EE579T Network Security
10: Legal and Ethical Issues
Prof. Richard A. Stanley
WPI, Spring 2001
© 2000, 2001, Richard A. Stanley

Thought for the Day

“If you’re gonna do the crime, be prepared to do the time.”

Anonymous


Overview of Tonight’s Class

• Review last week’s lesson

• Look at network security in the news

• Legal and ethical issues


Last Week in Review

• There is a set methodology to follow to gain network access (but this isn’t a cookie-cutter sort of approach)

• The methodology follows from the architecture and the software of the network

• The types of attacks vary widely, and new ones are constantly being developed

• Basic countermeasures and sound auditing will go a long way towards securing the network

Hacker of Last Week

• Abraham Abdallah

– Brooklyn, NY bus boy who stole identity of 217 of Forbes 400 richest folk

– Indicted for violation of 18 USC 1341, 1343

• 1341: Frauds and Swindles

• 1343: Fraud by Wire, Radio, or Television

– What does this mean?

– Is identity theft not an issue here?

Network Security Last Week - 1

• Microsoft Explorer 6.0 upgrade will include enhanced privacy features

– Increased control over how much personal information is collected when users visit particular Web sites

– Platform for Privacy Preferences (P3P)

– Five privacy settings will be included, some letting users choose whether to accept cookies

• PGP inventor says encryption flaw minor

Network Security Last Week - 2

• Microsoft certificates hijacked

– Imposter duped VeriSign into issuing a pair of digital certificates in Microsoft's name

– Danger exists that imposter could post a virus on the Net that would appear to be a legitimate posting authenticated by Microsoft

– Executable content like ActiveX and Office macros is the most vulnerable

Network Security Last Week - 3

• Lion worm

– Scans Internet looking for Linux computers with a known vulnerability

– Worm steals password file, sending it to a China.com site

– Utility developed to detect the Lion's presence in infected systems


Network Security and the Law


What You Need to Know

• What is illegal

• What are the elements of proof

• What constitutes evidence

• How to protect the evidence

• Whom to call

• When to call them

• What to tell them

U. S. Law

• Criminal

– Charges brought by state in name of the people

– No private prosecutions (cf. U.K. law)

– No double jeopardy (what does this mean?)

– Penalties: incarceration, death and/or fines

• Civil

– Action brought by one party against another

– Penalties: deprivation of property

Who Does What?

• Law enforcement agencies

– Investigate crimes, collect evidence

• Prosecutors

– Evaluate evidence, decide whether to prosecute

– Represent state in criminal matters

• Courts

– Hear evidence, reach conclusion on guilt

• Defense attorneys

– Represent the accused

Basis of U.S. Law

• English Common Law (except Louisiana)

– Statutes (enacted by legislatures)

– Case law

– Precedents

• State/local vs. Federal law

– Jurisdiction

– Pre-emption

Why Do You Care?

• Computer crime is one of -- if not THE -- fastest growing crime categories

• “That’s where the money is”

• Fraud loss in Southern NY area alone, Jan ‘95 to Jan ‘00: nearly $400,000,000

• This isn’t just “victimless, white-collar crime:” nearly 2/3 of those arrested were carrying automatic weapons

It Isn’t Just Crime

• If you operate a network service, you face civil liability if civil codes are violated

– Copyright protection

– Trademark protection

– Other intellectual property

• Pressure from various entities

– Privacy

– Content

Knowing what is illegal is key

• Example: until late 1998, it was NOT illegal in the U.S. to steal someone else’s identity

• Where you are defines what is illegal

– OK to use another name in US if not to defraud

– Illegal in U.K.

• You WILL be involved in this if you are involved in computer security


Caution!

• You are NOT a law enforcement officer!

• You need to know about computer law to be an effective computer security person, just as you need to know about motor vehicle law to be an effective driver

• Ignorance is not an excuse

A Quick Taxonomy of the Law

• Just like engineering, the law has its own language

• 18 USC § 2319 decodes as “Title 18, United States Code, Section 2319”

• State laws have their own abbreviations, but follow the same pattern:

– In New York: PL = Penal Law

– In Mass: MGL = Mass. General Laws

– In Conn: CGS = Conn. General Statutes, etc.

