
Ch 6 Notes

CSCI 2070, Cyberethics Morality and Law in Cyberspace, 3rd edition, Richard Spinello,
Jones and Bartlett, 2006.

Ch 6: Securing the Electronic Frontier

Vulnerabilities of the Net p 183

. There are companies on the net that sell source code of popular viruses. Our book
mentions a company selling a CD-ROM with source code for viruses and also virus-
writing tools, newsletters about destructive code, and a db describing how various viruses
work.

. FBI officials could do little about this threat to online security.

. Why?
- There is nothing illegal about publishing the source code of a virus.
- It IS illegal, however, to release a damaging virus over the Internet.

. What are some obstacles to the growth of electronic commerce on the Internet? (ask
class)
- public apprehension about the Net's security flaws
- faith in companies' promises

. What are some security measures that companies use? (ask class)
Firewalls, security scanners, intrusion prevention products

. In spite of these, web sites are still a major target of hackers

What are some of the attacks? (ask class)

- phishing: emails sent to users that appear to come from a bank or an online retailer.
They look authentic and direct users to a web site where they are asked to enter sensitive
information like passwords, bank account numbers, or credit card information.

. What happens to e-commerce if people begin to lose trust in online companies' web sites?
If phishing successes become too prevalent, what does that do to the legitimate companies?

. Because of the Net's open architecture, it is susceptible to viruses.

What is a virus? A self-replicating program

. What is a macro virus? A virus that exploits a macro. A macro is a piece of code that
can be written in MS Word, MS Excel. They are pieces of code that are inserted into the
instruction sequence when activated.

. A survey of 300 North American companies found that the companies (who responded)
had a monthly average of 103 virus infections per 1,000 computers.

. A common cause is still e-mail

What are some reasons for this? (ask class)

. Some terms/definitions:

Virus: A computer program that replicates itself by copying itself into other
programs stored on a computer, usually with the intention to cause mischief or damage.
It attaches itself to a program or file that allows it to move from computer to computer.
The virus spreads by human action: people unknowingly send it in email attachments or
share infected files.

Worms: A computer worm is a type of virus that replicates itself, but does not
alter any files on your machine. Computer worms create problems by multiplying
frequently and taking up a computer's available memory or hard disk space. The worm
can travel without human interaction, taking advantage of information in files and
transport mechanisms on your computer to move to other computers.

Trojan Horses: They differ from viruses in that they don't replicate themselves.
They are programs that appear to do one thing but do something else instead. It is
possible for a Trojan horse to attach itself to a virus file that spreads to multiple programs.

Malware: Software programs designed to do undesirable things (damage is one
example). Short for malicious software. Mal is a Spanish prefix meaning bad.

Adware: Software supported by advertisements. Most adware is safe; some
contains spyware. Some sources mention that these are often toolbars with the capability to
conduct Internet searches or play games. Class, what are some examples?

Spyware: Software that spies on your computer. It could record web browsing
habits, keystrokes, email information, usernames, passwords, credit card account
numbers, etc. It could be installed by opening an email or by running another program that
has the spyware installer attached.

. The text discusses the famous Internet Worm launched by Cornell student Robert Morris
in November 1988. It made the Nightline TV show. The student released the worm and it
quickly spread to other systems on the Internet. The worm's progress was facilitated by a
bug in Unix. Once it had invaded a system, the program reproduced itself over and over, consuming large
volumes of memory. It did not modify system files or destroy other information, but
performance of computers deteriorated and many crashed. About 12 hrs after the worm
was introduced, the Computer Systems Research Group at Berkeley developed a program to halt
the worm's spread.

Morris claimed he was running an experiment; he was convicted under the Computer
Fraud and Abuse Act, sentenced to a term of 3 years probation, and fined $10,000. The worm
infected 2,500 computers in some way and the clean-up cost was reported to be over $1
million.

We don't see attacks like the Internet Worm often, but there are still problems:

The architecture of the Net is open, designed to share information, not to conceal
it.

This chapter focuses on four basic issues:

1) cybercrime
2) trespass, unauthorized access
3) Security measures that should be adopted to protect electronic commerce and online
communications
4) encryption and public policy debate in the U.S. on this topic

As we've said before, this class is an introductory one; all of these topics will be
introduced. Full courses could be offered on all of these topics.

Cybercrime p 186.

Cybercrime is a special category of criminal act usually committed through the use of a
computer and/or network technologies.

