Sunday, December 4, 2011

ACTIVITY CASES


Activity 2.2
Research one of the following viruses, by either typing the keyword into a search engine or consulting one of the recommended texts:
  • NIMDA virus
  • I Love You virus
  • Melissa virus
  • Code Red virus
  • Anna Kournikova virus
  • MyDoom worm
How and where did the virus originate?
Who was responsible for creating and distributing it?
How did the virus work, and what effects did it have?
What prosecutions were brought, if any?
Answer:
The ILOVEYOU virus comes in an e-mail note with “I LOVE YOU” in the subject line and contains an attachment that, when opened, results in the message being re-sent to everyone in the recipient’s Microsoft Outlook address book and, perhaps more seriously, the loss of every JPEG, MP3, and certain other files on the recipient’s hard disk. Because Microsoft Outlook is widely installed as the e-mail handler in corporate networks, the ILOVEYOU virus can spread rapidly from user to user within a corporation. On May 4, 2000, the virus spread so quickly that e-mail had to be shut down in a number of major enterprises such as the Ford Motor Company. The virus reached an estimated 45 million users in a single day.
Two young Filipino computer programming students named Reomel Ramores and Onel de Guzman, show his intent, the NBI investigated AMA Computer University where de Guzman dropped out in his senior year. There, it was found that de Guzman was not only quite familiar with computer viruses, he had, in fact, proposed to create one. For his undergraduate thesis, he proposed the commercialization of a Trojan virus, one that innocently enters another computer but would later steal passwords, addresses, and files, much like the Trojan Horse. He contended that through the Trojan virus, the user would be able to save on, if not totally make do without, prepaid Internet usage cards since passwords could be obtained by the virus. The thesis proposal was rejected by the College of Computer Studies board, forcing him to drop out.
The attachment in the ILOVEYOU virus is a VBScript program that, when opened (for example, by double-clicking on it with your mouse), finds the recipient’s Outlook address book and re-sends the note to everyone in it. It then overwrites (and thus destroys) all files of the following file types: JPEG, MP3, VPOS, JS, JSE, CSS, WSH, SCT and HTA. Users who don’t have a backup copy will have lost these files. The ILOVEYOU virus also resets the recipient’s Internet Explorer start page in a way that may cause further trouble, resets certain Windows registry settings, and also acts to spread itself through Internet Relay Chat (IRC).
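The infection described above depends on a recipient opening a VBScript attachment. As an added example (not part of the original post), here is a mail-gateway style check in Python that flags script attachments and notes when the script extension sits behind a decoy one; the extension list, the sample message and its file names are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows runs as script on double-click.
# Assumed list for this example; a real gateway policy would be broader.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".sct", ".hta"}


def risky_attachments(raw_message: str) -> list[tuple[str, str]]:
    """Return (filename, reason) for every script-type attachment."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        # Windows ignores trailing dots and spaces, so strip them first.
        name = (part.get_filename() or "").strip().rstrip(". ").lower()
        stem, dot, ext = name.rpartition(".")
        if dot + ext not in SCRIPT_EXTS:
            continue
        # "note.txt.vbs" shows as "note.txt" when known extensions are hidden.
        reason = "script attachment"
        if "." in stem:
            reason = "script attachment behind decoy extension"
        findings.append((name, reason))
    return findings


def build_sample() -> str:
    """Constructed test message; attachment bodies are harmless text."""
    m = EmailMessage()
    m["Subject"] = "I LOVE YOU"
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m.set_content("constructed sample body")
    for filename in ("NOTE.TXT.vbs", "minutes.txt", "report.js"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample()):
        print(f"QUARANTINE {name}: {reason}")
```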
Activity 2.4
BCS Code of Conduct
Visit the British Computer Society (BCS) website and read through the BCS Code of Conduct at the following address: www.bcs.org/BCS/Join/WhyJoin/Conduct.htm
Consider which clauses in the BCS code of conduct are most relevant to hacking, and explain how and why.
Answer:
The BCS Code of Conduct sets out the professional standards required by the Society as a condition of membership. It applies to all members, irrespective of their membership grade, the role they fulfil, or the jurisdiction where they are employed or discharge their contractual obligations.
The clauses most relevant to the issue of hacking include the following:
Public Interest
  • You shall have due regard for the legitimate right of Third Parties.
    • Third parties could be considered as businesses, government bodies or the general public. Anyone who involves themselves in any kind of unauthorised access that entails alteration of data or the distribution of viruses and other malicious actions is capable of denying the rights of these parties.
Professional Competence and Integrity
  • You shall ensure that you have the knowledge and understanding of Legislation and that you comply with such Legislation, in carrying out your professional responsibilities.
    • Unauthorized access that constitutes an offense under any legislation would contradict this clause. This sets hacking in an international context, where computing professionals have a responsibility to be aware of, and understand, the jurisdiction of the law in the country in which they are working.
Duty to the Profession
  • You shall seek to improve professional standards through participation in their development, use and enforcement.
    • With this clause, hackers and the BCS Code of Conduct somehow go together in the idea of improving standards through participation. Hackers tend to penetrate system security and eventually expose weak points for improvement. In fact, hackers have also been called consultants, because breaching systems can provide more effective security in the future, so that other, presumably less well-intentioned, hackers are prevented from causing real harm.
Can hacking be consistent with any of these professional codes of conduct, or is it contrary to all of them?
Answer:
Hacking is neither totally consistent with any professional code of conduct nor contrary to all of them. In some respects it has something in common with some of the codes of conduct identified above. On the contrary, hacking could be a crime if, and only if, the intention is to penetrate systems for self-interest and later cause harm to the majority.

Activity 2.6
Can hacking be justified ethically, even when it involves breaking the law? How and under what circumstances?
Describe a situation where hacking might be excused on ethical grounds. You must support your argument with cases drawn from the Press, Internet articles or textbooks.
Answer:
Most acts of computer hacking are illegal.
However, not all hacking is illegal – sometimes, companies hire professional security testers to purposely hack into their systems to determine how safe they are. This is known as penetration testing, also called “white-hat hacking” and “ethical hacking.” While such activities are technically hacking, they are not illegal because the attackers have permission.
This doesn’t mean that any hacking for which permission has been granted is legal, however. If someone gives you permission to hack their system, but they do not own the system or its network resources, it can be illegal.

Monday, November 28, 2011

CASE STUDIES


Case 1
Three years ago, Diane started her own consulting business. She has been so successful that she now has several people working for her and many clients. Their consulting work included advising on how to set up corporate intranets, designing database management systems, and management advising about security.
Presently she is designing a database management system for the personnel office of a medium-sized company. Diane has involved the client in the design process, informing the CEO, the director of computing, and the director of personnel about the progress of the system. It is now time to make decisions about the kind and degree of security to build into the system. Diane has described several options to the client. Because the system is going to cost more than they planned, the client has decided to opt for a less secure system. She believes the information they will be storing is extremely sensitive. It will include performance evaluations, medical records for filing insurance claims, salaries, and so forth.
With weak security, employees working on client machines may be able to figure out ways to get access to this data, not to mention the possibility of online access from hackers. Diane feels strongly that the system should be much more secure. She has tried to explain the risks, but the CEO, director of computing and director of personnel all agree that less security will do. What should she do? Should she refuse to build the system as they request?


Answer:
Values and Ideals (Section 4.3, ACS Code of Ethics)
For the case presented, Diane had shown the following values and ideals:
  • Priorities. Diane had placed the interest of the majority first, above her personal interest and the interest of her client.
  • Competence. Diane had worked competently and diligently for her client by providing several options and recommending which options work best for her client.
  • Honesty. Diane had shown honesty by informing her client of the risks involved in a low-cost option which offers lower security for highly sensitive information.
  • Social Implications. Diane had strived for the enhancement of the quality of life of her client and those who are affected by her work by recommending that her client approve the creation of the system with higher security.
  • Information Technology Profession. Diane took care of protecting and enhancing the integrity of the Information Technology profession by raising concerns to her client that higher security is necessary for the implementation of the system.
If I were in Diane's place, the first thing that I would do is advise my client that the system which they are requesting to be built presents a conflict of interest with mine. I should explain to them that as a professional information technology practitioner, I must endeavor to preserve the confidentiality, integrity, and security of the information of others; that I must be able to preserve the continuity of information technology services and information flow in my care; and that I must consider and respect people’s privacy which might be affected by my work. If I am to build the system with low security, I will be risking the sensitive information of the majority of the users, which might endanger my client, the users, and my company.
As for this case, the following ethical standards should apply:
Priorities
  • I must endeavour to preserve continuity of information technology services and information flow in my care.
  • I must endeavour to preserve the integrity and security of the information of others.
  • I must endeavour to preserve the confidentiality of the information of others.
  • I must advise my client or employer of any potential conflicts of interest between my assignment and legal or other accepted community requirements.
  • I must advise my clients and employers as soon as possible of any conflicts of interest or conscientious objections which face me in connection with my work.
Competence
  • I must make myself aware of relevant standards, and act accordingly.
  • I must accept responsibility for my work.
Social Implications
  • I must consider and respect people’s privacy which might be affected by my work.

Case 2
Consider an HCI consultant with extensive experience in evaluating web sites and graphical user interfaces (GUI). She has just received an evaluation contract for a new accounting product made by Company A due to her prior experience with e-commerce site evaluation.
The work involves assessing the training requirements and the usability of the system. During the initial configuration of her usability laboratory, she becomes aware that the software she is to evaluate contains a GUI already patented by a rival Company B, which she evaluated several weeks before. Under her contractual arrangements, she is not allowed to discuss the evaluation of a product with anyone outside the contract. She therefore has an obligation to Company B not to provide information regarding their product to anyone else without their permission. She has a similar obligation to Company A. Can she continue with the evaluation? If she cannot continue with the evaluation, how does she inform Company A of the patent violation? Does she have an obligation to let Company B know Company A has copied their GUI?
Answer:
As a professional information technology practitioner, the HCI consultant should not continue the evaluation until the patent infringement issue is resolved. The first thing that she should do is to inform her immediate employer, Company A, of the patent infringement; however, due to contractual arrangements with the previous employer, Company B, she should not disclose information regarding the company and its product. Rather, she can only inform Company A that before she can continue with the evaluation, she must first help the two companies settle the infringement. What she will do is ask Company A for permission to contact the affected company and to share limited details regarding the patent infringement. If her immediate employer allows her, she can go to Company B and explain to them the current situation regarding the conflict of interest with Company A. She would then ask for permission to inform her immediate employer regarding the patent infringement, disclosing information about Company B and limited information about the patent being infringed. If Company B allows her to disclose any information, she would need to inform her immediate employer of the details of the infringement, so that Company A can avoid complications in the near future due to patent violations.
As for this case, the following ethical standards should apply:
Priorities
  • I must advise my client or employer of any potential conflicts of interest between my assignment and legal or other accepted community requirements.
  • I must advise my clients and employers as soon as possible of any conflicts of interest or conscientious objections which face me in connection with my work.
Competence
  • I must make myself aware of relevant standards, and act accordingly.
  • I must respect and protect my clients’ and employers’ proprietary interests.
  • I must accept responsibility for my work.
  • I must advise my clients and employers when I believe a proposed project is not in their best interest.
  • I must go beyond my brief, if necessary, in order to act professionally.
Social Implications
  • I must endeavour to understand, and give due regard to, the perceptions of those affected by my work.
Information Technology Profession
  • I must do what I can to ensure that the corporate actions of the Society are in accordance with this Code of Ethics.