|
Chapter 6 of P. Taylor's book - Them and Us (par
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
Computer underground Digest Sun July 27, 1997 Volume 9 : Issue 59
ISSN 1004-042X
Editor: Jim Thomas ([email protected])
News Editor: Gordon Meyer ([email protected])
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Field Agent Extraordinaire: David Smith
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
CONTENTS, #9.59 (Sun, July 27, 1997)
File 1--Chapter 6 of P. Taylor's book - "Them and Us" (part 2 of 2)
File 2--Cu Digest Header Info (unchanged since 7 May, 1997)
CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.
---------------------------------------------------------------------
Date: 18 Jun 97 17:25
From: [email protected]
Subject: File 1--Preview of "Hacker" book: THEM AND US (part 2 of 2)
((MODERATORS' NOTE: This is Part two (of 2) of CuD 9.59, the
conclusion of Paul Taylor's chapter from his forthcoming hacker
book)).
------
6.6 BOUNDARY FORMATION PROCESS AND THE USE OF ANALOGIES
The previous sections of this chapter have established that the ethical
issues surrounding computer usage are both complex and liable to
fundamentally contrasting interpretations by the members of the CSI and the
CU. The debate that subsequently occurs between the two groups has been
shown as part of a boundary forming process by means of which both groups
reinforce their own identities. This section analyses the way in which
analogies are used within this process as both explanatory tools with which
to examine some of the issues in the ethical debate over hacking, and also
as a method of conveying the strength of opinion that is held.
The role of physical analogies in the ethical debate over security issues
has already been illustrated with the CSI's use of them to express fears of
the anonymous nature of the threat hackers pose. The general ease with
which physical analogies are used and the strength of feeling behind them
is vividly illustrated by Jerry Carlin's response to the question, ''Have
system breakers become the 'whipping boys' for general commercial
irresponsibility with regard to data security?" He replied, "It's
fashionable to blame the victim for the crime but if someone is raped it is
not OK to blame that person for not doing a better job in fending off the
attack!" (Carlin: e-mail interview) Sherizen was one of the few
interviewees to refrain from using analogies in his discussion of hacking,
contending that:
Usually, arguing by analogy is a very weak argument. When it comes to
discussing the law, non-lawyers often try to approach arguments this way.
I don't think that we can go very far to determine appropriate behaviours
if we rely upon analogies. What we need to develop are some social
definitions of acceptable behaviour and then to structure "old law for new
technologies." The physical analogies may help to score points in a debate
but they are not helpful here at all (Sherizen e-mail interview).
The grey and indeterminate ethical quality of computing makes it difficult
to establish such a code of 'acceptable behaviour', and it is in an attempt
to do so that physical analogies are used. Goldstein (editor of Hacking
magazine 'Phrack') explores the ethical implications of hacking by
questioning the use of an analogy that likens hacking to trespass:
Some will say ... 'accessing a computer is far more sensitive than walking
into an unlocked office building.' If that is the case, why is it still so
easy to do? If it's possible for somebody to easily gain unauthorised
access to a computer that has information about me, I would like to know
about it. But somehow I don't think the company or agency running the
system would tell me that they have gaping security holes. Hackers, on the
other hand, are very open about what they discover which is why large
corporations hate them so much (Goldstein 1993).
The moral debate about hacking makes frequent use of such physical
analogies of 'theft' and 'trespass'. The choice of the physical analogy
reflecting the initial ethical position of the discussant and will be
biased towards the point that the discussant is attempting to establish,
and hence certain emotive images such as rape and burglary are repeatedly
used.
(i) Property issues
Members of the CSI tend to emphasise the authorisation and access rights
criteria relating to information. Such criteria are held to be fundamental
to an ethical outlook on computing issues because of they stem from the
basic belief that information and computer systems are the sole property of
their owners, in the same way that property rights exist in material
objects. Physical analogies become a means to restrict the computer
security debate: "to questions about privacy, property, possessive
individualism, and at best, the excesses of state surveillance, while it
closes off any examination of the activities of the corporate owners and
institutional sponsors of information technology (the most prized 'target'
of most hackers)." (Ross 1990: 83). This is a rather partisan
interpretation of the role analogies play in the socially shaping boundary
formation occurring within computing. A less controversial assessment,
would be that in contrast to the CU, the CSI emphasises the property rights
of system owners with its use of analogies that are often dramatic and
vivid: "As far as the raison d'=88tre for attackers, it is no more a valid
justification to attack systems because they are vulnerable than it is
valid to beat up babies because they can't defend themselves. If you are
going to demonstrate a weakness, you must do it with the permission of the
systems administrators and with a great deal of care" (Cohen: e-mail
interview).
The difficulty faced with analogies that seek to emphasise the way in which
hacking tends to transgress property rights, centres upon what we have
already seen as the increasingly immaterial aspects of information and
which is also shown in Chapter 7 to create various problems for drafting
effective computer misuse legislation: "copyability is INHERENT in
electronic media. You can xerox a book but not very well and you don't get
a nice binding and cover. Electronic media, video tape, computer discs
etc., do not have this limitation. Since the ability to copy is within the
nature of the media, it seems silly to try to prevent it" (Mercury: e-mail
interview). Software copying is an example of how duplication within
computing is inherently more easy than with physical commodities:
copyability is intrinsic to the medium itself. For example, Maelstrom
contends that he: "can't remember a single analogy that works. Theft is
taking something else that belongs to someone without his/her permission.
