A question of ethics

[iblis]

JaNell made a comment in a locked thread that quite intrigued me:

Don't get me started on why I consider virus building and hacking (the bad kind) a class war issue.

Bah, I'd rather get you started. And everyone else, as well, with any luck.

So, what is everyone's opinion on the development of viruses, and / or cracking¹? Is it all that bad? Is it ethical to develop a virus, but not release it "into the wild", so to speak?

Furthermore, is it ethical to develop and distribute code that could be used for such an attack? For instance, a utility that, while its original use is benign and / or beneficial, could possibly be altered or misused to cause other people damages of arbitrary degrees.

I realize that some might think that this belongs in GothGeek, but I wanted opinions from both the technically and non-technically inclined on this issue. It is, after all, something that all netizens have to deal with at some point in time.

¹ Note: I still refer to the act of breaking into a private or semi-public machine as "cracking", and refer to the person committing such an act as a "cracker". Similarly, I'm prone to refer to coding - whether it's quick and dirty, or "masterpiece theater" style - as "hacking", and likewise I call such coders "hackers". Nonetheless, a rose by any other name...

[JaNell]

Will do. Thanks for giving us the correct term for the virus and information stealing hackers; I'd forgotten.

[Thrall]

A vast gulf exists between creating something that has the potential to do harm or damage and in actually using it for that purpose.

I am an accountant and hold a position of trust. A huge part of who i am as a person is my integrity. That being said there is nothing i enjoy more than figuring out how i could rob my employers blind and get away with it. I have never been tempted to put my plans into action nor do i think i will be.

Is there anything wrong with my thinking about how it could be done? Hell no! In fact it is productive. I can identify potential lapses in security and eliminate them, hopefully before someone else takes advantage.

thats my two cents

[iblis]

A vast gulf exists between creating something that has the potential to do harm or damage and in actually using it for that purpose.

I am an accountant and hold a position of trust. A huge part of who i am as a person is my integrity. That being said there is nothing i enjoy more than figuring out how i could rob my employers blind and get away with it. I have never been tempted to put my plans into action nor do i think i will be.

Is there anything wrong with my thinking about how it could be done? Hell no! In fact it is productive. I can identify potential lapses in security and eliminate them, hopefully before someone else takes advantage.

thats my two cents

I have to agree here; IMNSHO, there's nothing wrong with security analysis, in any field. Figuring out how to commit an unwanted action is quite different than actually going through with and acting on said knowledge.

But then, some people don't like the idea of themselves, their property, or their actions being inspected in such a fashion. Techies would call this mindset, "security through obscurity", which - again, IMNSHO - is just plain silly.

And stupid.

And harmful.

But I digress.

[junkie christ]

ibbie talking about ethics wigs me out
i tried typing a response to this but it got fucking huge so ill say this:
ask me on this topic in person.

[Wanderer]

I'd agree with the hacker vs. cracker comment, btw, but then yer showing your age in just how long you've been geekin'.

Anyways.

Cracking is illegal. There's reasons it's illegal. It *can* be used for good use. Killing the man who's mugging you is 'illegal' for murdering a person, but is considered self defense if you felt you were threatened. (Side note: You can't kill him for stealing, just for life threats... legally.) However, to make it more to the point, practicing your pistol and shooting people on the streets are a different thing. Creating virus on a contained system to practice your skills at both coding, and killing, of them is one thing. Releasing rabid dogs into kindergarten playgrounds is another.

As to develop and distribute code that could be used for such an attack, that is meant as benign and specifically meant to improve or give a piece of software to someone that they want is absolutely ethical. The fact that some scriptkiddy can take your inventive code and do something moronically damaging with it is like accusing p.i.l.l.o.w. manufacturers of killing people because they can be used to smother people.

Why can't I get the board to write p.i.l.l.o.w.?! What kind of curse word is p.i.l.l.o.w??? It keeps substituting the word rock...

[gray]

Ibbie is spot on. No matter his age.

As a general rule virus and worm writers are almost never benign. You get very rare instances where someone writes a virus or worm that patches holes. These antivirus are the only beneficial forms I have heard of in the wild. However let us note that the great majority of popular virus are really worms which exploit a security hole in a given application arrangement. For instance IE 6 and Outlook, which together provide access to a powerful scripting environment (WSH) that can be used to exploit the users machine. This is a functional example of attackers exploiting a software monoculture. Recently Dan Greer spearheaded a paper outlining the security concerns of a software monoculture and the how Micro$oft (which when normally spelled magically becomes "the most fetid evil in the known universe" on the board. ) fits into this picture. He was subsequently fired from his job at a software security firm. The reasons are not fully known. This is the kind of ethics you find in business that really piss me off.

