------------------------------
Date: 08 Sep 91 17:44:51 CDT
From: Jim Thomas <tk0jut1@mvs.cso.niu.edu>
Subject: File 2--Clarification of "Boycott" Comment

In my review of _Cyberpunk_ (CuD 3.32), I quoted a passage that
referred to a "national computer security expert's" call for a boycott
of any company that hired Robert Morris. In context, the passage would
appear to be less than charitable. Gene Spafford, the person
associated with the boycott call, never made this claim, and he has
tried without success to clarify what was actually said. He was
misquoted in a speech, and the misquote has become a reality of its
own. Although it seems like a relatively minor point, the continued
circulation of the quotation error perpetuates an unjustified aura of
extra-legal professional retaliation. Sometimes the slightest
transposition of words leads to quite different meanings, and it
appears that Gene is the victim of a shift of phrases that distorted
his message. We discussed this with him, and the following scenario
seems to be the source of the error. We have included a response he
wrote to the CACM to correct the error, but it was also garbled by the
editor to whom it was sent.

In March 1990 at the DPMA Computer Virus & Security Conference in NYC,
Gene gave the keynote address. He discussed community ethics
and made a statement like "We should boycott any company that hires
someone like Morris *because of* what he did." This was heard by at
least one person present as meaning, "Because of what he did, we
should boycott any company that hires Morris." What he meant, and
what he thought was clear from context, was "We should boycott any
company that believes what Morris did was a reason to hire him."

The quote was reported in CACM and Spaf wrote a letter (published in
the October 1990 issue) pointing out the error, but they misunderstood
the way it was supposed to have text boldfaced to indicate the emphasis.
The point did not get across clearly and was also incorrectly
paraphrased in Peter Denning's editorial in the August 1990 CACM.

Enclosed is the text of the letter he sent to CACM and which was
published in the September 1990 issue without the indicated emphasis:

[ The following uses TeX conventions: {\it text} is italics, and
{\bf text} is boldface.]

To the editor:

The May issue of {\it Communications} contained a ``News Track''
account of some of my remarks on hiring known hackers/crackers.
I believe the report was derived from my keynote presentation at
the 3rd DPMA Virus Workshop, held March 14 in New York.
Unfortunately, the item in question did not report the full
context of my remarks, and thus the actual intent was obscured.

It is my contention that we should not do business with companies
that hire known computer miscreants {\bf because of their
criminal escapades}. There are two reasons for this, one
grounded in good business sense, and the other grounded in
professional ethics.

From a business standpoint, hiring a known computer criminal
because of his criminal past is likely to be a liability. The
individual has already shown that he (or she) has not felt
constrained to respect legal and ethical boundaries, or that he
has exhibited poor judgment in not thinking about adverse
consequences. What indication is there that such behavior will
not be repeated? Furthermore, there is no indication that
someone who breaks into a system knows how to protect the system
or make it better -- he has only shown that he knows how to break
in. This is the origin of my ``arsonist'' statement, quoted in
the article. As a customer of such a firm, it is possible I
would never be as confident about the integrity of its products
as if the hacker had not been hired.

From a professional standpoint, I view the hiring of computer
criminals {\bf because of their notoriety or criminal success} to
be insulting and unconscionable. Consider that there are many
tens of thousands of people who have worked for years to become
knowledgeable and responsible members of the profession, and many
thousands more currently studying the discipline. What will it
mean to them if a criminal is hired to a position of
responsibility because of a violation of professional standards?
Should the rest of us seek distinguished appointments by
spectacular violations of the law? What would it say to all of
us that a business would value unethical behavior above a record
of accomplishment and professionalism? To ignore or accept such
behavior is to allow our profession to be besmirched. I view it
as an insult, and to acquiesce quietly would appear to be a
violation of our Code of Professional Conduct.

Note that I am {\bf not} in any way suggesting that we act to
prevent these individuals from being employed in a
computing-related profession. If the individual involved has the
necessary training and background, and is as qualified as other
applicants, then he should be treated as any other individual
applying for a position. This is especially true once an
individual has served a sentence for their [sic] crimes. Robert
T. Morris, for instance, has demonstrated a keen interest and
more than moderate facility with computers. To protest his
taking a computing-related job would be to unfairly embellish the
sentence already imposed by the federal court. We should not
seek to second-guess our legal system, nor extract revenge above
and beyond the punishment already meted out. To do so would be
petty and mean-spirited.

In summary, my remarks at the Virus Workshop argued that we
should protest if businesses reward these offenders for their
actions; I did not mean to suggest that we forbid these
individuals from ever working in computing-related jobs. I also
did not suggest that we devise any additional punishment for Mr.
Morris. He has been sentenced for his crime, and it is not for
us to seek to augment his punishment. It is time for all of us
to move on and put that whole incident behind us.

Eugene Spafford
Dept. of Computer Sciences
Purdue University
W. Lafayette, IN 47907-2004
spaf@cs.purdue.edu
Downloaded From P-80 International Information Systems 304-744-2253