When you pirate you don't steal, you copy" (Maelstrom: e-mail interview).
Similarly, in the case of cracking:
In absolutely no case can the physical analogies of 'theft' and
'trespassing' be applied in the matter of computer system 'cracking'.
Computers are a reservoir for information expressed in bits of zeroes and
ones. Homes and property have things far more intrinsically valuable to
harbour. Information protected properly whilst residing on a system is not
at issue for 'theft'. Encryption should have been a standard feature to
begin with and truly confidential information should not be accessible in
any manner via a remote means (Tester: e-mail interview).
(ii) Analogies - breaking and entering
In order to emphasise the potential harm threatened to systems by anonymous
intruders the physical analogies used tend to concentrate upon the fear and
sense of violation that tend to accompany burglaries. The dispute between
the CSI and the CU as to whether it is ethical to break into systems is
most often conducted with reference to the analogy of breaking and entering
into a building. Because of the divergence between the real world and
cyberspace, however, even such a simple analogy is open to varying
interpretations: "My analogy is walking into an office building, asking a
secretary which way it is to the records room, and making some Xerox copies
of them. Far different than breaking and entering someone's home" (Cohen:
e-mail interview).
Cosell presents the following scenario with which he attempts to frame the
ethical issues surrounding hacking:
Consider: it is the middle of summer and you happen to be climbing in the
mountains and see a pack of teenagers roaming around an
abandoned-until-snow ski resort. There is no question of physical harm to
a person, since there will be no people around for months. They are
methodically searching EVERY truck, building, outbuilding, shed etc.,
trying EVERY window, trying to pick EVERY lock. When they find something
they can open, they wander into it, and emerge a while later. From your
vantage point, you can see no actual evidence of any theft or vandalism,
but then you can't actually see what they're doing while they're inside
whatever-it-is (Cosell: CuD 3:12 April 1991).
From this scenario, various questions arise, such as: do you call the
Police? what would the intruders be charged with? and would your response
be different if you were the owner of the resort? Someone more sympathetic
to the hacker point of view illustrated the fundamentally different way in
which the two groups, CSI and CU, conceptualise the ethical issues and the
corresponding use of physical analogies. He responded that:
Of course you should call the cops. Unless they are authorised to be on the
property, (by the owner) they are trespassing, and in the case of picking
locks, breaking and entering. However, you're trying to equate breaking
into a ski resort with breaking into a computer system. The difference
being: 99 times out of 100, the people breaking into a computer system only
want to learn, have forgotten a password, etc. ... 99 times out of 100, the
people breaking into the ski resort are out for free shit (Rob Heins CuD
3:13).
The CU accuse the CSI of preferring to use physical analogies in order to
marginalise a group, rather than make use of their information for
improving the security of systems:
When you refer to hacking as 'burglary and theft' ... it becomes easy to
think of these people as hardened criminals. But it's just not the case.
I don't know any burglars or thieves, yet I hang out with an awful lot of
hackers. It serves a definite purpose to blur the distinction, just as
pro-democracy demonstrators are referred to as rioters by nervous political
leaders. Those who have staked a claim in the industry fear that the
hackers will reveal vulnerabilities in their systems that they would just
as soon forget about (Emmanuel Goldstein: CuD 1:13).
This is one explanation of why, if physical analogies are inevitably only
crude analytical approximations and rhetorical devices with which to
conceptualise computing issues, they are frequently used by the CSI in
their discourse. Johnson argues in response to the claim that hackers
serve a useful purpose by pointing out security faults that:
If a policeman walks down the street testing doors to see if they are
locked, that's within his 'charter'- both ethically and legally. If one is
open, he is within the same 'charter' to investigate - to see if someone
else is trespassing. However, it's not in his 'charter' to go inside and
snoop through my personal belongings, nor to hunt for illegal materials
such as firearms or drugs ... If I come home and find the policeman in my
house, I can pretty well assume he's doing me a favour because he found my
door unlocked. However, if a self-appointed 'neighbourhood watch' monitor
decides to walk down the street checking doorknobs, he's probably
overstepped his 'charter'. If he finds my door unlocked and enters the
house, he's trespassing ... Life is complicated enough without
self-appointed watchdogs and messiahs trying to 'make my life safe (Bob
Johnson: e-mail interview).
Thus, hackers are seen to have no 'charter' which justifies their
incursions into other peoples' systems, such incursions being labelled as
trespass. Even comparisons to trespass, however, tend to be too limited
for those wishing to identify and label hacking as an immoral act.
Trespass is a civil and not a criminal offence. Onderwater, makes this
distinction with his particular use of analogies: "Trespassing means in
Holland if somebody leaves the door open and the guy goes in, stands in the
living room, crosses his arms and doesn't do anything." In contrast,
hacking involves the active overcoming of any security measures put before
hackers, Onderwater sees it as more analagous to the situation whereby:
you find somebody in your house and he is looking through your clothes in
your sleeping room, and you say 'what are you doing?' and he says 'well, I
was walking at the back of the garden and I saw that if I could get onto
the shed of your neighbour, there was a possibility to get onto the gutter,
and could get to your bathroom window, get it open, that was a mistake from
you, so I'd like to warn you ... You wouldn't see that as trespassing, you
would see that as breaking and entering, which it is and I think it's the
same with hacking (Onderwater: Hague interview).
