Joe's Jottings
Jottings Number 69, Reply A, by Peter Naus:
Date: Thu, 20 Feb 97 10:29:56 -0800
I hope I'm not speaking out of turn here... This is a fairly long piece of drivel, so feel free to skip to the conclusion. I think clearly enough, but I wander like a fly on fire when I write...
Dad has always told me, "Locks are only for keeping honest people out." In essence, I believe that to be true. It seems that no matter how good the mousetrap, sooner or later someone will build a better mouse. It's called evolution when it happens in nature. Yet it becomes anarchy when it occurs in human circles. Why?
The problem with this situation, as I see it, is that of degree. As a hacker (a real hacker, not the modern "Stainless Steel Rats"), the challenge was in the creation. Here's a tool I've made to fix a particular problem. I use it to fix the problem. I don't use it to fix something else unrelated (usually).
If I write some code to perform a particular task : say, calculate prime numbers, and realise that my code could be used to crack passwords, for example, and I still release the code into the public domain, is that ethical? Probably. If I release the code into the PD with a big red sticker saying : WARNING! YOU MUST NOT USE THIS CODE TO CRACK PASSWORDS! I RENOUNCE ALL LIABILITY IF YOU DO! - is this ethical? I feel it's NOT. Because I gave up my responsibility for the problem, and because I let people know that this is a use to which the tool could be put. Am I in the same position as the developer of the nuclear bomb - hey, I just wrote the code, what you use it for is not up to me? (Not that I'm comparing the enormity of the position, just the ethical situation!). If I know my code will cause data loss in some systems given a set of circumstances, should I tell my potential audience? I guess that's what you meant by "fuzzy"...
You may have seen advertisements for "double decker" type VCRs lately. The ads I have seen ALWAYS stress at the end of the ad, or in very small letters at the bottom of the screen, "Not to be used for duplicating copyrighted material".
Yeah, right. The only reason I haven't got one is because I can't afford it. If I could afford it, I could probably afford to buy legitimate copies of "The Good, The Bad, and The Ugly" and "Terminator 2" and "The Princess Bride". (I have broad tastes. Go figure...:). But (assuming I wasn't caught, which is an incredibly remote possibility, you have to admit) it would be "easier" for me to buy some good quality blank tapes and hire videos and copy them than it would be for me to track down a particular film's distributor, then find a local office, then contact them, find what catalogue item it is.... and I haven't even got to the payment options yet! So why don't the major studios stop the sales of these things? Because they can't prove that the units are used for this purpose without spending a huge amount of resources. And anyway, if more people get to see the film, and want to buy a copy themselves, isn't that a good thing?
Another example. We have a local radio station which urges listeners to phone in if they see a police radar trap, then they broadcast the trap locations every 15 minutes. They even offer prizes. And you know what? The police _officially_ tolerate this! They figure it's going to make people drive more slowly, and therefore it couldn't hurt! I haven't heard of a bigger crock in my life! It's EASIER for the police to let the trap locations be broadcast than it is for them to mount an expensive advertising and/or legal campaign to stop it. And besides, the police have just taken delivery of laser speed "guns". They don't need the radar traps anymore, maybe?
I guess the point I'm stumbling blindly towards is, yes, security and ethics are two sides of the same view. Sort of. We provide security against a different ethic, a different value set. If we make something easy to do, then we cannot just say "don't do this". We have to feed back, to make people believe that it is not right to do this thing.
When I was little, dad used to belt me for doing the wrong thing. It worked. Eventually... :) Now I know it's wrong to steal money. I know that it deprives someone else of that money. I know that I would feel bad if it was _my_ money and someone took it. And, buried deep down in my reptilian brain, my cells remember the pain when I took the money all those years ago and got punished for it. Nowadays, the punishment would be different, but the result would be the same. So I leave the money alone. By whatever path, I have chosen not to steal the money. I didn't convince myself that if someone else would, why not me. I didn't say, hey, I've been working overtime for months, and I never get paid. This is the money that's owing to me.
That's what locks and passwords and Vchips and yuppie "bip bip" car alarms and guard rails on the edges of cliffs are about - putting up a barrier, a sign, saying "if you want to do this thing, I am deliberately making it hard for you so you will stop and think first". That's security. Ethics seems to me to be the decision whether or not to put up the barriers in the first place. Or, to put it another way, ethics are morals hung on a different peg. Ethics are morals for a price.
