Defining Computer Security cybertechnology security can be thought of in terms of various counter measures: (i) unauthorized access to systems (ii) alteration.

Defining Computer Security

cybertechnology security can be thought of in terms of various counter measures:

(i) unauthorized access to systems (ii) alteration of data that resides in and is

transmitted between computer systems (iii) disruption, vandalism, and sabotage of

computers systems and networks.

Defining Computer Security (continued)

Confidentiality: protecting against un- authorized disclosure of information to third parties.

Integrity: preventing unauthorized modification of files.

Availability: preventing unauthorized withholding of information from those who need it when they need it. DOS

Figure 6-1

Computer Security

System Security Data Security

Resident Data Transmitted Data

vulnerability to "malicious programs" (viruses and worms).

vulnerability to access of data.

Don’t Hack. Hacking is bad.

And what is good?

Hackers and Ethics

The original Hacker Ethic • 50s and 60s: Informal ethical code by hackers of MIT

and Stanford (SAIL).

• The first generation of programmers: time-sharing terminal access to 'dumb' mainframes,

• Confronted bureaucratic interference in exploring technological systems (computers, model trains, steam tunnels, phone systems, etc.).

• The ethic reflects their resistance to these obstacles, and their ideology of the liberating power of technology.

“Hacker Ethic” Steven Levy – 1984 Hackers: Heroes of the Computer Revolution

describes the following beliefs:• (i)  Access to computers should be unlimited

and total.• Rather than limited to big business and elite

• (ii)  All information should be free.• freedom of movement = no censorship

• without control (freedom of change/evolution = no ownership or authorship, no intellectual property

• without monetary value (no cost.)

Hacker Ethic

• (iii)  Mistrust Authority - Promote Decentralization: • Distrust large institutions (The State, corporations,

the IBM 'priesthood‘)

• (iv)  Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position.

• (v)  You can create art and beauty on a computer.

• (vi)  Computers can change life for the better.

New Hacker Ethics "Above all else, do no harm" Do not

damage computers or data if at all possible. • based on intent. • what constitutes "harm" is left open. pranks and

practical jokes harmless? Protect Privacy: control over personal

information. • Still no codified right to privacy for U.S. citizens, • Supreme Court -- implicit in judgments (legalizing

distribution of birth control and the right to abortion). • Means a certain kind of information should not be

free --contradiction to the original hacker ethic.

New Hacker Ethic

"Waste not, want not." Computers should not lie idle and wasted.

"joy riders' ethic"

If you borrow someone's car, and return it with no damage, a full tank of gas, improvements…?

Is it an ethical to make a set of keys for yourself so you can borrow it whenever you feel like? (sysadmin privileges).

New Hacker Ethic

Exceed Limitations • "Extropians" universal force of expansion and growth,

inverse to entropy, which they call "extropy."

• Falsificationism: Should seek it’s own demise – flaws, weaknesses

The Communicational Imperative:• Right to communicate with their peers freely.

• 1st amendment rights to communication and assembly -- for the free flow of information.

• Phreakers: people (poor), right to communicate cheaply .

New Hacker Ethic

Leave No Traces:• Keep quiet, so everyone can enjoy what you have

• to protect other hackers from being caught or losing access.

Share! • Information increases in value by sharing

• Don't hoard, don't hide

• Just because it wants to be free, does not mean you must give it to as many people as possible. Pirates are NOT freeloaders

New Hacker Ethic Self Defense: be vigilant against cyber-tyranny and

• Cyberpunk Future Hacking

• to overcome more powerful forces that can control their lives.

• If governments and corporations know they can be hacked, then they will not overstep their power to afflict the citizenry.

Hacking Helps Security • "Tiger team ethic": it is useful and courteous to find security

holes, and then tell people how to fix them. Trust, but Test! security and system integrity

• lest it fail when it is most needed (like the AT & T phone switches did in 1990.)

3 Principles in Hacker Ethic:

(1) Information should be free; (2) Hackers provide society with a useful

and important service; (3) Activities in cyberspace are virtual in

nature and thus do not harm real people in the real (physical) world. 

“Information Wants to Be Free”

Eugene H. Spafford "Spaf“ (1992) CS Purdue, leading computer security expert.

Idealistic, romantic, naïve If information were free, privacy would not be

possible It would not be possible to ensure integrity and

accuracy of the information Would we permit someone to start a fire in a

shopping mall in order to test the sprinkler system? Would you thank a burglar who shows that your

home security system was inadequate?

Can Computer Break-ins Ever Be Ethically Justified?

Spafford (1992) believes that in certain extreme cases, breaking into a com- puter could be the "right thing to do." • e.g., breaking into a computer to get medical

records to save one’s life. He also argues that computer break-ins

always cause harm; and from this point, he infers that hacker break-ins are never ethically justifiable.

Hacktivism

Manion and Goodrum (2000) questioned whether some cyber-attacks might not be better understood as acts of hacktivism.

They consider the growing outrage on the part of some hackers and political activists over an increasingly "commodified Internet.“

They also question whether this behavior suggests a new form of civil disobedience, which they describe as hacktivism.

Hacktivism (continued)

Hacktivism integrates the talent of traditional computer hackers with the interests and social consciousness of political activists.

