Legal and Ethical Aspects of Computer Hacking
ECE4883 Internetwork Security
Georgia Institute of Technology
Acknowledgement: Kiran Tajani
In Class Today
- Hacking
- Policies
- Ethical Constraints
- Legal Constraints
What is Hacking?
- An event where one enjoys learning the details of a computer system
- A culture where people find their computer and its surroundings fascinating.
- The process of creating a new program or making changes to existing programs using complicated software
- Hacking is Art
Types of Hacking
- Three types
  - Good Hacking
  - Bad Hacking
  - Dangerous Hacking
Morals of Hacking
- Ways of hacking
  - Ethical Hacking
  - Inform first
  - For fun
Hacktivism
- The use of hacking to promote a political cause
- Modern form of civil disobedience
- Political form of cyber-terrorism
- A cover for ordinary pranks
Hackers
- Termed by the media
- Hacker: "a person who enjoys exploring the details of programmable systems and how to stretch their capabilities; one who programs enthusiastically." (New Hacker's Dictionary)
Then VS. Now
- Different types:
  - Novice
  - Crackers
  - Experts
  - Dangerous
  - Ethical
Hacker's Morals
- Why hack?
  - They DON'T have morals
- What's in it for them?
  - Promote tighter security
  - Detect flaws and patches
Learn to Hack
- Hacking Schools
- Hacking Classes
  - They exist?
  - What do they teach?
Schools:
- Zi Hacademy, Paris
- Civil Hacker's school, Moscow
- The Hackers Compendium
- The Law
Ethical or Not?
- So who is responsible for the outcome from these teachings?
  - It's the teachers
    - They are the ones teaching such techniques and tools.
  - It's the students
    - They are responsible for the actions they decide to take after learning tools to protect themselves.
The Law
- What types of policies are in place?
- How do they differ from each other?
- What kind of defined lines are there?
- Should these be there?
- Are these clear enough?
United States Code Title 18
- Part 1 > Chapter 119 > Section 2511
  - Interception and disclosure of wire, oral, or electronic communications prohibited.
- Part 1 > Chapter 121 > Section 2701
  - Unlawful access to stored communications
Georgia Computer Systems Protection Act
- HB 822
- Computer Invasion of Privacy
  - "Any person who uses a computer or computer network with the intention of examining any employment, medical, salary, credit, or any other financial or personal data relating to any other person with knowledge that such examination is without authority shall be guilty of the crime of computer invasion of privacy."
Patriot Act
- USA Patriot Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
- U.S. government's anti-terrorism policy
Homeland Security
- Department of Homeland Security
- AKA: National Police Force
- Connect 22 different Agencies
- Exchange of information becomes a norm
- Centralized institution with the power to keep track of computer and email usage
Georgia Institute of Technology
- Computer and Network Usage Policy
  - Available for all students and faculty
- Authorize users and uses
- Privileges for individuals
- User Responsibilities
  - Access to Facilities and Information
Ethical and Legal Constraints
- How easy is it to catch hackers and how many hackers have been caught?
- Are these policies good enough?
- Do the current policies actually define the limits of hacking?
- Can companies hack into their own systems and find vulnerabilities?
- Can others find vulnerabilities for them without being asked to?
What if?
- A Georgia Tech student uses their personal PC and the school's network to do a port scan on a commercial web site.
- A Georgia Tech student uses their personal PC and a commercial ISP to do a port scan on a commercial web site.
- A Georgia Tech student sends a spoofed mail from the school account that appears to come from another user.
- A Georgia Tech student uses a school computer and password guessing software to access and crack the administrator password.
- A Georgia Tech student discovers that another user failed to log off when departing. The student uses the account to send an inflammatory email to the department chair.
References
1. Pfleeger, Charles. (2000). Security In Computing (2nd ed.). Upper Saddle River, NJ: Prentice Hall PTR.
2. From RedDragon on IRC, handed to newbies. January 16, 2001. http://newdata.box.sk/2001/jan/are.you.a.hacker.html
3. Protect Yourselves From Hackers CDs. 2002. http://www.onedollarcds.com/hack
4. Vasilyev, Ilya V. Civil Hackers' School. April 12, 1999. http://klein.zen.ru/hscool/
5. Coomarasamy, James. Learning to Hack. December 1, 2001. http://news.bbc.co.uk/1/hi/world/europe/1686450.stm
6. Georgia Computer Systems Protection Act. Last Modified: June 29, 2002. http://www.security.gatech.edu/policy/law_library/gcspa.html
7. Title 18, Part 1, Chapter 119, Section 2511. Interception and disclosure of wire, oral, or electronic communications prohibited. US Code Collection. http://www4.law.cornell.edu/uscode/18/2511.html
8. Title 18, Part 1, Chapter 121, Section 2701. Unlawful access to stored communications. US Code Collection. http://www4.law.cornell.edu/uscode/18/2511.html
9. Minow, Mary. The USA PATRIOT Act and Patron Privacy on Library Internet Terminals. February 15, 2002. http://www.llrx.com/features/usapatriotact.htm
10. Bush Homeland Security bill nears passage by US Congress. The Editorial Board. November 18, 2002. http://www.wsws.org/articles/2002/nov2002/homen18.shtml
11. Georgia Institute of Technology Computer and Network Usage Policy. Office of Information Technology. Last Modified October 20, 2003. http://www.oit.gatech.edu/information_security/policy/usage/
12. Baase, Sara. A Gift of Fire: Social, Legal, and Ethical Issues for Computers and the Internet. 2nd edition. Prentice Hall. 2003. Page 289.
13. Palmer, C.C. Ethical Hacking. International Business Machines Corporation. Copyright 2001. www.research.ibm.com/journal/sj/403/palmer.html
14. Harvey, Brian. Computer Hacking and Ethics. April 1985. www.cs.berkeley.edu/~bh/hackers.html
15. Shell, Barry. Ethical Hacking. Georgia Straight Weekly, Vancouver, BC. September 14, 2000. http://css.sfu.ca/update/ethical-hacking.html