
Case one

A. There are many ethical issues about which people hold very strong opinions—abortion, gun control, and
the death penalty, to name a few. If you were a team member on a project with someone whom you knew
held an opinion different from yours on one of these issues, would it affect your ability to work effectively
with this person? Why or why not?

B. You are the customer service manager for a small software manufacturer. The newest addition to your
10-person team is Aubrey, a recent college graduate. She is a little overwhelmed by the volume of calls, but is
learning quickly and doing her best to keep up. Today, as you performed your monthly review of employee
e-mail, you were surprised to see that Aubrey is corresponding with employment agencies. One message
says, “Aubrey, I’m sorry you don’t like your new job. We have lots of opportunities that I think would
much better match your interests. Please call me and let’s talk further.” You’re shocked and alarmed. You
had no idea she was unhappy, and your team desperately needs her help to handle the onslaught of calls
generated by the newest release of software. If you’re going to lose her, you’ll need to find a replacement
quickly. You know that Aubrey did not intend for you to see the e-mail, but you can’t ignore what you saw.
Should you confront Aubrey and demand to know her intentions? Should you avoid any confrontation and
simply begin seeking her replacement? Could you be misinterpreting the e-mail? What should you do?

C. What do you think motivates a hacker to attempt to break into computers to probe their defenses?

D. You are a member of the IT security support group of a large manufacturing company. You have been
awakened late at night and informed that someone has defaced your organization’s Web site and also
attempted to gain access to computer files containing information about a new product currently under
development. What are your next steps? How much effort would you spend in tracking down the identity of
the hacker?

E. You are beginning to feel very uncomfortable in your new position as a computer hardware salesperson for
a firm that is the major competitor of your previous employer. Today, for the second time, someone has
mentioned to you how valuable it would be to know what the marketing and new product development
plans were of your ex-employer. You stated that you are unable to discuss such information under the
nondisclosure contract signed with your former employer, but you know your response did not satisfy your
new coworkers. You fear that the pressure to reveal information about the plans of your former company is
only going to increase over the next few weeks. What do you do?

Case two

1. Whistle-Blower Divides IT Security Community

As a member of the X-Force, Mike Lynn analyzed online security threats for Internet Security Systems (ISS), a
company whose clients include businesses and government agencies across the world. In early 2005, Lynn began
investigating a flaw in the Internet operating system (IOS) used by Cisco routers. Through reverse engineering, he
discovered that it was possible to create a network worm that could propagate itself as it attacked and took control
of routers across the Internet. Lynn’s discovery was momentous, and he decided that he had to speak out and let IT
security professionals and the public know about the danger. “What politicians are talking about when they talk
about the Digital Pearl Harbor is a network worm,” Lynn said during a presentation. “That’s what we could see in
the future, if this isn’t fixed.”

Lynn had informed ISS and Cisco of his intentions to talk at a Black Hat conference—a popular meeting of computer
hackers—and all three parties entered discussions with the conference managers to decide what information Lynn
would be allowed to convey. Two days before the presentation, Cisco and ISS pulled the plug. Cisco employees
tore out 10 pages from the conference booklet, and ISS asked that Lynn speak on a different topic: Voice over
Internet Protocol (VoIP) security.

In a dramatic move, Lynn resigned from ISS on the morning of the conference and decided to give the presentation
as originally planned. Within a few hours of his presentation, Cisco had filed suit against Lynn, claiming that he had
stolen information and violated Cisco’s intellectual property rights. “I feel I had to do what’s right for the country
and the national infrastructure,” Lynn explained.

Lynn’s words might have held more credibility had his presentation not been titled “The Holy Grail: Cisco IOS
Shellcode and Remote Execution” and had Lynn not chosen a Black Hat annual conference as the venue for his
crucial revelation.

Rather than speak to a gathering of Cisco users, who would have responded to the revelation by installing Cisco’s
patch and putting pressure on Cisco to find additional solutions, Lynn chose an audience that may well have
included hackers who viewed the search for the flaw as a holy crusade. Black hats are crackers who break into
systems with malicious intent. By contrast, white hats are hackers who reveal vulnerabilities to protect systems.
Black Hat is a company that provides IT security consulting, briefings, and training. The CEO of Black Hat, Jeff
Moss, also founded DEFCON, an annual meeting of underground hackers who gather together to drink, socialize,
and talk shop. During the DEFCON conference, which followed the Black Hat conference, hackers worked late into
the night trying to find the flaw.

“What Lynn ended up doing was describing how to build a missile without giving all the details. He gave enough
details so people could understand how a missile could be built, and they could take their research from there,” said
one DEFCON hacker.

Once well defined, the line between white hat and black hat has become blurry. Security professionals, law
enforcement officials, and other white hats have infiltrated the ranks of the black-garbed renegades at DEFCON
annual conferences. IT companies hire hackers as IT security experts. Microsoft has declared that it plans to host
annual hacker conferences that it will call Blue Hat conferences. Respectable IT giants such as IBM, Microsoft, and
Hewlett-Packard have invited the black hats into the industry, and they have accepted the invitation in large part.

Yet Cisco’s handling of Lynn had the black hats up in arms. “The whole attempt at security through obscurity is
amazing, especially when a big company like Cisco tries to keep a researcher quiet,” exclaimed Marc Maiffret, chief
hacker for eEye Digital Security. Maiffret felt that Cisco would have to mend some bridges with the IT security
community.

White hats, in the meantime, bombarded the IT media with opinion pieces reminding people that a similar Black Hat
disclosure about Microsoft precipitated the creation of the Blaster worm, which tore across the Internet and cost
billions of dollars in damage.

Discussion Questions

A. Do you think that Mike Lynn acted in a responsible manner? Why or why not?

B. Do you think that Cisco and ISS were right to pull the plug on Lynn’s presentation at the Black Hat
conference? Why or why not? Explain your answer.

C. Outline a more reasonable approach toward communicating the flaw in the Cisco routers that would have
led to the problem being promptly addressed without stirring up animosity among the parties involved.
Explain your answer.

D. Discuss the ways in which a software manufacturer can protect against the unauthorized use of its software. Which
do you think is the best way for a software manufacturer to protect new software? Why?

A successful distributed denial-of-service attack requires downloading software that turns unprotected computers
into zombies under the control of the malicious hacker. Should the owners of the zombie computers be fined as a
means of encouraging people to better safeguard their computers? Why or why not?
