
Ethics, Privacy, and Hacking 2


CajunCenturion

Programmer
Mar 4, 2002
We've seen over the past several weeks quite a few statements regarding the importance of the "right to privacy" and the "right to anonymity". Understandably, violations of privacy are deemed to be unethical.

We've also seen a few people adopt the position that there is nothing ethically wrong with benignly hacking into another's system.

Can we reconcile these two positions? Can it be okay to ethically hack into someone's system and at the same time, not unethically violate their right to privacy?

Or is there a hierarchy of these ethical conundrums? And if so, what is the order of precedence and why?

Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein
 
We're talking about permission issues here.

My right to privacy is my ability to grant or withdraw the permission of others to examine the activities of my life. If I want you to see pictures of my kids, I will offer to show them to you -- it would be an ethical violation of my permissions to demand that I present the photos. And the withdrawal of permissions requires that I take a deliberate action to revoke the right. I cannot have sex in the front windows of my house and expect privacy without closing the curtains.

Hacking a system is another facet of the same issue. I have the authority to grant or withdraw permissions to my system, and to violate that authority is an unethical act.

And there is no such thing as a right to anonymity. Anonymity is the expectation that you can have privacy without making the action of withdrawal of permission to your life. It is unreasonable to think that you can have sex on a public street and no one will look.

The problem is digital security as it intersects with my privacy rights. I must delegate to others the authority to grant or revoke permission to view the records of the activities of my life. When someone hacks a computer system that houses my records, it is a violation of my privacy because that person has violated the authority of the server administrators and because the server admins derive their authority, either explicitly or implicitly, from my and others' proxy of our right to grant or control access.

For me to say, "I was just looking" when I hack a system is immaterial. The very act of my having violated the permissions by breaking in is the ethical violation.


Want the best answers? Ask the best questions: TANSTAAFL!
 
I agree with sleipnir for the most part (I only add that caveat in case I didn't read closely enough :) )... that's the reason "ethical hacking", involves hackers who are solicited by an individual to break, or attempt to break, the security on their system.

Performing security checks of your own volition to help people is not ethical. Comparing this to a house makes it so simple. If an individual comes into your house and does nothing but stand in your foyer, they're still obviously going to upset you and are causing you fear if nothing else.

IMO, The sticky widget comes in on going in and doing something specifically helpful (IOW, "just looking doesn't cut it"). I have on several occasions gone into unlocked cars to turn off their headlights, I see no ethical violation here, at the same time, if the individual spotted me reaching into their car, I would expect that I need to explain myself. Is there a comparison in the computer world? I'm not sure... obviously if the car's owner were nearby I would've notified them of the headlights rather than going in the car, when looking at computers, is there ever a situation where you should do something instead of just notifying the owner, I can't see it... but then again I can't even see the situation where I should absolutely know they don't want their computer to be in a certain state, whereas I feel safe assuming the man who parked outside the movie theatre doesn't want a dead battery when he returns.

-Rob

 
There is something close to the "turning off the headlights" metaphor -- suppose that I built a device that finds cars with their headlights on and turns them off automatically?

How about a worm that plugs the vulnerabilities exploited by other worms?


Want the best answers? Ask the best questions: TANSTAAFL!
 
And that link says just why that could still be a bad idea.

So now what would the ethics be if that worm just notified the administrator of that box rather than trying to plug the hole? Then what're your responsibilities if someone grabs your code that's crawling around noticing certain vulnerabilities and uses it to exploit them instead, or notify a ne'er do good of all the machines which are compromised rather than the machine's owner.

Here, as in many ethical arguments, the ethics cross quickly with pragmatism, and what may not be a direct ethical violation, may lead to a pragmatic exploit of the situation.

I hope I'm making sense.

-Rob
 
Sleipnir says:
"I cannot have sex in the front windows of my house and expect privacy without closing the curtains."


As difficult a metaphor as it is (!) - I would suggest that leaving a telnet server running on your machine which doesn't require a password is tantamount to leaving the curtains open. Sticking a video camera through the window may be a bit rude, but glancing through the open window is hardly criminal!

Alas, the difficulty with IT is too many people leaving not just the curtains, but also the front door wide open and a bunch of signs in the street saying "open house this way".


<marc> i wonder what will happen if i press this...
 
Yes, you're making sense.

But if you take my position that any unauthorized hacking is unethical, there is no ethical/pragmatic quandary.

Let's build a hypothetical app. If and only if this app is a 'bot, and it can detect whether a given machine is vulnerable without actually attempting to exploit the vulnerability, it presents the notification to the given machine's admin by email, then I think it would not be unethical to fire it up.


