SecurityCurve » Teleological suspension of the ethical

More about malware ethics and AMTSO

Ed — Fri, 02 Jul 2010 17:25:33 +0000

Source: vergemagazine.com

So if you don’t keep up with this stuff, there’s been some interesting discussion going on in the blogosphere having to do with the AMTSO, malware testing, and so forth. The interwebs are all a-twitter with hot debate.

As some background and context, I recommend checking out NSS Labs’ excellent post, David Harley’s responses to the crazy ranting of yours truly, Kevin Townsend’s well-articulated viewpoint, and Kurt Wismer’s reasoned rebuttal.

Whew. That’s a lot of text about this humble topic! Anyway, for today (since it’s a Friday), I’m not going to get all down into the nitty-gritty of all of the excellent points made by others (on both sides of the issue), but I do want to spend just a minute or two on the ethical question of malware creation. Given all the discussion going on, I feel it valuable to add the proverbial two-cents.

Namely, is it ethical (big word, that) to create new malware for the purposes of testing? Or, more relevantly, is it ethical to create new malware for any research purpose. I argue that it is. Others argue that it is not.

Now before we get into the pros/cons, let me say that all of the folks debating this are all on the same team – nobody is advocating that bad guys should have free reign to create malware for nefarious purposes like h4x0ring the Interwebs - everybody agrees that’s not good. Instead, the issue centers around whether it’s ethical for a scientific institution (be it education, public sector, or industry) to create malware for testing, education, or research under defined, “safe”(r) parameters. Those on the “don’t do it” side of the argument argue that the risks outweigh the benefit; those on the other side argue that the benefits outweigh the risks.

Clearly there are risks associated with malware created for research purposes. We know, for example, that creating malware, even with the best of intents, can have undesirable impacts when it escapes the confines of the lab. So that’s not good. But what about if safety measures are put in place so that it doesn’t escape? Of so that – if it does escape – nothing bad happens (to the extent that we can control that). Is that bad? Kurt Wismer says it is:

For starters i can’t believe that after all these years people are still getting bent out of shape or trying to read ulterior motives into the ‘no malware creation’ rule. it’s one of the oldest and most fundamental ethical principles in the anti-malware community. if people found out that the CDC was creating new diseases they’d be up in arms – worse still if one of those new diseases got out (something whichhas happened in the malware world) – but in the case of the anti-malware community outsiders assume it’s because everyone in the anti-malware community has vendor ties and the vendors don’t want to look bad in tests. we’re not talking about the ‘we mostly frown on malware except when it’s useful to us’ community, it’s the ANTI-malware community. you can’t really call yourself anti-X if you go around making X’s. that would just make you a hypocrite.

Kurt makes good points. But I don’t think that creating of malware for research purposes necessarily has to contradict what Kurt says here. There are two reasons – one is pragmatic, the other philosophical. The pragmatic counter-argument has to do with the analogy to real-world diseases. And it turns out that biologists do, in fact, create new diseases for the purposes of forwarding research. For example, biologist Craig Venter (funded by the DoE) created a bacteriophage (a virus that infects bacteria). In that case, bioethicists argued in that case that the benefits outweighed the risks:

Does the potential for good that new life forms may have outweigh the harm they could do? Arthur Caplan, who heads the University of Pennsylvania’s Center for Bioethics, says yes. This technology “is impressive. It’s powerful and it should be treated with humility and caution,” Caplan says, “But we should do it.”

So this is OK in the physical world according to (some) bioethicists. I’m sure some would disagree, but it’s clearly not universal outrage. As for me, I’d argue that the risks of creating actual physical pathogens in the lab is more risky than the digital counterpart.

