Articles

---

The importance of teaching kids the ethical use of computers.

The self-confessed author of the recently released Anna Kournikova worm claimed on a Web site that he wanted to write and release the new worm because Net surfers learned nothing from the I-Love-You virus. He wrote, "I never wanted to harm the people (who) open the attachment. But after all it's their own fault they got infected."

As many readers will recall, the Anna Kournikova worm (often wrongly called a virus) arrived, uninvited, in e-mail messages bearing an attachment that purported to be a JPEG file with a photo of the famous tennis star after whom it is named. In fact, the attachment was a VBS (Visual Basic Script) file. As soon as hapless recipients opened the attachment using Microsoft Outlook as their e-mail client, the VBS file was loaded and executed, allowing the worm to spread itself to all the recipients on each victim's e-mail address book.

Much like the earlier Melissa and I-Love-You malicious programs (malware), the worm generated a cover message with a harmless-sounding subject ["Here you have, ;o)"] and a simple body [Hi: Check This!] that might increase the number of recipients willing to open the attachment -- after all, the message used each victim's e-mail address in the origination field as part of its deceptive wrapper.

The worm spread about as fast as its predecessors and caused significant network bandwidth saturation around the world. As with other worms, damages included lost productivity, lost sales, and direct salary costs of recovery staff (for full details see CERT Advisory CA-2001-03 at http://www.cert.org/advisori es/CA-2001-03.html).

Too often, we hear facile explanations of why viruses and worms continue to proliferate in type and frequency of infection.

One school argues as the putative virus-writer does that users have only themselves to blame for launching viruses. Yes, it is true that users of some e-mail software such as Microsoft Outlook are at risk because software engineers have designed their products to execute code in attachments at top priority, without any choice over the functions that such code can invoke. Yes, such users are exhorted never to open any attachment they are not expecting and indeed to delete unsolicited executable code. Yes, the Windows 9x operating systems normally obscure the file types of received files and require an explicit reversal of the default to prevent the kind of deception used by worms (the filename was "AnnaKournikova.jpg.vbs" which would appear as "AnnaKournikova.jpg"). However, none of these failures of software engineers in any way justifies the irresponsible behavior of malware writers.

When the Unabomber sent his victims mail bombs, did any sane person blame the victims for opening the packages?

Another familiar whine from criminal hackers and distributors of malicious code is that they are performing a service by demonstrating security weaknesses.

If sociopaths made a game of poisoning canned soups in grocery markets to demonstrate the inadequacy of security measures in the food-distribution chain, would anyone countenance their claim?

And if the self-justification is more narrowly targeted, the perpetrators claim that their attacks are focused solely on the manufacturers and that the users are victims of the software vendors' incompetence for creating an operating system that lacks even the most elementary concepts of operating-system security (privilege levels).

Well, but suppose an automobile manufacturer were to design an automobile susceptible to, say, catastrophic loss of control if subjected to radio-frequency interference by a deliberately-modified garage-door opener. Mark you, I am proposing a scenario where damage would not occur without deliberate, malevolent manipulation by someone determined to make cars crash.

Would anyone seriously propose that the agent causing car crashes was contributing to better automobile quality? Would anyone countenance the claim that making cars crash was a big-hearted demonstration of professional concern for safety?

Nah -- the excuses offered by virus writers and hobbyists are beside the point. Far from being solely a technical problem addressed by guerilla software quality-assurance activists, I think that the roots of the malware problem spread deep and they spread wide.

First of all, we are seeing the consequences of a deliberate design decision by software engineers to automate actions that ought not to be automated. We are suffering the consequences of a technical monoculture in which the dominant vendor consistently opts for automated insecurity. Whoever argued that an e-mail client should execute attachments with no provision for safety checking? Why should an operating system have a single level of privilege so that any arbitrary code can access all functions and everything in memory? Why isn't there even a restricted partition available to run an untrusted application in isolation from the rest of the operating environment?

But all these criticisms of software design ignore the other side of the evil growth that is today's malware.

The other root of malware is the global failure to reach the kids and adults who become malware writers and distributors.

The work of Sarah Gordon and others (see for example the papers listed at http://www.badguys.org/papers.htm has convinced me that there is a wide variety among such people. Some few are moral imbeciles, but most are more likely unaware of the damage and distress their sick hobby can cause. Others are deluded fools who genuinely believe the propaganda they have been fed by others in the malware game.

Regardless of the degree of psychopathology among these people, I believe that the collective failure to integrate cyberspace into our moral universe is by far the most important contributor to the plague of malware through which we are living (see "Totem and Taboo in Cyberspace" at http://www.infowar.com/hacker/hack6.html-ssi). As information-technology professionals, we ought to be leading and contributing to efforts to educate adults and children about ethical use of computers and networks. We security experts and network specialists do a lot of talking to each other about security. We natter on at conferences about the latest vulnerabilities and exploits; we make tsk-tsking noises about how awful the latest case of Web of vandalism is. As Peter Tippett of TruSecure Corporation has often said, faced with a rising tide of criminal hacking, we raise the dikes ever higher. Our conception of improving security is focused entirely on resisting attacks.

