Ethics and Security Research

CS498sh Malware Analysis

Reading Materials
Ethics and Technology by Herman Tavani ACM Code of Ethics
http://www.acm.org/about/code-of-ethics

Crossing the Line: Ethics for the Security Professional

http://www.secureworks.com/research/articles/other_articles/ethics/

David Dittrichs presentation on Ethics in Security Research

http://www.youtube.com/watch?v=i4TKoqSPn30&feature=player_det ailpage http://www.youtube.com/watch?v=b0OYNCtXDQ&feature=player_detailpage Article for presentation http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5669246

Ethics
Community agreed upon guidelines
If community does not understand ethical reasoning for action, they will condemn the action.

Not the same as the law

Something can be legal but unethical And visa versa

Computer ethics is the analysis of nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology. James Moor

Ethical Approaches
Utilitarianism Approach
The ends justify the means. Determine if the action does good for the most people Bentham and Stewart

Deontological or Rights Approach

There are inherent university moral rules. They should never be broken. Kant

The Common-Good Approach

Evaluate how action affects the broader community Ancient Greeks

Making it up as you go along

Rely on your gut to guide you.

One Argument Strategy

Moors Just-consequentialist Theory
1. Deliberate over policies from an impartial point of view. Policy is ethical if:
A. Does not cause any unnecessary harms to individuals and groups B. Supports individual rights, the fufilling of duties, etc.

2. Select best policy from the set of just policies by ranking options in terms of benefits and (justifiable) harms. In doing this be sure to
A. weigh carefully between good and bad consequences B. distinguish between disagreements about facts and disagreements about principles and values when deciding which particular ethical policy should be adopted.

ACM Code of Ethics

1.1 Contribute to society and human well-being 1.2 Avoid harm to others 1.3 Be honest and trustworthy 1.4 Be fair and take action not to discriminate 1.5 Honor property rights including copyrights and patent 1.6 Give proper credit for intellectual property 1.7 Respect the privacy of others 1.8 Honor confidentiality

ACM Code of Ethics

2.1 Strive to achieve the highest quality, effectiveness and dignity in both the process and products of professional work. 2.2 Acquire and maintain professional competence 2.3 Know and respect existing laws pertaining to professional work. 2.4 Accept and provide appropriate professional reviews 2.5 Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis possible risks. 2.6 Honor contracts, agreements, and assigned responsibilities 2.7 Improve public understanding of computing and its consequences 2.8 Access computing and communication resources only when authorized to do so.

ACM Code of Ethics

3.1 Articulate social responsibilities of members of an organizational unit and encourage full acceptance of those responsibilities 3.2 Manage personnel and resources to design and build information systems that enhance the quality of working life. 3.3 Acknowledge and support proper and authorized uses of an organizations computing and communication resources. 3.4 Ensure that users and those who will be affected by a system have their needs clearly articulated during the assessment and design of requirements; later the system must be validate to meet requirements. 3.5 Articulate and support policies that protect the dignity of users and others affected by a computing system. 3.6 Create opportunities for members of the organization to learn the principles and limitations of computer systems.

Security Research Ethical Dilemmas

Interacting with other entities behaving illegally and/or unethically
Can we do unethical things for the greater good? How about illegal things?

Informed consent
Can we do things for other computer users for their own good? Would they understand it if we told them?

Responsibly handling harmful artifacts

Find Flaw in Insulin Pump

From recent DEFCON presentation.
Authentication and encryption problem in wireless Insulin Pump. With 10 lines of perl can remotely adjust pump operation Tell people of flaw? Work with manufacturer?

What are the ethical issues and consequences?

Improving State of the Art

You find a better means of automatically characterizing and identifying maliciously acting code.
A side effect of your work is identifying an entirely new approach to creating subversive code.

Do you release your work?

Investigating Bot Nets

Researcher interacts with live bot net to learn about it
Subverts nodes to gain access Interact with malware developers via chat Forced inoculation Use flaw in malware to take down infected machine

What are ethical issues and consequences?

Phishing Study
Organization decides to send phishing message to all people it provides email to.
Email attachment appears to be dancing bunny picture Actually sends a message to a central server to track the number of recipients who opened the attachment

What are the ethical issues and consequences?

Who Has the Right to Investigate Malware?

How should an organization with malware decide who to pass on the malware for investigation?
Analogies to medical research? Are restrictions worth enforcing?

What are the ethical issues and consequences?