Information Security at the University of Pennsylvania:
Practical Applications and Experience with Information Ethics

CIS 401 Senior Design Course

Joshua Beeman
University Information Security Officer

February 23, 2012

Agenda

- UPenn InfoSec: who we are and what we do
- Computer Ethics
  - Context and History
  - Ethics in practice
- Examples from UPenn
  - Policy & Incidents
  - Workplace issues
  - Intellectual Property and Copyright
  - Cybercrime
  - Privacy
  - Professional Codes of Conduct
  - Globalization

Office of Information Security

Jim Choate (Executive Director, ISC/AIT)
Joshua Beeman (University Information Security Officer)

Senior Information Security Specialists:
- John Lupton
- Melissa Muth
- Dana Taylor

Contact security@isc.upenn.edu and reach all of us!

Office of Information Security

Information Security's core mission is to develop strategies and practices that protect Penn's confidential and sensitive information assets.

Information Security Services:
- Development of policy
- Information Security-related projects and initiatives
- Security consultation, awareness & training
- Risk assessment, risk management, threat monitoring, and related communications
- Reporting on events and trends
- Incident handling, response, investigation and notification
- Point of contact and coordination

Office of Information Security

Brief Video: https://www.youtube.com/watch?v=6bahX2rrT1I


Why it's relevant

Facemash: Zuckerberg was charged by the administration with breach of security, violating copyrights, and violating individual privacy.

Later used in an Art History class as a "social study tool".

Image from: https://www.facebook.com/photo.php?fbid=794826159841&set=a.794820416351.2344423.1681&pid=41088721&id=1681


Ethics Defined

"The rules of conduct recognized in certain associations or departments of human life." (O.E.D.)

More simply: the distinction between right and wrong in a given context.

Computer Ethics: History & Key Themes

1940's
- Norbert Wiener: originator of cybernetics (the structure of regulatory systems), which he saw as having profound ethical implications when applied to technology
- Metaphysical concepts around information

1970's
- Walter Maner
  - Developed "Starter Kit" for Teaching Computer Ethics (1978)
  - Defined topics, including: Privacy and Confidentiality, Computer Crime, Professional ethics, etc.
  - Believed computers introduced *new* ethical challenges
- Deborah Johnson
  - Saw computers highlighting pre-existing ethical problems in interesting, but not *new*, ways. Resulted in the "uniqueness" debate.


Computer Ethics: History & Key Themes

1980's
- Deborah Johnson published "Computer Ethics" textbook (1985)
- James Moor article "What is Computer Ethics", which describes "policy vacuums" and "conceptual muddles".

1990's
- Donald Gotterbarn emphasized codes of conduct for computing professionals: "Computer Ethics: Responsibility Regained" (1991)
- Establishment of professional organizations' codes of conduct, as well as programs and tools to assist with ethical behavior (ACM, IEEE, EFF, SEERI, SoDIS, etc.)

Universal/Key concepts:
- Technological impact on core human values, such as health, happiness, abilities, knowledge, freedom, security, etc. (Wiener, Moor, others)
- Context of cultural norms, practices, rules and laws that form the basis for societal ethics (right and wrong).

Policy and the Relationship to Ethics

Policy documents what you can and cannot do.

Some key Penn resources:
- AUP
- Electronic Privacy
- Guidelines on Open Expression

What guides policy?
- Directly related to the mission of your organization
- Frequently the place where we identify "conceptual muddles"
- Strongly driven by human values (e.g., Wiener, Moor)


Workplace Issues

- Employment/Labor Cases
  - University employee unauthorized use of IT resources, unlawful behavior, violation of terms of employment, etc.
- Faculty responsibility to be SME?
- Penn Cloud assessments

Intellectual Property and Copyright

- Copyright and IP issues
  - Digital Millennium Copyright Act (DMCA)
  - Professional misconduct (e.g., plagiarism)
- Changing laws
- Context matters
  - Different populations / different cultures / different ethical norms
- Copyright incidents
- Briton Chance website

[Chart: Copyright incidents by violation count: 1st violation 82.40%, 2nd violation 12%, 3rd violation 3%, 4th violation 2.60%]
Cyber Crime

Penn Incidents & Examples
- Hacking & Malware
  - WebApp backdoor
  - Zeus bot
  - Drive-by malware
- Theft & cloud

Hacktivism
- 2009: climate research emails at East Anglia University
- 2010
- 2011: Numerous hacktivist attacks by Anonymous group on both governments and private sector.

