Ethics isn't a county east of London, but it's the only way to look at security

The trouble with good ideas is that, taken together, they can be very bad. It's a good idea to worry about supply chain malware injection – ask SolarWinds – and a good idea to come up with ways to stop it. It's even a good idea to look at major open-source software projects, such as the Linux kernel, with their very open supply …

  1. Pascal Monett Silver badge
    Thumb Up

    Well said

    I agree with and will stand behind every word of this article.

    It's just a shame it had to be written.

  2. Anonymous Coward

    As someone who has to make those decisions

    The first and last principles are 'does this comply with the law?' as I, for one, am not going to be tapping the boards in front of the court because some eejit thought the policies were put in place for shits and giggles.

    1. teacherboy

      Re: As someone who has to make those decisions

      First but not the last surely? Compliance with the law is necessary but not sufficient to be ethical.

      1. Anonymous Coward

        Re: As someone who has to make those decisions

        Depends on the law. Common law defines what you can't do, and everything else is fair game. Generally there's some get-outs such as "Outraging public decency", which can mean anything, but other than those it's not illegal to do something that isn't prohibited.

        In the case of the "experiment" to poison the Linux Kernel, such a thing left to continue unchecked would probably fall foul of some part of the Computer Misuse Act here in the UK. I suspect that had they not sent an email fessing up before it was too late, they'd probably have fallen foul of some equivalent US law. There are legally acceptable ways to be a white hat, but that's not really what they were doing.

        Had it got as far as the kernel, and had it been harmless, they'd possibly be able to sustain a defence of no intent in a court case. If that worked it'd be a kindly judge indeed who'd let them off without a severe dressing down. More likely it wouldn't work as someone would have to have cleared up the mess in the kernel repos.

        Anyway, law is society's rules; they *are* the only sysops. Arguably in a fully democratic society it is immoral to say that someone acting entirely within the law is doing something wrong, if other people don't like it. For example antivax protestors are widely despised because they try to prevent other people receiving vaccinations, often exhibiting behaviour bordering on harassment. In contrast someone paying tax within the boundaries of law is paying as much as society demands. It's not their fault or problem if someone else doesn't think that the law is right. We have laws and enforcement specifically to prevent societal outrage being fomented and manipulated for the purposes of imposing some small group's world view on people against the democratic majority.

        And in old democracies, arguments along the line of "that should be illegal / legal" generally run into trouble when it turns out (as is often the case) that the same or similar matter had been repeatedly considered in the past, and good reasons why that thing isn't illegal / legal are found to be well established. That doesn't mean that it can't adapt; for example the UK had an effective data protection act long before the Internet made that very important.

        Occasionally a country forgets. For example the Netherlands with its relaxed legal attitude to pot is now effectively a narco state; lawyers get murdered, police are corrupt, court witnesses get intimidated, the lot. Now, who can honestly say that that was unforeseeable?

    2. big_D Silver badge

      Re: As someone who has to make those decisions

      Yes, I've been asked to do dodgy things on a couple of occasions and I've always refused to do it without a written order from the CEO and a note from the company lawyer that what they have asked me to do is legal.

      It caused a stink the first time I did it, but it saved my bacon when someone sued the company as a result of the actions I was told to perform.

      1. Yet Another Anonymous coward Silver badge

        Re: As someone who has to make those decisions

        >someone sued the company as a result of the actions I was told to perform.

        If the fine was less than the financial benefit from the actions then you failed in your duty to the shareholders.

      2. oiseau
        Coat

        Re: As someone who has to make those decisions

        ... asked to do dodgy things on a couple of occasions ...

        Ahh ...

        In another life I was also asked to do something which was not illegal but was ethically and professionally highly questionable.

        It required me to do a 180° on an already submitted report with the end result being the company I worked for paying top cash for realty that was basically crap.

        Obviously justified by the new version of my report.

        Result?

        No stink, someone else did it.

        A month later I was in a corner office with no duties and a year later I was let go because I had the wrong professional profile for what the company needed.

        The company bigwig behind all that made sure the next five years were very hard for me.

        I always wonder ...

        O.

  3. Mike 137 Silver badge

    Agreed but ....

    Ethics and morals are two clean different things. Ethics are merely what a community accepts as its norm of behaviour, regardless of morality. Classic examples are "compliance" and "due diligence". Morally, compliance means fulfilling the purpose of some regulation, legislation or policy however much effort is required. Ethically, it means doing as little as you can get away with to avoid getting caught out for not fulfilling the "letter of the law". Guess which is the normal choice. Morally, due diligence means exercising sufficient diligence to ensure that whatever is at question is properly considered - "due" meaning "sufficient". Ethically, "due diligence" is a cliché meaning performing some perfunctory process like that done by the Institutional Review Board and then ticking a box.

    Although eminently newsworthy, the examples cited by Rupert are far from isolated. At the start of 2021 we published the results of two years research into compliance with the GDPR transparency obligation based on a sample of several hundred randomly selected businesses. We found not a single instance of compliance. Abstract as this may sound, failure to comply with the transparency obligation nullifies the entire Regulation as it prevents data subjects exercising their rights. The "compliance" we found was at best based on the "ethical" principle of fulfilling the minimum letter of the law whether the results delivered the intended purpose of the legislation or not (and it didn't).

    "Compliance officers" should have an obligatory banner on their office walls - "What's the least we can get away with doing to keep out of trouble?"