(iii) Rejection of breaking and entering analogies - hackers use of
physical analogies: chess vs breaking and entering
Gongrijp's description of the motives lying behind hacking was typical of
the hackers I met. He concentrated on the intellectual stimulation it
affords as opposed to any desire just to trespass onto computer systems .
He emphasised the chess-like qualities of computer security, and was at
pains to reject any analogies that might compare hacking to physical
breaking and entering. Gongrijp contended that:
Computer security is like a chess-game, and all these people that say
breaking into my computer systems is like breaking into my house:
bull-shit, because securing your house is a very simple thing, you just put
locks on the doors and bars on the windows and then only brute force can
get into your house, like smashing a window. But a computer has a hundred
thousand intricate ways to get in, and it's a chess game with the people
that secure a computer... it's their job to make the new release of their
Unix system more secure, and it's the job of the hackers to break in
(Gongrijp: Amsterdam interview).
Goggans turns the burglar analogy on its head when he argues that:
People just can't seem to grasp the fact that a group of 20 year old kids
just might know a little more than they do, and rather than make good use
of us, they would rather just lock us away and keep on letting things pass
them by ... you can't stop burglars from robbing you when you leave the
doors open, but lock up the people who can close them for you, another
burglar will just walk right in (Goggans 1990).
The implication of these combined views, is that the analogy comparing
hacking with burglary fails because the real world barriers employed to
deter burglars are not used in the virtual world of computing. Such
preventative measures are either not used at all, or are of a qualitatively
different kind to the 'doors' and 'locks' that can be used in computing.
Such barriers can be overcome by technologically knowledgeable young
people, without violence or physical force of any kind. The overcoming of
such barriers, has a non-violent and intellectual quality that is not
apparent in more conventional forms of burglary, and which therefore throws
into question the whole suitability of such analogies.
(iv) Problems of using physical analogies as explanatory tools
The following excerpt is a newspaper editorial response to the acquittal of
Paul Bedworth case. It compares computer addiction to a physical addiction
for drugs:
This must surely be a perverse verdict ... Far from being unusual in staying
up half the night, Mr Bedworth was just doing what his fellows have done
for years. Scores of universities and private companies could each produce
a dozen software nerds as dedicated as he ... Few juries in drug cases look
so indulgently on the mixture of youth and addiction (Ind 18.3.93:
editorial p. 25).
This editorial emphasises how such analogies are utilised in an attempt to
formulate ethical responses to an activity of ambiguous ethical content.
As Goldstein pointed out, it becomes easier to attribute malign intent, if
using such analogies succeeds in making a convincing comparison between
hacking and an activity the public are more readily inclined to construe as
a malicious activity. The adaptability of this technique is shown by the
way the editorial continues to utilise a physical analogy in order to
elicit critical responses, this time against the victims of the previously
maligned hacker: "Leaving those passwords unchanged is like leaving the
chief executive's filing cabinet un-locked. Organisations that do so can
expect little public sympathy when their innermost secrets are brought into
public view."
The main reason why physical analogies tend not to succeed in any attempted
project of stigmatisation/'ethicalisation' of hacking events is the
difficulty of convincing people that events that transpire in virtual
reality are in fact comparable and equivalent to criminal acts in the
physical world. We have seen for example the weaknesses of breaking and
entering analogies. They flounder upon the fact that hacking intrusions do
not contain the same threats of transgression of personal physical space
and therefore a direct and actual physical threat to an individual. With
the complete absence of such a threat, hacking activity will primarily
remain viewed as an intellectual exercise and show of bravado rather than a
criminal act, even if, on occasion, direct physical harm may be an indirect
result of the technical interference caused by hacking.
Thus the use of analogies is fraught with problems of equivalence. Whilst
they may be useful as a rough comparison between the real and virtual
worlds, the innate but sometimes subtle, practical and ethical differences
between the two worlds mean that analogies cannot be relied upon as a
complete explanatory tool in seeking to understand the practical and
ethical implications of computing:
They simply don't map well and can create models which are subtly and
profoundly misleading. For example, when we think of theft in the physical
world, we are thinking of an act in which I might achieve possession of an
object only by removing it from yours. If I steal your horse, you can't
ride. With information, I can copy your software or data and leave the
copy in your possession entirely unaltered (Barlow: e-mail interview).
Information processed by computers is such that previous concepts of
scarcity break down when correspondence is sought between the real and
virtual worlds. It is not just conceptions of scarcity that are affected,
however, the extent to which information correlates with the real world is
questionable at the most fundamental levels:
Physical (and biological) analogies often are misleading as they appeal to
an understanding from an area in which different laws hold. Informatics
has often mislead naive people by choosing terms such as 'intelligent' or
'virus' though IT systems may not be compared to the human brain ... Many
users (and even 'experts') think of a password as a 'key' despite the fact
that you can easily 'guess' the password while it is difficult to do the
equivalent for a key (Brunnstein: e-mail interview).
Physical analogies are inevitably flawed in the respect that they can only
ever be used as an approximation of what occurs in 'cyberspace' in order to
relate it to the everyday physical world. Thus they attempt to evaluate
and understand computing activities using a more natural and comfortable
frame of reference. Hence the language is often used by the CSI to
describe computer attacks, and a security breach of the academic network
with the acronym JANET, was referred to as the 'rape of JANET'. Spafford
admitted to having one of his systems hacked into at least three times, he
argued that he: "didn't learn anything in particular that I didn't know
before. I felt quite violated by the whole thing, and did not view
anything positive from it."(Spafford US interview [Emphasis mine]). The CU
stresses the differences between the virtual and real worlds and contends
that the use of physical language in such a situation is not warranted.
