BIS2060 Ethical, Legal and Professional Issues of Computing 2000/2001 

 
 
 
 
 
Week 2: Unauthorized Access (Computer Hacking) 
Lecturer: Harjinder Rahanu

 
 
 
 
 
contents 
hacking definition

definition of a hacker

psychological profile of a hacker

hackers: democratic versus totalitarian state, inc. the political philosophy of Confucius

hackers: security consultants

worms, trojan horses and time bombs

legal constraints: computer misuse act, 1990

legal constraints: the computer fraud and abuse act

professional constraints: ACM code of ethics and professional conduct

ethical position on hacking



seminar activity

 
 
 
 
 
hacking definition
The computer ethicist Duncan Langford views hacking as an emotive term. He states that back in the 1960s and 1970s hacking was used to describe an individual working with computers who was technically gifted. In these infant times for computing there was no implication that someone known as a computer hacker would act illegally. However, the social and computing environment has changed greatly since then and, as tends to happen with language, the use of the term hacker ‘expanded and its definition broadened’. 

Langford (1995) argues that despite historical claims his definition of hacking is 
‘obtaining and exploiting unofficial access to a computer system’ 


 
 
 
 
 
definition of a hacker
In The Hacker's Dictionary (Forester and Morrison, 1990) the authors outline at least seven different definitions of a hacker: 
  • A person who enjoys learning the details of computer systems and how to stretch their capabilities, as opposed to most computer users, who prefer to learn only the minimum amount necessary
  • One who programs enthusiastically, or who enjoys programming rather than just theorizing about programming
  • A person capable of appreciating the hacker ethic*
  • A person who is good at programming quickly
  • An expert on a particular program, or one who frequently does work using it or on it
  • An expert of any kind
  • A malicious inquisitive meddler who tries to discover information by poking around. For example, a password hacker is one who tries, possibly by deception or illegal means, to discover other people's computer passwords. A network hacker is one who tries to learn about the computer network, possibly because he / she wants to improve it or possibly because he / she wants to interfere
The currently accepted view of a hacker is someone who uses a specialized knowledge of computer systems to obtain illegal access to them. Probably, too, once they have obtained access to a system, a hacker would be expected to steal and corrupt data (Langford 1995).
*There are five principal values comprising the Hacker Ethic: 
  • Access to computers, and anything which might teach you something about the way the world works, should be unlimited and total. Always yield to the hands-on imperative
  • All information should be free
  • Mistrust authority - promote decentralization
  • Hackers should be judged by their hacking, not bogus criteria such as academic excellence, age, race or position
  • You can create art and beauty on a computer
The focus of the Hacker Ethic is, perhaps understandably in the circumstances, on the hacker. Among the areas left out are the rights of owners and users of computer systems, and consideration of a computer scientist's responsibilities to them. 

 
 
 
 
 
psychological profile of a hacker
‘Typical actions taken by hackers include breaking into both public and private databases, sometimes just to see if it is possible, sometimes for more serious reasons, for example, altering grades in a school computer or altering credit rating. Information on how to accomplish these and other tasks is sometimes posted - anonymously, of course - to specialist bulletin boards. Serious hackers may use a succession of computers as staging posts, to route a continuing series of attacks on different systems. The book Cuckoo's Egg, by Clifford Stoll describes how military computers in the USA were attacked by hackers in Germany through a whole series of staging posts. It is obviously much more difficult to trace an attack made in this way to its source’ (Langford, 1995) 

A recent PriceWaterhouseCoopers study revealed that 59 percent of all companies with Websites experienced one or more security break-ins during 1997. Moreover, this figure is probably too low because many of these incidents usually go unreported. One of the more notorious and widely publicised security breaches happened to the New York Times on September 13, 1998. Their website server was invaded by a group of belligerent hackers who posted pornographic material and printed this threatening message for all to see: 

FIRST OFF, WE HAVE TO SAY . . . . WE OWN YOUR DUMB ASS. S3COND, TH3R3 AR3 SO MANY LOS3RS H3R3. ITZ HARD TO PICK WHICH TO INSULT MOST. 

The site had to be closed for nine hours while IT personnel cleaned up the offensive messages and plugged the hole. (Spinello, 2000) 

To answer the question of why hackers hack, and to offer explanations for the behaviour described above, clearly some amount of intellectual challenge may be involved. Analogous to solving an elaborate crossword, the guessing of passwords and inventing means of bypassing file protections poses intriguing problems that some individuals will go to enormous lengths to solve (Forester and Morrison, 1990). In other instances, hacking has involved acts of vengeance, usually by a disgruntled employee against a former employer. For others, hacking represents a lifestyle that rests upon severe social inadequacy among otherwise intellectually capable individuals - the so-called computer nerd syndrome.

