Chapter 2 in the third edition began with a story that you should read. It describes a situation that you could find yourself in with no notice, should it occur. What would you do if you were servicing a computer and you discovered illegal material on it? Material that is forbidden by law and by company policy? Material that many would consider morally offensive? This happened in the case described in the chapter, and there is no Hollywood ending to the story. Think about the actions of the two technicians and the concepts of privacy and probable cause. Did they find the pornography on the computer in question in the course of their work, or did they violate the user's privacy? Did the user have a right to privacy on company-owned equipment? The details given in the story may not tell us all we need to know to make a judgment.
On page 40, the text begins a discussion of a specific meaning of the word "professional". The author provides a four-point list of criteria from the US Code of Federal Regulations. The first three criteria seem to apply to "learned professional" workers, and the fourth applies to "creative" professionals. In fact, in a web search, I only found these criteria being discussed as excuses to avoid paying minimum wages and overtime to people deemed to be professionals. I believe that the author is trying to make a point that sometimes an IT worker or administrator would meet the criteria to be considered a professional. However, on the next page, he presents an argument that legally IT workers are not considered professionals when they are not licensed by state or federal agencies, and are therefore exempt from malpractice suits. (CompTIA and other such certifying authorities are not government agencies.)
Changes to Professional Services
On page 41, the text summarizes a discussion from Ross Dawson, who tells us about seven forces changing professional services:
Actions in the Context of a Professional Relationship
The text continues with several discussions it says are about business relationships that an IT worker will have. Actually, the discussions are about the various crimes or unethical actions an IT person might take in the context of those relationships. In other words, the text discusses actions that IT staff might take, and groups those actions by the relationship that seems to relate to the action.
Relationship to Employer
The first relationship discussed is the relationship to an employer, but the first two paragraphs on page 43 are not unique to IT workers. Every employee should know the policies of his/her employer regarding wages, hours, duties, time off, and so on. Personal use of computers, email, and network resources are related to IT, but they are not issues unique to IT workers. Any employee might engage in prohibited use of an IT resource, not just the IT staff.
The text discusses software piracy, with regard to the fact that IT staff in an organization are sometimes tempted (or required) to pirate software to avoid the cost of licensed copies. This is always wrong if it is against the licensing requirements of the publisher, unethical as well as unlawful. In chapter one, the author remarked that software piracy "cost" publishers about 48 billion dollars in 2007. (In 2010, the Business Software Alliance estimated the cost as 59 billion dollars. See the link to their web site below.) In this chapter he describes that as lost revenue, which is more accurate. The failure to make a sale is not a cost, but it may be considered revenue that could or should have been realized. However we consider it, IT staff should not contribute to the problem. In addition to the other reasons for not being a pirate, doing so would implicate the employer, damaging the relationship which is supposed to be the topic of this section.
The text discusses the activities of the Business Software Alliance (BSA), an organization funded by member companies that acts on reports of piracy to find it, fine it, and stop it. The advantage to a company that is investigated by BSA is that the company may avoid court costs by agreeing to pay a fine and change its behavior. IT staff who have been told to pirate software can report their company to the BSA. The text states that BSA receives over 2500 reports a year.
The next topic is trade secrets, which are typically the methods used to do something. A company may choose not to copyright a process because doing so makes it a matter of public record. The Coca-Cola company, for example, keeps the recipe for Coke a trade secret that is known to only a few employees at a time. This has been a successful method for them since they started making Coke. Several formulae have been published, each claiming to be the one used by Coca-Cola, but there is doubt about each. How does this relate to IT staff? IT staff are frequently aware of manufacturing processes for hardware, features for software, bugs that are not yet public, and other company secrets that could be sold to a competitor. A person who shares this sort of information with people who are not supposed to know it is guilty of breaking any non-disclosure agreement they had to sign to get access to the information.
The text considers the topic of whistle-blowing, which may relate to the story at the beginning of the chapter. If you are not familiar with the term, a whistle-blower is an employee who reports criminal or unethical actions by an employer to appropriate authority. Sometimes a whistle-blower may profit from fines paid by the company, but it is also possible that the whistle-blower may suffer some kind of retaliation from the company if he/she continues to be employed there. Note that in the story about Oracle in the text, the whistle-blower who profited was a former vice president of the company. The facts that the employee was high ranking and no longer an employee may have provided some protection. Retaliation against whistle-blowers is illegal, but that does not stop it from happening.
Relationship to Clients
The text spends a few lines talking about doing work for a client, reaching an agreement about what is to be done and what the compensation will be. The text points out that clients will often not know precisely what they want, how long a job should take, or what they should pay. An ethical IT person should act with the best interests of both parties in mind when making recommendations in all of these areas.
A client should be cautious in evaluating a recommendation from an IT contractor that the IT person (or their company, or related company) provide additional services that are needed because of the initial service. The initial service may be diagnostic, and may lead to discovery of problems, but the service of those problems should be put out to bid. This discussion leads to a list of actions that are, or border on, crimes:
Relationship to Suppliers
The next section mainly deals with bribery. The text defines offering a bribe as making the offer of money, property, or favors to gain a business advantage. Bribes may be offered for other than business reasons, but that is the focus of the chapter. Remember that the person offering the bribe and person accepting it are both guilty if the bribery is a crime.
Bribes are considered unlawful in most places, but you should note the discussion of the Foreign Corrupt Practices Act (FCPA). On the one hand, it is a crime under this act to bribe a foreign official, a foreign political party official, or a candidate for foreign political office. On the other hand, such a bribe is not a crime under this act if the bribe is legal under the laws of the country in which it takes place. The text discusses an IT person receiving money from a vendor after making a decision to buy their product. This would be perceived as a kickback regardless of the reason for it, and it should not be accepted.
This takes us into a gray area where a code of ethics is helpful. Most of us would see nothing wrong with paying a tip in a restaurant to the server. Is it wrong for an IT professional to receive a tip or gift for their service? Is it wrong to pay the tip up front, before the service? Is it wrong to pay money to a maitre d'hotel to get a better table in a restaurant or a show room? Not if that's the way the system works. (Never been to Vegas? Don't go without a guide.) Is it wrong to allow someone to pay for this kind of service on your behalf if they are trying to influence your actions or your buying decision? Yes, it probably is, and you should consult your code of ethics before considering accepting such a "gift".
The text discusses differences between a bribe and a gift, the critical differences involving secrecy. In most cases, you will find that a code of ethics forbids accepting even a gift from anyone if you influence the company's decisions that affect that person or their company's income.
Relationship to Other Professionals
The text mentions that members of a profession often show what can be called professional courtesy to one another, extending cooperation and support to each other about their conduct and decisions. In the real world, it is often the case that IT workers either choose not to share information with each other or choose to keep all information to themselves. I think this has several causes. One is the myth that secret knowledge leads to job security, and another is the high incidence of a lack of social skills among IT workers.
Neither of those causes explains the incidence of résumé inflation, which the text tells us occurs in about 30% of all résumés. It will do little good to make a claim that you have knowledge or skill that you do not have unless you plan to get it in short order, or you are never actually asked to use it. When the lack is found out, having falsified information on a job application may be grounds for dismissal. In short, don't lie on your résumé because doing so is wrong, and because there is every chance that it will bite you in the end. I am aware of a recent hiring episode that fell through because the applicant failed a credential check. Yes, employers will actually check.
Relationship to IT Users
The most important points in this discussion appear to be understanding the end user's needs and capabilities, and providing an atmosphere in which ethical behavior is encouraged. You might do this by talking to users to find out what they need to know, then providing them with useful tip sheets or guides to hardware and software. You might also make sure that installation disks and image files are not kept where end users could take or copy them, avoiding the issue of unlicensed installation of company approved software. Locking down the user profiles so they cannot change a computer's configuration may irritate some users, but it also avoids the danger of their installing or removing software inappropriately.
Relationship to Society
This is a bit of a stretch. Some IT workers have job functions that affect people beyond their company and its customers, but this is the exception rather than the rule. If you are one of those few, you have the same obligation that any worker has whose work affects the public. The public trusts that those who serve it will do a decent job of protecting their interests. With regard to IT work, it may be a bit like an observation made by Edmund Burke, an Irish statesman, about the duty of a representative of the people: "Your representative owes you, not his industry only, but his judgment; and he betrays instead of serving you if he sacrifices it to your opinion." What does this mean for an IT worker? It means that you must use your judgment about what you do, which is more informed than that of someone without your special knowledge of your job.
Codes of Ethics
The text proceeds to discuss what a code of ethics might contain. On page 53, there is a short list of four benefits that might be obtained by having and using a code of ethics:
The text lists several organizations for IT workers whose codes of ethics appear in the appendices. As it states, no one organization is considered preeminent over the others, and each has had a particular focus at one time or another for particular kinds of work. Which one you might choose to belong to may relate more to the job you have or are pursuing than to differences between the organizations themselves.
Certifications and Licensing
A certification is typically obtained by passing a standardized test over a body of knowledge that is meant to show a level of proficiency or expertise in the subject. The text lists several types of certifications that an IT worker could obtain. It divides them into certifications from particular vendors (e.g. Cisco, Microsoft, Oracle) and certifications from industry associations (e.g. CompTIA, SANS, PMI). The problem, historically, is that about half of IT shops tend to care about certifications, and about half do not. This may be related to the fact that there is no standard body of knowledge that an IT professional is expected to have, so no one certification will serve to prove your usefulness to any given organization. Many students graduating from good programs have nothing to put on a résumé but their grades, degrees, and certifications, while many people who "came in the back door" have nothing to show but their experience. The text makes a point that pursuit of certifications by employees can provide training in current hardware/software, and can improve an employee's knowledge, improving their value to the company.
Governments typically do not license IT professionals, perhaps because of the lack of a knowledge standard to measure. There is no standard to hold an IT generalist to, only standards that apply to specific products. The text mentions that Great Britain, Australia, Ontario, and British Columbia have established licenses for software engineers, but these are exceptions rather than common practices.
It has already been discussed that IT workers have been held exempt from malpractice by court rulings, but the text brings up some related issues. To understand, you need to understand some phrases from this discussion:
So, if a court relies on the assumption that an IT worker is not a professional in terms of malpractice, it could still find that the worker failed to act as a reasonable person or a reasonable professional should have. The more knowledge and experience a person has with a problem or procedure, the more the public and a court would reasonably expect that the person could do. It's like Stan Lee said: with great power comes great responsibility.
Ethics for IT Users
"IT users" are practically everyone. There are few workers anywhere who do not use IT services in one way or another. The distinction made by the text in this section is more about the ethical problems faced by people who are not IT workers.
Piracy is possible any time software may be copied or installed without proper licensing. Some applications, in fact, allow a licensed user to install two (or three) copies of the same software under the same license, with the understanding that only one of those copies would be in use at any given time. This allows a user to install something on their work and home computers without being guilty of failing to buy another license. This kind of license is typically available to individual purchasers, and does not apply to the kind of software installed by IT staff in large companies. Piracy is possible when IT staff leave installation disks for software with site licenses lying around. Employees typically misunderstand the situation: the company has not paid for unlimited installations of the software, it has merely paid for lots of installations of it. Eventually, "lots" becomes "no more".
Inappropriate use of resources is possible for all employees, including IT staff. Any person using company resources for unlawful purposes is subject to dismissal and prosecution. What employees must understand is that some activities that are lawful at home are considered grounds for dismissal if conducted at work, because they are against the allowed use policy of the company.
Inappropriate sharing of information is an IT problem if the company views sensitive information as an IT asset. It is possible to reveal information over the phone, over the Internet, by fax, by email, in person, or any number of other ways a thief can devise. All should be avoided unless the holder of the information has reason to give it to a requester.
It is a responsibility of the IT staff to provide instruction to users by various means to help them avoid unethical decisions.
Chapter 3 begins with another story, but this time it should be review, as much of this chapter should be. On page 85, the text offers some questions to help us think about ethics issues related to security measures that either are or are not taken. We will discuss these in class.
The text offers a list of four reasons for increasing numbers of computer incidents:
We should review some terminology:
Infecting software is divided into viruses and worms. A virus typically requires a carrier to infect a system, like an email, an instant message, or a program that the user runs. A virus typically has two tasks: replicate and damage. Some viruses have historically been rather benign, just displaying a message to the user. The ones that cause damage to a system are categorized by the method they use or the damage they cause:
Worms: once started, a worm replicates itself across connected computer systems by itself. It does not need a carrier. A worm can attack any running computer that is connected to a network that an infected computer is on: it does not require cooperation from the user. Worms are more dangerous due to their self-driven nature. Once a worm is detected on a system, each device on the network must be scanned for it, cleaned if necessary, and kept off the network until this is done, or you run the risk of continued propagation of the worm.
Trojan horse programs are named for the myth of a wooden horse that was used to smuggle Greek soldiers inside the walls of Troy. A program of this sort has two aspects: what we are told it does, and what it actually does. In some cases, Trojans may do what they say, but they also have a hidden malicious purpose which is what puts them in this category. A classic ploy used by Trojans is to pretend not to be a program at all. The text gives an example of a file that has a .exe extension, but the characters .docx occur in the name immediately before it. If a Windows computer is using the default (idiotic!) configuration, the actual .exe extension will be hidden from the user, and the user may think it is only a Word document.
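The double-extension trick described above is easy to check for in code. The following is an added example, not from the text: a small Python filter that flags file names whose last extension is executable while the extension just before it looks like a document, and a helper that shows what a user would see when Windows hides known extensions. The extension sets and the padding handling are assumptions for this example, not a vendor list.

```python
import os
from typing import List

# Extensions Windows will run directly (a common subset; assumption for this
# example, extend it to match local policy).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}

# Extensions a user would expect to see on a harmless document or picture.
DOCUMENT_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".txt", ".jpg", ".png"}


def displayed_name(filename: str) -> str:
    """Approximate what File Explorer shows when 'hide extensions for known
    file types' is on: the final extension is stripped, so 'report.docx.exe'
    is shown as 'report.docx'. (Simplification for the example.)"""
    return os.path.splitext(os.path.basename(filename))[0]


def is_disguised_executable(filename: str) -> bool:
    """True when the real (last) extension is executable and the extension
    immediately before it is a document extension, e.g. 'invoice.pdf.exe'.
    Whitespace padding such as 'invoice.pdf      .scr' is also caught."""
    name = os.path.basename(filename).lower()
    root, last = os.path.splitext(name)
    if last.strip() not in EXECUTABLE_EXTS:
        return False
    _, inner = os.path.splitext(root.rstrip())
    return inner.strip() in DOCUMENT_EXTS


def flag_attachments(names: List[str]) -> List[str]:
    """Return the subset of names that should be quarantined or at least
    shown to the user with their full extension."""
    return [n for n in names if is_disguised_executable(n)]


if __name__ == "__main__":
    # Constructed sample attachment names for demonstration.
    sample = ["quarterly report.docx.exe", "quarterly report.docx",
              "setup.exe", "invoice.pdf      .scr", "photo.jpg"]
    for n in flag_attachments(sample):
        print(f"suspicious: {n!r} would be displayed as {displayed_name(n)!r}")
```

A mail gateway or help desk script can run `flag_attachments` over incoming attachment names; the point of `displayed_name` is to show why the default Explorer setting matters: the user sees a document name and never sees the `.exe`.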
A logic bomb is not a bomb. It is malware that waits for a logical condition to occur before it executes its mission. A classic case was the Michelangelo virus that only executed on the birthday of Michelangelo Buonarroti (which, as everyone knows, is March 6th). Other examples are given in the text. Some act like "dead man switches", where the malware engages if it is not regularly reset, or if a person's ID is removed from a network. A logic bomb can be hidden in a much larger program, making it difficult to find.
A newer wrinkle in malware is the botnet. This has been around for a while, but it is a refinement and step back from the others at the same time. A botnet is a network of computers that have been infected, turned into robots (aka zombies), that can be used for any of several kinds of attacks. The refinement is the creation of a network of infected machines on one mission. The step back is the brute force aspect of the attacks. The attacker (the bot herder) does not depend on finesse or subtlety, he uses more points of attack to meet his goal.
A Denial of Service (DoS) attack is one in which multiple computers are used to tie up all available connections to a system, preventing real users from making a connection or receiving service. When a botnet is used, the attack is called a Distributed Denial of Service (DDoS) attack.
One method takes advantage of typical connection behavior. The attacking computer sends a request to connect, a SYN signal. The victim system replies with an ACK (acknowledgement) and a SYN request to complete the connection. The victim waits for a return ACK from the attacker which is never sent. By itself, this is not a problem, as the connection is eventually dropped. However, imagine it happening thousands of times a second. A real requester stands little chance of getting into the system.
Another method is to send ping requests to many devices, but with the source address forged so that the replies go to the server that is the real victim. Ping is a flexible command. Among other things, you can tell it how many times to repeat. Send to lots of devices with lots of repeats, and you may flood the server with responses from other devices. This is called a smurf attack.
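Both of the attacks just described leave a recognizable pattern in traffic logs: a SYN flood shows up as many handshakes that open but never complete, and a smurf attack shows up as ping replies arriving at a host that never sent the requests. The following is an added example, not from the text, of detection logic over a constructed packet list. The `Packet` record, the field names and the alert thresholds are assumptions for the example, not any product's format.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since start of capture
    proto: str  # "tcp" or "icmp"
    src: str
    dst: str
    info: str   # tcp: flags "S", "SA" or "A"; icmp: "echo-request" or "echo-reply"


def half_open_connections(packets: Iterable[Packet]) -> Dict[str, Set[Tuple[str, str]]]:
    """Per server address, the (client, server) pairs whose handshake opened
    with a SYN but never completed with the client's final ACK."""
    opened: Set[Tuple[str, str]] = set()
    completed: Set[Tuple[str, str]] = set()
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.info == "S":
            opened.add((p.src, p.dst))
        elif p.info == "A" and (p.src, p.dst) in opened:
            completed.add((p.src, p.dst))
    result: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for client, server in opened - completed:
        result[server].add((client, server))
    return dict(result)


def unsolicited_echo_replies(packets: Iterable[Packet]) -> Dict[str, Set[str]]:
    """Per receiver, the hosts that sent ICMP echo replies the receiver never
    asked for. Packets must be in time order so requests precede replies."""
    requested: Set[Tuple[str, str]] = set()   # (requester, target)
    unsolicited: Dict[str, Set[str]] = defaultdict(set)
    for p in packets:
        if p.proto != "icmp":
            continue
        if p.info == "echo-request":
            requested.add((p.src, p.dst))
        elif p.info == "echo-reply" and (p.dst, p.src) not in requested:
            unsolicited[p.dst].add(p.src)
    return dict(unsolicited)


def detect(packets: Iterable[Packet], syn_threshold: int = 100,
           smurf_threshold: int = 20) -> List[str]:
    """Return human-readable alerts. Thresholds are constructed for the
    sample; real deployments tune them per host and per time window."""
    ordered = sorted(packets, key=lambda p: p.ts)
    alerts: List[str] = []
    for server, pairs in half_open_connections(ordered).items():
        if len(pairs) >= syn_threshold:
            alerts.append(f"possible SYN flood against {server}: "
                          f"{len(pairs)} half-open connections")
    for victim, senders in unsolicited_echo_replies(ordered).items():
        if len(senders) >= smurf_threshold:
            alerts.append(f"possible smurf attack against {victim}: "
                          f"unsolicited echo replies from {len(senders)} hosts")
    return alerts


def sample_capture() -> List[Packet]:
    """Constructed traffic: one honest client, then the two attack patterns.
    Addresses are documentation ranges, not real hosts."""
    pk = [Packet(0.00, "tcp", "10.0.0.5", "192.0.2.10", "S"),
          Packet(0.01, "tcp", "192.0.2.10", "10.0.0.5", "SA"),
          Packet(0.02, "tcp", "10.0.0.5", "192.0.2.10", "A"),
          Packet(0.10, "icmp", "10.0.0.5", "192.0.2.10", "echo-request"),
          Packet(0.11, "icmp", "192.0.2.10", "10.0.0.5", "echo-reply")]
    # 150 SYNs from forged source addresses; the SYN-ACKs are never answered.
    for i in range(150):
        src = f"203.0.113.{i + 1}"
        pk.append(Packet(1.0 + i / 1000, "tcp", src, "192.0.2.10", "S"))
        pk.append(Packet(1.0 + i / 1000 + 0.0005, "tcp", "192.0.2.10", src, "SA"))
    # 40 hosts replying to pings that 192.0.2.10 never sent.
    for i in range(40):
        pk.append(Packet(2.0 + i / 1000, "icmp", f"198.51.100.{i + 1}",
                         "192.0.2.10", "echo-reply"))
    return pk


if __name__ == "__main__":
    for line in detect(sample_capture()):
        print(line)
```

The honest client in the sample completes its handshake and receives a reply to its own ping, so it never counts toward either alert; only the forged SYNs and the unrequested replies do. Counting over the whole capture keeps the example short; a real monitor would count per second, since the text's point is the rate, not the total.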
A DoS attack against a wireless network can be carried out by jamming the frequencies the service uses. A second method of attacking a wireless system uses an aspect of CSMA/CA. A wireless system can use explicit acknowledgement, which means that each data unit (frame) that is received intact must be acknowledged by an ACK sent by the receiver, like a permission to send again. If the sender does not get an ACK in a reasonable time, the data stream is sent again, but new data is not. This ties up the system with repeated data frames.
The text continues to discuss rootkits. At first, the rootkit sounds like a resident virus that replaces operating system files with its own. There are similarities, but one difference is that a rootkit is much more extensive, and another is that the rootkit obtains elevated privileges to carry out its stealth actions. The resident virus may replace one program on the computer, which will then do some harm to the system. The rootkit opens a door for lots of malware. How?
Have you ever seen a movie about a robbery in which the robbers send false information to security staff (like a video loop) that shows all is well, while the robbers proceed to steal whatever they want? That's kind of what a rootkit does. The rootkit assumes the role of a trustworthy part of the operating system. It will stand between the user and security software on one side, and other malware doing whatever it wants on the other.
The intention of the rootkit programmer may not be malicious. In 2005, Sony installed a rootkit installer on their audio CDs which had the goal of preventing computer users from copying those CDs. Their intent was not malicious, but it changed a PC without the user's consent, and it made the PC vulnerable to security exploits. The first is just wrong, and the second is worse: it opened a vulnerability that could be exploited. As the saying goes, the road to hell is paved with good intentions.
Detection and removal of a rootkit can be difficult, but it is worth trying before formatting the hard drive and starting over. The Sophos company, for example, has a free download that is supposed to be good at finding and removing these problems. Here is another one from Kaspersky. Students should do an internet search for tools from the vendor of their choice.
Spam is unsolicited email, but most email is unsolicited. It matters more that spam is email that is sent to many users with the intent of selling them something. That is not so bad, but the fact that spamming is cheap, easy to do, easy to set up, and offers fast returns compared to other kinds of marketing all add up to the fact that spammers send thousands of such messages to all of us every day. Too much to deal with, for most of us. Like our text for CSS 211, this book ignores the idea of spam filters on email accounts. As I observed for that class, Google does a fine job of filtering out the spam, and putting it in a folder for me to check, in case their filter is wrong. (Sometimes it is wrong in the sense that some spam is mail I actually want to read. Can you think of an example from your own mailbox?)
Our text brings a new spin to the spam discussion: spammers may want a continuous supply of new email accounts, which they can set up by automated processes unless their robots are foiled by methods like CAPTCHA. CAPTCHA is meant to present a distorted text image that a human can read, but a machine cannot. I find CAPTCHA is often difficult to read. The example in the text is not bad, but it is not common in my experience. Look at the Wikipedia article on the subject. The third version of distorted text is more like what I commonly see: letters and numbers stretched and smashed so much that I can't tell what they are supposed to be. Mission accomplished, I suppose, but also an ethical point. If I have to use the system multiple times to get what I want from it, has the company made my life hard enough that I will go elsewhere for the service I wanted? Is it ethical to impose a security barrier that turns away legitimate traffic as well as robots working for spammers?
The text moves on to the problem of phishing, solicitation of personal or company information through an official looking email. A variation on phishing is listed: spear phishing - sending the email to specific people, customizing it to look like a message sent to them by an entity with some of their personal information already. Where spam typically is looking for a customer, phishing scams are looking for a victim to steal something from. Sort of gives you a warm feeling for the friendly old spammer, doesn't it? The fourth edition of the text adds two more terms. Smishing involves using SMS text messages for the phishing attempt. Vishing uses voice mail as the attack medium. Other than that, the methods and results are similar.
The text discusses some categories used to classify attackers:
The text moves on to explain a new term: trustworthy computing. The text tells us that this is a goal of many vendors. The Microsoft version is used as an example that has four components, shown as four pillars of a Greek temple on page 102 (which is a bit silly).
The four components are related enough that they appear to overlap.
The text changes topic again to discuss risk assessment, which was also covered in CSS 211. In this text, the concept of risk assessment includes the related concepts of asset identification, threat identification, vulnerability assessment, risk assessment, risk management, and risk mitigation. Review the notes from this lesson from CSS 211, then come back here.
The next section is about security policies, which is also a review of material from CSS 211. It reminds us that a policy defines what should be done, and a standard establishes how to do it. This text includes guidelines in the concept of defining methods, where the CSS 211 text defined guidelines as recommendations.
The text continues for several more pages discussing IT security issues that seem unrelated to ethics. They are, however, related to legal issues which is the other focus of this course, if not the titular focus of the text. Review the remainder of the chapter if this material is not new to you. If you have not covered this in a recent class, read more carefully before doing the self assessment questions.