For example, despite such use of the language of physicality, it is
difficult to conceive of a computer intrusion that could be as traumatising
as the actual bodily violation of a rape. A second, diametrically opposed,
reason for questioning the validity of physical analogies would be that
instead of overstating situations within computing, analogies used to
describe a computer intrusion actually understate the harm caused by the
intrusion due to the generic aspects of hacking identified earlier.
In John Perry Barlow's "Crime and Puzzlement" recourse is made to the
metaphors comparing hackers with cowboys from the nineteenth century USA.
This specific comparison of hackers with cowboys illustrates some of the
problems associated with the use of metaphors. The basis of this metaphor
rests upon the view of hackers as pioneers in the new field of computing,
just as cowboys were portrayed as pioneers of the 'Wild West'. Such a
metaphor, in addition to the above discussion of the applicability of the
concepts of trespass and theft to the world of computing, provides a useful
example of both the suitability and limitations of analogies in discussions
of hacking. Commentators tend to 'customise' common metaphors used in the
computer security debate, in order to derive from the metaphor the
particular emphasis desired to further the point being argued:
Much of what we 'know' about cowboys is a mixture of myth, unsubstantiated
glorification of 'independent he-men', Hollywood creations, and story
elements that contain many racist and sexist perspectives. I doubt that
cracker/hackers are either like the mythic cowboy or the 'true' cowboy ...
I think we should move away from the easy-but-inadequate analogy of the
cowboy to other, more experienced-based discussions (Sherizen: e-mail
interview).
The tendency to use the 'easy-but-inadequate analogy' applies significantly
to the orginator of the cowboy metaphor himself. Thus, when I asked John
Perry Barlow his views as to the accuracy of the metaphor, he replied:
"Given that I was the first person to use that metaphor, you're probably
asking the wrong guy. Or maybe not, inasmuch as I'm now more inclined to
view crackers as aboriginal natives rather than cowboys. Certainly, they
have an Indian view of property" (Barlow: e-mail interview).
More negative responses to the comparison of hackers with cowboys came from
the hackers themselves:
WHO is the electronic cowboy ... the electronic farmer, the electronic
saloon keeper? ... I am not sold. I offer no alternative, either. I wait
for hacking to evolve its own culture, its own stereotypes. There was a
T.V. show long ago, 'Have Gun Will Travel' about a gunslinger called
'Palladin'. The knightly metaphor ... but not one that was widely
accepted. Cowboys acted like cowboys, not knights, or Greeks, or cavemen.
Hackers are hackers not cowboys (Marotta: e-mail interview).
6.7 THE PROJECT OF PROFESSIONALISATION
6.7.1 Creation of the computer security market and professional ethos
The creation of the 'them and us' situation forms part of the process
whereby a professional status opposed to the hacking culture and ethic is
established. Examples have already been seen of the lack of cooperation
that exists between the CSI and the CU in Chapter 5, it gave various
reasons for the CSI not being able to trust hackers sufficiently enough for
cooperation to be feasible. The antagonism that exists between the CSI and
the CU contributes to a process of boundary formation, but there is also
the widely-held belief that, along with legitimate reasons for
differentiation between the two groups, there is also an element of
manufactured difference. Below are two examples, one from the commercial
sector, and one from the CU, of people who believe parts of the CSI are
involved in creating a market niche for themselves from which it then
becomes necessary to exclude hackers:
Computer security industry' sounds like some high-priced consultants to me.
Most of what they do could be summarised in a two-page leaflet - and its
common sense anyway. A consultant - particularly in the U.S. - spends
3/4ths of his or her effort justifying the fee (Barrie Bates: e-mail
interview).
These virus programs are about to make me sick! In two years of heavily
downloading from BBSs, I've yet to catch a virus from one. Peter Norton
should be drug to a field and shot! McAffe too (Eric Hunt: e-mail
interview).
The veracity of opinions such as those above may be difficult to separate
from their origin in the antagonism that exists between the CSI and the CU,
but allegations that 'viral hype' has been used as a means of helping to
create a computer security market come from security practitioners
themselves:
It's very hard getting facts on this because the media hype is used as a
trigger by people who are trying to sell anti-virus devices, programs,
scanners, whatever. This is put about very largely by companies who are
interested in the market and they try to stimulate the market by putting
the fear of God into people in order to sell their products, but selling
them on the back of fear rather than constructive benefits, because most of
the products in the industry are sold on constructive benefits. You always
sell the benefit first, this is selling it on the back of fear which is
rather different, "you'd better use our products or else" (Taylor:
Knutsford interview).
The whole process of enforcing and furthering the proprietary attitude to
information outlined in Chapter 3 is further strengthened by a new language
of physicality resulting from the advent of computer viruses10. Software
is infected, and systems are spoken of in terms of being repeatedly
'raped'. Computer viruses are described in terms similar to those employed
in discussions of the dangers of promiscuous sex. Prophylactic safety
measures are seen to be necessary to protect the moral majority from
'unprotected contact' with the degeneracy of a minority group. Ross argues
that 'viral hysteria' has been deliberately used by the software industry
to increase its market sales:
software vendors are now profiting from the new public distrust of program
copies ... the effects of the viruses have been to profitably clamp down
on copyright delinquency, and to generate the need for entirely new
industrial production of viral suppressors to contain the fallout. In this
respect it is hard to see how viruses could hardly, in the long run, have
benefited industry producers more (Ross 1990: 80).