Computer Nerd Syndrome
The computer nerd syndrome particularly affects male adolescents between the ages of 14 and 16. For psychologists such as Sherry Turkle of MIT, hackers are individuals who use computers as people substitutes, basically because computers do not require the kind of mutuality and complexity that human relationships tend to demand. 

Other researchers at Carnegie-Mellon University have provided evidence that partially supports this view: Sara Kiesler and her co-workers have investigated the social psychology of computer mediated communication and found that this medium removes status cues, such as sitting at the head of a table and body language, and provides a kind of social anonymity that changes the way people make decisions in groups. Their investigations into computer conferencing and electronic mail highlighted that group decision making discussions using this medium exhibited more equal participation and a larger coverage of issues. 

However, despite this, the limited bandwidth of the computer screen, i.e. its lack of feedback in the form of body language, etc. often causes users to seek substitutes for it. For example, in the absence of any other non-verbal mechanisms to communicate their emotions, electronic mail users often substitute a depiction of their face to represent how they are feeling or how their message should be interpreted. The following collections of keyboard characters are often used to represent a smile, a wink and a sad face respectively: 

:-)     ;-)     :-( 

Forester and Morrison (1990) conclude: 
‘the form of communication that computers require, even when communicating with other human beings, may indeed be attractive to those who feel less competent in face-to-face settings where the subtleties of voice, dress, mannerisms and vocabulary are mixed in complex ways. Those who are less skilled in dealing with these sources of information may therefore retreat to more concrete and anonymous forms of interaction with a machine, while those who are limited by these communication modes attempt to extend them to incorporate more naturalistic features of communication when dealing remotely with other human beings.’ 


 
 
 
 
hackers: democratic versus totalitarian state, inc. the political philosophy of Confucius
Democratic versus Totalitarian State
It is argued that for the sake of balance a truly democratic society should possess a core of technically gifted but recalcitrant people. Given that more and more information about individuals is now being stored on computers, often without our knowledge or consent, is it not reassuring that some citizens are able to penetrate these databases to ascertain what is going on? Thus it could be argued that hackers represent one way in which we can help avoid the creation of a more centralized, even totalitarian government. 

Indeed, at the time of the Chernobyl nuclear power station disaster in the former Soviet Union, hackers from the Chaos Computer Club released more information to the public about the developments than did the then West German government itself. All the information was gained by illegal break-ins carried out in government computer installations. 

Hacking has the potential to cause enormous harm by utilizing resources that have tremendous power. Yet we should not forget that there are other, equally powerful and much older ways in which similar powers can be unleashed (Forester and Morrison, 1990). Leaks to the press, espionage of all kinds and high quality investigative journalism, for example, such as that which uncovered Watergate and the Iran-Contra affair, have the power to break a government's control of information flow to the public, and can even destroy corporations or governments that have been shown to be guilty of unethical or criminal activities.

Political philosophy of Confucianism
There is a remarkable parallel between Confucius and Plato, both of whom were deeply immersed in philosophizing about the ideal state in which justice would be administered by a wise and virtuous ruler, and in which the concept of the common good, benevolently supervised, would form the governing consideration. They differed to this extent: whereas Plato advocated the principle of guardianship, whereby a ruling class would be educated and fashioned to rule the state without fear of contradiction in their just rule, Confucius considered the populace as an intelligent and critical check against wrong tendencies in government. 

Confucius' theory of government was at once paternal and democratic. The ruler is father of his people, and his right to rule is the order of nature. He is moreover responsible in detail for the welfare, both material and moral, of his people. On the other hand, the highest source of wisdom is the people themselves - they know what is good for them - vox populi, vox dei. His humblest subject is the ruler's equal, and revolution against tyranny is a duty. 

Thus it could be argued that hackers represent the humblest subject whose duty is to revolt against the tyranny of a totalitarian state. The hacker, in the true sense of Confucianism, helps avoid the creation of a more centralized and totalitarian government. This relates to the third principle of the Hacker Ethic in promoting decentralisation.

