NSCI Ethical Hacking - National Security Cyberspace Institute
Security in Cyberspace
Torbjörn Lundqvist
Overview
● Written on the body: Biometrics and Identity, Irma van der Ploeg
  – In what way does biometrics contain information about ourselves that previous token-based systems don't?
● Terrorism or Civil Disobedience: Toward a Hacktivist Ethic, Mark Manion & Abby Goodrum
  – How does one go about distinguishing computer terrorism from civil disobedience, and in what way does one define the ethics of hacking and civil disobedience?
Privacy and Security
● Security:
  – Ambiguous, safety vs. security distinction, being free from danger, hard to assure
  – Computer security vs. data security, protection from worms, hackers vs. data loss
● Privacy:
  – Often used synonymously with “anonymity”
  – Psychological privacy / informational privacy
  – Control vs. Restricted Access theory
  – Impossible without security
Security
● As an ethical issue: is true security achievable? If so: is it desirable? Conflict:
  – Pros
    ● Anonymity and privacy can be ensured (on a personal level, information-restriction becomes easier)
    ● Identity can be established more easily (seems to conflict with the latter)
  – Cons
    ● Anonymity and privacy can lead to unlawful behavior (due to the ease of restricting information)
    ● “Easy identification” makes it harder to hide from others (again, conflict with the latter)
Biometrics
● In what way does biometrics contain information about ourselves that common token-based systems don't?
● How can this information be used to “ensure our security” by “invading our privacy”?
Biometrics
● Van der Ploeg: In 1996, I-scan software was implemented in the Department of Public Affairs in Illinois
● All welfare clients were called to an interview, and made to submit a retinal scan
● Failure to comply meant disqualification from social service benefits and other sanctions
● Reason: The need to ensure against social welfare fraud
Biometrics
● Biometrics: stipulated as “The collection of physical features using a sensory device to record digital representations of physical features unique to the individual”
● Retinal scan
● Fingerprints
● Voice patterns
● Movements / body odor
Biometrics
● The method consists of using digital representations as templates to which a match is made upon identification. If the template matches the sample, the subject is known; if not, the subject is unknown.
[Diagram: Template (stored indefinitely). Sample compared with T1: match, known. Sample compared with TX: mismatch, unknown.]
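The template/sample matching on this slide, together with the identification-versus-verification distinction raised later in the deck, as an added example that is not part of the original slides. The bit-string templates, the Hamming-distance comparison and the 0.25 threshold are assumptions made for illustration; the slides do not specify a matching algorithm.

```python
# Added illustration: templates and samples are constructed bit strings, and the
# Hamming-distance threshold is an assumption, not something the slides specify.
from typing import Dict, Optional

THRESHOLD = 0.25  # assumed: largest fraction of differing bits still counted as a match


def hamming_fraction(a: str, b: str) -> float:
    """Fraction of bit positions in which two equal-length bit strings differ."""
    if len(a) != len(b):
        raise ValueError("template and sample must have the same length")
    return sum(x != y for x, y in zip(a, b)) / len(a)


class TemplateStore:
    """Enrolled templates, kept indefinitely as on the slide."""

    def __init__(self) -> None:
        self._templates: Dict[str, str] = {}

    def enroll(self, subject_id: str, template: str) -> None:
        self._templates[subject_id] = template

    def verify(self, claimed_id: str, sample: str) -> bool:
        """1:1 check: does the sample match the template of the claimed identity?"""
        template = self._templates.get(claimed_id)
        return template is not None and hamming_fraction(template, sample) <= THRESHOLD

    def identify(self, sample: str) -> Optional[str]:
        """1:N search: closest enrolled subject, or None when the subject is unknown."""
        best_id, best_dist = None, 1.0
        for subject_id, template in self._templates.items():
            dist = hamming_fraction(template, sample)
            if dist < best_dist:
                best_id, best_dist = subject_id, dist
        return best_id if best_dist <= THRESHOLD else None


# Constructed sample data: 16-bit stand-ins for real feature vectors.
store = TemplateStore()
store.enroll("T1", "1011001110001101")
store.enroll("T2", "0100110001110010")

noisy_t1 = "1011001010001101"  # one bit off T1: a fresh scan never equals the template exactly
stranger = "1110000101011000"  # half the bits differ from every enrolled template
```

The match is a distance threshold rather than an equality test, so the choice of threshold trades false matches against false non-matches.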
Biometrics
● Older systems of identification, ID-cards etc. are “token-based”, biometrics are not
  – “Biometrics are turning the human body into the universal id of the future” ABC News Jan 15, 1998
  – Possible buyers: military forces, governments, private corporations
● Development of genetic API in 1998
  – BioAPI Consortium – IBM, Microsoft, Novell, Compaq
    ● Specifications for a global standard to allow easy implementation of biometrics into computer software begins
Biometrics
● Of course: Biometrics is concerned with maintenance of security through identity check
  – Question: what is identity? Can identity be established in relation to the human body?
● Van der Ploeg
  – Biometrics requires a theory of identity that takes the body and the embodied nature of subjectivity into full account
  – There is a need to investigate what kind of body the biometric body is
Biometrics
● van Kralingen (Biometrician) – Distinction of identity and verification of identity
  – Biometrics is regarded as the latter
● Schechtman (Philosopher), philosophical distinction between
  – Identity
  – Sameness of body (where identity is to self-knowledge what sameness of body is to re-identification)
● Necessary and sufficient conditions why p1 is p1 at both T1 and T2?
Biometrics
● ... is able to detect both sameness and difference of “token” (token-based systems can't)
● ... can re-identify the body, but of course, not the “essence” or “beliefs and values” of the individual
● ... may seem to be better at establishing psychological identity, but due to the above, cannot be any more effective than token-based systems
Biometrics
● Since the body is very much a part of personal identity, and “identity” can be regarded as more profound than “sameness of body”
● It may be easy to identify the body using biometrics; however, it is highly difficult to characterize a psychological individual over time
● Parfit (Reasons & Persons): Personality does not persist over time
  – P.: Personality changes over time, token identity does not, and we cannot be certain that psychological identity changes over time
  – P.: Whether or not psychological identity persists over time is therefore not relevant
  – P.: What matters – psychological connectedness (of memory and character) between p1 and p2 over time
● From this perspective, biometrics is not any better at characterizing the psychological identity of the individual
Biometrics
● Van der Ploeg:
  – Identity can be viewed from a third person perspective (sameness of person)
  – Identity can be viewed from a first person perspective (self-knowledge)
  – The distinction between the two can lead to an assumption that biometrics is only concerned with “sameness of person”, but the person is a “performance piece”
Biometrics
● Van der Ploeg:
  – Personality is something that is constantly being reshaped by (among other things) information technology
  – With information technology, it becomes possible to fragment personal identity
  – Suddenly bodies are irrelevant to identity, identification may be near impossible without the use of the body as identification
Biometrics
● The problem is of course that biometrics removes the boundaries between nature and culture
  – Split-second identification makes it possible to map identity patterns over individuals that may not exist
  – Van der Ploeg: biometrics investigations prompt cultural determinism. One is judged but rather by one's cultural background and previous exploits
Hacktivism
● Terrorism or Civil Disobedience: Toward a Hacktivist Ethic, Mark Manion & Abby Goodrum
  – How does one go about distinguishing computer terrorism from civil disobedience, and in what way does one define the ethics of hacking and civil disobedience?
Hacktivism
● Terrorism vs. civil disobedience
  – “One man's terrorist is another man's freedom fighter” - William Laqueur, 1977
    ● Violence breeds more violence, non-violence does not (Gandhi, “Satyagraha”)
  – Violent struggle vs. civil disobedience
    ● Peaceful breaking of unjust laws (direct action)
  – Non-violent protest: boycotts, sanctions, “sabotage” (s. f. Plowshares-movement), “information-war”
  – Non-violent protest takes the moral high ground, in that it confronts power without resorting to violence
  – Protesters take responsibility for their actions (imprisonment, etc.)
Hacktivism
● Hacktivism
  – “The (sometimes) clandestine use of computer hacking to help advance political causes” - Manion and Goodrum
● Hacking
  – “The practice of exploiting or gaining unauthorized access to computer systems through clever tactics and detailed knowledge” - Wikipedia
Hacktivism
● Hackers attack commercial websites – Feb. 8, 2000
  – 18 page statement, claiming responsibility, is released (MSNBC)
  – Alleged reason: Growing commodification and capitalization of the Internet
  – No one is arrested, no one is charged
Hacktivism
● Valentine's Day, 2000, Plowshares movement restricts access to Faslane naval base, Scotland
  – Faslane is the base of UK Trident-class submarines
  – Reason: These submarines are armed with nuclear weapons
  – Plowshares movement claims responsibility due to ethical concerns
  – 185 arrested
Hacktivism
● 1998, Eugene Kashpureff usurps traffic from InterNIC – Manion & Goodrum
  – Action taken non-anonymously
  – Ethically motivated, protest of domain-name policy
  – Jailed as result
● “Under a government which imprisons any unjustly, the true place for a just man is also a prison” - David Henry Thoreau, 1849
Hacktivism
● Hacktivism, civil disobedience?
  – Has been used to protest
    ● Anti-democratic crackdowns in China
    ● Indonesian occupation of West-Timor
    ● Human rights abusers
  – Targets
    ● Governments & national security
    ● Private industry and intellectual property
    ● Human rights abusers
Hacktivism
● Core principles – Manion & Goodrum
  – No damage done to persons or property
  – Non-violent
  – Not for personal profit
  – Ethically motivated
  – Willingness to accept personal responsibility for one's actions
Hacktivism
● Hacktivism, cyber-terrorism?
  – RAND Corp. John Arquilla and David Ronfeldt
    ● “Netwar” - The study of network based conflict and crime, Networks and Netwars, 2001
    ● “... terrorist and social activist organizations will be most effective if they develop networking capabilities ... attuned to the information age.”
    ● “If governmental powers can understand how modern-day netwar organizations are formed, they may be better able to target and dismantle those terrorist ... groups ...”
● “Act of violence for the purpose of intimidating or coercing a government or civilian population” - US Law
Hacktivism
● Internet provides forums for the organization of Electronic Civil Disobedience (ECD) – Manion & Goodrum
  – What CONSTITUTES Hacktivism (or ECD)
    ● Running FloodNet?
    ● Hacking CNN.com?
  – The point is not destruction of information, rather disruption of the flow of information
● New type of non-violent protest?
  – If so: why is hacking judged harsher than traditional non-violent protests?
Hacktivism
● “Legitimate Hacking”?
  – First objective of invasion: control information
    ● S.f. The Phone book (don't trust the media)
    ● Information Warfare (Op. Desert Storm)
    ● Propaganda (WW2)
  – When is it okay to breach security?
    ● Whenever it does not concern us?
    ● Whenever it concerns multinational corporations?
    ● Whenever it concerns other governments?
    ● Whenever there is a need for it?
  – Who decides?
    ● Whenever it happens in our favor?
    ● Whenever “we” condone it?
Hacktivism
● Often, hackers take a stance against warfare and even information war
  – Against the LoU: “Declaring war on anyone is a most deplorable act” (2600, CDC, ) - Hackernews 12/28/98
● Why label the hacktivist as a terrorist?
  – Labeling the hacktivist as a threat to security furthers legitimization of erasure of individual privacy
Hacktivism
● Is hacking democratic activity? (Levy 1984)
  – Freedom of information
  – Computer access
  – Mistrust authority
  – Promote decentralization
● Do these principles conflict with the tenets of democracy?
  – Foucault – Failure to confirm authority leads to uproar (Foucault 1987)
  – For whom does hacking really compromise security?