Manion and Godrum note that while hackers continue to be portrayed as vandals, terrorists, and saboteurs, hardly anyone has considered the possibility that at least some of these individuals might be "electronic political activists" or hacktivists.

Activism, Hacktivism, and Cyberterrorism

Activism includes the normal, non-disruptive use of the Internet to support a cause. • e.g, an activist could use the Internet to discuss

issues, form coalitions, and plan and coordinate activities.

Activists could engage in a range of activities from browsing the Web to sending e-mail, posting material to a Web site, constructing a Web site dedicated to their political cause or causes, and so forth.

Activism, Hacktivism, and Cyberterrorism (continued)

Hacktivism: activism and hacking• target sites with intent to disrupt normal

operations

• but without intending to cause serious damage.

"e-mail bombs" and "low grade" viruses cause only minimal disruption and would

not result in severe economic damage or loss of life.

Activism, Hacktivism, and Cyberterrorism (continued)

Cyberterorism consists of operations that are intended to cause • great harm such as loss of life

• or severe economic damage, or both.

e.g., attempt to bring down stock market or take control of a transportation unit in

order to cause trains to crash.

Table 6-1: Hacktivism, Cyberterrorism,

and Information Warfare

Hacktivism The convergence of political activism and computer hacking techniques to engage in a new form of civil disobedience.

Cyberterrorism The convergence of cyber-technology and terrorism for carrying acts of terror in (or via) cyberspace.

Information Warfare Using information to deceive the enemy; and using conventional warfare tactics to take out an enemy's computer and information systems.

Four Types of Security Countermeasures

Firewalls Anti-Virus Software Encryption Tools Anonymity Tools

Others?? Security through obscurity

New Security Problems ?

Collaboration • Multi-User Applications

Ubiquitous / Wireless Net• Limiting access (e.g. in schools)

Others ???

Encryption Tools (Continued)

An encrypted communication will be only as secure and private as its key.

In private-key encryption, both parties use the same encryption algorithm and the same private key.

Public cryptography uses two keys: one public and the other private.

Encryption (Continued) – public Cryptography If A wishes to communicate with B, A uses B's

public key to encode the message. That message can then only be decoded with

B's private key, which is secret. Similarly when B responds to A, B uses A's

public key to encrypt the message. That message can be decrypted only by using

A's private key. Although information about an individual's public key is accessible to others, that individual's ability to communicate encrypted information is not compromised.

Anonymity Tools

Users want to secure the integrity and confi- dentiality of their electronic communications.

They also wish to protect their identity while engaging in on-line activities.

Anonymity tools such as the Anonymizer, and pseudonymity agents such as Lucent's Personalized Web Assistant, enable users to roam the Web either anonymously or pseudonymously.

Anonymity Tools (Continued)

able to navigate the Internet without personal identity being revealed.

e.g., the user cannot be identified beyond certain technical information such as • the user's IP (Internet protocol) address,

• ISP, and so forth.

Code of Network Ethics for Security (continued)

Would you would be willing to purchase an automobile that could not be locked (secured) and thus protected against theft?

Steele points out that there are no adequate "locks" for computers.

He blames Microsoft and other large computer corporations for not ensuring and guaranteeing that the computer software products are more secure.

Code of Network Ethics for Security (Continued)

Steele also believes that corporations that produce computer software should assume full responsibility, legal and moral, for any insecure software products they sell.

He concludes that we need a "Code of Network Ethics" with a "due diligence" clause, which would spell out specific requirements for businesses engaged in the production of software.

Criticism of Steele’s Argument for a Network Code of Ethics

We can agree with Steele's assumptions that consumers desire reliable products and that they expect dependable computer systems.

We can also question whether the analogy that Steele draws between computer systems and automobiles is a useful one, or whether it breaks down in certain crucial respects.

It is not yet possible to test computer systems for reliability in the same way that we can test automobile systems.

Total Security in Cyberspace

Can total security in cyberspace be achieved? If so, would it be a desirable goal? When asked if we would prefer a secure

cyberspace, we would likely answer "yes." But we might not be willing to accept the

consequences of such a level of security. • e.g., more secure systems might require certain

additional features in cyber-technology that would result in computer systems being less friendly and thus more difficult for ordinary users to operate.

Viewing Security as a Process Rather Than as a Product

Scheier (2000) claims that anyone who promises a totally secure or "hacker proof" system is selling "snake oil.“

Many security experts assume we simply need to find the right technology or the foolproof encryption device or the right security countermeasures.

Security as a Process (continued)

For Schneier, security is a process, not a product.

Schneier believes that an important element in that process is risk assessment.

Seeking perfect security would make a system useless, because "anything worth doing requires some risk."

Computer Security and Risk Analysis

Risk analysis is a methodology used to come to an informed decision about the most cost-effective controls to limit the risks to your assets vis-à-vis the spectrum of threats.

Banks and credit card companies can tolerate a considerable amount of credit risk and fraud because they know how to anticipate loses and price their services accordingly.

What is the acceptable level of risk in computer systems? How can we assess it?

Risk Assessment (Continued)

Many of the ethical issues surrounding computer security are not trivial.

They have implications for public safety that can result in the deaths of significant numbers of persons.

So it is not clear that all computer security issues can be understood simply in terms of the risk analysis model advocated by Schneier.