    1. Anonymous Coward

      Re: Agreed but ....

      I agree with your statement "Ethics and morals are two clean different things", but not with your cynical characterization of the meaning of the word "ethics".

      1. Neil Barnes Silver badge
        Headmaster

        Re: Agreed but ....

        Ethics is how your community expects you to behave; morals are how you behave when no-one is watching.

        1. Paul Kinsler

          Re: Ethics ...

          ... according to the Cambridge dictionary, is:

          "the study of what is morally right and wrong, or a set of beliefs about what is morally right and wrong"

          ... which I am not sure is the same as your proposed definition (irrespective of how useful the distinction you are making might be).

          1. Mike 137 Silver badge

            Re: Ethics ...

            "The rules of conduct recognized in certain limited departments of human life. 1789" [Oxford dictionary]. And this limited definition is borne out by the "ethics" specified by practically every professional association. They don't mention morals at all - they're mostly aimed at curbing behaviours that might reflect adversely on the association.

            So I don't have a personal cynical definition. It is ironic though that the definition above coincided with the French revolution - possibly the most immoral period in recent French history.

            1. Paul Kinsler

              Re: So I don't have a personal cynical definition.

              Perhaps not, but if I google/bing/duck that very phrase, I get no useful hits. My own concise oxford dictionary does not have that definition, but "1. relating to morals, treating of moral questions, morally correct, honourable; 2. set of principles of morals, science of morals, moral principles, rules of conduct, whole field of moral science."

              If, as I believe you say, your preferred definition, as quoted by you, is from 1789, you do at least seem to have personally chosen a rather cynical take on an archaic definition ... unless you are about 240 years old, I suppose, which might explain your preference.

              I think that if I wanted to make a further point here, it would be this: "morally correct" does not imply (only) behaviour only just "moral", or such should be better described as "not immoral"; likewise the words "honourable" or "ethical" do not imply similarly borderline behaviour. It is your apparent choice to say that "ethically" applies only (or at least primarily) to barely ethical or borderline unethical behaviour that strikes me as that of a cynic.

    2. Anonymous Coward
      Boffin

      Re: Agreed but ....

      A clear distinction between morals and ethics can be seen in the Minnesota case.

      The researchers' morals said code insertion was wrong and detecting it was right. [The paper published on GitHub is a good read and notes that all the patches they submitted fixed a recorded error and that the patches without the superfluous code were also created to replace the insertion patches.]

      BUT, the way they went about it failed to take into account the other people who would be involved. This is what makes it unethical, as the article points out.

  4. ThatOne Silver badge
    Unhappy

    Community

    > We are all human beings, we live in a community, and everything we do affects others

    That's a tad simplistic, isn't it? Since people are mostly concerned with themselves and their families, there are many different shades of "community" and "others", ranging from "to be protected at all cost" to "who cares".

    If a very profitable action harms a very unimportant part of "others", most people won't hesitate. There is even a whole psychological tool set helping to cope with any lingering doubts, like denying any harm done, or devaluing the victim ("they don't deserve this", "they are evil"). History and our everyday lives are full of examples.

    The point of a "community" (as opposed to a loose bunch of humans competing for resources) is first and foremost to set rules which rein in people's more egoistic impulses, making possible a cohabitation without (too much) bloodshed. Government types, religions, all have this one goal in view, but unfortunately the consensus is that we haven't found yet the right recipe...

    My own point is that while this article is right, it omits to stress what an uphill battle it is, especially in those times where it's "cool" to be inconsiderate, ruthless and blatantly egoistic. You'll never bring people to renounce something to somebody else's profit as long as they are convinced that this "somebody else" is shit.

  5. Anonymous Coward

    GoDaddy did what?

    My company occasionally has phishing campaigns, and very successful they are too! However, they are used to train people, not catch them out. People have become so good at spotting them, they even question missives from above that have a slight haddocky smell about them (which makes the quality of internal missives better).

    But the GoDaddy phish is just shameful. I wasn't aware of it, so it's just lost my business.

    1. Yet Another Anonymous coward Silver badge

      Re: GoDaddy did what?

      I know our internal corporate security messages aren't phishing tests when they are written in meaningless corporate euro-English, contain a bit.ly link to the training materials and the actual site is called something like sapintegrationsuccessdynamics.eu

  6. Plest Silver badge
    Coat

    So...

    "The Only Way is Ethics", got it!

  7. Tron Silver badge

    A cheap and sensible alternative to the status quo.

    Having a large wage packet and career seniority doesn't mean a person is competent, ethical or wise.

    Every large entity should employ one person who is employed simply because they are competent, ethical and wise. Run all Big New Ideas past them before you spend money on them or announce them. And give them a veto so they can just tell you to forget it.

    One day, it will save you from yourselves.

    1. Throatwarbler Mangrove Silver badge
      Joke

      Re: A cheap and sensible alternative to the status quo.

      "Every large entity should employ one person who is employed simply because they are competent, ethical and wise."

      You mean the janitor?

    2. ThatOne Silver badge
      Unhappy

      Re: A cheap and sensible alternative to the status quo.

      > Every large entity should employ one person who is employed simply because they are competent, ethical and wise.

      Besides the obvious question of where they would find that person, there remains the big problem that incompetent, unethical and foolish people just hate to be told what to (not) do, and since they are the vast majority they will prevent this from ever happening.

      It's a good suggestion, but doomed to fail...