Basic Theorem

• It is not permissible to break the law in order to enforce it

– IRC sessions and law enforcement

– Automatic actions to counter hacking

– Eavesdropping (but not always)

• Depending on your point of view, this is a basic preservation of constitutional liberty or a gift to law breakers. But it is the law!


What is illegal?

• Can’t cover everything, so will concentrate on US federal law, with added local & foreign examples

• US Code can be found on the Web at: www4.law.cornell.edu/uscode

• Title 18 is the criminal title: it defines federal crimes and criminal procedure

• All the laws of the United States are found (somewhere) in the Code

US Code Overview - 1

Title 1 General Provisions

Title 2 The Congress

Title 3 The President

Title 4 Flag and Seal, Seat Of Government, and the States

Title 5 Government Organization and Employees

Title 6 Surety Bonds (repealed)

Title 7 Agriculture

Title 8 Aliens and Nationality

Title 9 Arbitration

Title 10 Armed Forces

US Code Overview - 2

Title 11 Bankruptcy

Title 12 Banks and Banking

Title 13 Census

Title 14 Coast Guard

Title 15 Commerce and Trade

Title 16 Conservation

Title 17 Copyrights

Title 18 Crimes and Criminal Procedure

Title 19 Customs Duties

Title 20 Education

US Code Overview - 3

Title 21 Food and Drugs

Title 22 Foreign Relations and Intercourse

Title 23 Highways

Title 24 Hospitals and Asylums

Title 25 Indians

Title 26 Internal Revenue Code

Title 27 Intoxicating Liquors

Title 28 Judiciary and Judicial Procedure

Title 29 Labor

Title 30 Mineral Lands and Mining

US Code Overview - 4

Title 31 Money and Finance

Title 32 National Guard

Title 33 Navigation and Navigable Waters

Title 34 Navy (repealed)

Title 35 Patents

Title 36 Patriotic Societies and Observances

Title 37 Pay and Allowances Of the Uniformed Services

Title 38 Veterans' Benefits

Title 39 Postal Service

Title 40 Public Buildings, Property, and Works

US Code Overview - 5

Title 41 Public Contracts

Title 42 The Public Health and Welfare

Title 43 Public Lands

Title 44 Public Printing and Documents

Title 45 Railroads

Title 46 Shipping

Title 47 Telegraphs, Telephones, and Radiotelegraphs

Title 48 Territories and Insular Possessions

Title 49 Transportation

Title 50 War and National Defense

Where You Stand Depends on Where You Sit

• What is illegal depends on:

– where the crime occurred

– who has jurisdiction

• this is not always determined by geography (e.g., bank robbery is always a federal crime in the U.S.A.)

• there may be overlapping jurisdiction

• prosecutors may decide to proceed in one jurisdiction because of penalties available


Other Criminal Laws

• Criminal Code of Canada: www.efc.ca/pages/law/cc/cc/html

• Mass. General Laws: www.state.ma.us/legis/laws/mgl


What the laws will tell you

• What is prohibited, often in excruciating detail

• What must be proven to prove the crime (often by inference)

• What the penalty is for violating the law

Language is Important

• Regulations are not laws -- they describe details of how to comply with the law

• Annotations in laws trace the history of the law’s development--what was illegal yesterday may not be illegal today (e.g. Prohibition), and vice versa

• You need a lawyer or a law enforcement agent to help with the details

How Do Regulations Fit?

• Regulations provide detailed information on how laws are to be applied

– Code of Federal Regulations (CFR) [44 USC § 1510]

– Code of Massachusetts Regulations (CMR)

– Similar taxonomy to statutes

• Regulations are not laws, but failure to observe their requirements can often lead to serious problems

• In some cases, violation of a regulation is a violation of a statute


Some facts about law enforcement

• For the most part, law enforcement agents are intelligent, honest, and hard-working

• Pay scales are far below private industry, so finding agents with technology skills is hard, especially CURRENT technology

• They want to do a good job -- taking criminals off the street is what they do

• You need their help, and they need yours.

Prosecutorial Peculiarities

• All crimes are not prosecuted

• The likelihood of prosecution depends on

– Magnitude of the crime

– Likelihood of conviction

• Will the jury understand the crime?

• How good is the evidence?