Enabling in the name of teaching/demonstration
- Square debate

Image courtesy of https://commons.wikimedia.org/wiki/File:Anonymous_at_Scientology_in_Los_Angeles.jpg


Privacy

- Business of Penn: collecting information about students, alumni, business partners, etc.
- Regulations: PII, HIPAA, FERPA
- Cloud privacy concerns
- Social Media
  - UPenn MED grant
  - Rutgers suicide
  - Duke powerpoint
- Dr. Matt Blaze & Clipper Chip
- Other current events:
  - FB lawsuit & Google Privacy Shift
  - EPIC lawsuit


Professional Codes of Conduct

- Penn Institutional Review Board (IRB)
  - Wikipedia research example
  - Maner/Johnson uniqueness debate
  - Note also: UPenn Social Media Guidance
- Ethical ("white hat") hacking
- Gotterbarn in practice
  - ACM, IEEE
  - GCEH
  - ISC2
- The Ten Commandments of Computer Ethics: http://www.computerethicsinstitute.com

Professional Codes of Conduct

Example from The Computer Ethics Institute:

1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.


Globalization

- Collaboration
  - Access Control and Shibboleth
- International Laws and Impact
  - Wikileaks: Julian Assange
  - IP and global economy
- Transcending Mission
  - Arab Spring
  - MIT open classroom & education gap

Some References & Resources

- Computer and Information Ethics, Stanford Encyclopedia of Philosophy; Oct 23, 2008. http://plato.stanford.edu/entries/ethics-computer/
- University of Pennsylvania Policy on Acceptable Use of Electronic Resources: http://www.upenn.edu/computing/policy/aup.html
- University of Pennsylvania Policy on Privacy in the Electronic Environment: http://www.upenn.edu/almanac/v47/n04/OR-eprivacy.html
- University of Pennsylvania Guidelines on Open Expression: http://www.upenn.edu/provost/PennBook/guidelines_on_open_expression
- Maner, W. (1980), Starter Kit in Computer Ethics, Hyde Park, NY: Helvetia Press and the National Information and Resource Center for Teaching Philosophy.
- Johnson, D. (1985), Computer Ethics, Third Edition, Upper Saddle River, NJ: Prentice-Hall, 2001.
- West, A.G., Hayati, P., Potdar, V., and Lee, I. (2012). Spamming for Science: Active Measurement in Web 2.0 Abuse Research. In WECSR '12: Proceedings of the 3rd Workshop on Ethics in Computer Security Research, Kralendijk, Bonaire. http://www.cis.upenn.edu/~westand/docs/wecsr_12_final.pdf
- Dittrich, D., Bailey, M., Dietrich, S.: Building an active computer security ethics community. IEEE Security and Privacy 9(4) (July/August 2011).
- Peter Sunde (2012), Wired Magazine: "The Pirate Bay's Peter Sunde: It's Evolution, Stupid", February 10, 2012. http://www.wired.com/threatlevel/2012/02/peter-sunde/
- Tavernise, Sabrina, The New York Times, "Education Gap Grows Between Rich and Poor, Studies Say", February 9, 2012. https://www.nytimes.com/2012/02/10/education/education-gap-grows-between-rich-and-poor-studies-show.html
- Verifone Consumer Alert: Card Skimming with Square, uploaded by VeriFoneInc on Mar 9, 2011. https://www.youtube.com/watch?v=ObGQxSuORy0
- Pérez-Peña, Richard, The New York Times, "More Complex Picture Emerges in Rutgers Student's Suicide", August 12, 2011. https://www.nytimes.com/2011/08/13/nyregion/with-tyler-clementi-suicide-more-complex-picture-emerges.html?_r=1
- Barber, C. Ryan, The Daily Tar Heel, "Yankaskas settles appeal, agrees to retire from UNC: Pay cut, demotion rescinded in deal", April 18, 2011. http://www.dailytarheel.com/index.php/article/2011/04/yankaskas_settles_appeal_agrees_to_retire_from_unc
- "Clipper Chip", Wikipedia entry: https://en.wikipedia.org/wiki/Clipper_chip
- https://epic.org/
- https://www.eff.org/