Economies of disclosure

  • Authors: Jeff Bollinger
  • Affiliations: University of North Carolina
  • Venue: ACM SIGCAS Computers and Society
  • Year: 2004

Abstract

Imagine this scenario: a bank customer walks up to an ATM to withdraw cash from her account. While entering her PIN, she accidentally presses the '3' key at the same time as the 'Clear' key. Instantly $100 comes out of the cash dispenser! Curious, she checks the receipt and, seeing that the money did not come from her account, she tries the same operation. Again, $100 comes out of the cash dispenser. At this point she has two options, A: she can continue to take advantage of this obvious flaw and tell her friends, or B: she can report this problem to the bank, telling no one else. While Kantian ethics might require the latter, the issue becomes much grayer when it comes to computer software vulnerabilities. Many variables exist to cloud the ethical judgment of a software flaw's discoverer. The question becomes: is it better to report any vulnerability that could cause catastrophic problems (as in the ATM example) only to the vendor, or to make the vulnerability information public in order to simultaneously compel the software vendor to address the problem while giving the vendor's customers a chance to prepare for potential exploitation? Software companies face this dilemma on a regular basis. There are dozens of websites, newsgroups, and e-mail lists dedicated to the task of sharing vulnerability information, whether condoned by the software company or not. The issue increases in severity as vulnerable software becomes ubiquitous across global networks. The public release of vulnerability information is often the first drop of the monsoon that is the malicious network worm. How this information is controlled and disseminated is critical to the stable operation of millions of computer systems and networks across the globe.

Modern software with network capability is fundamentally complex and can span thousands of lines of source code for one small part of the package. Without proper testing and quality assurance, many bugs and errors slip through. Software development requires these iterations of coding and bug fixing to produce stable and polished final products. Larger and more complex software gives a greater chance for a bug to remain undiscovered. Yet, since major vulnerabilities have appeared in relatively smaller projects, proper code audit and testing are critical regardless of the size of a software package or the amount of source code required to produce it. If bugs or security vulnerabilities are not discovered and fixed by the software manufacturers, it is inevitable that they will be discovered by outside researchers.

This breeds the ethical conundrum of what the researchers do with the information once it has been discovered. Foundational to disclosure, regardless of the ideology, is the notion of providing useful protective information to the most appropriate audience. Many suggest that disclosure is about doing the 'greatest good' for the greatest number of people, which is an obvious adherence to the ethical principle of Utilitarianism. There are numerous parties involved in the network security process, such as the software vendor, security researcher, system administrator, and even the malicious attacker, all of whose intentions reflect on the ethical principles behind their actions.