Want the best answers? Ask the best questions: TANSTAAFL!
 
Suppose you did build a device that finds cars with their headlights on and turns them off automatically. How would it know if the owner intended to leave them on or not?

Suppose the car in question is parked on the shoulder of a road at night, and the owner has left the lights on to illuminate a vehicle in front that is changing a flat tire ( or tyre if you're in Europe :).

Along comes your magic device, and shuts the headlights off at a critical moment, the jack slips because they can't see what they are doing, and the person is entrapped ( or worse ) beneath the other car?

But, back to the topic at hand, the question was : Can it be okay to ethically hack into someone's system and at the same time, not unethically violate their right to privacy?

I would say that it is not possible. I don't even think that it's possible to ethically hack into *someone else's* system in the first place.

But, let me ask a question. In my car, the ECU ( Computer ) for the car had a speed limiter in it, that would automatically reduce the speed if it went over 140 MPH. This was fairly easily defeated by removing a specific resistor from the circuit board. Was I "hacking" the system, even though it was my own vehicle? Do you think this is ethical?

What if I went so far as to modify the ECU so that, when connected to an emissions control tester ( using OBD III testing built into all newer cars ), that it would automatically give out data that would have the vehicle pass the test no matter what the actual emissions were?

Robert
 
"If and only if this app is a 'bot, and it can detect whether a given machine is vulnerable without actually attempting to exploit the vulnerability,"

ah, utopia...what a world :)

<bot hypothesis>
- you can monitor / log traffic hitting you.
- some of the traffic may exhibit symptoms of a vulnerable system (e.g. a remote PC seemingly attempting malicious script against your web server)
- however, there is (as far as I'm aware) no way to ascertain the vulnerability of a remote system without taking action against it (port scan, etc).
</bot>

- if you could then log into the remote PC, say via telnet - w/o p/w - or log in using the relevant worm's standard p/w.
(bear in mind many worms / trojans are controlled via telnet or similar)
- if successful you have affirmed the vulnerability.

- this may or may not be considered "exploiting" the vulnerability - you ARE accessing the remote machine at this stage. But this is a way to confirm the vulnerability without actually invading the remote system.

Remember, the above hypothesis is not malicious in any way, it merely confirms the presence of a specific (pre-detected) vulnerability.
Despite this, these potential actions ARE ILLEGAL in many countries.

<marc> i wonder what will happen if i press this...
 
On the car issues, I don't think the issues are the hacking, it's the ensuing usage, hence the reason you hacked the system. And further, you need to take into effect reasonable and likely uses for the system you've hacked. It doesn't count if you designed a chemical for the defense department with the intent of simplifying cleaning ovens, but it has this little side effect of being able to wipe out millions of lives.

So, if you want to take your car to the track, or otherwise drive it responsibly over 140 MPH, and you're the only one with access to the vehicle (security always makes ethics more fun doesn't it? especially in the computer world), there's not really an ethical issue there.

If you hack the emissions with the intent to deceive an emissions tester, then I think the obvious problem comes out as soon as you read the word deceive (assuming we don't want to debate the ethics of emissions testing).
 
to respond to the original question:
"Can it be okay to ethically hack into someone's system and at the same time, not unethically violate their right to privacy?"


lots of "ethically"s in there, but to rephrase slightly...
"Can you hack into someone's system without violating their right to privacy?"


My answer is a categorical YES.
Machine X runs a telnet server. No password.
I telnet to machine X. Machine X connects. I then disconnect.

I have "hacked" (unauthorised access, remember) this machine without invading the owner's privacy, examining files, etc. The only information I now have is that Machine X runs a telnet server, and there is no password.

To suggest that having those 2 pieces of information is a breach of privacy is to take the concept of privacy to (what is IMO) an unnecessary extreme.

<marc> i wonder what will happen if i press this...
 
manarth,
My only input here is regarding connecting to a computer running telnet without a password. From both the ethical and legal standpoints, can that even be considered "unauthorised access"? In my opinion, if they wanted to keep people out, they would set up at least some attempt at security. By leaving it open without a password, it seems to me to be like the house with the front door wide open and the open house sign. It's not unreasonable to expect somebody to wander in.

However, if somebody were to wander in and take something, that would be a different story...
 
manarth: Even though you haven't had a free look see at what is in the machine you have entered, you are still entering. If we want to continue the house metaphor, you have walked up to the house, jiggled the handle to see if it would open, entered the house, then left again without really looking around to see what they have in their house.

Have you still entered the house? yes.

Even if there is no password, the second you gain access to someone's computer you have entered it. The level of skill involved in gaining access has nothing to do with it. You have entered someone's system without asking or receiving permission.