In addition to the practical benefits the CSI has derived from the concerns
associated with viruses, the threat they pose to systems' security has been
used to reinforce ideological opposition to hackers and their
anti-proprietary attitudes:
Virus-conscious fear and loathing have clearly fed into the paranoid climate
of privatization that increasingly defines social identities in the new
post-Fordist order. The result -- a psycho-social closing of the ranks
around fortified private spheres -- runs directly counter to the ethic that
we might think of as residing at the architectural heart of information
technology. In its basic assembly structure, information technology is a
technology is a technology of processing, copying, replication, and
simulation, and therefore does not recognise the concept of private
information property (Ross 1990: 80).
The boundary formation exercise necessitates the exclusion of hackers from
influence within computing, whilst, at the same time, developing a
consistent ethical value system for 'legitimate' security professionals.
An example of boundary formation in action is the advent of computer
viruses and worms and the particular case of Robert Morris and the Internet
Worm. Cornell University published an official report into the Internet
Worm incident, concluding that one of the causes of the act was Morris'
lack of ethical awareness. The report censures the ambivalent ethical
atmosphere of Harvard, Morris' alma mater, where he failed to develop in a
computing context a clear ethical sense of right and wrong. Most
significantly, the judgement made upon the Morris case was full of implicit
assumptions that betrayed a boundary forming process in the way it stressed
the need for professional ethics in opposition to those of hackers.
Dougan and Gieryn (1988), sum up the boundary-forming aspects of responses
to the Internet Worm in their analysis of the e-mail debate that occurred
shortly after the incident. The computer community is characterised as
falling into two schools of thought with regard to their response to the
event. The first group is described as being organised around a principle
of 'mechanic solidarity, the second, one of 'organic solidarity'. The
mechanic solidarity group's binding principle is the emphasis they place
upon the ethical aspect of the Morris case, his actions are seen as
unequivocally wrong and the lesson to be learnt in order to prevent future
possible incidents is that a professional code of ethics needs to be
promulgated. These viewpoints have been illustrated in this study's
depiction of the hawkish response to hacking. The second group advocates a
policy more consistent with the dovish element of the CSI and those hackers
that argue their expertise could be more effectively utilised. They
criticise the first group for failing to prevent 'an accident waiting to
happen' and expecting that the teaching of computing ethics will solve
what they perceive as an essentially technical problem. The likelihood of
eliminating the problem with the propagation of a suitable code of
professional ethics seems to them remote:
I would like to remind everyone that the real bad guys do not share our
ethics and are thus not bound by them. We should make it as difficult as
possible -- (while preserving an environment conducive to research) for
this to happen again. The worm opened some eyes. Let's not close them
again by saying 'Gentlemen don't release worms' (Dougan and Gieryn 1988:
12).
The hacker Craig Neidorf known as 'Knight Lightning', in his report on a
CSI conference, underlines the theory that the debate over hacking centres
upon a project of professionalisation, with the argument that what mostly
distinguishes the two groups is the form, rather than content of the
knowledge they seek to utilise:
Zenner and Denning11 alike discussed the nature of Phrack's12 articles.
They found that the articles appearing in Phrack contained the same types
of material found publicly in other computer and security magazines, but
with one significant difference. The tone of the articles. An article
named 'How to Hack Unix' in Phrack usually contained very similar
information to an article you might see in Communications of the ACM only
to be named 'Securing Unix Systems'. (Craig Neidorf: CuD 2.07).
The implication is that hackers' security knowledge is not sought due to
reasons other than its lack of technical value; instead the CSI fails to
utilise such knowledge more fully because it interferes with their
boundary-forming project that centres upon attempting to define the
difference between a hacker and a 'computer professional':
Ironically, these hackers are perhaps driven by the same need to explore, to
test technical limits that motivates computer professionals; they decompose
problems, develop an understanding of them and then overcome them. But
apparently not all hackers recognise the difference between penetrating the
technical secrets of their own computer and penetrating a network of
computers that belong to others. And therein lies a key distinction
between a computer professional and someone who knows a lot about
computers. (Edward Parrish 1989).
Another interesting example of the similar traits that the CSI and CU share
in common, is the case of Clifford Stoll's investigation of an intrusion
into the Berkeley University computer laboratories, which he subsequently
wrote up in the form of a best-selling book, The Cuckoo's Egg. Thomas
points out that:
Any computer undergrounder can identify with and appreciate Stoll's
obsession and patience in attempting to trace the hacker through a maze of
international gateways and computer systems. But, Stoll apparently misses
the obvious affinity he has with those he condemns. He simply dismisses
hackers as 'monsters' and displays virtually no recognition of the
similarities between his own activity and those of the computer
underground. This is what makes Stoll's work so dangerous: His work is an
unreflective exercise in self-promotion, a tome that divides the sacred
world of technocrats from the profane activities of those who would
challenge it; Stoll stigmatises without understanding (Thomas 1990).
What makes Stoll's behaviour even less understandable is that throughout
the book he recounts how he himself engages in the same kind of activities
that he criticises others for indulging in. This fact that Stoll labels
hackers as 'monsters' despite the fact he shares some of their qualities13
is indicative of the boundary forming process the CSI have entered upon.
The process also involves other groups that are involved in the de facto
marginalisation of hackers whilst not actually being directly involved in
computing, examples of such groups are the various government agencies and
politicians involved in the drafting of legislation about hacking.