• You can improve probability of prosecution by knowing what you are doing and keeping the evidence sound

• Prosecutors get performance reviews, too

Agency Snapshots - 1

• FBI

– Federal Bureau of Investigation

– Part of US Department of Justice

– Charged with enforcement of federal laws

– Other counterparts

• Canada: RCMP

• Germany: Bundeskriminalpolizei

• Many nations have no counterpart

Agency Snapshots - 2

• USSS

– United States Secret Service

– Best known for protecting the President

– Part of the Treasury Department

– Primary jurisdiction in counterfeiting (all sorts), currency and electronic crime

– Foreign counterparts: no exact ones. RCMP in Canada has many of same roles

Agency Snapshots - 3

• US Customs Service

– Responsible for collecting duties and preventing smuggling

– Primary enforcement agency protecting US borders

– If you bring it into the US, it is their business

– Part of the Treasury Department

– Nearly every nation has an equivalent agency


What About Unauthorized Computer Access?

Unauthorized Computer Access

• Federal law

– 18 USC § 1030 -- Fraud, use of computers for economic espionage, computer intrusions

• Massachusetts law

– 266 MGL § 33A. Intent to defraud commercial computer service; penalties

– 266 MGL § 120F. Unauthorized access to computer system; penalties

• Canadian Law

– Criminal Code of Canada, 342.1

18 USC § 1030

• Knowing, intentional unauthorized access or access beyond authorization is a crime, depending on the computer and what is accessed

• Trafficking in computer access information is a crime

• Severe punishments provided

– As much as 10 years imprisonment


MGL CHAPTER 266. CRIMES AGAINST PROPERTY.

Chapter 266: Section 120F. Unauthorized access to computer system; penalties.

Section 120F. Whoever, without authorization, knowingly accesses a computer system by any means, or after gaining access to a computer system by any means knows that such access is not authorized and fails to terminate such access, shall be punished by imprisonment in the house of correction for not more than thirty days or by a fine of not more than one thousand dollars, or both.

The requirement of a password or other authentication to gain access shall constitute notice that access is limited to authorized users.

Criminal Code of Canada

342.1 (1) Every one who, fraudulently and without colour of right,

(a) obtains, directly or indirectly, any computer service,

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system,

(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or

(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.

What is Evidence?

• 18 USC § 3482. Evidence and witnesses (Rule)

• See Federal Rules of Criminal Procedure, Rule 26: competency and privileges of witnesses and admissibility of evidence governed by principles of common law

Can you see the utility of a good attorney here?


Presumption of integrity

31.3 For the purposes of subsection 31.2(1), in the absence of evidence to the contrary, the integrity of an electronic documents system by or in which an electronic document is recorded or stored is proven

(a) by evidence capable of supporting a finding that at all material times the computer system or other similar device used by the electronic documents system was operating properly or, if it was not, the fact of its not operating properly did not affect the integrity of the electronic document and there are no other reasonable grounds to doubt the integrity of the electronic documents system;

(b) if it is established that the electronic document was recorded or stored by a party who is adverse in interest to the party seeking to introduce it; or

(c) if it is established that the electronic document was recorded or stored in the usual and ordinary course of business by a person who is not a party and who did not record or store it under the control of the party seeking to introduce it.

Criminal Code of Canada

Some Other Computer Crimes

• 18 USC § 471 -- Counterfeiting US notes

• 18 USC § 1028 -- Identity theft

• 18 USC § 1029 -- Fraud and related activity in connection with access devices

• 18 USC § 2252 -- Kiddy pornography

• 18 USC § 2318 -- Counterfeit computer labels, program documentation, packaging

• 18 USC § 2319 -- Copyright infringement

Identity Fraud

• Deals with “false identification document”

– Making, transfer, use, possession all crimes

– Identity documents covered

• Any identification document issued by or under the authority of the United States

– Includes federal, state, local, foreign government, international quasi-governmental organization

– Birth certificate, driver’s license, personal ID card

– Penalties up to 15 years imprisonment

What To Do?

• Know the applicable law where you operate

• When you determine a violation has probably occurred:

– Save the audit logs and any other documentary evidence of the offense

– Notify your supervisor

– Call the authorities

– Keep your suspicions close hold

Whom to Call?