George Orwell, Nineteen Eighty Four
George Orwell was a novelist, essayist and critic famous for his savagely angry satirical novels Animal Farm and Nineteen Eighty Four. His distrust of authority and all political parties inspired Nineteen Eighty Four, an elaborate satire on modern politics prophesying a world perpetually laid waste by warring dictators. The novel above all pictures the horrors of totalitarianism pursued to the limit, the very horrors that hackers help avoid.
From an Ethical Perspective
  • From an ethical perspective, does the outlawing of hacking bear any resemblance to attempts to outlaw the politically extreme parties?
  • Is it equivalent to criminalizing investigative journalism just because journalists have been known to obtain information unlawfully?

 
 
 
 
hackers: security consultants
Security Consultation
In many instances the breaching of systems can provide more effective security in future, so that other, presumably less well intentioned, hackers are prevented from causing real harm. Given the possibility of terrorist acts becoming more and more technologically sophisticated, perhaps we can also look to hackers as a resource to be used to foil such acts and to improve our existing security arrangements. Forester and Morrison (1990) highlight that 
‘to some extent this is already happening: in the US, convicted hackers are regularly approached by security and intelligence agencies with offers to join them in return for amelioration or suspension of sentences. Other hackers have used their notoriety to establish computer security firms and to turn their covertly gained knowledge to the benefit of commercial and public institutions.’ 

 
 
 
 
worms, trojan horses and time bombs
Some individuals, often describing themselves as hackers, anonymously release destructive software known (because of both the manner and ease with which they spread) as computer viruses.
Trojan Horse
The term comes from Homer's Iliad. In the Trojan War, the Greeks presented the citizens of Troy with a large wooden horse in which they had secretly hidden their warriors. During the night, the warriors emerged from the wooden horse and overran the city. In computers, a Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk. A Trojan horse can be considered a virus if it is widely redistributed.
Logic Bomb or Time Bomb
A program which is triggered to act upon detecting a certain sequence of events or after a particular period of time has elapsed. For example, a popular form of logic bomb monitors employment files and initiates systems damage, for example, erasure of hard discs or secret corruption of key programs, once the programmer's employment has been terminated. A simple variation on the theme is to have a logic bomb virus, that is, a virus that begins to replicate and destroy a system once triggered by a time lapse, a set of pre-programmed conditions coming into existence, or by remote control using the appropriate password.
Virus
A virus is a piece of programming code inserted into other programming to cause some unexpected and, for the victim, usually undesirable event. Viruses can be transmitted by downloading programming from other sites or be present on a diskette. The source of the file you're downloading or of a diskette you've received is often unaware of the virus. The virus lies dormant until circumstances cause its code to be executed by the computer. Some viruses are playful in intent and effect ("Happy Birthday, Ludwig!") and some can be quite harmful, erasing data or causing your hard disk to require reformatting.
Vaccine or Disinfectant
Vaccine or Disinfectant software is a class of program that searches your hard drive and floppy disks for any known or potential viruses. The market for this kind of program has expanded because of Internet growth and the increasing use of the Internet by businesses concerned about protecting their computer assets. Here are three of the most popular anti virus programs. You can download free trial copies from their sites.  Some vaccines are general purpose programs which search for a wide range of viruses, while others are more restricted and are only capable of identifying a particular virus type. Other forms of virus protection include isolation of the infected system(s), use of non-writable system discs so that viruses cannot copy themselves there and testing of unknown software (particularly public domain software downloaded from bulletin boards) on a minimal, isolated system.
Worm
A worm is a type of virus or replicative code that situates itself in a computer system in a place where it can do harm. There are viruses (such as Melissa) that don't ‘worm themselves in’ to a place where they can do much harm and simply replicate themselves by e-mail to many computers. Like most computer viruses, worms usually come in Trojan horses. Worms tend to exist in memory and are non permanent, whereas viruses tend to reside on disc where they are permanent until eradicated. In addition, worms are network orientated, with 'segments' of the worm inhabiting different machines and being cognizant of the existence of the other segments in other nodes of the network. Worms actively seek out idle machines and retreat when machine load increases.
Tempest
The term refers to the electronic emissions that computers generate as they work. With the right equipment, these transmissions can be monitored, stored and analysed to help discover what the computer was doing. 