Combined together, these groups have contributed towards a response to
hacking that has been labelled a 'witch-hunt' mentality by some observers.
6.7.2 Witch-hunts and hackers
Part of the cause of the witch-hunt mentality, that has allegedly been
applied to hackers, is the increasing tendency within society towards the
privatisation of consumption examined in the early chapters. The pressures
to commodify information can be seen as an extension of the decline of the
public ethos in modern society which is accompanied by the search for
scapegoats that will justify the retreat from communitarian spirit. The
hacker is the latest such scapegoat of modern times in a series including
Communism, terrorism, child abductors and AIDS:
More and more of our neighbours live in armed compounds. Alarms blare
continuously. Potentially happy people give their lives over to the
corporate state as though the world were so dangerous outside its veil of
collective immunity that they have no choice ... The perfect bogeyman for
modern times is the Cyberpunk! He is so smart he makes you feel even more
stupid than you usually do. He knows this complex country in which you're
perpetually lost. He understands the value of things you can't
conceptualize long enough to cash in on. He is the one-eyed man in the
Country of the Blind (Barlow 1990: 56).
This is the root of peoples' fear of hackers and the reason why they are
labelled as deviant within society despite the fact that, as we have seen
above, hackers share some of the same characteristics as their CSI
counterparts. The simultaneous existence of shared characteristics and
deviant status for hackers is a necessary result of the fact that:
The kinds of practices labelled deviant correspond to those values on which
the community places its highest premium. Materialist cultures are beset
by theft (although that crime is meaningless in a utopian commune where all
property is shared) ... The correspondence between kind of deviance and a
community's salient values is no accident ... deviants and conformists both
are shaped by the same cultural pressures -- and thus share some, if not
all, common values -- though they may vary in their opportunities to pursue
valued ends via legitimate means. Deviance ... emerges exactly where it is
most feared, in part because every community encourages some of its members
to become Darth Vader, taking 'the force' over to the 'dark side' (Dougan
and Gieryn 1990: 4).
The vocalised antagonism between the CSI and CU and the exaggerated
portrayals of the media examined in this chapter are part of the process
whereby hackers are marginalised and defined as deviant. In the quotation
below Stoll is singled out to personify this process but the method he uses
is held in common with all the other figures quoted in this chapter who
contribute to the 'them and us' scenario by the strength of the views they
express and the analogies they choose to express them with:
Witch hunts begin when the targets are labelled as 'other', as something
quite different from normal people. In Stoll's view, hackers, like
witches, are creatures not quite like the rest of us, and his repetitious
use of such pejorative terms as 'rats,' 'monsters,' 'vandals,' and
'bastard' transforms the hacker into something less than human ... In a
classic example of a degradation ritual, Stoll -- through assertion and
hyperbole rather than reasoned argument -- has redefined the moral status
of hackers into something menacing (Thomas 1990).
6.7.3 Closure - the evolution of attitudes
The witch hunt process is a device to facilitate what Bijker and Law (1992)
have analysed as closure. The notion is usefully illustrated by examining
the evolution of society's attitudes from the benign tolerance of the early
MIT hackers to the present climate of anti-hacking legislation. In
addition to Levy's identification of three generations of hackers14,
Landreth suggests the arrival of a fourth generation of hackers when he
talks of a major change occurring in the CU around about the time the
elitist hacking group he joined known as the "Inner Circle" was set up. In
addition to the effect of the increased dispersal of micro-computers, there
was also the effect of the hacker movie Wargames.: "In a matter of months
the number of self-proclaimed hackers tripled, then quadrupled. You
couldn't get through to any of the old bulletin boards any more - the
telephone numbers were busy all night long. Even worse, you could
delicately work to gain entrance to a system, only to find dozens of
novices blithely tromping around the files" (Landreth 1985 :18). These
'wannabe' hackers reflect the relative immaturity and absence of the
original hacker ethic that characterises the latest manifestation of
hacking. Chris Goggans from the Legion of Doom concurs with this
identification of a change in the basic nature of the CU environment. In
the early days:
People were friendly, computer users were very social. Information was
handed down freely, there was a true feeling of brotherhood in the
underground. As the years went on people became more and more anti-social.
As it became more and more difficult to blue-box the social feeling of the
underground began to vanish. People began to hoard information and turn
people in for revenge. The underground today is not fun. It is very power
hungry, almost feral in its actions. People are grouped off: you like me
or you like him, you cannot like both ... The subculture I grew up with ,
learned in, and contributed to, has decayed into something gross and
twisted that I shamefully admit connection with. Everything changes and
everything dies, and I am certain that within ten years there will be no
such thing as a computer underground. I'm glad I saw it in its prime
(Goggans: e-mail interview).
Thus one reason for the changing nature of the computer underground is
simply the fact that more would-be hackers arrived. 'Elite' hackers such
as Goggans felt that this cheapened in some way the ethos and atmosphere of
camaradarie that had previously existed within the CU. Feelings of
superiority which help to fuel the motivation of a hacker had become
undermined by the advent of too many 'wanna-be' young hackers. Sheer
numbers alone would mean the demise of the previous emphasis hackers placed
upon sharing knowledge and the importance of educating young hackers. The
idiosyncratic actions of the first generation hackers, within the isolated
academic context of MIT, were often praised for their inventiveness.
Similar actions in the wider modern computing community tend to be
automatically more disruptive and liable to censure.
