
UNIT 2 - Unauthorised Access (Computer Hacking)

TABLE OF CONTENTS
CONTENT
1. HACKING DEFINITION
2. DEFINITION OF A HACKER
  2.1 HACKER ETHIC
3. PSYCHOLOGICAL PROFILE OF A HACKER
  3.1 COMPUTER NERD SYNDROME
4. HACKERS: DEMOCRATIC VERSUS TOTALITARIAN STATE
  4.1 THE POLITICAL PHILOSOPHY OF CONFUCIUS
  4.2 GEORGE ORWELL'S NINETEEN EIGHTY FOUR
5. HACKERS: SECURITY CONSULTANTS
6. WORMS, TROJAN HORSES AND TIME BOMBS
  6.1 TROJAN HORSE
  6.2 LOGIC BOMB OR TIME BOMB
  6.3 VIRUS
  6.4 VACCINE OR DISINFECTANT
  6.5 WORM
  6.6 TEMPEST
7. LEGAL CONSTRAINTS: THE COMPUTER MISUSE ACT, 1990
  7.1 HISTORICAL PERSPECTIVE
  7.2 THE THREE NEW CRIMINAL OFFENCES
  7.3 JURISDICTION
8. LEGAL CONSTRAINTS: THE COMPUTER FRAUD AND ABUSE ACT (CFAA)
9. PROFESSIONAL CONSTRAINTS: ACM CODE OF ETHICS AND PROFESSIONAL CONDUCT
10. ETHICAL POSITION ON HACKING
  10.1 SIMPLE HACKING
  10.2 INFORMATION OWNERSHIP
  10.3 COMPUTERS: MATERIAL POSSESSIONS?
11. SUMMARY

BIS2061 1 Unit 2
Content

1. Hacking Definition

The computer ethicist Duncan Langford views hacking as an emotive term. He states
that back in the 1960s and 1970s the term hacking was used to describe an individual
working with computers who was technically gifted. In the early days of computing
there was no implication that someone known as a computer hacker would act
illegally. However, the social and computing environment has greatly changed since,
and as it tends to be with language, the use of the term hacker ‘expanded and its
definition broadened’.

Langford (1995) argues that despite historical claims his definition of hacking is
‘obtaining and exploiting unofficial access to a computer system’.

2. Definition of a Hacker
In The Hacker's Dictionary (Forester and Morrison, 1990, Computer Ethics:
Cautionary Tales and Ethical Dilemmas in Computing) the authors outline at least
seven different definitions of a hacker:

• A person who enjoys learning the details of computer systems and how to stretch their
  capabilities, as opposed to most computer users, who prefer to learn only the
  minimum amount necessary
• One who programs enthusiastically, or who enjoys programming rather than just
  theorising about programming
• A person capable of appreciating the hacker ethic, see 2.1 below.
• A person who is good at programming quickly
• An expert on a particular program, or one who frequently does work using it or on it
• An expert of any kind
• A malicious inquisitive meddler who tries to discover information by poking around.
  For example, a password hacker is one who tries, possibly by deception or illegal
  means, to discover other people's computer passwords. A network hacker is one
  who tries to learn about the computer network, possibly because he / she wants to
  improve it or possibly because he / she wants to interfere

The currently accepted view of a hacker is someone who uses a specialised
knowledge of computer systems to obtain illegal access to them. Probably, too, once
they have obtained access to a system, a hacker would be expected to steal and
corrupt data (Langford 1995).

Now do Review Question 1

2.1 Hacker Ethic

The early hackers took the position seriously enough to establish their own ethical
code, known as the Hacker Ethic. Langford (1995) argues that the creation of the
Ethic was sincere, as were its intentions. There are five principal values comprising
the Hacker Ethic:

• Access to computers, and anything which might teach you something about the way
  the world works, should be unlimited and total. Always yield to the hands-on
  imperative
• All information should be free
• Mistrust authority - promote decentralisation
• Hackers should be judged by their hacking, not bogus criteria such as academic
  excellence, age, race or position
• You can create art and beauty on a computer

The focus of the Hacker Ethic is, perhaps understandably in the circumstances, on the
hacker. Among the areas left out are the rights of owners and users of computer
systems, and consideration of a computer scientist's responsibilities to them.