-Tarwn

 
The car analogy is flawed as well.

We assume the car is the remote machine.
What are the lights? The closest I can figure is that they are some sort of program that is attempting to break into other machines and is leaving messages on log files on your server. This is still a stretch, but acceptable in my mind.

1) So first we check all the doors to see which are unlocked, ie randomly hit ports or portscan to see what's open.
2) Then we open the door and reach in. In other words we find an open port and gain entry
3) Then we turn the lights off. I don't think actually turning the lights off was part of anyone's posts, I have yet to see someone say "disable the virus/trojan before leaving"
4) Then we leave again, locking the door behind us. Again, no one has yet said close the port before logging off.

The car analogy would be closer if you stated it like this:
I saw someone get out of a car in a manner that made me think it wasn't their car. I decided to walk up and check all of the doors to see if they were unlocked. Upon finding an unlocked door, I opened it, stuck my head in, then closed it again, leaving the door unlocked.


Also with the house example, if you're portscanning you're not only jiggling all the doorknobs, you're also trying to see if any windows are unlocked.

-Tarwn

 
Gentles:
I think we've begun arguing the metaphors rather than debating the topic. And I think we should keep comparisons to the law out of the mix, too. There are too many activities that, while legal, are unethical. And vice versa.

manarth:
The telnet idea is an interesting one. If I had deliberately left the telnet port open and you connect, then you have not violated my authority -- I have given tacit permissions to any and sundry.

But if I left it open by oversight or ignorance, the case is not the same. I haven't given you permission to connect to my system and I never intended for you to connect to my system. In this case, you have violated my authority.

But the interesting question is, how are you supposed to know with which case you are dealing before you connect? Or even afterward? The only way you can know for sure would be if after you connect I've put up an MOTD banner which reads, "Welcome! Please come have your way with my system!" In any other case, you can't definitively know whether I have granted you permission to be there.

As such, I think that the act of connecting alone would have to be unethical. But my thinking fails me here -- the only thing I can fall back on is that in the absence of proof that an act is ethical, you must assume it is not. (Which leads me down interesting but unproductive lines of thinking as to whether we should define an ethical act positively or negatively -- do we assume that an act is unethical until proven otherwise, or vice versa?)

Want the best answers? Ask the best questions: TANSTAAFL!
 
Rounders quote (ok probably a paraphrase):

It is unethical to let a fool keep his money.


More apt quote... though I shamefully forget the author...

All it takes for evil to prevail is for good men to do nothing.

Let's not forget the flipside to this argument, we're all in too much agreement here :). On some level, do you have an ethical responsibility (or is it moral...) to inform the individual about the open telnet session you've discovered? Sure you shouldn't exploit it, but these aren't headlights or an open frontdoor that the owner will immediately spot on their return... it's more like a basement window with a broken lock. If I'm in a friend's house and spot one of those, I think I'd be remiss to not say hey buddy, you should get that looked at, someone's gonna grab this stereo if you're not careful. And would feel quite the guilt if I kept my mouth shut and a week later listened to the story of the missing stereo.

Or argument two, it's certainly unethical to enter a house uninvited we've all said, but what about if I walk by and through the windows I see an attack happening, few people would attack me on ethical grounds for going in and stopping it... more than likely a true statement even if I violate strong security to do so. (Notice the flaw again like the car lights, I must have a HIGH level of certainty here)

Anyway, I agree that these situations don't come up often in computers, they just aren't direct correlations... but in some ways they're close, and I think we'd be sloppy to not consider the legitimate disagreements :)

Have a good weekend all!

 
Edmund Burke deserves the credit for the quote
"All it takes for evil to prevail is for good men to do nothing."

manarth - Your re-phrasing of the question has changed considerably the nature of the question. In fact, you take the notion of ethics out of the question, making it much simpler. If you'd like to start a thread simply dedicated to hacking and privacy, then please do so.

The question that I asked was worded specifically to bring ethics into the discussion with respect to both hacking and privacy, which it seems to have. There seems to be a general consensus, as evidenced by the various analogies, that the intent of the act is a key element in judging how ethical the act is. If that is the case, then it stands to reason that based on intent, it may be ethical to hack into another system, for example, if the intent is simply to report the security hole. The twist comes in that in addition to your own intentions, I think you must also take into account the desires of the one on whose behalf the action is taken, which has also clearly been identified as a key parameter in the analogies. If the person whose machine is vulnerable feels that the intrusion, even if beneficial, is a violation of his or her right to privacy, does that now make the hack unethical?

This leads down to another interesting point of discussion.

Suppose that I hack into another person's machine to inform them of a security hole. Their reaction is one of great appreciation. Have I acted ethically? Have I invaded their privacy?

