Team Coordination Center (CERT-CC) at Carnegie Mellon University
in Pittsburgh, PA.

Human Solutions

Technical solutions appeal to the rational propensities of security specialists.
But since people are at the core of computer crime, psychosocial factors must
be at the core of efforts to contain it.

Security is the tooth-flossing of the computer world: it’s boring and repetitive,
slightly distasteful, and has no obvious, immediate benefits. Even worse, the
better the implementation, the less frequently problems arise. Security cannot
be achieved by superficial changes of style. Just as the Total Quality Management
movement emphasizes that the concern for quality must pervade all aspects of
working culture, information security must become part of the corporate culture.

Security professionals have to deal with the psychological difficulties of
trying to change long-rooted patterns of social behaviour. For example, a typical
security policy states that no one may allow another employee to ‘piggyback’
into a secure area; that is, each person entering through a secured door must
use their own access-control device. However, politeness dictates the opposite:
we hold a door open and invite our friends and colleagues to enter before we
do. To learn new habits, it is useful to address the conflict directly: acknowledging
that the policy will be uncomfortable at first is a good step to making it less
uncomfortable. For example, employees should participate in role-playing exercises.
First, they can practice refusing access to colleagues who accept the policies
graciously, then move on to arguments with less-friendly colleagues. Finally
they can learn to deal with confrontations with colleagues who pretend to be
higher-rank and hostile. Managers should practise being refused access to secured
areas.

In grade schools, high schools, colleges and universities, students are introduced
early to computer systems and expected to master and use computers in their
studies. All too often, however, ethical issues about computer usage are neglected.
Some instructors blatantly steal copyrighted software or tell their young charges
to do so (‘Here, copy this diskette and return the original’). Other children
entrain their younger contemporaries into the glitzy world of computer virus
exchanges and virus writing. There’s always the allure of computerized pornography
on local bulletin boards — an allure enhanced by the lack of knowledge of parents
and teachers about the very existence of such sources.

Lonnie Moore is computer security manager at the Lawrence Livermore National
Laboratory. With the help of Gale Warshawsky, an employee who happens to be
an experienced puppeteer, Moore has created an appealing and entertaining security
awareness video for children in elementary schools. The heroes are Chip, the
friendly computer, and Gooseberry, the hapless untrained user. The villain is
Dirty Dan, the nasty hacker. Dan drops crumbs into Chip’s keyboard, destroys
files and makes Chip cry, then makes Chip dizzy by feeding him a virus from
another computer. Moore explains, ‘What we’re trying to do is learn from the
mistakes that have been made. They understand good guys and bad guys. We also
teach them to try to have some feeling for the others involved.’

A major telephone company in the U.S. has created a video for middle-school
children which addresses telephone fraud in an entertaining and informative
way.

Ten Cyber-Commandments

The Computer Ethics Institute in Washington, DC, has published the Ten Commandments
of Computer Ethics:

  1. Thou shalt not use a computer to harm other people.

  2. Thou shalt not interfere with other people’s computer work.

  3. Thou shalt not snoop around in other people’s computer files.

  4. Thou shalt not use a computer to steal.

  5. Thou shalt not use a computer to bear false witness.

  6. Thou shalt not copy or use proprietary software for which you have not
    paid.

  7. Thou shalt not use other people’s computer resources without authorization
    or proper compensation.

  8. Thou shalt not use other people’s intellectual output [without due acknowledgement].

  9. Thou shalt think about the social consequences of the program you are writing
    or the system you are designing.

  10. Thou shalt always use a computer in ways that demonstrate consideration
    and respect for your fellow humans.

Efforts such as these are the beginning of a response to lawlessness in cyberspace.
Operating at the human level, they are ultimately as important as technical
solutions to computer crime.

The Moral Universe of Computer Users

It takes time to integrate morality into our technological universe. Twenty
years ago, many drivers felt that driving under the influence of alcohol was
adventurous. Today most people feel that it’s stupid and irresponsible. Smoking
in public is becoming rare. Many of us in northern cities have witnessed exiled
smokers huddled together in the cold outside buildings where they once lit up
with impunity.

Similarly, we need a consensus on good behavior in cyberspace.

Criminal hackers who break into computer systems and roam through users’ private
files should be viewed as Peeping Toms. Criminals using computers to extort
money or steal services should be recognized as thieves. Those who destroy records,
leave logic bombs, and write viruses should be viewed as vandals. Hackers who
smear obscenities in source code should be seen as twisted personalities in
need of punishment and therapy. Government agencies proposing to interfere in
electronic communications should be subject to scrutiny and intense lobbying.

Beyond such prohibitions and inhibitions of taboos, cyberspace needs the electronic
equivalent of Emily Post. We need to discuss the immorality of virus writing,
the ethical implications of logic bombs, and the criminality of electronic trespassing.
We should teach children how to be good citizens of cyberspace — and not just
in schools. We should sit down with computer-using youngsters and follow them
through their adventures in cyberspace. Parents should ask their teenaged whiz-kids
about hacking, viruses, software theft and telephone fraud. We must bring the
perspective and guidance of adult generations to bear on a world that is evolving
faster than most of us can imagine.