 
 
 
 
 
legal constraints: computer misuse act, 1990
Historical perspective
‘It had long been assumed in the UK that hacking was illegal; but in 1988 the House of Lords eventually decided to the contrary. Concern following this decision led to the Law Commission Working Paper on Computer Misuse. This paper, after a general examination of the problems, made several specific recommendations for changes in the law. In 1989 the Tory MP Emma Nicholson promoted a Private Member's Bill to combat hacking but later withdrew it, following Government promises to legislate. However, despite these promises, no official Government measures were taken. In 1990 another private member, Michael Colvin, introduced a second private bill on computer misuse. Although this bill incorporated recommendations from the Law Commission paper, the penalties recommended by the Commission were greatly increased. The Bill eventually became the Computer Misuse Act in August 1990.’ (Langford, 1995)
The Act introduces three new criminal offences: 
  • Unauthorized access to computer material: Described as simple hacking - that is, using a computer without permission. This now carries a penalty of up to six months in prison or a £2000 fine, and is tried in a Magistrate's Court
  • Unauthorized access to computer material with the intent to commit or facilitate commission of further offences: This section of the Act covers actions such as attempting to use the contents of an email message for blackmail. This is viewed as a more serious offence; the penalty is up to five years' imprisonment and an unlimited fine
  • Unauthorized modification of computer material: This section of the Act covers distributing a computer virus, or malicious deletion of files, as well as direct actions such as altering an account to obtain fraudulent credit
The latter two offences are tried before a jury. The Act also includes the offences of conspiracy to commit and incitement to commit the three main offences. This aspect of the Act makes even discussion of specific actions which are in breach of the main sections questionable practice. It is sufficient to be associated with an offender in planning the action, or to suggest carrying out an action which is illegal under the Act, to be in a position to be charged.
International Computer Crime (Jurisdiction)
The Act attempts to cover international computer crime. An individual can be prosecuted in the UK under the 1990 Misuse Act as long as there is at least one 'significant link' with the UK. For example, 
‘hacking into a computer in Milan from a computer terminal in London is illegal, as is hacking into London from Milan. Interestingly, using the UK as a staging post is also illegal under the Act - breaking into the Pentagon from Milan via a UK university is illegal, and could result in UK prosecution, even if the hacker had never been in England.’ (Langford 1995) 

 
 
 
 
 
 
legal constraints: the computer fraud and abuse act
‘The Computer Fraud and Abuse Act (CFAA), which was last amended in late 1996, is evidence that the US legal system has begun to take the issue of unauthorised access more seriously. The provisions of the act protect the confidentiality of proprietary information and make it a crime to "knowingly access a computer without or in excess of authority to obtain classified information". The statute also makes it a crime to access any "protected computer" without authorisation and as a result of such access to defraud victims of property or to recklessly cause damage. Protected computers include those used by the government, financial institutions, or any business engaged in interstate or international commerce. Thus, trespass is a federal crime if one does so to pilfer classified information, to perpetrate fraud, or to cause damage (for example, to destroy files or disable an operating system). The only strict trespass provision of the statute protects computers used on a full time or part time basis by the government from unauthorised access, even if no damage is done and no information is stolen.’ 

‘All the states, with the exception of Vermont, have also enacted their own computer crime statutes, which, in some cases, go beyond the scope of the Computer Fraud and Abuse Act. Specifically, most state laws make unauthorised use of computers a crime regardless of the circumstances.’ (Spinello, 2000) 


 
 
 
 
 
 
professional constraints: ACM code of ethics and professional conduct
General Moral Imperative 2.8: Access computing and communication resources only when authorized to do so 

Theft or destruction of tangible and electronic property is prohibited by imperative 1.2 - "Avoid harm to others". Trespassing and unauthorized use of a computer or communication system is addressed by this imperative. Trespassing includes accessing communication networks and computer systems, or accounts and/or files associated with those systems, without explicit authorization to do so. Individuals and organizations have the right to restrict access to their systems so long as they do not violate the discrimination principle (*imperative 1.4). No one should enter or use another individual's computer system, software, or data files without permission. One must always have appropriate approval before using system resources, including communication ports, file space, other system peripherals, and computer time. 



*imperative 1.4: The values of equality, tolerance, respect for others, and the principles of equal justice govern this imperative. Discrimination on the basis of race, sex, religion, age, disability, national origin, or other such factors is an explicit violation of ACM policy and will not be tolerated



 
 
 
 
ethical position on hacking
Simple Hacking
When a hacker gains access to a system and rummages around in a company's files without actually altering anything, what damage has he / she caused? Have they simply stolen a few thousandths of a penny's worth of electricity (Theft Act of 1968)? Indeed, if the hacker informs a company of their lax security procedures, is he / she creating a public benefit by performing a service that they might otherwise have to pay for? In some countries, for example, Canada, it is not an offence to walk into somebody's residence, then look around and leave - as long as nothing has been altered or damaged. Can a hacker's walk through of a system be considered in similar terms?
Information Ownership
Should information about me be owned by me? Or should I, as a database operator, own any information that I have paid to be gathered and stored? On the other hand, given that the storage of information is so pervasive and the very functioning of modern society relies upon computer based data storage, does the public have a right to demand absolute security in these systems? Finally should some hackers be regarded as our unofficial investigative journalists, finding out who holds what information on whom and for what purposes; checking if corporations are indeed adhering to the data protection laws; and exposing flagrant abuses that the government cannot or will not terminate? 