The second argument is a philosophical one based on Kierkegaard’s Fear and Trembling. Kierkegaard suggested what he calls a Teleological Suspension of the Ethical – the argument basically boils down to ethics being relative; a “bigger” win ethically trumps a smaller questionable action:

Let us imagine that a man named Bob walks into a bank to make a deposit. While he is at the counter five robbers rush into the bank and overtake all the people. As this hustle and bustle goes on, Bob spies that a young girl has ducked into a broom closet for safety. The robbers, unfortunately, have killed everyone in the bank except Bob and the small girl. The head robber approaches Bob and puts this question to him, “Is there anyone else alive in the bank, because if there is we are going to kill them?” Bob answers swiftly with an “ethical” “No.” The robbers loot the vault and escape. Now we ask, was Bob’s statement breaking any commands of God? Norman Geisler answers this in his “Christian Ethics” with a profound “No”. He directs us to say that the situation, Bob having to answer a murderer, does not oblige us to tell the truth. Thus, Bob did the right thing and saved a life, and the lie “did not count.”

In the example, lying is unethical, but because it was done to save a life, the unethicalness of it was “suspended” because of the bigger win. I think malware creation is similar: creating malware could be unethical in some circumstances. But the unethicalness of it is “trumped” in a research context because of the interests being served: better security for the industry.

McAfee: “Ethics First” Apparently Isn’t

Ed — Thu, 01 Jun 2006 15:42:00 +0000

You ever seen McAfee’s business ethics pledge? In case you haven’t, they call it “Ethics First” and they proclaim it loud and proud on their website:

We are committed to holding the highest ethical standards. Our business relationships with customers,
shareholders, employees, suppliers, and local communities must always be built on a foundation of integrity and trust. We call this commitment “Ethics First”

ISC(2) Under Investigation for Plagiarism

Ed — Mon, 27 Feb 2006 12:55:16 +0000

For those of you unfamiliar with my opinion on the CISSP, I’m not a huge fan. It’s not that I’m against certification per se, it’s just that I question the value of the cert and I think ISC^2 is the wrong body to administrate such a cert. I think, for example, that a for-profit entity has an economic incentive to push as many people through the process as possible, thereby lowering the quality of the certification over time. Additionally, I’m of the opinion that CISSP doesn’t really do much for the public at large and doesn’t do much for practictioners like other professional certifications (CPA, license to practice medicine, etc.); unlike other professional certifications, it doesn’t prevent malpractice, it doesn’t provide recourse for individuals who have been burned by poor-quality security professionals, etc. At best it’s of questionable value; at worst it’s a cash-cow for the licensor.

In any event, given my feelings on the topic, I was interested to read that ISC(2) is under investigation for plagerism in the “Official” CISSP guide. Apparently, an entire chapter in that book has (allegedly) been copied and pasted verbatim into the book from a paper from the American Bar Association. There are (allegedly) additional materials “borrowed” from a number of other sources as well. For those unfamiliar with the CISSP, there is a mandatory code of ethics that accompanies the certification. The following are all entries from theISC^2 code of ethics:

-Act honorably, honestly, justly, responsibly, and legally.
-To discorage behavior such as… Associating or appearing to associate with criminals or criminal behavior.
-Tell the truth; make all stakeholders aware of your actions on a timely basis.
-Avoid conflicts of interest or the appearance thereof.
-Take care not to injure the reputation of other professionals through malice or indifference.

Is it me, or in the light of those aspects of the code, that this ISC^2 plagerism is particularly noxious. It’s not just the fact that they stole from others – it’s the hypocrisy of making other people swear to uphold the code that they violated in an official publication of theirs… on no less than 5 counts.

Shady Verisign Dealings

Ed — Thu, 31 Mar 2005 17:36:24 +0000

Well, Verisign has done it again. One of the bidders for the .net domain has gone on the record saying that there are factual issues in the published recommendation. The register, did some digging and found out that (surprise, surprise) there are serious conflicts of interest with several members of the evaluatory commitee. Pretty standard and transparent stuff, really. Evaluators with a monetary and/or personal interest in favoring their chosen pony and no compunction against slanting the evaluation criteria, ignoring technical experts, etc., etc. My question about this is, though: why is Verisign even allowed to bid?

Don’t people remember that time that Verisign tried to hijack DNS to make money on all our collective typos? Remember when ICANN had to strongarm Verisign and threaten them publicly in order to make them comply? Paul Twomey (ICANN president) said in a statement:

“…VeriSign