. A prominent type of cybercrime now is identity theft.

. Author describes three basic categories of computer crime:

1) software piracy
2) computer sabotage
3) electronic break-ins

. Other authors have described the general categories of cybercrime/computer crime in
other ways too:

1) input crime
2) output crime
3) process crime

. Others have been more specific:

1) fraud
2) SPAM
3) cyber bullying
4) drug trafficking
5) piracy

. How would the above specific types of cybercrime be categorized into the general
categories used by other authors?

. From http://www.playitcybersafe.com/cybercrime/: (part of bsa.org?)

The Tenth United Nations Congress on the Prevention of Crime and the Treatment of
Offenders (Vienna, 10-17 April 2000) categorized five offenses as cyber-crime:
unauthorized access, damage to computer data or programs, sabotage to hinder the
functioning of a computer system or network, unauthorized interception of data to, from
and within a system or network, and computer espionage.

. Software piracy involves unauthorized copying of software and distributing those copies or making
them available over the network.

. The No Electronic Theft Act of 1997 forbids the willful infringement of a
copyright for purposes of commercial advantage or for financial gain.

. SW piracy is still a problem.

. Go to bsa.org and review the web site with class.

. Computer Sabotage (p 187).

This is interference w/ computer systems, like disruption of operations via a worm, virus,
or logic bomb. Computer sabotage can also involve using computer technology to
destroy data resident in a computer or damage a computer system's resources.

Time bomb: Typically malicious in intent, triggered by a particular date or time, and can
deliver a virus or a Trojan horse.

Logic bomb: Typically malicious in intent, triggered by a particular command or
keystroke. They will usually deliver a virus or Trojan horse.

Surveys by the Computer Security Institute indicate that 10 to 15 new viruses are
launched each day.

Some viruses are very costly: the Blaster worm and the SoBig virus from the summer of
2003 are estimated to have caused losses of $35 billion.

A Denial of Service (DoS) attack is another form of computer sabotage that has become more
popular in recent years.

These occur when a Web site is attacked w/ mock requests from multiple
computers until the server crashes and service is disrupted.

The SW to send the mock requests is implanted in computers around the world,
and when signaled they bombard a selected web site w/ requests.

What are some famous DoS attacks? What was the impact? What are the ethical
issues? What are the economic issues?

During a 3-week period in mid-2001 researchers detected 12,800 DoS attacks
against more than 5,000 targets.

A final type of cybercrime is electronic break-ins and unauthorized access.

In the physical world, how does one demonstrate trespass? Spinello writes that
one must focus on the trespasser's intent to enter into a forbidden property w/o
permission.

He writes that proving cybertrespass using this criterion is much more challenging.

Possible 5-minute break to work in groups to determine how one might do this.

This will be a separate section later in the chapter.

Lastly, Spinello does not include in his definition of cybercrime those crimes that are
facilitated thanks to the use of computer and network technologies.

These crimes do not require computer technology but may aid in the commission
of the crime.

Included in this category might be stalking, theft, fraud, swindling, embezzlement, and
distribution of illegal material. These crimes went on long before the arrival of
the Internet. Computers and network technology make them easier.

What about phishing? He says it is not direct cybercrime but would be Internet-related
fraud. It is a crime facilitated by the Internet. There are also crimes planned
and/or carried out with the Internet. Spinello refers to these as computer-related crimes.

Anti-Piracy Architectures p 188

. Laws have not been completely effective in combating software piracy.

. There are more requests for relying on code to address this, and content providers are
increasing their demands.

. Michael Eisner, CEO of Disney, accused Apple, Microsoft, and Dell of failing to develop
secure systems b/c they helped sell more computers.

. The entertainment industry would like to incorporate copy-protection into PCs, DVD
players, and other digital media devices.

So, whose role is it to stop the illicit copying of software?

HW manufacturers?
If so, why should HW manufacturers become the enforcer for ineffective
copyright laws?

And, who should have a say in the future functionality of technology?

Should Hollywood dictate what components will be included in the next
generation of PCs?

Spinello concludes the section by commenting that it should be possible to build a DRM
system that allows users to make a copy of a music or video file for their own personal
use, assuming they legally obtained it.

Trespass and Unauthorized Access in Cyberspace p 190

trespass (from dictionary.com)

an unlawful act causing injury to the person, property, or rights of another, committed
with force or violence, actual or implied.
a wrongful entry upon the lands of another.

an encroachment or intrusion.

to encroach on a person's privacy, time, etc.; infringe (usually fol. by on or upon).

