VIRGINIA MONTECINO

Montecino's CS 103 Course Page
Date:  Spring 99
Lecture 13 -  Computer Ethics and Law


Major Issues: 

Security - 
Internet transactions safety
Digital Spying 
Hackers, Crackers, Cyberpunks 
Online fraud
Infrastructure Protection 
Internet Privacy
Employee Rights / Health / Safety - 
privacy vs. company rights
online harassment, online stalkers, hate groups, online exploitation of children, ...
Workplace safety: health issues - computer related - access for disabled persons, eye strain, repetitive stress/strain injury (RSI),  carpal tunnel syndrome

RESOURCES:
Computer Ethics, Laws, and Privacy Issues
ACM - Moral Imperatives
The Ten Commandments of  Computer Ethics  -  the Computer Ethics Institute
Electronic Frontier Foundation
ACM - Computing and Public Policy
GMU Responsible Computing Policy
Free Speech vs online Child Protection Act 
Information on encryption - Marchant
Code Breaking Contest
Laws Relating to Computers - Marchant
Copyright Resources - Montecino
Copyright and the Internet -Montecino
A Framework for Global Electronic Commerce
The White House,  July 1, 1997
Internet Privacy
Internet Privacy Coalition
Electronic Privacy Information Center
Your Web presence - protect yourself


FAMILIARIZE YOURSELF WITH THIS LEGISLATION:
--- CFAA-Computer Fraud and Abuse Act - 1986

It is a felony :

  • to commit unauthorized access to a Federal computer system with the intent to steal or commit fraud or inflict malicious damage.
It is a misdemeanor: 
  • to traffic in passwords.
(enforced by Secret Service or other authorized federal agency)

---- Electronic Communications Privacy Act -1986 

specifies which electronic communications are private and prohibits the unauthorized access to and disclosure of private communications.

---- CDA-Communications Decency Act - 1996 

It is a felony to transmit obscene or offensive material over the Internet. This Act was challenged by the ACLU and the challenge was upheld. The CDA was overturned in 1997.

---- COPA - Child Online Protection Act - 1998
 makes it a federal crime (penalties up to $50,000 per violation and a sentence of up to 6 months in jail) to transmit material that is harmful to children over the Internet for commercial purposes.
 This act is being challenged in Federal Court as a violation of the First Amendment.

---- Virginia Computer Crimes Act

It is a felony:

  • to use a computer to commit fraud
  • to maliciously access a computer without authorization and damage, copy, or remove files. 
It is a misdemeanor: 
  • to use a computer to examine private files without authorization
---- Web Copyright Law - 1997

An infringement of someone's copyright protected property valued at at least $1000 can be prosecuted even if there is no profit from the crime. The penalty can be from $100,000 to $250,000. A jail term of up to 3 years may be imposed if the infringement is for a violation of property valued at over $2,500.00. For a second offense, the violator could get 6 years in prison.

---- SAFE  - 1999
The House Judiciary Committee approved the Safety and Freedom through Encryption (SAFE) Act of 1999 (H. R. 850) on March 24. The legislation would relax U.S. export controls on encryption, but contains a controversial provision that creates a new federal crime for the use of encryption to conceal criminal conduct.  The legislation, introduced by Rep. Bob Goodlatte (R-Va.), would give U. S. citizens the right to choose any type of encryption to protect their confidential information and prohibits the government from requiring a key to U.S. consumers' computer systems. 

Update as of July 13, 1999 - On July 13, 1999, the House International Relations Committee passed the Security And Freedom through Encryption (SAFE) Act, sponsored by Bob Goodlatte, by a vote of 33 to 5. Now it needs to go to the House of Representatives for a vote.

------------------
For new legislation and challenges to existing legislation, see Thomas - Legislative Information on the Internet (Library of Congress); the Congressional Universe; the Electronic Frontier Foundation; and, for encryption legislation, Congressman Bob Goodlatte's Web Site updates on the legislation.

Also see: LAWS RELATED TO COMPUTERS - Dr. Marchant

People who commit high tech crimes: 

Hacker - A person who writes programs in assembly language or in system-level languages, such as C. Although it may refer to any programmer, the term means laboriously "hacking away" at bits and bytes. The term is also used for people who illegally enter computer systems, insert viruses and illegally gain information. True "hackers" resent the illegal hackers who sully their names.

Cracker - A person who performs an illegal act and breaks into a computer system without authorization. The cracker's purpose is to do harm: to damage or destroy files, steal credit cards, insert viruses, perform computer espionage, etc.

Cyberpunk - An online delinquent, with high tech skills, who breaks the law by breaking into computer systems. The term comes from science fiction novels such as Neuromancer, by William Gibson.

Computer viruses - "troublesome" computer programs that attach themselves to a file, reproduce, and spread from one file to another and from one computer to another. They can be spread from computer to computer, over a network and over the Internet. A virus's payload is the mission it is intended to accomplish.

[[A bug is NOT a virus. A bug is an error in software or hardware. If the bug is in software, it can be corrected with programming changes. If the bug is in hardware, the faulty circuits need to be redesigned. The Y2K ("Year 2000" or "Millennium Bug") problem is not a malicious program, but a "glitch" in the software. The year is stored with only two digits; for example, 10-12-82 instead of 10-12-1982. When the year changes from 1999 to 2000, the date becomes 01-01-00, but the system still thinks the date is 1-1-1900, not 1-1-2000.]]

Types of files generally affected by viruses - 
executable files (those with an .exe extension); boot sector files (system files - the ones your computer uses when you turn it on and go through the bootstrap process); macro files - account for approx. 75% of virus attacks (macros are miniature programs to automate document production, such as in Excel applications or Word documents).

Major categories of viruses include: Trojan horse, time bomb, logic bomb, and worm

Trojan horse - a program that appears to perform one function, but is actually programmed to do something else.  It can be used to break security and enter a network illegally.

Worm - usually enters a network and reproduces itself.  It does not need to be attached to an executable or document file. 

Time Bomb - set to go off on a particular date 

Examples of viruses:

Internet Worm - perpetrated by Robert Morris Jr. in 1988. This worm did not actually modify or delete any files, but it replicated itself to the extent that it brought down over 6000 systems.

Michelangelo - a time bomb set to activate on Michelangelo's birthday, March 6.  Occurred in 1994 -  can be contracted by reading an infected floppy. 

Melissa - self-replicating Macro virus - which is reactivated each time the next user opens the Word attachment - does not damage individual hard drives, but freezes up the Internet through the enormous volume of emails it generates. 

Chernobyl - The ICSA has issued a warning against the latest variant of the CIH Virus. This time bomb is expected to strike Monday, 26 April 1999, the thirteenth anniversary of the Chernobyl disaster, and has the potential to erase hard drives and corrupt a PC's BIOS. The CIH virus infects 32-bit Windows 95/98/NT executable files. It infects the computer's memory, then  files as they are opened. It modifies and corrupts certain types of Flash BIOS, software that initializes and manages relationships and  data flow between the system devices, including the hard drive, serial and parallel ports and the keyboard. By overwriting part of the BIOS, CIH can keep a computer from starting up when the power is turned on. Some variants of  CIH activate on April 26th or June 26th, while others activate on the 26th of every month. 

Encryption - the science of scrambling text so that no one but the desired parties, sender and receiver, can read the data. Encryption turns the data into a secret code. Each algorithm uses a string of bits known as a "key" to perform the calculations. The larger the key (the more bits in the key), the greater the number of potential patterns that can be created, thus making it harder to break the code and descramble the contents.

Example of encryption software: PGP ("Pretty Good Privacy") - a method of encrypting email, released by Phil Zimmermann in 1991. PGP combines two algorithms, RSA and IDEA, to encrypt plaintext. Zimmermann was the subject of a Federal Investigation for exporting his PGP software. Charges were eventually dropped. See more details on encryption by Prof. Marchant. See legislation about encryption.


espionage - military, government, corporate
Cases Involving Encryption in Crime and Terrorism

Example of a famous espionage case: Clifford Stoll, with FBI help, cracked a case in which crackers in Germany entered a military network and the Internet to gather information on military research in the U.S. and then sold it to the KGB.

The Computer Fraud and Abuse Act of 1986 was signed into law in order to clarify definitions of criminal fraud and abuse for federal computer crimes and to remove the legal ambiguities and obstacles to prosecuting these crimes. The Act established two new felony offenses for the unauthorized access of "federal interest" computers and a misdemeanor for unauthorized trafficking in computer passwords.

Two prominent cases : 

Herbert Zinn, a high school dropout who called himself "Shadowhawk," was the first to be convicted under the Act of 1986. Zinn was only 16 when he broke into AT&T and Department of Defense systems. He was convicted on January 23, 1989. He destroyed $174,000 worth of files, copied programs valued at millions of dollars, and published passwords and instructions on how to violate computer security systems. He was sentenced to nine months in prison and fined $10,000. Had he been 18, Zinn could have received 13 years in prison and a fine of $800,000.

Robert Morris, a 22 year old graduate student at Cornell. Morris launched a "worm" which navigated the Internet on its own,  searched for security weaknesses and replicated itself. More than 6000 systems had crashed or were seriously crippled. Eradicating the worm cost victims  millions of dollars. Morris was convicted and sentenced to three years of probation, 400 hours of community service and a $10,000 fine under the Act. 


The Computer Emergency Response Team (CERT) was formed to deal with Internet security vulnerabilities.

Security Measures:

Protect your data

Anti-viral software - Symantec, McAfee, Norton Anti-virus, Dr. Solomon

Backups - back up data regularly on storage media

Password protect - your computer files if you share a computer with someone else.

Passwords - don't give out your password. Devise unique passwords.

encryption - an option for sensitive data

Restrict Access to networks: 

Hardware Key (dongle)  -  a copy protection device that plugs into a computer port, often the  parallel port. The software sends a code to the port, and the hardware key reads the serial number and verifies its presence to the program. The key hinders software duplication, since each copy of the program has a unique number. (see picture of a dongle)

Firewalls - used to keep internal network segments secure and provide secure access to the Internet. A firewall can also separate an organization's public Web server from its internal network.

Types of firewalls
Packet Filter -  Blocks traffic based on IP address and/or port numbers. Also known as a "screening router."

Proxy Server - serves as a relay between two networks, breaking the connection between the two. Also typically caches Web pages.

Network Address Translation (NAT) - hides the IP addresses of client stations in an internal network by presenting one IP address to the outside and translating back and forth.

Stateful Inspection tracks the transaction in order to verify that the destination of an inbound packet matches the source of a previous outbound request. Generally can examine multiple layers of the protocol stack, including the data, if required, so blocking can be made  at any layer or depth.
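The difference between a packet filter and stateful inspection, as an added example that is not part of the original lecture notes: the same three packets are run through a stateless rule set and through a firewall that remembers outbound requests. The addresses, ports, rule set and function names are all constructed for illustration, and the state table tracks only address/port pairs (no timeouts or TCP flags).

```python
from collections import namedtuple

# Constructed sample packets; all addresses are from documentation ranges.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port direction")

INTERNAL_NET = "192.0.2."      # assumed prefix of the internal network
WEB_PORTS = (80, 443)          # assumed policy: clients may browse the Web


def packet_filter(pkt):
    """Stateless screening router: judges each packet on its own fields."""
    if pkt.direction == "out":
        return pkt.dst_port in WEB_PORTS
    # Inbound: with no memory, replies can only be recognised by source port.
    return pkt.src_port in WEB_PORTS and pkt.dst_ip.startswith(INTERNAL_NET)


class StatefulFirewall:
    """Remembers outbound requests and admits only their matching replies."""

    def __init__(self):
        self.sessions = set()

    def inspect(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port not in WEB_PORTS:
                return False
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # The inbound destination must be the source of an earlier request,
        # and the inbound source must be that request's destination.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions


def compare(packets):
    """Return (packet_filter verdict, stateful verdict) for each packet."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.inspect(p)) for p in packets]


SAMPLE = [
    Packet("192.0.2.10", 40000, "198.51.100.5", 80, "out"),  # client request
    Packet("198.51.100.5", 80, "192.0.2.10", 40000, "in"),   # genuine reply
    Packet("203.0.113.9", 80, "192.0.2.20", 5000, "in"),     # unsolicited
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, "| packet filter:", stateless, "| stateful:", stateful)
```

The third packet was never requested by any internal client: the packet filter passes it because its source port looks like a Web reply, while stateful inspection drops it because no outbound request matches.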

PROTECT YOURSELF ON THE INTERNET: See these guidelines to  help you protect your privacy,  avoid copyright infringement, and protect your reputation and future job prospects. 
-----------------
Balkans War - First "Cyber War"
 

The Defense Department's number two civilian described the conflict with Yugoslavia as "the first cyber war we're fighting."

Speaking April 14 at a symposium on information assurance, John Hamre, deputy secretary of defense, said so far the cyber attacks on NATO have been "very incoherent and amateurish."

He also said the attacks likely were Yugoslav-sponsored but probably not conducted by the Serb-controlled government, but "messed up the NATO home page," adding, "It's all directly tied to the war."

Monday April 19, 12:25 pm Eastern Time
Company Press Release
SOURCE: Association of the United States Army
http://biz.yahoo.com/prnews/990419/dc_ausa_ko_1.html

Workplace safety: health issues - computer related - eye strain; repetitive stress/strain injury (RSI) - repeated physical movements doing damage to tendons, nerves, muscles, and other soft body tissues; carpal tunnel syndrome