The reasons for this change in attitude are inextricably linked with the
evolution of computing as a technology. Herschberg argues that computer
security can be compared to the experiments of the Wright brothers, yet
apart from such peripheral 'dovish' sentiments, the climate within the CSI
and society as a whole is increasingly unsympathetic to the claims by
hackers that they represent innocent intellectual explorers: closure in
computer security has occurred. Leichter's perception of the evolution of
hacking is at odds with that of Herschberg. He too uses an airplane
analogy but prefers to emphasise that:
When the first 'airplane hackers' began working on their devices, they were
free to do essentially as they pleased. If they crashed and killed
themselves well, that was too bad. If their planes worked - so much the
better. After it became possible to build working airplanes , there
followed a period in which anyone could build one and fly where he liked.
But in the long run that became untenable ... If you want to fly today, you
must get a license. You must work within a whole set of regulations (Jerry
Leichter: CuD 4.18).
Over time, technologies develop, and as a result, people's interactions
with that technology, even if they remain unchanged, will be viewed
differently as society adapts to the changing technology. An example of
this is the changing role of system crashes. In the earliest days of
computing, the computers functioned by means of large glass valves, which
after relatively short periods of use were liable to over-heat, thus
causing a system crash. Even if hackers were responsible for some of the
system crashes that occurred, the fact that they were equally liable to be
caused by other non-hacker means, led to a climate whereby hacker-induced
crashes were accepted as a minor inconvenience even when they were
extremely disruptive by today's standards. This is an example, therefore,
of the importance of taking into account the societal context of an act
involving technology before an evaluation of its ethical content is made.
6.8 CONCLUSION
This chapter has traced the origin of the ethical debate between the CSI
and the CU, showing how the novel nature of some of the situations thrown
up by computing has resulted in a process of negotiation. This process
takes the form of markedly different ethical responses to the novel
situations being made and competing with each other. The contrasting
interests and perspectives of the two groups is highlighted by the fact
that whilst hackers see their activity as manifesting ethical concern over
potential governmental and commercial abuses of privacy, the CSI prefers to
see the activity as unethical or as evidence of a general decline in social
values.
There are two important elements of doubt regarding the view of the CSI.
Firstly, the argument that hacking is intrinsically unethical is weakened
by the fact that, as Levy documents, the same acts of hacking that are now
criticised as immoral, were benignly tolerated in the days of the early MIT
hackers. Bloombecker even goes so far as to claim that what would nowadays
be labelled a computer criminal, helped to make computing what it is.
Cohen also asserts, that unofficially, hackers are often used commercially
to check the security of systems. Secondly, the chapter has shown, that an
increasing aspect of computing is the way in which it produces novel
situations where there seem to be no clear-cut boundaries between right and
wrong. This is most noticeable in the situations produced by technology
that are most divorced from everyday experience, typified by the notion of
cyberspace. Ethical uncertainty concerning hacking is also exacerbated by
the fact that the activity is often motivated by a series of complex
factors. The fact that there is a keen debate, both within the CSI, and
between the CSI and the CU, implies that any purported immorality of
hacking is due to the social shaping of a perception that has evolved from
the MIT days of benign tolerance to the present atmosphere of
criminalisation.
An important part of this process of social shaping is the way in which
physical analogies are used in the formation of computer ethics. They are
being increasingly used in professional discussions of the issues as part
of the process of group delineation. Where previously there were only
blurred or indefinite computer ethics, physical analogies are now used to
establish clearer computing mores. The need to use physical analogies in
the first place arises because hacking takes place in the qualitatively
new realm of human experience: cyberspace. The fact that the real world
and cyberspace are such different realms has led to a need to explain and
make ethical judgements about hacking from a conventional frame of
reference, that is, using analogies based upon the physical world.
The constant use of physical analogies and metaphors in discussing the
legal and ethical issues of hacking is thus an attempt to redefine, in a
practical manner, the concept of informational property rights, as they are
to be applied in the computer age. The use of analogies is much more
common within the CSI than it is from hackers themselves. This is because
the CSI have a general need to make comparisons between cyberspace and the
real world in order to legitimate their role and to demonise the CU.
Hackers do not have this need; their behaviour is based upon accepting
computing as a realm of intellectual and social experimentation, and they
find it attractive because of the very fact that it is different from the
real world.
In summary, there are perennial claims from each successive generation that
the youth of the age are largely unethical, and that they are harbingers of
a break-down in the general moral order. Such claims are perhaps an
inevitable part of the human condition, and its inter-generational
relations. This study, however, is more concerned with the specific
aspects of computing that give rise to qualitatively new circumstances
facing computer users, the ethics of which are indeterminate. These
situations encourage behaviour, which, to be recognised as unethical,
assumes that an adequate and convincing comparison can be made with
non-computing situations. It is the difficulty of attempting to
conceptualise the ethics of computer-induced scenarios that leads to
attempts to translate them into a more easily understood and common-place
experience.
The chapter shows, however, that there is doubts as to whether 'real-world'
ethics can be transposed in such a literal manner. This is illustrated by
the various examples given of the CSI's alleged double standards. These
examples imply that the vagueness of computing ethics is such that any
professional code of ethics that is produced is likely to be more the
result of one group enforcing its value system on another group, rather
than one group having any inherently superior moral advantage in the
ethical debate.