3. Psychological Profile of A Hacker


‘Typical actions taken by hackers include breaking into both public and private
databases, sometimes just to see if it is possible, sometimes for more serious reasons,
(for example, altering grades in a school computer or altering credit rating).
Information on how to accomplish these and other tasks is sometimes posted -
anonymously, of course - to specialist bulletin boards. Serious hackers may use a
succession of computers as staging posts, to route a continuing series of attacks on
different systems. The book Cuckoo's Egg, by Clifford Stoll describes how military
computers in the USA were attacked by hackers in Germany through a whole series of
staging posts. It is obviously much more difficult to trace an attack made in this way
to its source’ (Langford, 1995)

'A recent PriceWaterhouseCoopers study revealed that 59 percent of all companies
with Websites experienced one or more security break-ins during 1997. Moreover,
this figure is probably too low because many of these incidents usually go unreported.
One of the more notorious and widely publicised security breaches happened to the
New York Times on September 13, 1998. Their website server was invaded by a
group of belligerent hackers who posted pornographic material and printed this
threatening message for all to see:

FIRST OFF, WE HAVE TO SAY . . .. WE OWN YOUR DUMB ASS.
S3COND, TH3R3 AR3 SO MANY LOS3RS H3R3. ITZ HARD TO PICK
WHICH TO INSULT MOST.

The site had to be closed for nine hours while IT personnel cleaned up the offensive
messages and plugged the hole.' (Spinello, 2000)

In answer to the question "why do hackers hack?", and to offer an explanation for the
behaviour described above, one reason that has been given is the satisfaction gained
from the intellectual challenge involved. It has been said to be similar to solving an
elaborate crossword - and the guessing of passwords and inventing means of
bypassing file protections poses intriguing problems that some individuals will go to
enormous lengths to solve (Forester and Morrison, 1990). In other instances, hacking
has involved acts of vengeance, usually by a disgruntled employee against a former
employer. For others, hacking represents a lifestyle that rests upon severe social
inadequacy among otherwise intellectually capable individuals - the so-called
"computer nerd" syndrome.

3.1 Computer Nerd Syndrome

The computer nerd syndrome particularly affects male adolescents between the ages
of 14 and 16. For psychologists such as Sherry Turkle of Massachusetts Institute of
Technology (MIT), hackers are individuals who use computers as people substitutes,
basically because computers do not require the kind of mutuality and complexity that
human relationships tend to demand.

Other researchers at Carnegie-Mellon University have provided evidence that
partially supports this view. Sara Kiesler and her co-workers have investigated the
social psychology of computer mediated communication and found that this medium
removes status cues, such as sitting at the head of a table and body language, and
provides a kind of social anonymity that changes the way people make decisions in
groups. Their investigations into computer conferencing and electronic mail
highlighted that group decision-making discussions using this medium exhibited more
equal participation and a larger coverage of issues.

However, despite this, the limited bandwidth of the computer screen, i.e. its lack of
feedback in the form of body language, etc., often causes users to seek substitutes for
it. For example, in the absence of any other non-verbal mechanisms to communicate
their emotions, electronic mail users often substitute depictions of their face to
represent how they are feeling or how their message should be interpreted. The
following collections of keyboard characters are often used to represent a smile, a wink
and a sad face respectively:
:-)   ;-)   :-(

Forester and Morrison (1990) conclude:


‘The form of communication that computers require, even when communicating with
other human beings, may indeed be attractive to those who feel less competent in
face-to-face settings where the subtleties of voice, dress, mannerisms and vocabulary
are mixed in complex ways. Those who are less skilled in dealing with these sources
of information may therefore retreat to more concrete and anonymous forms of
interaction with a machine, while those who are limited by these communication
modes attempt to extend them to incorporate more naturalistic features of
communication when dealing remotely with other human beings.’