. Unauthorized access to computer systems continues to be a problem on the Internet.

. Many individuals do not see a parallel between trespassing on a computer system and
physical trespass.

. Class, what are the differences, why do people feel this way? (write on board)

. Virtual boundaries vs. physical boundaries

. Is unsolicited e-mail or spam a form of trespass? Does it force itself into another's
virtual mail box? Is that part of an individual's personal space?

What are some parallels to the real world and some differences? What are some
informal ethical guidelines to help determine an answer?

The Computer Fraud and Abuse Act (CFAA), passed in 1986 and amended in 1996, makes it
a crime to access any protected computer w/o authorization and as a result of such
access to defraud victims of property or to recklessly cause damage.

. Due to the 1996 amendment, protected computers include those used by the government,
financial institutions, or any business engaged in interstate or international commerce, or
anyone involved in interstate communications.

. The category of protected computer then includes virtually any computer connected
to the Internet.

. The CFAA then makes trespass a federal crime if one does so to pilfer classified
information, to perpetrate fraud, or to cause damage.

. It is also a federal crime to cause the transmission of a program or piece of code (like a virus) that
intentionally causes damage to a protected computer.

Lastly, it prohibits unauthorized access that causes damage regardless of whether or not
the damage was recklessly caused.

. Most states have laws now that make unauthorized use of computers a crime even if the
motive is just curiosity. There are harsher penalties for computer trespass where entry
has occurred to commit another crime (like theft of material).

You read pg. 192-193 where Lessig's framework is applied to hacking. Test Question!!!

Questionable Forms of Trespass p 194

Spam imposes costs on the recipients and the ISPs.

Some ISPs have sued spammers for trespass to chattels, seeking injunctions to protect
their property.

Trespass to chattels is a tort action based on the unauthorized use or interference with
another's property.

Def: Tort: Wrongful act, other than a breach of contract, that injures another and for
which the law permits a civil (noncriminal) action to be brought. Relief may be obtained
in the form of damages or an injunction. The term derives from Latin tortum, meaning
"something twisted, wrung, or crooked." Assault, defamation, malpractice, negligence,
nuisance, product liability, property damage, and trespass are all (apart from their
potentially criminal and contractual aspects) torts. (From Britannica Concise
Encyclopedia and Answers.com)

The revival of the trespass to chattels doctrine in the context of cyberspace has
had unexpected and far-reaching consequences. Trespass to chattels, a doctrine developed
to protect physical property, initially seemed to courts to be merely a useful doctrinal tool
to control spam, unwanted commercial bulk e-mail. However, the doctrine has recently
expanded into other situations, making visible the flaws inherent in applying to
cyberspace doctrines based in real and tangible property. (from The Continuing
Evolution of Cyberspace Trespass to Chattels,
http://www.law.berkeley.edu/institutes/bclt/pubs/annrev/exmplrs/final/lqfin.pdf)

Case: CompuServe Inc. v. CyberPromotions Inc.

Main Issue: claim that spam transmitted through an ISP violates property rights.
The ISP, CompuServe, notified CyberPromotions that it was prohibited from using its mail
servers to transmit its unsolicited bulk e-mail (or spam). CyberPromotions refused to
comply and CompuServe filed suit contending that the defendant was trespassing on its
property.

The specific legal claim was trespass to chattels.

In 1997, the judge ruled against CyberPromotions, and the court's reasoning has been met with
mixed reviews.

One part of the definition of property is the right to exclude others from use. A corollary
of that right is the need to seek permission of the owner to use his or her property.

This case leaves unanswered a larger question concerning the target of SPAM. Does
spam constitute trespass at the user level?

What about search engines, are their activities ever equivalent to trespass? Most use a
software robot (spider or bot) that automatically searches and retrieves information.

What about one going through commercial sites extracting pricing information?

In eBay v. Bidder's Edge a court sided w/ eBay in a request for an injunction to prevent
Bidder's Edge from using spider technology to aggregate comparative auction data.

There can be problems, though, in labeling all unwelcome activity or communication as
trespass.

Security Measures in Cyberspace p 196

<have class discussion on securing a small business>

Have them consider possible natural disasters, physical break-ins as well as
electronic.

Firewalls

Filtering Systems

Virus Protection Software

Encryption

Updated software: install patches

Secure passwords, rules for passwords

Physical security is important to consider as well

Offsite backups