• First, call the local police

– Describe what you think you have

– Ask for advice

– Announce intention to call federal law agency

• Call the feds

– FBI

– USSS

Before You Call

• Get to know the cognizant law enforcement agents, local and federal

• Find out if you can help them

– Low investment, high payoff

– They’ll be more responsive if they know you

• Don’t cry wolf

– Be sure you know what you are talking about

– Have the information to support your claim

Above All...

• Be certain your organization intends to pursue the criminal case to the end; otherwise, you are wasting everyone’s time and they won’t thank you

• Keep your mouth shut except to the police; the libel laws are still in full effect

• Don’t forget you don’t carry the badge

• Don’t talk down to the police

Policy again

• Be sure you have written policy for your employees about what is and what is not permitted, and make sure you can show they have read it

• Don’t exceed your authority

• Don’t be unreasonable

• Don’t be capricious -- the same penalty for the same infraction should be the rule

Legal Issues in Computer Security

• Copyrights [17 USC]

– Protect expression of ideas, not the idea itself

– Gives author exclusive rights to copy & sell

– Can cover “any tangible medium of expression”

– Work must be original to the author

– Subject to “fair use”

– Marking required

– Lasts for 50 years after death of last author


Copyrights Again

• Copyright valid without registration, but registering helps ensure protection

• Infringement resolved in the courts

• U. S. Govt. works in public domain, but not all governments (cf. Crown Copyright)

• Programs can be copyrighted, but…

• Copyright limits distribution, not use


Copyright Requirements

• Create the work

• Mark the work with copyright notice

• File a copyright form

• Distribute the work

Copyright Infringement

• Basic statute is 17 USC § 506

– Title 17 deals with copyrights

– Section 506 treats remedies for infringement

– For legal consistency, penalties are in the criminal title, Title 18

• Up to 3 years imprisonment, first offense

• Up to 6 years imprisonment, second or subsequent offense

Patents

• Protect inventions [35 USC]

• Object patented must be “nonobvious”

• Patent goes to first to invent (in U.S.)

• Requirements for patent

– Search for prior art

– Patent Office determination that it is novel

– Issuance of patent

More on Patents

• Valid for 20 years since US ratification of GATT harmonization, earlier 17 years, not generally renewable

• Requires disclosure of all working details

• A patent is a public document

• Infringement must be opposed. Claims:

– This isn’t infringement

– The patent is invalid

– The invention is not novel

– The infringer invented first


Patents and Software

• Software can be patented

• Easier to patent a process in which software forms a part, but then use of the software outside the process is not covered

• Not much case law yet

Patent Infringement

• Is a civil, not a criminal matter

– Cf. Copyright violations

• Remedies provided

– 35 USC § 271 defines infringement

– 35 USC § 281 provides for civil remedy

– 35 USC § 284 et seq. provide for damages

• If you participate in infringement, you could be a defendant


Trade Secrets

• Gives a competitive edge over others

• Must always be kept secret

• Applies well to software

• Hard to enforce (e.g. reverse engineering)


Who Owns Intellectual Property?

• Generally, if you were paid to produce it by your employer, they own the property

• If you produce it on your own time, but use skills learned on the job, they may still own the property

• Intellectual property agreements

• Employment contracts

Some Related Statutes

• Freedom of Information Reform Act of 1986 [5 USC § 552]

– Requires disclosure of Executive Branch data except in cases of national security or personal privacy

– Significant impact on computer security

• Privacy Act of 1974 [5 USC § 552]

• Fair Credit Reporting Act [15 USC § 1681]

– Places limits on data collected on individuals and uses to which data can be put

– Consumer right to know contents of own files


More to Think About

• Censorship

• Privacy

• Actions of others

• Responsibility to report crimes

• Public approbation vs. legal action

• Whose laws apply?

– Cf. eBay and Nazi memorabilia in France

Page 62

More Legal Considerations

• What if…

  – One of your employees is using your network to do something illegal?

  – Someone outside the organization is using your network resources for illicit purposes?

  – Your system is broken into and important information goes missing or becomes public?

Page 63

What Is Your Responsibility?

• For intellectual property?

• For personal data?

• For financial data?

• For proper operation of the network?

• How and where are these things defined?

