Monday, June 18, 2007

When Good Coders Turn Bad

It can be argued that ethical hacking creates more good, by ensuring vulnerabilities are spotted by friends, rather than foes. But what happens when a "good" computer programmer suddenly turns "bad"? Shouldn't permanent consequences apply to that person?

In other industries, the consequences of disobeying authority, rules, laws, and ethical standards are clear.

Disbarment, excommunication, impeachment, license revocation and restraining orders are used every minute of the day by courts, prosecutors and lawyers to ensure that standards and authority are respected, and keep criminals out of our legal system, health system and law enforcement system - and DUI criminals off the roads, and violent offenders out of people's homes.

Lawyers, doctors, dentists, politicians, policemen, soldiers, bus drivers - when people from these professions are convicted for a criminal offense related to their expertise or position, they can be disbarred, impeached, dishonorably discharged, or otherwise dealt with, according to a strict code.

In most cases, though they may retain their expertise for the rest of their lives, they lose the right to make money from their credentials ever again. Which is how it should be.

But what of wayward computer science graduates? Does a s'kiddie or coder/criminal currently place anything permanently at risk when he/she decides to move over to the Dark Side and do wrong?

Would he/she think about their actions differently if committing a criminal act meant that their credentials - their college degree, technology licenses and certifications, developer association ties, network access credentials - could be permanently revoked or nullified, upon conviction?

Currently, there is nothing like these forms of punishment in our still-emerging industry. Criminals are able to leave jail and set up businesses based on their new-found notoriety, and some achieve levels of adulation quite out of proportion to the amount of good they do in the world.

This is the equivalent of a lawyer, having been disbarred for dishonesty, being invited to join a prestigious law firm to become their in-house expert on fraud.

It also places a lot of pressure on the legal system. Because no industry standard such as disbarment exists, judges have to "make it up" in cases involving electronic criminals. They understand they cannot remove expertise from the criminal - so they make up punishments that approximate the removal of credentials: no Internet access, no computer access, etc, for a period of time usually equivalent to a third of the jail time.

This is ad hoc, and not the same as disbarment. It does not send a clear, up-front message to people, prior to the commission of a felony, that they need to respect laws - or at the least, certain ethical standards - or they will lose the right to practice their craft, forever if the crime is serious.

As an industry, maybe it's time to get together and start putting some teeth behind a code of ethics in the form of revocable credentials - so judges and other figures of authority can start excluding convicted felons from using technologies in ways that could hurt legitimate users.

Note: There are some commentators out there who still believe that committing crimes using software is cute, excusable, and totally cool.

It isn't. See you in jail.