Suppose that I hack into another person's machine to inform them of a security hole. Their reaction is one of great anger and they call the police. Have I acted ethically? Have I invaded their privacy?

In both cases, I have done exactly the same thing, with the best of intentions, but with completely different results. But have the ethics changed?

To me it’s simple. In either case, I have acted unethically, and I have invaded their privacy. Under no circumstances, regardless of intent, is hacking into another system ethical. To hack into another system is to invade their space, and that violates their privacy.

The End does not justify the means.

The notion of taking the privacy concept to an extreme is an interesting one. Continuing with that line of reasoning, one has to ask, "Where do you draw the line?" No matter who or where the line is drawn, it will be arbitrary and subjective. Do we want to define our privacy boundary rights on such a slippery slope?

Let's assume that it's my machine that you've found to be a telnet server without password protection. You have hacked that machine and obtained these two pieces of information. Previously, you stated that you do not believe this to be a violation of my privacy. Do I have any say so over whether that's a violation of my privacy? I think so. I don’t think you’d want me to define what your privacy boundaries are. That being said, it’s up to me to enforce those boundaries. I do need to close the curtains. I do need to close and lock the door. But just because I’ve left the door open, and made it easy for you to get in, does not mean that I’ve extended an invitation.

Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein
 
CajunCenturion: my point about rephrasing the question was one of semantics. There are too many questions rolled into one sentence in the post.

"Can it be okay to ethically hack into someone's system and at the same time, not unethically violate their right to privacy?"


I think we agree (or at least understand in this context) that violating the right to privacy is unethical. So we can drop the use of the word there. Which gives us:

"Can it be okay to ethically hack into someone's system and at the same time, not violate their right to privacy?"


And at this point, I do see two meanings here. Perhaps I did cut down the question a bit too much...

ALL:
Here's the questions, rephrased again :)
Q1. Can you hack into a system without violating privacy?
Q2. Is it unethical to hack into a system even if you don't violate privacy?


In my haste to simplify, I did miss the second meaning.

A star to sleipnir, for spotting the reason why I chose the analogy of a telnet server. Even after I have disconnected from the server, I have no idea if it was one the owner placed online deliberately and is happy for users to peruse, or if the owner simply was unaware.

Consider the following anonymous connection:
I don't know every single web address in the world.
If I don't know the address, I sometimes guess.
e.g. I'd guess Starbuck's site to be or Now if I access this site, I may actually be trying to connect to their private intranet site.
If it isn't password protected, the first I'll know about it is when I see "Starbucks. For internal use only" or some other company stuff.
If I try to connect to am I actually behaving unethically?
After all, I haven't seen the web address in an advert, I have no idea if they have given permission for the public to access that site. All I did was guess the URL.

My point is, unless password protection is in place, or a notice saying "do not access this without my prior permission", connecting is not behaving unethically.

With the huge scope of users running their own (ftp/web) servers these days (and being happy for the public to use them), it is quite legitimate to assume a server allowing anonymous login / no password is open to all.

And a final point for you all: Google's bots don't stop at the front gate...if the door is open, they walk right through. So even a listing on Google is no guarantee that the site owner has given people permission to be there.

<marc> i wonder what will happen if i press this...
 
manarth - I think we agree (or at least understand in this context) that violating the right to privacy is unethical.
Not so sure. Consider the example by skiflyer, where the person sees an attack taking place thru an open window, goes in and stops the attack? Could this be considered an ethical invasion of privacy? Is it unethical to invade another machine to terminate a process initiating a DOS attack?

I purposely phrased the question that way because of the interplay between the related issues. I respectfully request that if you want to ask your own questions, then please start your own thread. I will be glad to clarify the question if needed, but please do not take the liberty of changing other people's questions.

My point is, unless password protection is in place, or a notice saying "do not access this without my prior permission", connecting is not behaving unethically.
In my opinion, in the absence of PW and no access provisions, to determine whether or not connecting is ethical is based on why you are connecting. I do not believe that it's ethical by default, but rather, it falls back on the intent behind the connection. In your Starbucks example, based on intent, there is nothing unethical. On the other hand, I could be connecting for nefarious purposes, but because there is no PW or no access provision, do you still feel that it's ethical for me to proceed with my connection?

Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein
 
<teasing>
ah, you mean you're asking the Q, "is it unethical to commit nefarious acts?"
</teasing> sorry, couldn't resist :)

I don't think it's the connection that's the issue, IMO it's the subsequent actions which may be unethical.

nefarious. i now have visions of bond-enemy type villains, stroking white cats and plotting :)

<marc> i wonder what will happen if i press this...
 