2. Spafford’s Points Against Hacking:
1. Ethics should be measured by an act itself, not its consequences.
2. Hacker break-ins are immoral acts.
3. They are never ethical regardless of circumstances.
4. Computer professionals need to spread the word.
4. Morris Worm
• Reason-- Supposedly to expose security flaws
• Unexpected Result-- The worm ran amok
• Consequence-- Expensive damage at hundreds of locations
5. Morris was sentenced to three years’ probation, 400 hours of community
service, a fine of $10k, and costs of damage.
7. Why ethics theories?
• Spafford reminds us that to say something is
right/wrong, we need to know why…
• Intuitions are unreliable.
8. Two Big Ethics Theories Here
1. Consequentialism
• An act is right or wrong based on its effects
2. Deontology
• The act itself is right/wrong
• Effects don’t matter
12. Deontology
The act itself can be deemed right/wrong, independent of
consequences.
Why is this wrong?
13. Deontology
Also has problems:
1. Under-determines actions
• “treat workers like human beings”
• Can’t use workers as means– business problems?
2. Counter-intuitive results
• “are there Jews in your attic?”
14. Harder than it looks:
1. The problems are similar, and
2. Spafford says he likes deontology…
• But all of his arguments are
consequentialist.
15. From Spafford---
“A system of ethics that considered primarily only the results of our
actions would not allow us to evaluate our current activities at the
time when we would need such guidance; if we are unable to
discern the appropriate course of action prior to its commission,
then our system of ethics is of little or no value to us. To obtain
ethical guidance, we must base our actions primarily on evaluations
of the actions and not on the possible results.”
“We cannot know, for instance, if increased security awareness and
restrictions are better for society in the long-term, or whether these
additional restrictions will result in greater costs and annoyance
when using computer systems. We also do not know how many of
these changes are directly traceable to incidents of computer break-ins.”
19. Problems:
• Consider bank balances, medical records,
credit history, employment records, etc.
• The problem is both a matter of theft and of
being able to alter information.
• If everyone has access, how can we trust it to be
unaltered?
20. But notice:
• You still need a theory of privacy and property.
• Closed/proprietary may be bad for security.
• Room for a middle: CC licenses, etc.
21. They say: Hacker Ethic
“We show security problems to a
community that will not otherwise
notice.”
22. Spafford says:
People care about security – just report it!
“Your sprinklers don’t work!”
So I set a fire to show you…?
23. They say: Hacker Ethic
“Exposing security flaws is a service.”
Is this a service?
What could be the consequences?
24. Spafford says:
1. “Assumes there is some compelling need to force
users to install fixes” and
2. This need justifies break-ins
• Consider– Would it be justifiable to break in to a home
repeatedly to demonstrate its lack of security?
• Deontology– It must be universalizable (hints at this
through analogies, but never really says it…)
Let’s grant that (2) is false…
25. Spafford says:
“The claim is made that without highly-visible break-ins,
vendors will not produce or distribute necessary
fixes to software. This attitude is naive, and is neither
economically feasible nor technically workable.
Certainly, vendors should bear some responsibility for
the adequacy of their software, but they should not be
responsible for fixing every possible flaw in every
possible configuration.”
26. They say: Hacker Ethic
They are making use of idle machines not being
used anywhere near their capacity.
Therefore, they are entitled to use them.
27. Spafford says:
1) These systems are not meant for general use;
they serve specific purposes.
2) There is no other circumstance where
someone can buy and maintain a product and
then have others claim a right to it.
• What if someone stole your car and claimed that
you weren’t using it enough?
28. They say: Hacker Ethic
• Student Hackers claim to do no harm– they
are merely learning how systems work.
• Furthering education
• Cost Effective
• Harmless
29. Spafford says:
1) Writing vandalware and breaking into a
system has nothing to do with education.
2) People who are “learning” or “looking
around” can’t possibly guarantee that they
are not making changes or causing harm.
30. They say: Hacker Ethic
Some hackers who break into systems to watch for data abuse
are actually protectors with good intentions.
• “Keeping ‘Big Brother’ at bay”
Sounds noble---
31. Spafford says:
*Spafford agrees that there may be misuse of personal
data by both corporations and government.*
However—
1) This could actually cause more secrecy from such
agencies. (further restrictions to access such data)
2) Do we want hackers protecting us? Shouldn’t we be
relying on professionals and designers concerned with
our rights?
32. A complication:
While widely read and cited, Spafford’s paper is
from 1992.
How may the situation have changed since then?
33. A complication:
• Institutions hired security staff, but
• Most computers were less vulnerable then:
  • Internet was dial-up
  • Through proprietary or exclusive networks
34. A complication:
Today’s “massive set of always-on, powerful
PCs, many with high-speed Internet
connections and run by unskilled users, is a
phenomenon new to the twenty-first century.”
35. A complication:
Today, there may very well be a reason to “force
users to install security fixes.”
You owe it to me to get your vaccines.
36. Spafford also says:
• Not every site has the resources to patch software.
• Vendors can’t be responsible for everything users do.
• It would likely raise costs and be unappealing to users.
“It is unreasonable to expect the user community to
sacrifice flexibility and pay a much higher cost per unit
simply for faster corrections to the occasional security
breach. That assumes it was even possible for the
manufacturer to find those customers and supply them
with fixes in a timely manner, something unlikely in a
market where machines and software are often
repackaged, traded, and resold.”
40. In sum:
1. Internet security is a real problem.
2. The nature of the problem changes with the
technology.
3. Solving it requires balancing values like
privacy, property, openness, etc.
4. Ethics helps give us the tools to do that.
41. What do you think?
Should we consider some acts of hacking as
ethically permissible based on consequences?
Should we consider this action unethical in all
circumstances?