This attitude seems to take for granted that criminal hackers and virus writers will continue to increase the frequency, sophistication, and effectiveness of their penetration attempts and malicious software. It's much the same attitude that we (reasonably) adopt with regard to earthquakes, tornadoes, hurricanes, and snow storms: basically, we treat computer crimes as if they were acts of god.

We don't know all the details of the criminal hacker underground. However, we know for sure that there are children being seduced by hacker propaganda right now. Children live in a child's subculture; for many kids, the adult world impinges very little on their daily life. In many families, children care more about their peer group's approval then about their parents' opinions. It's not surprising, then, that there are kids who are playing with powerful hacking tools -- maybe kids in your neighborhood or even your family -- who are launching denial of service attacks, vandalizing Websites, using stolen credit cards, and writing and spreading viruses or worms.

In the 1980s, there was a pre-teen kid whose family thought that there was nothing unusual about his having several phone lines that he paid for in his bedroom. The child had convinced them that running half a dozen modems concurrently 24 hours a day was just something that computer geeks had to do. The parents never asked where the child obtained the money to pay for extra phone lines. It turned out that their "computer genius" was trolling for fax numbers using war dialers and was selling the fax numbers he identified to junk-fax operators who were paying him for his harvest.

In 1996, a 16-year-old Australian, Drew Henry Madden, of Brisbane started defrauding businesses using stolen and forged credit card numbers just after leaving school. By 1997, he had stolen $100,000 in goods and services. In October 1997, he pleaded guilty to 294 counts of fraud and was given a suspended sentence. His defense attorney blamed his victims' poor security for the losses. Despite the youngster's unusual revenue stream, his mother appeared to have accepted his globetrotting ways and massive purchases of lottery tickets without comment.

Very few of us in the networking and security professions seem to go out of our way to talk about security and criminal hacking to anyone outside our field. We seem to be content to talk to each other and agree on how unfortunate it is that parents or the schools or TV cartoon shows don't teach kids about the ethical use of computer technology.

So why aren't we out there talking to kids and teachers and parents ourselves? We know how tough it is for network operations when someone has breached our perimeter. We have gone through all-night sessions checking our software and data because some unknown broke through a vulnerability we should have patched or infected our networks with malicious software. We need to speak up about of our point of view. We need to go out into our own communities and spread the word about what really happens when there's unauthorized access to our systems. We should be speaking about our concerns in schools, churches, synagogues, mosques, community centers, Co-op stores, teen centers and anywhere we can reach adults and children in an effort to stem the tide of criminal hacking.

If you'd like some materials aimed at kids for your foray into outreach, visit the K-Files on SecurityPortal.com and check out the ethics section at http://www.securityp ortal.com/kfiles/ethics.html . Start with "Why Kids Shouldn't Be Criminal Hackers" http://www.securityportal.com/kfiles/files/kidcriminals.html and then read "Making Ethical Decisions: A Guide for Kids" at http://www.securityportal.com/kfiles/files/ethicaldecisions.html.

* * *

FOR FURTHER READING:

Some other useful sites with resources for educating parents, teachers and youngsters:

AiCE Australian Institute of Computer Ethics http://www.aice.swin.edu.au/

Computer Ethics Institute http://www.brook.edu/its/cei/cei_hp.htm

Web Clearinghouse for Engineering and Computing Ethics http://www4.ncsu.edu/~jherkert/ethicind.html

Computer Ethics - Mississippi State University (David Vance) http://cyberethics.cbi.msstate.edu/

Computer Ethics (ThinkQuest) http://library.thinkquest.org/26658/

Computer & Information Ethics Resources on WWW (University of British Columbia) http://www.ethics.ubc.ca/resources/computer/

Cyberangels http://www.cyberangels.org/

Cyberspacers http://www.cyberspacers.com/home.html

Ethics Resources for Teachers and Trainers http://www.depaul.edu/ethics/ethc1.html

"In Search of a Common Rationale for Computer Ethics" (R. N. Barger, 1994) http://www.nd.edu/~rbarger/common-rat.html

Institute for Business and Professional Ethics at DePaul University http://www.depaul.edu/ethics/

Journal of Ethics and Information Technology http://www.wkap.nl/journals/ethics_it

Markkula Center for Applied Ethics http://www.scu.edu/SCU/Centers/Ethics/homepage.shtml

"On the Philosophical Foundation of Computer Ethics" (L. Floridi) http://www.wolfson.ox.ac.uk/~floridi/ie.htm

Online Ethics Center for Engineering & Science http://onlineethics.org/

WebWise Kids http://www.webwisekids.com/

* * *

M. E. "Mich" Kabay is security leader in the INFOSEC Group of AtomicTangerine, Inc. He can be reached by e-mail at [email protected] and by phone in his Vermont office at 802-479-7937. Copyright � 2001 M. E. Kabay. All rights reserved. The author grants the ACM unlimited rights to publish, archive, or otherwise make available this document provided the text remains intact and all the author's contact information and copyright statements are included.