The process whereby one group's value system can be imposed upon another
has been analysed in a frame of reference that compares the increasing
marginalisation of hackers from mainstream computer usage to the practice
of witch-hunts. One analysis of the gradual stigmatisation of hackers is
that they have been part of a degradation ritual whereby a more dominant
social group has progressively alienated them from 'normal' society in
order to promote its professional interest. The role of the media in this
process has been shown by the way it projects hackers as stigmatised
'others', thus aiding the boundary forming professionalisation process of
the CSI.
Particular examples of the process of group differentiation and
professionalisation have been given, relating to the advent of viruses and
the specific case of the Internet Worm. The likelihood of eliminating
threats to computer security with the propagation of a suitable code of
professional ethics seems remote considering the extent of the CU's ethical
disagreement with the CSI and the thrill obtained from the very fact that
the CU is 'underground'. Despite this, once the process of
professionalisation has been initiated, the temptation is to proceed to
codify the nascent but dominant group's response to computing's ethical
dilemmas, by means of legislation.
The subsequent closure of computing technology has occurred to such an
extent that the hippy-like ethos of the CU looks increasingly anachronistic
in the 1980's and 90's. In so far as hackers have represented a force of
anti-capitalistic information-sharing, their stance seems to have absorbed
within the state's sponsorship of the development of computing technology.
The second generation hard-ware hackers such as Steve Wozniak, have seen
their 'wholesome and green' product (hence the name 'Apple') brought to the
masses as indeed they wished, but significantly as a commodified product.
This is perhaps a reflection of the market's ability to co-opt and absorb
radical change. It threatens, in the case of hackers, to undermine their
status as a group embodying alternative values. The new generation of
'wanna-be' hackers, is significant because it represents more than simply
adolescent boys intrigued by the intellectual challenge and feelings of
power of illicit computing. In addition, they also represent the
increasing tendency of information to be viewed as a tradeable commodity in
the form of 'Amiga kid'-type groups. Their illicit blackmarket activities
and their seemingly amoral views regarding the ethical implications of
accessing and manipulating other peoples' information represents the
extreme end of a spectrum which also includes the activity of 'benign'
hackers. It is a spectrum whose various points reflect some of the ethical
issues that society still has to satisfactorily address regarding
information and the implications of its changing properties.
An example of the unsettled nature of society's response to information is
the doubt that still remains regarding the effects of its policy of closure
towards hackers. The question still arises from the above analysis of
whether the evolution of attitudes towards the CU is in response to a
change in its nature towards a more crime-orientated environment, or
whether the increased tendency to perceive and portray hacking as a
criminal and unethical activity has taken on the quality of a
self-fulfilling prophecy, driving would-be 'pleasure hackers' into the arms
of the criminal underground. The implications of this latter scenario are
examined in the next chapter.
1 Thus Eric Goggans and Robert Schifreen (as well as several other hackers
encountered in the fieldwork) have started their own computer firms;
Professor Herschberg has contacts with and produces interaction between
hackers and the security industry by means of his consultancy work, and the
authorised and unauthorised (in the case of accepting a documented hack in
lieu of a dissertation) use of students to test systems.
2 Fear of boundary transgression is vividly portrayed in such urban legends
as 'The Mexican Dog' and 'The Choking Doberman', c.f. Woolgar (1990).
3 Joseph Lewis Popp: he was charged in January 1990 with using a trojan
horse hidden within a diskette to extort money from recipients whose
systems had subsequently become infected. The trial did not come to court,
however, because his defence argued that he was mentally unfit to stand
trial. They described how he had taken to putting hair curlers in his
beard and wearing a cardboard box on his head in an apparent attempt to
protect himself from radiation.
4 c.f. Appendix 1's summary of the fieldwork's statistical evidence of the
age factor.
5 Sterling 1993: 95
6 references taken from CuD 4.11
7 As shown with the title of Paul Mungo's article: "Satanic Viruses" (c.f.
bibliiography)
8 c.f. CuD 3:37
9 Channel 4 Television, November 1989
10 c.f Woolgar 1990.
11 The former was the defence lawyer for Craig Neidorf in the E911 trial of
1990, Dorothy Denning being a computer scientist from Georgetown
University, Washington, with an academic interest in CU issues.
12 CU electronic magazine
13 Thomas' review of The Cuckoo's Egg includes numerous examples of Stoll
indulging in such activities as borrowng other peoples' computers without
permission and monitoring other peoples' electronic communications without
authorisation.
14 c.f. Appendix 2 for a full account.
------------------------------
Date: Thu, 7 May 1997 22:51:01 CST
From: CuD Moderators <[email protected]>
Subject: File 2--Cu Digest Header Info (unchanged since 7 May, 1997)
Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.
CuD is available as a Usenet newsgroup: comp.society.cu-digest
Or, to subscribe, send post with this in the "Subject:: line:
SUBSCRIBE CU-DIGEST
Send the message to: [email protected]
DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.
The editors may be contacted by voice (815-753-6436), fax (815-753-6359)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.
To UNSUB, send a one-line message: UNSUB CU-DIGEST
Send it to [email protected]
(NOTE: The address you unsub must correspond to your From: line)
Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5590 (and via Ripco on internet);
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.
In ITALY: ZERO! BBS: +39-11-6507540
UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
Web-accessible from: http://www.etext.org/CuD/CuD/
ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
EUROPE: nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
ftp.warwick.ac.uk in pub/cud/ (United Kingdom)
The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
URL: http://www.soci.niu.edu/~cudigest/
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.
------------------------------
End of Part 2 (of 2) of Computer Underground Digest #9.59
************************************
|
|