With regard to the private sector we might even question what right a company has to hold information on individuals and what right it has to deny individuals access to that information. For example, many commercial institutions tap into databases which hold the credit ratings of hundreds of thousands of people. The providers of these databases have collected information from a huge range of sources and organized it so that it constitutes a history and an assessment of our trustworthiness as debtors. Who gave these companies the right to gather such information? Who gave them the right to sell it, which they do, along with subscription lists, names and addresses? What limits are there on the consequences of this information for the quality of our lives? What rights should we have in ensuring that our particulars are correct? 

Now, if we imagine a hacker penetrating a system so that he / she can correct the records of those who have been denied correction of incorrect data, which of these entities, the database owner or the hacker, has committed the greatest ethical error, or are they both equally guilty?

Computers: material possessions?
‘If computers are viewed as material possessions, then electronic entry to a computer system can be looked on as very similar to physical entry into an office or home. Unless there is a specific invitation, or previous permission to enter, this is trespass, if not unlawful entry. Hackers have a typical defence though: they are entering to test for loopholes in the software. Is this realistic? If challenged, many hackers claim to know a friend of a friend, who was paid by a large company to test its computer systems for security loopholes. This is, of course, comparable to paying a burglar to attack your home in the hope that the burglar may reveal security weaknesses.’ 

Langford pursues the analogy further and argues 
‘What would most people think of someone who broke into your home and went through your desk, reading whatever letters and personal material they happened to find? On the face of it, there seems, so far, to be a clear legal and ethical case against hacking into someone else's computer system.’

However, Langford does highlight a second position on hacking which follows the contention that computers are not to be viewed as material possessions, belonging to one business, or another. There is, the view runs 
‘an undefined global community of computing, where the physical ownership of each machine is secondary to the benefit of its users. Sometimes, taking the Internet as a limited example, supporters claim that exploring this electronic world is somehow above such considerations as yours or mine - electrons belong to no one. If there is a cost, big business can afford to pay it.’ 

Langford elaborates 
‘There are clear strengths to the idea, particularly in view of the advantages of openness. The general enrichment which tends to come from wide information distribution may mean developers never have to reinvent the wheel, or needlessly design from scratch which already exists elsewhere.’ 



 
 
 
 
 
seminar activity
Activities:
1. Read Chapter 8, Legal Constraints in (Langford, 1995). How is the Data Protection Act, 1998 invoked in cases of computer hacking?
2. Read Chapter 6: Securing the Electronic Frontier (Spinello, 2000). How are the property rights of Web site owners transgressed?
3. You are encouraged to consult the website www.jbpub.com for additional resources. List 4 general works on computer hacking.
Review Questions:
1. What are the characteristics that define a computer hacker?
2. From an ethical perspective, is the outlawing of hacking equivalent to criminalising investigative journalism just because journalists have been known to obtain information unlawfully?
3. There is a long history of the state protecting people from information they ought not to possess. Do you think there is information the citizen ought not to have? Who decides what it is, and on what grounds?
4. List forms of destructive software a computer hacker can release.
5. What legal remedies are available for cases of unauthorised access?
6. Would you permit a stranger to walk into your residence, then look around and leave, altering and damaging nothing? Think through your reasons for this response.

 




REFERENCES

CORNWALL, H (1985)
The Hacker’s Handbook
Century Communications

FORESTER, T. AND MORRISON, P. (1994)
Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing
London: MIT Press

HSU, L.S. (1975)
The Political Philosophy of Confucianism
London: Curzon Press

LANGFORD, D. (1995)
Practical Computer Ethics
London: McGraw Hill Inc.

LANGFORD, D. (1999)
Business Computer Ethics
Addison-Wesley, pp. 116-118.

SPINELLO, R. (2000)
Cyber ethics: Morality and Law in Cyberspace
Jones and Bartlett Publishers



 
 