Let's ask a hard, and not unrealistic, question. Let's answer it truthfully. Do we tell a customer that the use of somemay mean that they are more susceptible to conditions which could result in data loss, or monetary loss? Currently, not directly. That's what a disclaimer is for. Should we tell them? Yes. Do our competitors do the same thing for their ? no. Should _they_ tell the customer? Yes. Will we or our competitors ever tell the customer about flaws in our own equipment/tools? Not unless we are forced to. Do we tell the customer about flaws in our competitors' products (and vice versa)? You bet your hot patootie we do! And our competitors return the favour for us!
So, what's the difference between telling a customer that use of our may result in data loss, and telling a customer that use of a competitor's may result in data loss? $$$$$. That's what. That's the difference between morals and ethics. So why don't we just tell the customer what problems they will have if they use our , and rely on our competitor to do the same? After all, if it's the truth... Ah, $$$$$. The only problem is.... you can't live directly off the profits of moral decisions. You'll sleep better, but you won't necessarily eat better :) Our business ethics are geared towards rewards, profits, dividends. Our personal ethics are sometimes geared to very different things, but I've never heard of a business ethic of loss, humiliation, or breakdown.
Are ethics different in cyberspace than reality? No. Ethics are a set of values. Values should not change with the medium! We are still doing liveware interfacing, only over a hugely reduced bandwidth! Ethics should be identical! It costs us nothing to be courteous. It costs us nothing to be rude, or demanding, or nasty. But it's easier to be rude than to be understanding. It's easier to be nasty, or spam someone, or flame them, than it is to open a communication path with them. It's easier to send a short, sharp signal of outrage, than a considered response. The question has become one of industry - because of the bandwidth reduction, it is EASIER to send a negative image than it is to send a positive one. That's what I like about this list. People take the time to explore the positive side.
In real life, we rely on moral judgement. We already know that the application of morality is patchy, at best, but we still believe it. We know people have extremely different sets of values but we believe a fundamental group of values is common to most people. Like the need for warmth, for protection from hurt, the need to get food. How we achieve those goals can be totally different from person to person.
I see a stick, you see a club. You see a cuddly pet, I see rabbit stew.
Are ethics easier to apply in cyberspace? No. They are harder to apply, because we don't have the ancillary data. Do they require more consideration? Yes. Does security affect morals or ethics? Probably not directly. Do we need security? Oh yes. Because there are people with different morals, and different ethics. And no matter what security we build, we will always need to build more securely. And it won't help. Because we can never build security against every value different to our own.
I feel like I've started out facing north, but now I'm facing ENE. I apologise for the rambling, but I hope you can see the gut of the question.
I have a question I'd like to ask if I may. When is a better mousetrap ethical?
PC Pete
************************************************************************
----------__---------------- Peter NAUS Technical & Training
---------__----------------- Asia Pacific TIS (Client Operations)
--------______---______----- Hewlett-Packard Australia
-------__--__---__--__------ 31 - 41 Joseph St.
------__--__---______------- Blackburn.
-------------__------------- VICTORIA 3130 AUSTRALIA
------------__-------------- Tel (IDD): +61 3 9272 4069
**************************** Fax (IDD): +61 3 9272 4014
Data is not information; Internet: Peter_Naus@hp.com
Information is not knowledge;
Knowledge is not wisdom. - Philip Adams 17'45S:144'58E
************************************************************************
.......................................................................
************************************************************************
----------__---------------- Peter NAUS Technical & Training
---------__----------------- Asia Pacific TIS (Client Operations)
--------______---______----- Hewlett-Packard Australia
-------__--__---__--__------ 31 - 41 Joseph St.
------__--__---______------- Blackburn.
-------------__------------- VICTORIA 3130 AUSTRALIA
------------__-------------- Tel (IDD): +61 3 9272 4069
**************************** Fax (IDD): +61 3 9898 5499
Data is not information; Internet: Peter_Naus@hp.com
Information is not knowledge;
Knowledge is not wisdom. - Philip Adams 17'45S:144'58E
************************************************************************