Friday, December 2, 2011

Blog Entry No.3

Computer Hacking

Activity 2.1 Researching Hacking Cases

Research one of the following hacking cases by either typing one of the keywords into a search engine or consulting one of the recommended textbooks:

Kevin Mitnick

Raphael Gray

Master of Deception

Mafiaboy

Legion of Doom

Robert Morris' Internet Worm

From your research, answer the following questions:

What was this case about?

The case is about computer hacking: 18-year-old Raphael Gray hacked e-commerce sites and exposed 26,000 credit card numbers.

Raphael Gray (Internet "hacker" exposes Microsoft security weaknesses): Raphael, an 18-year-old hacker from rural Wales, was arrested at his home on 23 March 2000. It was alleged that he had intruded into nine e-commerce websites in Britain, America, Canada, Thailand and Japan, taken details of some 26,000 credit card numbers, and disclosed some of the credit card information on the Internet. When interviewed, he said that he had been concerned for some time about the inherent security weakness in one particular make of software, Microsoft Internet Information Server.

What were the protagonist and parties involved?

No protagonists were mentioned. Parties involved were the law enforcement officers, e-commerce sites, and other organizations concerned as well as the owners of credit card information.

Did any prosecution result? If so, what were the outcomes?

It was said that the prosecution accepted that Raphael's motivation was to expose and publicize the fact that the e-commerce retailers had weak security measures and were vulnerable to hacking, and to inform the users of the e-commerce sites that they should not trust their credit card information to any of these retailers' sites.

In this case Raphael initially faced a ten-count indictment; each count was under section 2 of the Computer Misuse Act 1990, which involves intent to use the computer to perform a function to secure unauthorized access.

The six initial counts alleged an offence under section 2(1) of the Computer Misuse Act 1990, alleging that the defendant had committed an offence under section 3(1) of the Act by doing an act which caused an unauthorized modification of the contents of a computer. The remaining four counts alleged obtaining services by deception on two separate occasions, by using a credit card number he had downloaded to set up two separate websites on which to display the credit card information, and the related offences under section 2(1) of the Computer Misuse Act. This results in the third section of the Computer Misuse Act 1990, which is unauthorized access.

But on March 28, 2001 the prosecution reduced the first six counts to section 1 charges of simple unauthorized access on condition that the defendant pleaded guilty to the remaining four counts. After that, Raphael was given a two-year community rehabilitation order.

What ethical issues are raised by this case?

The ethical issue in this case is that Raphael's intention was to make users of the e-commerce sites aware that the credit card and personal information they entered on those sites was vulnerable to hacking and could be used by anyone with bad intentions. In doing so, however, Raphael Gray also violated the UK Computer Misuse Act when he exposed these credit card numbers and information to the public. Raphael's intention was good in the first place, but the owners of the e-commerce sites and the owners of those credit cards would say that his act was unethical because he made unauthorized access to this information.

Activity 2.3 The Computer Fraud And Abuse Act

Find out about the US Computer Fraud and Abuse Act (CFAA).

How does this Act compare with the UK Computer Misuse Act?

The following URL is recommended as a starting point for your research, though you may also want to consult some of the recommended texts and other articles:

www.eff.org/Legislation/CFAA

Activity 2.5 Arguments against Hacking

Write a summary of the main arguments against hacking - from a legal, professional and ethical perspective.

Hacking is argued to be an illegal act, since unauthorized access to computer material can be considered a criminal offence (as also mentioned in the Computer Misuse Act 1990). In spite of the fact that it is considered illegal, hackers at some point commit this offence in order to disclose information that others consider "confidential" but that the public deserves to know.

From an ethical perspective, hacking is also argued to be an unethical act of trespassing, since it involves electronic entry to a computer system, which is viewed in the same way as physical entry to an office or home. This holds if computers are viewed as material possessions.

Hacking is considered an unprofessional act, since hacking into others' computer systems sometimes leads to disruption of businesses and organizations. Though hacking can also be an issue from the professional perspective, since it was allowed on any code of conduct or any professional body, hackers often offered to work as security consultants in information security firms.

References:

http://www.mjreedsolicitors.co.uk/uncategorized/raphael-gray-curador/

http://jadefactura.wordpress.com/2010/12/09/research-hacking-cases-raphael-gray/

Monday, November 28, 2011

Blog Entry No.2

Case Study 1

What should she do?

Diane should give a demonstration or simulation of the effects that could result from the weak security of the requested system. As an adviser, she is well aware of all the risks they are taking. Even if the client is willing to take the risks, Diane should follow one of the core values of the code of ethics, Priorities (4.3.1), which says "I must place the interests of the community above those of personal or sectional interests.", and some of its sub-components. Diane should also follow "I must make myself aware of relevant standards, and act accordingly." (4.6.3), which might mean using the proper security standards for the risks in a system such as the one proposed.


Should she refuse to build the system as they request?

