Week 13: April 24 Ethics analogies online speech: Section 230 breaks analogy with newspapers source code as speech: print v online differences linking: is printing the name of another publication an analogy? Paper 3 remarks: Discussion rules: watch for "gray areas" Software trust email sony linking: do you need permission? hacking felonies antitrust ============================================================== Trusting software: how do we do this? What responsibility do vendors have? is there an obligation for software to work on our behalf? a "fiduciary obligation"? Trusting your email software; trusting your browser See stopbadware.org We've seen that people form trust relationships based on a fairly limited set of positive experiences (though a limited set of negatives, as well). Sometimes it seems that software has a lot to live up to, in that we trust it because we don't *see* bad experiences, but it is so easy for software to take advantage of us. * collecting personal information * sony "rootkit" cd driver Email: who is responsible for keeping you safe from spam? From embedded tags in html that reveal to the sender if you've viewed the email? The images issue has been around for almost a decade; many email vendors (and many freemail providers) have been reluctant to support image-blocking until the last year or two. (There may be non-conflict-of-interest reasons for that: it may be perceived as a hard-to-understand option.) Browsers: browsers do all sorts of identification of themselves when they connect. Some of that is important; some is questionable. Most browsers do not leak "private" information. Try http://www.jms1.net/ie.shtml, with internet explorer. What about cookies? Many browser PLUGINS *do* leak some degree of private information. When you register a plugin, you connect some personal information to that plugin. Also, some plugins contact the mothership at regular intervals. See spywareremove.com/remove-BrowserPlugins SEVERAL media players (plugin or otherwise) may do some checking of licenses or with mothership before allowing play. Perhaps most players from media companies behave this way. What about compatibility lock-in? ======== To what extent should your OS be required to act on your behalf? Palladium (aka Next-Generation Secure Computing Base): locks you out of lots of things. Trusted side: can't be reached by debuggers or viruses Problem: machine now is autonomous; vendor has complete control. Software updates, file compatibility, ================================================================ SONY case has the rights of users front and center. Sony's 2005 copy-protection scheme : that installs a private CD driver AND a hidden "r00tkit" that conceals itself and hides some registry keys. Is this legit? How does it compare with Palladium (secure-computing platform)? Users *do* click on a license agreement. Were they sufficiently warned? (Software may have been installed before the EULA came up; clearly the EULA did not explain just what was going on.) Note from Mark Russinovich, via wikipedia: He also mentioned that the XCP software installed silently before the EULA appeared, that the EULA does not mention the XCP software, and that there was no uninstaller, all of which are illegal in various ways in various jurisdictions. Several comments to the entry recommended a lawsuit against Sony BMG. There is now a virus/worm out that takes advantage of the sony kit. Sony issued an uninstall utility that didn't actually uninstall the software, but did make it visible. However, users had to supply an email address, which by Sony's privacy policy was eligible for spamming. This or a later removal kit ADDED a bad ActiveX control. ====================================================================== ============================================================== What about linking? * is a link to a defamatory site a form of defamation? (It probably depends on the context) * is a link to "illegal" software forbidden? 2600 case: * what about linking to other sites: bandwidth trademark avoidance of advertising cussedness/control search engines do this CONSTANTLY. For a while this was a serious issue, but it seems to be flaming out. Lots of sites still have bizarre linking policies, though. dontlink.com Universal v Reimerdes: from wikipedia: In particular the Second Circuit ruled that linking on the Internet happened so fast that it could be restrained in ways that might not be constitutional for traditional media. =================================================== Hacking zero-day exploits Should they be tolerated? Encouraged? 