At first blush, it seems odd to ask if computer security is ethical. We are, in fact, comfortable with
what we are doing, but that is because we have asked the question of ourselves, and then answered
it to our own satisfaction.
There are several different aspects to the question. The first, of course, is whether or not
computer security is a proper goal. We think so; if you disagree with us about that, there is
probably a deep philosophical chasm between you and us, one that we may not be able to bridge.
We will therefore settle for listing our reasons, without any attempt to challenge yours.
First, in a technological era, computer security is fundamental to individual privacy. A great
deal of very personal information is stored on computers. If these computers are not safe from
prying eyes, neither is the data they hold. Worse yet, some of the most sensitive data—credit
histories, bank balances, and the like—lives on machines attached to very large networks. We
hope that our work will in some measure contribute to the protection of these machines.
Second, and more important, computer security is a matter of good manners. If people want to
be left alone, they should be, whether or not you think their attitude makes sense. Our employer
demonstrably wants its computer systems to be left in peace. That alone should suffice, absent an
exceedingly compelling reason for feeling otherwise.
Third, more and more of modern society depends on computers, and on the integrity of the
programs and data they contain. These range from the obvious (the financial industry comes to
mind) to the ubiquitous (the entire telephone system is controlled by a vast network of computers)
to the life-critical (computerized medical devices and medical information systems). The problems
caused by bugs in such systems are legion; the mind boggles at the harm that could be caused—
intentionally or not!—by unauthorized changes to any such systems. Computer security is as
important in the information age as were walled cities a millennium ago.
A computer intrusion has even been blamed for loss of life. According to Scotland Yard, an
attack on a weather computer stopped forecasts for the English Channel, and that led to the loss
of a ship at sea [Markoff, 1993b].
That the hackers behave badly is no excuse for us doing the same. We can and must do better.
Consider the question of “counterintelligence,” the activities we undertake to learn who has
been pounding on our door. Clearly, it is possible to go too far in that direction. We do not, and
will not, attempt to break into the malefactor’s system in order to learn more about the attacks.
Similarly, when we found that our machine was being used as a repository for pirated software,
we resisted the temptation to replace those programs with virus-infected versions. (But we did
joke about it.)
On the other hand, we do engage in activities that ring alarms if someone does the same thing
to us. For example, given that we log finger attempts, and trace back rusers calls, are we justified
in using those protocols ourselves? We also use telnet to connect to various services in an attempt
to learn a usable machine name. Is this an unethical probe of someone else’s system? On occasion,
we have had mail to a site administrator bounce; we have had to resort to things like hand-entered
VRFY commands on the SMTP port to determine where the mail should be sent. Is that proper?
Lures are somewhat more problematic. For example, our finger daemon will inform the
curious that guest is logged in, which is not the case; we have no real guest login. But the dummy
message tends to generate lots of attempts to use this nonexistent account, which in turn generates
lots of noise in our log files. Are we entrapping folks? This is a borderline case (though we
should note that real guest accounts are extremely rare these days); we are careful not to send our
usual warning notes in response to isolated attempts. Even repeated attempts are more likely to
generate a “please stop it; the log messages are bothering us” than a complaint to the site’s system
administrator.
The ethical issues go even further. Some people have suggested that in the event of a successful
attack in progress, we might be justified in penetrating the attacker’s computers under the doctrine
of self-defense. That is, it may be permissible to stage our own counterattack in order to stop an
immediate and present danger to our own property. The legal status of such an action is quite
murky, although analogous precedents do exist. Regardless, we have not carried out any such
action, and we would be extremely reluctant to. If nothing else, we would prefer to adhere to a
higher moral standard than might be strictly required by law.
Overall, we are satisfied with what we are doing. Within the bounds set by legal restrictions
(see Chapter 12), we do not regard it as wrong to monitor our own machine. It is, after all, ours;
we have the right to control how it is used, and by whom. (More precisely, it is a company-owned
machine, but we have been given the right and the responsibility to ensure that it is used in
accordance with company guidelines.) Most other sites on the Internet feel the same way. We are
not impressed by the argument that idle machine cycles are being wasted. They are our cycles:
we will use them as we wish. Most individuals’ needs for computing power can be met at a
remarkably modest cost. Finally, given the current abysmal state of host security, we know of no
other way to ensure that our firewall itself is not compromised.
Equally important, the reaction from system administrators whom we have contacted has
generally been quite positive. In most cases, we have been told that either the probe was innocent,
in which case nothing is done, or that the attacker was in fact a known troublemaker. In that case,
the very concept of entrapment does not apply, since by definition entrapment is an inducement to
commit a violation that the victim would not otherwise have been inclined to commit. In a few
cases, a system administrator has learned, through our messages, that his or her system was itself
compromised. Our peers—the electronic community of which we are a part—do not feel that we
have abused their trust.