Dear Ethix – Issue 41

Failed Electronic Transaction

I enjoyed reading about your failed electronic transaction. Probably many readers have had similar experiences (I have), but I believe you persisted far more than most people would. Just look at all the valuable things you learned for only $22! If you enrolled in a designer seminar for the same information, you would expect to pay many times more. šŸ˜‰

Bill McNeely
Bellevue, WA

I just got your latest Ethix; it was an exercise in laughing to keep from crying as I read your story of the Good Housekeeping subscription. We have all been there, done that. But you have a voice that many of us lack. If it has not already occurred to you, have you sent copies to the CEOs of Bank of America, Good Housekeeping, Visa, and the Magazine Service Center?

As Orin Smith so correctly points out, it is the top of the house that sets the ethical standards for an organization. How well I know from many years, both well below the top of the house and as the owner of a small business for 20+ years.

John Nunnikhoven
Chester, VT

Copies of that article went out to the leaders of those companies. We will share responses if we get them.

Use of Ethix

I want to thank you again for the work you are doing with Ethix. I read and use your articles and editorials regularly with my staff and often share the information with others.

Timothy J. Wente
Bellevue, WA

Teaching Hacking?

I read the March/April 2005 issue of Ethix and noticed a submitted question regarding the ethics of teaching computer/networking hacking.

You wisely answered the question by stating that you did not know the curriculum so you could not give a definitive answer. You also stated that it was possible to review past (public) hacker incidents to learn from the mistakes of others.

The world of computers and networking changes so fast that past incidents, while interesting, are potentially out of date by the time they are dissected in the classroom and of little value in protecting current computer/networking scenarios.

Any organization interested in teaching ā€œhackingā€ skills should endeavor to set up their own, private, computers/networks with the latest software for students to work with. I also know of major corporations who allow outsiders to attempt to hack into their networks, providing ā€œauthenticated hackersā€ with permission to do so. In my opinion there is no better way to learn than actual job experience; in the seedy world of hacking this may just mean trying your skills on a real network where permission to do so exists.

Network security is a moot point if there are no attackers; we need to know who the attackers are and what their methods of attack are. Only then can we know what to look for and how to defend against those attacks. Teaching someone how to attack a network puts them in the attackerā€™s mindset and opens their thinking up to ideas/issues that they might not experience in a textbook. If we can teach a future network administrator to think like a hacker(and learn how to learn) we have done a better job than if we simply educate about the ā€œ20 greatest network attacks of the last decade.ā€ If we dangle a carrot in front of a student, say extra credit points for hacking into a ā€œsecureā€ network, we might spur that student to go above and beyond and truly learn how to use the hackerā€™s tools for the good of the organization (maybe that means spending a lot of time with a network protocol analyzer and getting to know that tool better than neededā€”ultimately this might result in a more valuable employee).

I do not subscribe to the idea that if we teach hacking we may be creating a future hacker. Anybody interested in hacking can go to the Internet and learn there. Do I think it is unethical to teach network security by learning hacking? Not at all, I think it is necessary.

Greg Eigsti
Redmond, WA