1. Sometimes vendors ignore exploit reports without the publicity 2. Sometimes users really need a script to tell them if they are vulnerable; such a script is typically tantamount to an exploit 3. Sometimes announcing a flaw gives crackers all they need to exploit it; withholding details merely gives false security. Consensus seems to be that zero-day exploits are still a bad idea; that one has some responsibility to let someone know about an exploit so a patch can be developed. Patch Tuesday is now followed by Exploit Wednesday. ================================================================ ================================================================ Felony prosecutions Kutztown 13 kids issued 600 apple ibooks in 2004 admin password was part of school address, taped to back! passwd was changed but new one was cracked. kids got admin privileges and: bypassed browser filtering installed chat/IM software, maybe others disabled monitoring software The school's security model was hopelessly flawed. WHO IS RESPONSIBLE FOR THAT? The school simply did not have the resources to proceed properly. The kids were warned REPEATEDLY. But why didn't the schools simply take the iBooks away? Why were FELONY charges pursued? www.wired.com/news/technology/0,1282,68480,00.html cutusabreak.org: now gone Wikipedia: Kutztown_Area_high_School ================================================================ randall schwarz www.lightlink.com/spacenka/fors Oregon made it a FELONY to do anything UNAUTHORIZED. Also, taking a file without authorization was declared to be THEFT. Schwartz faced three counts: 1. installation of an email backdoor at intel (he thought he had some kind of permission) 2. Taking password file 3. Taking individual passwords These he did as a former sysadmin, now assigned to other duties, but still concerned about password security. All he did was to run the "crack" program to guess passwords. Appeals court argued that although "authorization" wasn't spelled out in the law, Schwartz did things without authorization as narrowly interpreted. The appelate court also upheld the trial court's interpretation of "theft": taking anything without permission, even if the thing is essentially useless or if the taking is implicitly authorized. ====================================== Schwartz and Kutztown 13 cases have in common the idea that sometimes the law makes rather mundane things into felonies. For Schwartz, it is extremely clear that he had no "criminal" intent in the usual sense, although he did "intend" to do the actions he was charged with. ================================================================ ================================================================ Software & Antitrust issues Nature of Open Source what is antitrust? free markets monopolies & cartels law of supply and demand Sherman act no agreement between A and B that restrains trade between other parties, particularly between C and D but also sometimes between B and C. predatory practices: single-source for supplies linking one product with another pricing below cost price-fixing: requiring sale at a specific price ATT Antitrust case, leading to breakup of ATT IBM antitrust case 1975-1981 Microsoft antitrust case just what *did* they do to netscape? Bundled IE free Tweaked APIs so IE was more "natural" than others Declared IE was "integral" to windows restrictive licensing agreements Not really free. Feltenization pricing of windows to OEMs restrictions on adding features (no netscape) requirement that *every* machine sold come with windows unfair pricing bundling IE into OS so it couldn't be removed Final thought: Many have argued that antitrust law simply undermines successful companies at the expense of weak ones. By the same token, monopolies do restrict innovation. But sometimes we need a common platform. MS *did* do lots of low-life things re netscape, like tell them that if they didn't cooperate they would get developer documentation in three months, but otherwise they'd get it right away. Is it seriously possible to argue that bundling an application into an OS is a violation of "bundling"? ========================================================================= ========================================================================= Bringing ethical issues to the attention of your supervisor Programmers: quality issues Network admins: security loopholes, excessive security that users will likely find ways to bypass software licensing issues backup procedures DB admins data normalization issues security access issues Websites quality of information Nobody wants to make a Career Limiting Move BUT your boss doesn't want something to blow up later. * Explain consequences * Explain potential consequences * Discuss liability * Discuss how this is going to look later * Recast the question * Ultimately, respect management's right to make decisions Going over your boss's head: Generally a CLM, BUT sometimes there are specific avenues. Challenger engineers * none would say "yes" to "are you claiming the ship will crash" * none would say "no" to "are you claiming the ship is safe" How managers tend to think, versus techies bottom line means a lot future consequences can impact this Ethics and the notion of the Social Contract: JJ Rousseau, 1762 Legal liability: "yes, but we don't wanna get sued...." Whistleblower protections: federal & state law, company policy Writing a CYA memo Richard M Daley and that guy who first noticed the potential leak Discuss Louis Koncza, Chief Engineer for chicago. Wrote memo to boss, DOT head John LaPlante, about leaking in the coal-railway tunnels under the chicago river. But memo asked for money for repairs and didn't make it clear it was an emergency. LaPlante authorized, for example, a BIDDING process. Daley fired Koncza, for failing to convey sufficient urgency, and because "sending a memo to a supervisor does not absolve you". John LaPlante was fired too (Concza's boss) "Daley did what he had to do"