Discussion Questions

The Kevin Mitnick case.

This discussion focuses on how much of criminal Kevin Mitnick really is. "Mitnick has been described as more of a computer prankster who used his hacking skills to harass companies and people he didn't like rather than to enrich himself," writes Michael Shapiro. Consider these questions.
  1. What rules of ethics did Mitnick violate?
  2. Identify some of the stakeholders who were harmed by Mitnick's actions.
  3. Since there is no evidence that Mitnick intended to profit from his actions, should his transgressions be treated lightly?
  4. How real was the harm to the other stakeholders?
  5. Is it necessary to punish Mitnick severely to deter others from copycat computer break-ins?

  6. Takedown. You may also find it helpful to reread the discussion of ethical principles in Ch. 2 of Spinello and Chapter 7 on Ethical Issues and Information Security.

Can hacking be justified?

Here are four justifications sometimes given for hacking.
  1. All information should be free, and if it were free, there would be no need for intellectual property and security.
  2. Break-ins illustrate security problems and cause them to be fixed.
  3. Hackers are doing no harm; they are just learning about how computer systems operate.
  4. Hackers break into systems to watch for abuse and hold "Big Brother" at bay.

  5. How can you argue against each of these justifications? Are the arguments against them compelling? You may find it helpful to reread the discussion of ethical principles in Ch. 2 of Spinello and the section on pp. 198-201 entitled "Related Ethical Issues" (related to information security).

  6. Do you think that it can ever be an ethical act to write a virus? Why or why not?
  7. Based upon one of the ethical theories we covered in Lecture 1, how could you reason to your answer to question 1?
  8. Is it unethical to induce others to perform unethical acts, specifically, unauthorized copying of copyrighted software. Does it follow that organizing a virus-writing contest is also unethical?
  9. Is it ethical to write viruses for purposes of scientific research, such as understanding evolution of living organisms, or testing the theory of evolution? If so,what safeguards should be applied to this research? Who should enforce the safeguards?
  10. If all virus-writing is unethical, then should all virus-writing be equally illegal and equally punished? Why or why not? You may allude to utilitarian or deontological theory in support of your answer.
  11. Should the penalty for creating viruses (and for sabotaging computers in general) depend on the intent of the perpetrator, the amount of damage, or both?
  12. If the penalty depends on the amount of damage, how should the damage be assessed, given that damage may be spread sparsely and widely throughout the world? 

The case of Craig Neidorf and Phrack. 

This discussion deals with the ethics of publishing information that may be helpful in breaking into computer systems. Consider these questions, among others.
  • Did Neidorf do anything unethical? 
  • Should he have been convicted? 
  • Should newsletters like Phrack be discouraged? If so, how? 
  • Is it possible to allow free publication of material like Phrack and still convince would-be criminals that hacking is unethical? 
  • Should it be possible to prosecute the publisher of Phrack if pre- cautions are not taken and information published there leads to a crime? 
  • Should the First Amendment extend to computer communication? 
  • Is dissemination of material like Phrack protected by the First Amendment? The trial judge in this case dismissed two friend-of-the-court briefs seeking to have the case thrown out because it threatened constitutionally protected speech, saying that the First Amendment doesn't protect otherwise criminal conduct just because it involves speech. 
  • Is prosecution of Phrack a threat to free expression?
  • Use the background material on pp. 201-201 of Spinello, and in the articles on this week's We b page.

    You may find it helpful to reread the discussion of ethical principles in Ch. 2 of Spinello and the rest of Chapter 7 on Ethical Issues and Information Security.

The diffrent views on hacking

Peruse the readings on hacking on this week's Web page. You will probably find them much more sympathetic to hackers than my lectures or the Spinello textbook (see pp. 198 ff.). Why is this true?

One might hypothesize that it is due to an "institutional bias" against restraints on one's profession. In general, people in a profession tend to oppose governmental restraints on their profession. Trial lawyers, for example, tend to oppose legal reforms that would make it more difficult for people to sue. Manufacturing companies tend to oppose further government regulations relating to safety and the environment. Timber companies oppose restrictions on logging designed to protect endangered species. There is a tendency in each profession to believe that its members "know best" how to handle issues related to their occupation.

So, one might contend, people who program computers and networks tend to oppose restrictions on their freedom to access computers. They may not sympathize with the actions of "hackers," but they see restrictions designed to prevent abuse as threatening their freedom to browse networks in new and creative ways. Hence their outcries against prosecution of people engaged in arguably "benign" forms of hacking.

  • Do you agree with the hypothesis expressed above?
  • Can you cite any places in the readings to support your position?
  • Should computer professionals be trusted to write the regulations on hacking because they know their profession best? Or should society be skeptical of their recommendations because of institutional bias?

  • The disgruntled employee and hacking. 

    Besides hacking, a related threat to information security is sabotage by a disgruntled employee. Case 7.1 from Spinello, "The disgruntled consultant," highlights this risk. Read the description on pp. 205-207 of the text and then answer Spinello's questions:
    1. How could TTI improve its security policies and its procedures for dismissing employees?
    2. What should Dr. Bluestein say to his client, the Commerce Bank? Should he be open and truthful about what went wrong or tell the executives at Commerce something else?
    3. Is TTI liable, that is, responsible, for Chase's reckless actions, or is TTI the victim in this case? Should it compensate the bank in some way for the delay in delivering the cash management application?

    4. In answering these questions, you may find it helpful to read Chapter 7, and/or review the ethical principles in Chapter 2.