4. Hackers: Democratic versus Totalitarian State
It is argued that for the sake of balance a truly democratic society should possess a
core of technically gifted but recalcitrant people. Given that more and more
information about individuals is now being stored on computers, often without our
knowledge or consent, it might be reassuring that some citizens are able to penetrate
these databases to ascertain what is going on. In this sense it could be argued that
hackers represent one way in which we can help avoid the creation of a more
centralised, even totalitarian government.

Indeed, at the time of the Chernobyl nuclear power station disaster in the former
Soviet Union, hackers from the Chaos Computer Club released more information to
the public about the developments than did the then West German government itself.
All the information was gained by illegal break-ins carried out in government
computer installations.

Hacking has the potential to cause enormous harm by utilising resources that have
tremendous power. Yet we should not forget that there are other, equally powerful
and much older ways in which similar powers can be unleashed (Forester and
Morrison, 1990). Leaks to the press, espionage of all kinds and high quality
investigative journalism - such as that which uncovered Watergate and
the Iran-Contra affair - have the power to break a government's control of information
flow to the public. This can ultimately even destroy corporations or governments that
have been shown to be guilty of unethical or criminal activities.

4.1 The Political Philosophy of Confucius

There is a remarkable parallel between Confucius and Plato, both of whom were
deeply immersed in philosophising about the ideal state in which justice would be
administered by a wise and virtuous ruler, and in which the concept of the common
good, benevolently supervised, would form the governing consideration. They
differed to the extent that whereas Plato advocated the principle of guardianship
whereby a ruling class would be educated and fashioned to rule the state without fear
of contradiction in their just rule, Confucius considered the populace as an intelligent
and critical check against wrong tendencies in government.

Confucius' theory of government was both paternal and democratic. The ruler is father
of his people, and his right to rule is the order of nature. He is, at the same time,
responsible in detail for the welfare (material and moral) of his people. On the other
hand, the highest source of wisdom is the people themselves - they know what is good
for them - vox populi, vox dei. His humblest subject is the ruler's equal, and revolution
against tyranny is a duty.

Thus it could be argued that hackers represent the humblest subject whose duty is to
revolt against the tyranny of a totalitarian state. The hacker, in the true sense of
Confucianism, helps avoid the creation of a more centralised and totalitarian
government. This relates to the third principle of the Hacker Ethic in promoting
decentralisation (see 2.1).

4.2 George Orwell's Nineteen Eighty Four

George Orwell, novelist, essayist and critic, is famous for his savagely angry satirical
novels Animal Farm and Nineteen Eighty Four. His distrust of authority and all
political parties inspired Nineteen Eighty Four, an elaborate satire on modern politics
prophesying a world perpetually laid waste by warring dictators. The novel above all
pictures the horrors of totalitarianism pursued to the limit, the very horrors that
hackers help avoid.

Now do Review Question 2

Now do Review Question 3

5. Hackers: Security Consultants


In many instances the breaching of systems can provide more effective security in
future, so that other, presumably less well intentioned, hackers are prevented from
causing real harm. Given the possibility of terrorist acts becoming more and more
technologically sophisticated, perhaps we can also look to hackers as a resource to be
used to foil such acts and to improve our existing security arrangements. Forester and
Morrison (1990) highlight that

‘To some extent this is already happening: in the US, convicted hackers are regularly
approached by security and intelligence agencies with offers to join them in return for
amelioration or suspension of sentences. Other hackers have used their notoriety to
establish computer security firms and to turn their covertly gained knowledge to the
benefit of commercial and public institutions.’

6. Worms, Trojan Horses and Time Bombs


Some individuals, often describing themselves as hackers, anonymously release
destructive software known (because of both the manner and ease with which they
spread) as computer viruses.

