Ethics are of incredible importance in the security field. Scott Granneman looks at recent examples of poor security decisions made at HP, Diebold, Sony, and Microsoft.
I'm talkin' about friendship. I'm talkin' about character. I'm talkin' about - hell, Leo, I ain't embarrassed to use the word - I'm talkin' about ethics. You know I'm a sporting man. I like to make the occasional bet. But I ain't that sporting. When I fix a fight, say - if I pay a three-to-one favorite to throw a goddamn fight - I figure I got a right to expect that fight to go off at three-to-one. But every time I lay a bet with this sonofabitch Bernie Bernheim, before I know it the odds is even up - or worse, I'm betting the short money. ... He's selling the information I fixed the fight. Out-of-town money comes pourin' in. The odds go straight to hell. ... The point is, Bernie ain't satisfied with the honest dollar he can make off the vig. He ain't satisfied with the business I do on his book. He's sellin' tips on how I bet, and that means part of the payoff that should be ridin' on my hip is ridin' on someone else's. ... It's gettin' so a businessman can't expect no return from a fixed fight. Now if you can't trust a fix, what can you trust? For a good return you gotta go bettin' on chance, and then you're back with anarchy. Right back inna jungle. On account of the breakdown of ethics. That's why ethics is important. It's the grease makes us get along, what separates us from the animals, beasts a burden, beasts a prey. Ethics. Whereas Bernie Bernheim is a horse of a different color ethics-wise. As in, he ain't got any. He's stealin' from me plain and simple.

Yes, Johnny Caspar is correct: "ethics is important." And it is especially important when it comes to computer security. In many cases, we are the keepers of the keys, and if we violate trust, and compromise the confidentiality, integrity, or even availability of the data and networks we oversee, then yes, "you're back with anarchy."
Don't look now, but it sure appears that we're getting dangerously close to anarchy, given the incredibly unethical behavior we've seen in security practices in the past year or so. Sure, I guess some folks could argue back at me that these incidents aren't that unethical. But if it walks like a duck and quacks like a duck, then it is what it is: a duck. A big, stinking, unethical duck.
The big news in the last week has been the debacle among HP's board (Why is it HP keeps doing things that cause me to write about them?). Patricia Dunn, the chairwoman of HP's board, was upset that one of the other directors was leaking information to the media. Her solution? Hire investigators, who then impersonated various board members and asked the phone companies for their records (this practice is known by the rather benign-sounding term "pretexting," as though it's the sort of thing one does before firing up emacs or the infinitely better vim). The phone companies happily acquiesced - more great ethics on display - and Dunn found her culprit. At the very least the action is completely unethical; at worst it's illegal, leading the California AG to investigate HP's board and others. Hopefully, charges will be filed. Dunn has stepped down as chairwoman, but she's still on the board, which only goes to show how seriously HP takes her repugnant acts.
But really, Dunn's Ace Ventura-worthy sleuthing is nothing compared to some other ethical indiscretions that it pains me to recall. The developers who work for companies that spam or spew spyware onto computers all across the world, for instance. Spammers and spyware creators - despite their pathetic protestations of innocence - are essentially dirtbags peeing in the collective pool of the Internet. Anyone who works for them to further their interests is tainted by the association. Companies that used these clowns to advertise - Delta, Cingular, and Vonage - are just as colored. I don't care how much you need a job, or how badly you want to acquire customers - spyware and spam are among the absolutely sleaziest ways to accomplish those goals.
One of the first columns I ever wrote in this space was about the wonderful folks at Diebold and their oh-so-fabulous electronic voting machines. That was almost three years ago, and in the interim, not much has changed ... except that there's now even more proof of just how awful and dangerous these devices truly are. Not only are these hunks of junk ridiculously easy to hack, but the paper verification systems - added only begrudgingly by the company - tend to produce ballots worthless for counting about 10% of the time.
How in the world spokespeople for Diebold could continue to offer assurances to the public - assurances that reputable investigators are demonstrating to be false - and continue to face themselves in the mirror is beyond me. And my scorn extends to those who continue to work on those machines, continue to sell those machines, and especially to those who are supposed to look out for the public and yet continue to give money to Diebold to purchase those machines. It's really beneath contempt.
How about Sony and its now infamous rootkits, another transgression of the public trust that I wrote about a year ago? Whoever thought that installing a damaging rootkit on customers' computers when they tried to listen to one of your company's CDs was a good idea had rocks in his head. We know that Sony's malware is still present on hundreds of thousands of networks, but I wonder if Sony really understands what they did. Oh sure, Sony realizes that it angered a lot of people, and I'm sure the company is sorry that it got caught, but did anyone lose his or her job at the company as a result of the rootkit fiasco? Did the company categorically state that it repudiated the techniques used in the rootkit? Did executives at the company start to understand the problems with DRM, and why customers hate it so much? Nah. I didn't think they would.
The above examples are pretty obvious in their almost total lack of ethics. Sometimes, however, the line between unethical and an honest mistake is a thin one, even open to debate. For instance, is it unethical to (continually) release ineffective patches that actually make problems worse? Or is it just incompetent, especially given the resources that could be put to bear testing the fix beforehand? Or is it just an honest oops? When it comes to continuing to support a technology like ActiveX that has been shown time and time again to have massive vulnerabilities or choosing to rush "security" patches out the door to fix DRM issues (actual quote: "We have teams working around the clock on this project") long before you issue fixes for known, real holes ... well, the line seems a bit more obvious to me, but I guess some could still take the opposite tack. It's just a mighty thin area to stand on over there on the other side of that line, that's all.
Perhaps I'm just a naive rube, but I find it difficult to understand how these individuals live with their unethical choices. I cannot comprehend how someone could make the moral choice to lie to the public, or take advantage of the ignorance of the majority of computer users, or break the law to flush out a small problem. Is money all that they care about? Do ethics not fit into their world views at all? Or have they gotten so adept at self-justification that they have deluded themselves into thinking that what they're doing is OK?
As security professionals, we're supposed to be the good guys, the ones who protect the public against the bad guys. We're not supposed to be the bad guys. When someone crosses that ethical line - because they're asked to, or ordered to, or paid to - it's still crossing the line, and it's still wrong. A criminal who sets up a phishing scam or installs a keylogger to grab credit card numbers knows that what he's doing is against the law. At least he's honest to himself about his dishonesty. But those who attempt to cloak their unethical actions in the mantle of adherence to "shareholders" or "profits" or "error" are even worse, because they're lying to themselves as well as those affected by their rotten choices. It stinks, and we need to act - and react - accordingly.
At a key point in Miller's Crossing, one character begs another to "Look in your heart!" That's good advice. Perhaps if more individuals did that, we'd see some changes. After all, it's all about ethics. Johnny Caspar was right about one thing: ethics are "the grease makes us get along, what separates us from the animals." Right now, we could use some. Badly.