Under the given rules, Diane should either continue advising her client no matter what or reject the project to avoid the ethical dilemma that is at risk. If things go wrong, it is her responsibility.

a.)
Priorities (4.3.1)
I must place the interests of the community above those of personal or sectional interests.
Competence (4.3.2)
I must work competently and diligently for my clients and employers.

b.)
4.5.1
I must endeavour to preserve continuity of information technology services and information flow in my care.

4.5.2
I must endeavour to preserve the integrity and security of the information of others.

4.5.3
I must respect the proprietary nature of the information of others.

4.5.4
I must endeavour to preserve the confidentiality of the information of others.

4.5.5
I must advise my client or employer of any potential conflicts of interest between my assignment and legal or other accepted community requirements.

4.5.6
I must advise my clients and employers as soon as possible of any conflicts of interest or conscientious objections which face me in connection with my work.

4.6.3
I must make myself aware of relevant standards, and act accordingly.

4.6.4
I must respect and protect my clients' and employers' proprietary interests.

4.6.5
I must accept responsibility for my work.

Case Study 2

Can she continue with the evaluation?

No, it will be hard for her to continue the evaluation because of what was happening between the two companies she is evaluating.

If she cannot continue with the evaluation, how does she inform Company A of the patent violation?

She must write a letter or otherwise inform Company A that the GUI they used has already been used, and thus warn them of possible lawsuits if they decide to continue with their current GUI.


Does she have an obligation to let Company B know Company A has copied their GUI?

No. Her obligation is to inform Company A that their GUI design has already been used by a different company and that they must change it as soon as they can to avoid conflicts.

a) Values and Ideals (from Section 4.3 ACS Code of Ethics)
4.3.1 Priorities
4.3.2 Competence
4.3.3 Honesty

b.)

4.5.2 I must endeavour to preserve the integrity and security of the information of others.

4.5.4 I must endeavour to preserve the confidentiality of the information of others.

4.5.5 I must advise my client or employer of any potential conflicts of interest between my assignment and legal or other accepted community requirements.

4.5.6 I must advise my clients and employers as soon as possible of any conflicts of interest or conscientious objections which face me in connection with my work.

4.6.3 I must make myself aware of relevant standards, and act accordingly.

4.6.4 I must respect and protect my clients' and employers' proprietary interests.

4.7.1 I must not knowingly mislead a client or potential client as to the suitability of a product or service.

4.7.3 I must give opinions which are as far as possible unbiased and objective.

4.7.5 I must qualify professional opinions which I know are based on limited knowledge or experience.

Sunday, November 20, 2011

Cisco Foundation

The Cisco Foundation was established in 1997 by a gift from Cisco. We make strategic grants to programs with long-lasting impact on a local, national, and global scale. We also empower employees to give more through our matching gifts program.

Vision & Mission

The Cisco Foundation supports Cisco's efforts to team with NPO/NGO organizations around the world to develop public investment programs focused on critical human needs, access to education, and economic empowerment. We focus this work on underserved communities and look for solutions that harness the power of the Internet and communications technology.

Code of Ethics

Innovative ideas, emerging technologies, strategic acquisitions - I work in an industry where the pace is fast and change is constant. But there are some things that do not change, like the commitment to doing business honestly, ethically, and with respect for one another. I think Cisco has been successful as a company because we put core values like these into practice on the job every day; doing the right thing is just part of our DNA.

Cisco was founded in an environment of open communication, empowerment, inclusion, integrity, and trust.

These values remain at the forefront of our culture and our business decisions. We must maintain our commitment to these values and continue building a culture that understands what is acceptable and what is not. We will never compromise on issues of integrity. Our Code of Business Conduct (COBC) reinforces our core values and is a guide to help you make the right ethical decisions and resolve issues you may encounter.

Make good choices.

When you are faced with an ethical dilemma, you have a responsibility to take action. A decision tree can help. It may seem easier to say nothing or look the other way, but taking no action is, in itself, an action that can have serious consequences. Let the decision tree guide your actions. Speak up if you see or suspect activity that violates our COBC. As we continue to grow and innovate, you will be helping to further our mission and preserve our core values.

Cisco's continued success depends on your ability to make decisions that are consistent with our core values.

Regardless of the situation, exercise total honesty and integrity in everything you do. As an employee, you are responsible for complying with all applicable laws and regulations in each country in which we do business and for knowing and complying with our COBC and other policies of the company. Violations of law or this COBC or other policies of the company are subject to discipline, which may include termination of employment. Your commitment to doing the right thing will strengthen our team and our reputation as a global leader.

Resources:

http://www.cisco.com/web/about/ac48/about_cisco_cisco_foundation.html

http://files.shareholder.com/downloads/CSCO/1521768215x0x387353/97e5e9eb-b4e4-472c-8bc6-9241cc73be5c/Cisco_2010_COBC_external.pdf