Page 64

Ethics Concerns

• Information Management

  – Data acquisition

  – Access

  – Stewardship

• Information Security

  – Ownership of intellectual property

  – Crime

  – Liability and reliability

Page 65

Ethical Issues

• Ethics and the law are not the same

• An ethic is an objectively defined standard of right or wrong

• Ethical standards tend to be idealistic

• A set of ethical principles is an ethical system

Page 66

Law Versus Ethics

LAW

• Formal, written

• Interpreted by courts

• Established by legislature

• Applies to everyone

• Conflict, “right” resolved by courts

• Enforceable

ETHICS

• Unwritten principles

• Interpreted by individuals

• Presented by religions, philosophers, etc.

• Personal choice

• No external arbiter of “right” or conflict

• Limited enforcement

Page 67

Ethics Overview

• Complex

• Ethics and religion

• Ethics not universal

• Ethics does not provide unique, immutable answers

  – Ethical pluralism

  – Very unlike scientific view of “truth”

  – Rarely a higher authority

Page 68

Ethical Reasoning

• How to approach an ethical issue?

  – Understand the situation

  – Know several theories of ethical reasoning

  – List the ethical principles involved

  – Determine which principles outweigh the others

• First and third are key

• Easy to go off half-cocked

Page 69

Ethical Principles--Examples

• Teleology

  – Focus on consequences

– Egoism: benefits to person taking the action

– Utilitarianism: benefits to entire world

• Deontology

  – Focus on sense of duty

– Some things are just intrinsically good

– Rule-deontology

  – Act-deontology: situation ethics

Page 70

Ethics Case 1

Dave works as a programmer for a large software company. He writes and tests utility programs. His company operates two shifts: during the day, program development and online applications are run; at night, batch production jobs are completed. Dave has access to workload data and learns that adding programming work to the night shift runs would not adversely affect performance of the computer for other users.

Dave comes back after normal hours to develop a program to manage his own stock portfolio. His drain on the system is minimal; he uses very few expendable supplies such as paper. Is Dave’s behavior ethical?

Page 71

Some Values Issues

• Ownership of resources

• Effect on others

• Universalism principle

• Possibility of detection, punishment

• Other issues?

• Which are more important than others?

Page 72

Ethics Case 2

Donald works for the county health department as a computer records clerk, where he has access to files of patient records. For a scientific study, a researcher, Ethel, has been granted access to the medical portion, but not the corresponding names, of some records.

Ethel finds some information that she would like to use, but she needs the names and addresses in order to contact these people for more information and for permission to do further study.

Should Donald give Ethel the names and addresses?

Page 73

Some Principles Involved

• Job responsibility

• Use

• Possible misuse

• Confidentiality

• Tacit permission

• Propriety

• Law

Page 74

Ethics Case 3

Kevin Mitnick, the notorious computer hacker accused of causing millions of dollars in damage to technology companies, has been ordered to get off the lecture circuit or risk going back to prison. The federal probation department sent word through his probation officer that his activities must stop, Mitnick said. “They’re saying I can no longer write or speak about technology issues,” Mitnick said in a telephone interview. “I think it is an abrogation of my First Amendment rights. … Probation is not supposed to be punitive.”

Government officials could not be reached for comment.

Are Mitnick’s actions ethical? Are the government’s?

Page 75

Ethics Case 4

The school computer center

Page 76

General Moral Imperatives (ACM Code of Ethics and Professional Conduct)

• Contribute to society and human well-being

• Avoid harm to others

• Be honest and trustworthy

• Be fair and take action not to discriminate

• Honor property rights including copyrights and patents

• Give proper credit for intellectual property

• Respect the privacy of others

• Honor confidentiality

Page 77

The “P” Word

• Can or should you have an ethics policy?

• Why or why not?

• Are you aware of organizations that do have ethics policies?

Page 78

The Other “P” Word

• Privacy

  – What is it?

  – How to protect it?

  – What do customers and employees expect?

  – What do they have a right to expect?

  – Where is the Constitutional right to privacy found?

Page 79

Summary

• Network security involves a close interaction of legal and ethical issues

• Ethics and the law are not the same

• There are no hard and fast answers to ethical questions, but there are guidelines

• It doesn’t hurt to seek others’ opinions, but the ultimate responsibility rests with you