Fortunately the hacker vs. cracker terminology has at least been replaced by the white hat vs. black hat monikers. This provides for gray hat, which is not a Gandalf look alike carrying a WAR driver laptop. Gray Hats are something like Adrian Lamo, the 22yr old being sued by NYT for exposing security holes in their website. Mr. Lamo has actually been travelling around randomly hacking sites and then politely notifying the site owner of the security holes he finds. His reasons? Anybody's guess, but chances are it is a mixture of the fame and the challenge involved. Since he reports his findings to the site owner is he a criminal or a good samaritan? Now that is a heated debate. Technically the guy is a software criminal. On the other hand, he provides fixes to the people who own the sites he cracks. Is this a good or bad thing? Only time will tell.

Currently software security is in shambles. Somewhat due in part to the legal manipulations businesses use to protect their public image. Take for instance a company that wants a security audit. All they have to do is contact a lawyer and arrange the services through the lawyer. Now none of the acquired security info can be distributed to the effected parties. In fact only those items which have a large enough cost analysis are corrected and mentioned. Anything else is quietly overlooked. This creates a reactionary approach to security assessment and ruins any pretense of preparedness. Oh but it gets worse. Since you have to arrange the audit, the auditor often has to announce the audit period. This is dumb because your admins use temporary measures to improve their system security report. Why? Because management wants it that way. Ideally you would be audited in private without warning. Then you would be given the report so you can patch your leaky ship. Not that admins are given nearly enough time to do so, but that is a seperate can of worms. In the end businesses often lack the impetus to track and fix the security concerns in their software.

Well that's much more than enough of my rambling...Laters,

[Jack]

I just want to say that whoever created the Swen virus is a fucking asshole and deserves to have his hands cut off.

[JaNell]

Here's why I consider viruses and such a class war issue:

As far as I know, most "crackers" or virus building/releasing jerks are young white males living with their Mommy & Daddy or the equivalent. They develop these viruses on computers that Mommy & Daddy bought for them. When they release a destructive virus, three things happen:

Corporations either have good enough virus protection to filter the virus out, or, they can afford techs to fix the problem or replace the computer.

Upper middle class and wealthy people can replace the computer or afford to have it all fixed.

Working class & poor people, the ones who've had to go into debt or scrimp to afford even a basic computer to improve their lives or help their children, get screwed. There's no replacing the hardrive, no money for a tech to fix things.

Now, to my mind, people releasing viruses may claim to be doing some heroic attack on Big Business, but the person they're really hurting is several notches down the economic system from them.

Anywho, that's my simplified thoughts on it.

[karmakaze]

Here's why I consider viruses and such a class war issue:

As far as I know, most "crackers" or virus building/releasing jerks are young white males living with their Mommy & Daddy or the equivalent. They develop these viruses on computers that Mommy & Daddy bought for them. When they release a destructive virus, three things happen:

not really, its just that the younger ones are better at getting caught. + when you buy your own equipment you tend to get better hardware than what most parents would buy their child. or at least all i had was a p120 16mg ram packard bell until i built myself a decent computer.

Upper middle class and wealthy people an replace the computer or afford to have it all fixed.

the people who get paid to fix and replace computer crap are usually the ones at home surfing the h/p/a/v/c sites and writing malicious code.

somewhere in a major corporations help desk department:

geek1 - "hey bob, looks like they are going to lay off a few of us tecks"
geek2 - "really? hmmm..."
geek1 - "looks like we should hurry up and finish the code on that new ultra mega destructive worm that we have been working on.
geek2 - "yeah, job insurance man.

Working class & poor people, the ones who've had to go into debt or scrimp to afford even a basic computer to improve their lives or help their children, get screwed. There's no replacing the hardrive, no money for a tech to fix things.

very rarely does any hardware damage stem from a virus, and if it does, its because the computer sucks and was going to die soon anyway. also, the only real risk is information loss, which most the time can be recovered anyway. worst case scenario is that you have to format and reinstall your OS of choice. (using the disks that came with your computer) (if you want you can always play it safe and run linux or mac OS )

[JaNell]

Here's why I consider viruses and such a class war issue:

As far as I know, most "crackers" or virus building/releasing jerks are young white males living with their Mommy & Daddy or the equivalent. They develop these viruses on computers that Mommy & Daddy bought for them. When they release a destructive virus, three things happen:

not really, its just that the younger ones are better at getting caught. + when you buy your own equipment you tend to get better hardware than what most parents would buy their child. or at least all i had was a p120 16mg ram packard bell until i built myself a decent computer.

I'm sure that an upper class or upper middle class computer geek could manage to get what they want for Christmas, just like they get those price-of-a-house cars...