Participants in the National Computer Security Conferences [now the National
Information Systems Security Conference] should be at the forefront of efforts
to reach out into the wider community. If experts in security cannot express
their values, who will?

The adolescent confraternity of criminal hackers and virus writers have already
begun developing totems: the personae of Dark Avenger and Acid Phreak loom over
youngsters much as Robin Hood once did for another generation.

What we need now are taboos to match the totems.


For Further Reading

The ICSA Web Site
http://www.icsa.net

The COAST Hotlist
http://www.cs.purdue.edu/coast/hotlist/

Forester, T. & P. Morrison (1990). Computer Ethics: Cautionary Tales and
Ethical Dilemmas in Computing. MIT Press (Cambridge, MA). ISBN 0-262-06131-7.
vi + 193. Index.

Goodell, J. (1996). The Cyberthief and the Samurai: The True Story of Kevin
Mitnick — and the Man Who Hunted Him Down. Dell (New York). ISBN 0-440-22205-2.
xix + 328.

Gordon, S. (1994). Technologically enabled crime: Shifting paradigms for the
year 2000. Originally published in Computers and Security.

http://www.av.ibm.com/InsideTheLab/Bookshelf/ScientificPapers/Gordon/Crime.html

Gordon, S. (1994). The generic virus writer. First presented at 4th International
Virus Bulletin Conference.

http://www.av.ibm.com/InsideTheLab/Bookshelf/ScientificPapers/Gordon/GenericVirusWriter.html

Hafner, K. & J. Markoff (1991). Cyberpunk: Outlaws and Hackers on the Computer
Frontier. Touchstone Books, Simon & Schuster (New York). ISBN 0-671-77879-X.
368. Index.

Hutt, A. E., S. Bosworth & D. B. Hoyt, editors (1995). Computer Security
Handbook, Third Edition. John Wiley & Son (New York). ISBN 0-471-01907-0
(cloth; $125); 0-471-11854-0 (paper; $60).

Kabay, M. E. (1996). The NCSA Guide to Enterprise Security: Protecting Information
Assets. McGraw-Hill (New York). ISBN 0-07-033147-2. xii + 388 pp. Index.

Kabay, M. E. (1996). The InfoSec Year in Review 1996.
http://www.icsa.net/library/research/isecyir.shtml

Kabay, M. E. (1997). The InfoSec Year in Review 1997.
http://www.icsa.net/library/research/iyir.shtml

Kabay, M. E. (1998). Anonymity and Pseudonymity in Cyberspace:
Deindividuation,
Incivility and Lawlessness Versus Freedom and Privacy. http://www.icsa.net/library/research/anonymity.shtml

Kallman, E. A. & J. P. Grillo (1996). Ethical Decision Making and Information
Technology: An Introduction with Cases, Second Edition. ISBN 0-07-034090-0.
xiv + 138. Index.

Levy, S. (1994). Hackers: Heroes of the Computer Revolution. Delta. ISBN: 0-385-31210-5.

Littman, J. (1996). The Fugitive Game: Online with Kevin Mitnick — The Inside
Story of the Great Cyberchase. Little, Brown and Company (Boston). ISBN 0-316-5258-7.
x + 383.

Marsh, R. T. (1997), chair. Critical Foundations: Protecting America’s Infrastructures.
The Report of the President’s Commission on Critical Infrastructure Protection.
See http://www.pccip.gov/info.html
for details and ordering information.

Parker, D. B. (1998) Fighting Computer Crime: A New Framework for Protecting
Information. Wiley (NY) ISBN 0-471-16378-3. xv + 500 pp; index

Schwartau, W. (1991). Terminal Compromise (novel). Inter.Pact Press (Seminole,
FL). ISBN 0-962-87000-5. 562 pp.

Schwartau, W. (1996). Information Warfare, Second Edition. Thunder’s Mouth
Press (New York). ISBN 1-56025-132-8. 768 pp. Index.

Shimomura, T. & J. Markoff (1996). Takedown: The Pursuit and Capture of
Kevin Mitnick, America’s Most Wanted Computer Outlaw — by the Man Who Did It.
Hyperion (New York). ISBN 0-7868-6210-6. xii + 324. Index.

Slatalla, M. & J. Quittner (1995). Masters of Deception: The Gang that
Ruled Cyberspace. HarperCollins (New York). ISBN 0-06-017030-1. 225 pp.

Smith, G. (1994). The Virus Creation Labs: A Journey into the Underground.
American Eagle Publications (Tucson, AZ). ISBN 0-929408-09-8. 172 pp.

Sterling, B. (1992). The Hacker Crackdown: Law and Disorder on the Electronic
Frontier. Bantam Doubleday Dell (New York). ISBN 0-553-08058-X. xiv + 328. Index.

Stoll, C. (1989). The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer
Espionage. Pocket Books (Simon & Schuster, New York). ISBN 0-671-72688-9.
viii + 356.


SecurityPortal is the world’s foremost on-line resource and services
provider for companies and individuals concerned about protecting their
information systems and networks.
http://www.SecurityPortal.com
The Focal Point for Security on the Net ™

Latest Posts

Related Stories