6.1 Trojan Horse


The term comes from Homer's Iliad. In the Trojan War, the Greeks presented the
citizens of Troy with a large wooden horse in which they had secretly hidden their
warriors. During the night, the warriors emerged from the wooden horse and overran
the city. In computers, a Trojan horse is a program in which malicious or harmful
code is contained inside apparently harmless programming or data in such a way that
it can get control and do its chosen form of damage, such as ruining the file allocation
table on your hard disk. A Trojan horse can be considered a virus if it is widely
redistributed.

6.2 Logic Bomb or Time Bomb

This is a program that is triggered to act when it detects a certain sequence of events,
or after a particular period of time has elapsed. For example, a popular form of logic
bomb monitors employment files and initiates systems damage (such as erasure of
hard discs or secret corruption of key programs) once the programmer's employment
has been terminated. A simple variation on the theme is to have a logic bomb virus,
that is, a virus that begins to replicate and destroy a system after it has been triggered
by a time lapse, a set of pre-programmed conditions coming into existence, or by
remote control using the appropriate password.

6.3 Virus

A virus is a piece of programming code inserted into other programming to cause
some unexpected and, for the victim, usually undesirable event. Viruses can be
transmitted by downloading a program from other sites, or be present on a diskette.
The file you are downloading or the diskette you have received may not be aware of
the virus it is carrying. The virus lies dormant until circumstances cause its code to be
executed by the computer. Some viruses are playful in intent and effect ("Happy
Birthday, Ludwig!") and some can be quite harmful, erasing data or causing your hard
disk to require reformatting.

6.4 Vaccine or Disinfectant

Vaccine or Disinfectant software is a class of program that searches your hard drive
and floppy disks for any known or potential viruses. The market for this kind of
program has expanded because of Internet growth and the increasing use of the
Internet by businesses concerned about protecting their computer assets. Here are
three of the most popular anti-virus programs. You can download free trial copies
from their sites:

• Dr. Solomon's Software http://www.drsolomon.com/
• McAfee Virus Scan http://www.nai.com/default_mcafee.asp
• Norton Anti-Virus http://www.symantec.com/avcenter/index.html

Some vaccines are general-purpose programs that search for a wide range of viruses,
while others are more restricted and are only capable of identifying a particular virus
type. Other forms of virus protection include isolation of the infected system(s), use
of non-writable system discs so that viruses cannot copy themselves there, and testing
of unknown software (particularly public domain software downloaded from bulletin
boards) on a minimal, isolated system.

6.5 Worm

A worm is a type of virus or replicative code that situates itself in a computer system
in a place where it can do harm. There are viruses (such as Melissa) that don't ‘worm
themselves’ into a place where they can do harm; they simply replicate themselves by
e-mail to many computers. Like most computer viruses, worms usually come in
Trojan horses. Worms tend to exist in memory and are non-permanent, whereas
viruses tend to reside on disc where they are permanent until eradicated. In addition,
worms are network orientated, with 'segments' of the worm inhabiting different
machines and being cognisant of the existence of the other segments in other nodes of
the network. Worms actively seek out idle machines and retreat when machine load
increases.

6.6 Tempest

The term refers to the electronic emissions that computers generate as they work.
With the right equipment, these transmissions can be monitored, stored and analysed
to help discover what the computer was doing.

Now do Review Question 4

7. Legal Constraints: The Computer Misuse Act, 1990

7.1 Historical Perspective

‘It had long been assumed in the UK that hacking was illegal; but in 1988 the House
of Lords eventually decided to the contrary. Concern following this decision led to the
Law Commission Working Paper on Computer Misuse. This paper, after a general
examination of the problems, made several specific recommendations for changes in
the law. In 1989 the Tory MP Emma Nicholson promoted a Private Member's Bill to
combat hacking but later withdrew it, following Government promises to legislate.
However, despite these promises, no official Government measures were taken. In
1990 another private member, Michael Colvin, introduced a second private bill on
computer misuse. Although this bill incorporated recommendations from the Law
Commission paper, the penalties recommended by the Commission were greatly
increased. The Bill eventually became the Computer Misuse Act in August 1990.’
(Langford, 1995)

