*** PREFACE ***

The intent of this paper is to explore ethical topics which pertain to computing from multiple viewpoints. With fundamental values (or lack of values) being studied to see how they would effect decision-making. We will try to categorize some of the decisions and determine what ethics or philosophy is being used if possible.

Here, we will look at security of computer systems. More specifically, security through restricted access. The term "hacker" will be used at some points. It is not to be confused with "Cracker". A Hacker simply gets the most out of whatever they happen to be interested in. Hackers do things by trial and error at times. They don't like to be told to slow down, "go at this pace (like the rest of class)" or whatever.

*** INTRODUCTION ***

Having been a user of UNIX based systems for many years, I have notice security increased many levels from what was once thought adequate. To the seasoned user, this increase in security usually spells reduced usefulness of the system as a whole. The inherent learning experienced computer users may gain by exploring (their) complicated systems is diminished. More and more files and directories have been made un-readable to the ordinary user. This in an effort not to divulge information those crackers or other rogues might exploit.

Some would say that there is no other way to keep intruders out. They might argue that restricted access it "the way" toward protection of system resources. There are actually many ways to accomplish enhanced security only one angle being a tight file access policy, where many interesting are closed to reading and writing. The trouble with this approach is that it restricts the access of legitimate users of the system. Break-in artists would have to be already in the system to be held back by restricted access. Of course, an intruder with supervisor (root) permissions (many times the case), can read and write any file anyway. The learning that can be obtained by reading system configuration files, routing tables, various logs and the like does not occur when gratuitous closing of files has occurred.

It is true that one can read books for these details. My own experience has shown that this is not always appropriate. (It can be expensive too). People sometimes get carried away with a notion (like restricted access). They begin shutting everything down. They do not take time to study where the true risks are. They exercise privacy for privacy's sake.

*** VIEWPOINTS ***

We will take three different angles trying to explain why computer access restrictions should or should not be implemented. First being the people in charge of a large multi-user server. We can imagine an Institution like DePaul and their student account machines. Their position is to provide computing services to many people. Their user base has varying needs. Some users don't even know what kind of equipment their jobs are running on (to process web or net news data etc). On many servers, large multi-user machines, this type of user is the rule and not the exception. A small percentage of the users will ever actually log into the machine and run interactive shells.

These users may notice that there are numerous branches of the file system completely closed (directories with all permission denied to ordinary users). The fact that the higher level users are few is a key point. Perhaps they can be inconvenienced... after all, they are a minority! Later, the needs of power users, CS students or even Hackers (let's say) will be approached. Here, the impact of greatly restricted access to the server is studied to see if the needs of the student are being met. If, for example I have an account on the server and the account only lets me operate in my own file space, only lets me read files I have written myself, how will I learn the details of the server setup (say I wish to become an Administrator some day). Don't assume that great computer wizards got that way (just) reading books and sitting in class. The really good ones have seen and browsed every corner of their systems. This is a favorite diversion to hackers.

Get bored writing a report (like this one), browse the system file libraries for a while. Unguided learning should not be discouraged, as it is normally supplemental to the main stream approach. Sometimes, months or ever years later, prior study (however casual) pays off. Another issue with this type of "casual learning" is that some setups are so complicated, they can only be learned in small pieces and over a long period of time. Complete printed manual sets can cost hundreds of dollars. Library books must be returned and their contents will at times be forgotten by the time they are needed. The complete opposite entity from the first (the University) is the dirty, low life cracker. The kind that steals passwords, deletes files, taunts system administrators and is seeking thrills. He (or She) may vandalize a system and render it unusable. They may do so either with intent or by accident. Probably a younger person and possibly on the way to being a competent (and responsible) computer expert, this person at this stage is trouble. He will impress his friends and invite them to break into and explore the system too. They have and will continue to trash systems for fun. They are the reason that others will suffer. These pranksters have gotten lots of press, their stories are fun to hear about. I know first hand that some laypersons think it's cool to crack. It's like folk lore or something. They ask me to break into systems and perform various types of illegal acts, asking as if one could just sit down, begin to type and magically break into even well guarded sites (like TRW). I tell them "it's not that easy, you watch too much Sci-Fi".

Once, somebody offered me beer in exchange for fixing their bad credit rating. I of course declined this lopsided deal! And, some break ins are for more than thrills. Corporations have suffered losses of proprietary data, software and whatever to crackers. We won't study this however. The fact that some people will do damage is what counts here. We will begin now and see who does what and maybe explain why or why not they choose a certain strategy.

UNIVERSITY

The idea of a provider of large-scale services is taken up by the University. They have to be concerned about the overall safety of their system. They have a responsibility to provide good computing services to their user base. Odds are, they consider that they should serve the majority first, protect the interest of as many as possible. If there is an apparent easy way to prevent abuse, such a way is likely chosen. They decide to keep as little as possible in the open lest an unscrupulous user learns of a hole in security. Normally the majority on a server are not power users. They can exist without having to know what really goes on. These "ordinary users" do not know or care about tight security. They simply exist in it, taking it for granted. They (perhaps foolishly) rely on the Administrators of their server to take care of things. Here, the feeling is that unless something "needs" to be available to users, it will be closed.

