To study computer security effectively, you have to observe computer systems in ways
that could potentially give you access to information other people do not intend for you
to have. You can't be a security expert without knowing the techniques that are used to
breach security. Thus, more than is true in most subdisciplines of computer science, the study of
security brings you into frequent and tricky contact with ethical problems.
If computer and communications technology are to bring more benefits than costs to
human beings over the long term, we are going to need a steady supply of security experts.
I want you to experiment, investigate, and follow your nose as you learn how the
security infrastructure (or lack thereof) of modern computer systems works. But I also
want you to learn to think deeply not just about the technology but also about its implications.
Before each new activity in this class, we will take a few minutes in class to talk about
the ethical and legal implications of what we're about to do. I want you to have similar conversations
with your classmates and yourselves as you explore security theory and practice. Think about
what you're doing ahead of time, and make a plan for how to study security without breaching security.
This note can't thoroughly cover the ethical ground we need to cover. However, I want to
offer a small number of general principles you can use to get started. I will be eager
to hear your thoughts on other useful general principles.
- Read and understand Carleton's academic integrity policy, and make sure your
security studies adhere to this policy.
- Don't break the law. (We'll do some research on the relevant law so you'll know more
about what is and isn't legal.)
- When you think you are getting close to a questionable area or practice, raise the issue in our
Slack channel and/or in class, so we can discuss it.
- Plan ahead. It is much better not to get into an ethically compromised
situation in the first place than to have to deal with such a situation's consequences.
One bit of planning has already been done for you. In this class, we will make extensive
use of a pair of specially built virtual machines to act as attacker and target, which will
provide you with an ethically safe environment in which to experiment from both perspectives.
- Whenever possible, restrict your observations to your own devices.
- When you observe more than your own devices, make sure that the owners and operators
of the other devices you are observing (1) know that you're observing them, and (2) give you
permission to do so.
- If you find your observations have led you to possess data owned by another person,
(1) do not read it, (2) discard all copies of the data immediately, and (3) inform the
person that this observation took place and what you did to fix the problem.
- If your investigations leave you with access to and/or control over a device or
account to which you are not entitled to have access or control, (1) log out or otherwise
give up your access/control, and (2) inform a relevant responsible party (e.g. the owner
of the device or account) of what happened and when, so they can take steps to prevent
similar problems in the future.
- Don't hide your actions. Do your study in good faith, and if you end up doing something
wrong, tell people about it. Transparency is good.