7.2 The Three New Criminal Offences

The Act introduces three new criminal offences:

• Unauthorised access to computer material. Described as simple hacking - that is,
  using a computer without permission. This now carries a penalty of up to six
  months in prison or a £2000 fine, and is tried in a Magistrate's Court
• Unauthorised access to computer material with the intent to commit or facilitate
  commission of further offences. This section of the Act covers actions such as
  attempting to use the contents of an email message for blackmail. This is viewed
  as a more serious offence; the penalty is up to five years' imprisonment and an
  unlimited fine
• Unauthorised modification of computer material. This section of the Act covers
  distributing a computer virus, or malicious deletion of files, as well as direct
  actions such as altering an account to obtain fraudulent credit

The latter two offences are tried before a jury. The Act also includes the offence of
conspiracy to commit and incitement to commit the three main offences. This aspect
of the Act makes even discussion of specific actions, which are in breach of the main
sections, questionable practice. It is sufficient to be associated with an offender in
planning the action, or to suggest carrying out an action which is illegal under the Act,
to be in a position to be charged.

7.3 Jurisdiction

The Act attempts to cover international computer crime. An individual can be
prosecuted in the UK under the 1990 Misuse Act as long as there is at least one
'significant link' with the UK. For example,

‘Hacking into a computer in Milan from a computer terminal in London is illegal, as
is hacking into London from Milan. Interestingly, using the UK as a staging post is
also illegal under the Act - breaking into the Pentagon from Milan via a UK university
is illegal, and could result in UK prosecution, even if the hacker had never been in
England.’ (Langford 1995)

Activity 1 – Illegal access to personal data

8. Legal Constraints: The Computer Fraud and Abuse Act (CFAA)
‘The Computer Fraud and Abuse Act (CFAA), which was last amended in late 1996,
is evidence that the US legal system has begun to take the issue of unauthorised
access more seriously. The provisions of the act protect the confidentiality of
proprietary information and make it a crime to "knowingly access a computer without
or in excess of authority to obtain classified information". The statute also makes it a
crime to access any "protected computer" without authorisation and as a result of such
access to defraud victims of property or to recklessly cause damage. Protected
computers include those used by the government, financial institutions, or any
business engaged in interstate or international commerce. Thus, trespass is a federal
crime if one does so to pilfer classified information, to perpetrate fraud, or to cause
damage (for example, to destroy files or disable an operating system). The only strict
trespass provision of the statute protects computers used on a full time or part time
basis by the government from unauthorised access, even if no damage is done and no
information is stolen.’

‘All the states, with the exception of Vermont, have also enacted their own computer
crime statutes, which, in some cases, go beyond the scope of the Computer Fraud and
Abuse Act. Specifically, most state laws make unauthorised use of computers a crime
regardless of the circumstances.’
(Spinello, 2000)

Now do Review Question 5

9. Professional Constraints: ACM Code of Ethics and Professional Conduct
Commitment to ethical professional conduct is expected of every member of the
Association for Computing Machinery (ACM). The ACM Code of Ethics and
Professional Conduct (consisting of 24 imperatives formulated as statements of
personal responsibility) identifies the elements of such a commitment. It contains
many, but not all, issues professionals are likely to face. Some general moral
imperatives address additional, more specific, considerations of professional conduct.

The general moral imperative 2.8 states "a member must access computing and
communication resources only when authorised to do so". Theft or destruction of
tangible and electronic property is prohibited by imperative 1.2: "Avoid harm to
others". Trespassing and unauthorised use of a computer or communication system is
also addressed by this imperative. Trespassing includes accessing communication
networks and computer systems, or accounts and/or files associated with those
systems, without explicit authorisation to do so. Individuals and organisations have
the right to restrict access to their systems so long as they do not violate the
discrimination principle (see *imperative 1.4 below). No one should enter or use
another individual's computer system, software, or data files without permission. One
must always have appropriate approval before using system resources, including
communication ports, file space, other system peripherals, and computer time.

