NoticeBored blog

Police are using technology to capture criminals, for example by fitting out vehicles with CCTV and leaving them in vulnerable locations to lure car thieves. The CCTV images are so good that it's easy to make out the criminal's facial features and sometimes even his name and birth date tattoo'd on his neck (doh!).

But consider the question about whether such activity is ethical. From most perspectives (other than the criminals'!), it seems acceptable since the recording devices are within someone's property space which is clearly being violated by the criminals. One might argue that leaving such an attractive lure in a vulnerable place is entrapment, encouraging an otherwise law-abiding person to step over the line and break in, but what do you think? This is a good topic for a tea-time discussion in the average office.

UPDATE Oct 17th: Here's another situation with similar ethical issues. The FBI has allegedly been running DarkMarket, a carders' web exchange for stolen credit card numbers. What a great way to capture details about the criminals, the cards and the culture, but is it ethical? To make it work, they had to let a significant number of carders' transactions go ahead without interference, leading to millions of pounds worth of fraudulent purchases and costs for the card holders and/or credit card companies, banks and retailers concerned, in the same way that undercover drugs cops let and in fact help drug deals proceed until they have the opportunity to spring the trap.

Labels: Awareness, Ethics, Physical

My colleague Rob Slade, renowned for his book reviews, has just circulated a glowing review of the book Computer Ethics by Deborah Johnson. I say "glowing" deliberately: Rob has published many harsh reviews and, in my experience, they are generally well deserved. The relatively few books that Rob likes stand out as somewhat exceptional and, again, in my experience are well worth reading. Rob knows his stuff. I find him hard but fair. In short, I trust Rob's judgement on computer security books.

Ethically I should point out that I have not actually read Johnson's book myself - I am merely passing on a recommendation. If you have read it and would like to put me straight, please comment below!

Labels: Ethics

A fellow inmate of CISSPforum sent us a link today to an interesting piece in the Boston Globe regarding the victim of a laptop theft using remote access software to log on to his machine and, in due course, identify the suspected thief's name and address as he typed it into a website. At last, an ethical use for a Remote Access Trojan (RAT)!

The Web is awash with organizations offering to license their RATs and keylogging Trojans but, so far as I can see, they are mostly aiming at the "Spy on your spouse" market. Some of them claim to be aiming at "Spy on your employees" or "Spy on your children", as if that legimitises their activities but speaking personally, I find these uses unethical too. Spouses, employees and children ALL have legitimate expectations of privacy, whether online or off. To me, spying on them as they use the computers is essentially the same as spying on them in the Real World. It's underhand and unfair. Putting yourself in their shoes, how would you like to be spied upon?

[Aside: presumably there is a market for counter-espionage techniques, software that identifies RATs etc. and responds in some appropriate fashion, perhaps feeding the spies false information or simply cutting the link, the IT equivalent of firing a poison pellet into the spy's calf!].

That said, an incident close to home has made me reconsider my ethical position when a close family member discovered that her child was being 'groomed' through online chatrooms. The discovery came not through spy software but good ol' fashioned parenting - keeping a close eye on the little ones and protecting their interests. In this case, the parents' concern was justified and the groomer was stopped in his tracks, but I'm not saying that "the end justifies the means". If my relative had used spy software, I would still have found it distasteful. I think. But that's my personal perspective: you may see things differently.

Anyway, the use of spy software to recover a stolen computer seems perfectly reasonable and indeed entirely legitimate to me. The thief has no reasonable expectation of privacy while using stolen equipment. Maybe I wouldn't go so far as to say the thief has no rights at all (he is still a human being after all) but privacy is not one of them. The Globe mentions similar cases where owners have turned on built-in cameras to photograph those who are using their stolen systems - again, that's not unreasonable to me, just a creative use of technology.

Of course, thieves will see things differently.

Labels: Ethics, Hacking, Malware

Whereas most months we revise and reissue NoticeBored security awareness modules on topics we've covered before, this month we've written a completely new one on ethics and morality in information security. To be fair, its something we have touched on several times but it seemed appropriate to go into a bit more depth for once.

Ethical people and indeed organizations act in accordance with principles of conduct that are generally considered correct, appropriate or proper. In respect of information security, ethical behavior reinforces procedural controls. Unethical people who disregard the principles and ignore procedures weaken security, just as a rusty door bolt can jeopardize physical security. However, there is more to ethics than mere compliance. We all face ethical decisions and dilemmas from time to time, situations in which our internal values, beliefs guide our actions as much as external pressures.

The NoticeBored newsletter explores the risks around ethics and sets the scene for the remainder of the awareness module. The module covers aspects such as:

• Responsible disclosure of security vulnerabilities
• Cheating and hacking
• Management responsibilities to set the right ethical tone at the top
• Employee responsibilities to uphold ethical principles
• Whistleblowing on unethical practices
• The slippery slope from entirely ethical to entirely unethical behaviors.
  

As always, the newsletter is freely available to all as a PDF file but you'll need to subscribe to the NoticeBored awareness service for the MS Word version, plus around 36Mb of other awareness materials (including 6 posters, 3 seminar presentations, 4 screensavers, several briefings and guidelines, a crossword, an awareness test and a survey, a discussion paper on ethics metrics, a board agenda, awareness activities and an internal controls questionnaire to review your organization's ethical security controls).

Labels: Awareness, Ethics