People will not agree on exactly what "needs" to be closed however. In any event, most of the users will not notice anyway. The greater common good (to the system users and managers) is fulfilled. A security measure is implemented and it is probably worthwhile to sit back, see if anyone comes forth with good reasons to relax the restrictive measures. It's interesting to note that security holes must exist prior to a rouge being able to violate security (by casual browsing). By the same token, some parts of the file system cannot be closed to reading, user processes must access these areas at run time. Say for example I cannot even see a file which may expose a hole, I cannot know about the hole (thus Security through Obscurity). Should not the basis of the weakness be removed rather than just trying to hide it? With the point being that perhaps the security problem is not addressed, just worked around by adding restrictions.

The notion to not fix a problem but just conceal it is not unique to computing. It seems common in many fields (politics especially). This would seem to indicate to some entities that it's an OK path toward solving a problem. Student hackers have been known to be among the most persistent break in artists around. They use the computer resources often and are not noticed simply for being in the system as they have legitimate accounts. But other CS students are affected by the restricted access policies too. How many of the students would exploit security holes is not known. It's a safe bet however, that fewer than 50% of the grapes are sour. Most systems are shipped nowadays with very tight access. In other words, the local Administrators did not themselves institute the restrictive policies. They did however allow them to be retained on our server.

POWER USER

I am a power user and a Hacker. So are hundreds of other good members of the Internet community. A system administrator myself, help desk attendant, programmer etc. Having just started a College degree at age 35 (yeah I know, over the hill!), I come into this with five or six years of solid self study under the belt. Oh sure, I read lots of books but good hackers usually have something better than just book smarts. They are street smart and possess hands on experience. "We" have a lot to contribute to the computer world, knowledge, expertise etc. But this is not paramount really. What is important is the strong belief that computing resources should be available to the community and in as open a fashion as possible. Crackers will continue to do their dirty work. We should not be punished for their actions. The world is about the availability of knowledge more so than ever before. This must extend to internal parts of computer systems. Some people must understand what it is they are doing to get the most out of it. Other more ordinary users will not care. They will still benefit when they ask someone like me for help. Too much good is jeopardized when ones takes something away from the masses just to insure (or help to insure) security is upheld. Crafty scoundrels will continue to find ways in.

CRACKER

There are too many of these people out there. Some will cause problems for many people. At times bringing entire systems to a halt. The Internet Worm is the most well know example of this. But the cases are many. Most cases of computer misuse are actually very benign and crackers know this. It's tempting to break in. To some, it is something they cannot resist. The mere fact that some College, Corporation or other powerful group will try hard to keep them away provides enhanced thrills.

The subversives will balk at any effort establish laws. Some might say that crackers try harder to break in to sites with high security. This type of person has no ethical standing whatsoever (it seems). They only consider what is good for themselves. The thrills, money, glamour or whatever else drives them to play around and see what can be accomplished. And what they have accomplished is to cause many people to spend countless hours working to develop security measures. Some simple (like our subject). Others not. Of course it's not correct to say these people always act on their own behalf. Some may feel they are making a contribution to their own community, the underground Cracker community. There are magazines which publish information about computer break in techniques. This sort of thing does not help the problem. The main stream media also contributes to the notion that this unacceptable behavior can in some cases be justified. Aside from the truly dangerous, adult, professional Crackers (is there such a thing), generally its is kids that cause trouble. And they cannot be stopped without taking away the privledges of the ordinary user. Come on!

*** CONCLUSION ***

It would appear that a Utilitarian Philosophy is involved in the way systems are protected against intruders insofar as changed levels of access for the general user. In this sense, what is seen as the most pleasant outcome, the riddance of unwelcome logins (or whatever) can be reduced by simply keeping everything closed except that which is directly needed for server operation. The intended job of the sever being (in the case of Shrike for example) to provide cheap Internet access to DePaul Students (as a whole).

Other students like myself who may want more from their UNIX account cannot rest assured their needs will be met. Their needs fall outside the realm of the server operation. The otherwise noble cause of wanting to learn more about computers through being able to access everything, does not take precedence over the security. Us noble students wanting more freedom have a different philosophy. We feel that it's wrong to penalize a whole community just because a few stepped out of line. Only those responsible for damages should be punished. This suggests that each potential cracker get a chance to cause this "damage" and is then punished later, not what the owners of expensive hardware and software wish to see happen.

We have also a utilitarian viewpoint but with respect to a different common good. We feel truly that the computing community (a global community in the 2000's and beyond) will benefit from openness of systems. The sensible ones must however concede that break ins are a real problem. We should bolster our position by offering better ways to increase security. Make systems more secure by targeting pertinent areas, removing bugs, getting laws passed that will punish computer criminals rather than just slap them on the hand. Watch system activity ourselves and report suspicious activities to those in charge. How about the "Bad Guys"? Their ethical standpoint seems not to exist. They go against the institution by violating rules and with intent to cause damage, harass people or steal secrets. They go against the legitimate hacker community by abusing systems and thereby causing trouble for other computer users. They are driven by an Egoistic philosophy. They strive for their own benefit without caring what the consequences are for others and they should be punished.

"SobeGirl.com is the fastest growing content provider on the Web. We shoot new content sets every week and give Adult webmasters all over the globe incredible value for their money. Serve broadband content now with SobeGirl. All content sets include crystal clear video streams and pics. Together they form a great packages at great prices. Check out www.sobegirl.com today to see for yourself why hundreds of webmasters other webmasters know. "SobeGirl converts better."