*imperative 1.4: The values of equality, tolerance, respect for others, and the
principles of equal justice govern this imperative. Discrimination on the basis of race,
sex, religion, age, disability, national origin, or other such factors is an explicit
violation of ACM policy and will not be tolerated.

10. Ethical Position on Hacking

10.1 Simple Hacking

When a hacker gains access to a system and rummages around in a company's files
without actually altering anything, what damage has he / she caused? Have they
simply stolen a few thousandths of a penny's worth of electricity (Theft Act of 1968)?
Indeed, if the hacker informs a company of their lax security procedures, is he / she
creating a public benefit by performing a service that they might otherwise have to
pay for? In some countries, for example, Canada, it is not an offence to walk into
somebody's residence, then look around and leave - as long as nothing has been
altered or damaged. Can a hacker's walk through of a system be considered in similar
terms?

Now do Review Question 6

10.2 Information Ownership

If we consider the private sector, we might even question the right of a company to
hold information on individuals, and their right to deny individuals access to that
information. For example, many commercial institutions tap into databases that hold
the credit ratings of hundreds of thousands of people. The providers of these databases
have collected information from a huge range of sources and organised it so that it
constitutes a history and an assessment of our trustworthiness as debtors. Who gave
these companies the right to gather such information? Who gave them the right to sell
it, which they do, along with subscription lists, names and addresses? What limits are
there on the consequences of this information for the quality of our lives? What rights
should we have in ensuring that our details are correct?

Now, if we imagine a hacker penetrating a system so that he / she can correct the
records of those who have been denied correction of incorrect data, which of these two -
the database owner or the hacker - has committed the greatest ethical error? Are they
both equally guilty?

Should I own information about me? Or should I, as a database operator, own any
information that I have paid to be gathered and stored? On the other hand, given that
the storage of information is so pervasive and the very functioning of modern society
relies upon computer based data storage, does the public have a right to demand
absolute security in these systems? Finally, should some hackers be regarded as our
unofficial investigative journalists, finding out who holds what information on whom
and for what purposes, checking if corporations are indeed adhering to the data
protection laws; and exposing flagrant abuses that the government cannot or will not
terminate?

10.3 Computers: material possessions?

‘If computers are viewed as material possessions, then electronic entry to a computer
system can be looked on as very similar to physical entry into an office or home.
Unless there is a specific invitation, or previous permission to enter, this is trespass, if
not unlawful entry. Hackers have a typical defence though: they are entering to test
for loopholes in the software. Is this realistic? If challenged, many hackers claim to
know a friend of a friend, who was paid by a large company to test its computer
systems for security loopholes. This is, of course, comparable to paying a burglar to
attack your home in the hope that the burglar may reveal security weaknesses.’
(Langford, 1995)

Langford pursues the analogy further and argues:


‘What would most people think of someone who broke into your home and went
through your desk, reading whatever letters and personal material they happened to
find? On the face of it, there seems, so far, to be a clear legal and ethical case against
hacking into someone else's computer system.’

However, Langford does highlight a second position on hacking which follows the
contention that computers are not to be viewed as material possessions, belonging to
one business, or another. There is, the view runs:
‘An undefined global community of computing, where the physical ownership of each
machine is secondary to the benefit of its users. Sometimes, taking the Internet as a
limited example, supporters claim that exploring this electronic world is somehow
above such considerations as yours or mine - electrons belong to no one. If there is a
cost, big business can afford to pay it.’

Langford elaborates:
‘There are clear strengths to the idea, particularly in view of the advantages of
openness. The general enrichment, which tends to come from wide information
distribution may mean developers never have to reinvent the wheel, or needlessly
design from scratch which already exists elsewhere.’

Activity 2 – Trespass and Web Sites

11. Summary
This unit has introduced some of the key concepts and issues that are invoked by
unauthorised access (computer hacking). You have been presented with the ethical,
legal and professional arguments concerning computer hacking.