Working class & poor people, the ones who've had to go into debt or scrimp to afford even a basic computer to improve their lives or help their children, get screwed. There's no replacing the hardrive, no money for a tech to fix things.

very rarely does any hardware damage stem from a virus, and if it does, its because the computer sucks and was going to die soon anyway. also, the only real risk is information loss, which most the time can be recovered anyway. worst case scenario is that you have to format and reinstall your OS of choice. (using the disks that came with your computer) (if you want you can always play it safe and run linux or mac OS )

A computer that sucks to you may be a very big deal to most people. Also, the majority of people who use computers don't know anything about data recovery. You're looking at things from the perspective of someone who knows about computers, not your average person who got it so that they could have email and let their kids use it for school stuff. They're trying to better themselves and here comes some jerk-off who likes destroying things for their own ego...

I don't see much differance between that and kids who smash car windows for fun. Yeah, some people have insurance to cover it - after the deductable. A lot don't. Viruses are vandalism.

[Jack]

A lot don't. Viruses are vandalism.

Worse yet, they're shenanigans.

[gray]

Virus and Worms are already recognised as vandalism. This is part of why they are called attacks. However I don't think class war applies. Rude coders are common throughout the social strata. Likewise so are people who get a kick out of others misery. It is more common in the younger social strata, but you will find that older coders can be equally cocky, arrogant, elitist, and overbearing. Indeed some are happy to let loose virus attacks directed at a give company or group of individuals. Fortunately there are nearly as many positive developers out there as well, so the whole thing is a ongoing tug of war. Trouble is you have to give up a large amount of freedom for a totally secure machine.

On that note, don't buy into the new IBM "dedicated security chip" bullcrap that has been included in a lot of the newer Thinkpads. These "security chips" may help you secure local data, but they also help the Big Brother Media Groups to have more control on what you run on your machine. Both Palladium and TCPA are affronts to your liberty. Feel free to do the research.

[JaNell]

A lot don't. Viruses are vandalism.

Worse yet, they're shenanigans.

And we all know what shenanigans lead to...

[Jack]

And we all know what shenanigans lead to...

Wasn't it Yoda that said, "Horseplay leads to tomfoolery. Tomfoolery leads to shenangians. Shenanigans leads to drama!

Resist the power of the Dark Side.

[blindboy]

A computer that sucks to you may be a very big deal to most people. Also, the majority of people who use computers don't know anything about data recovery. You're looking at things from the perspective of someone who knows about computers, not your average person who got it so that they could have email and let their kids use it for school stuff. They're trying to better themselves and here comes some jerk-off who likes destroying things for their own ego...

I don't see much differance between that and kids who smash car windows for fun. Yeah, some people have insurance to cover it - after the deductable. A lot don't. Viruses are vandalism.

if you own a computer you should know how to back up and install your software period. I think that is all ben was saying.

As far as hackers go I think they serve a VERY important role in software evolution. Hackers and crackers force software companies to make their product better by pointing out its flaws. If the most fetid evil in the known universe would release software that actually had some security there would be virtually no need for hackers today. also you would have very few script kiddies.

[Seraph Antaine]

OK, but class war kind of implies that the script kiddies/crackers/hackers have a grudge against the poor. I think it's more of an innocent bystander/collateral damage thing. Script kiddies don't even really know that there are poor. They don't even really know how the pizza came to their door. My contribution to this war: I have a son coming. I will teach him to build his own computers. Also, I will teach him to mug script kiddies for the cash.

[JaNell]

if you own a computer you should know how to back up and install your software period.

That's nice in theory - but I should tell you that I know for a fact that there is one poster on this board to whom I had to explain how to save an image emailed to them, and there's another who can't figure out how to use email. I don't think that they should be excluded from using the computer if they're willing to learn. I owned a car long before I learned how to change a tire.

Also, I will teach him to mug script kiddies for the cash.

[blindboy]

That is why I put the word should in that sentence.

[Jack]

Let me propose an analogy based on JaNell's "car" analogy:

Malicious hackers (not "crackers", as ibbie pointed out) are basically doing things which would equate, in the car world, to cutting the brake lines or putting sugar in the gas tanks of millions of cars.

Yes, most viruses are little more than a pain in the ass, but many are very, very bad things which only a pissed-off 13-year-old Linkin Park fan would dream up, most likely due to vast free time and alienation.

It's not OK for a pissed-off kid to shoot people in school; by the same token, it is not acceptable for for a pissed-off kid to randomly infect the Internet with shit.

Just because an ex-Windows employee is pissed at the company is no reason to take it out on said system's users.

That's like getting fired from McDonald's and then putting rat poison in their Coke machine.