IEEE Technology and Society Magazine - June 2015 - 43

stakeholders (should their research in some way benefit
society by reducing the prevalence of weak passwords).
The Carna creator and the criminals look the same
and act in practically the same way in terms of their
end actions. However, their actions differ in duration,
maliciousness, and intensity. The Carna botnet operator did act in ways that were at or below the level of
malicious actors, "in the least invasive way possible
and with the maximum respect to the privacy of the
regular device users" [14]. One could attempt to argue
from a minimal risk perspective that any harm is less
than what the owners of these systems were normally
experiencing. On the other hand, there is no evidence
that suggests the outcome of the Internet Census had
any significant societal benefit that would balance
out the violation of autonomy of the owners of these
networked devices, or offset any actualized harm to
their systems from the scanning.¹ In terms of possible harms, it is possible that some owners had their
device's IP addresses blacklisted, causing them to
lose Internet access. Or some may have been reported
to their ISPs as acting in a hostile manner and been
blocked from accessing the Internet until their service
provider could determine that the customer's device
had been cleaned. There is just as much evidence and
likelihood of these harms having resulted as there
is evidence that performing the Internet Census has
actually achieved one of its stated goals, "[to] help
raise some awareness that, while everybody is talking
about high class exploits and cyberwar, four simple
stupid default telnet passwords can give you access to
hundreds of thousands of consumer as well as tens of
thousands of industrial devices all over the world" [14].
As for ethical principles, the most obvious violation is
of respect for persons, which requires upholding primary
stakeholders' autonomy, so they are aware of and consent to their involvement in this experiment (even if that
simply means using their computing resources). There
was some consideration of beneficence demonstrated
by the minimization of risk to the primary stakeholders.
In a sense, there was discrimination in the selection
of "subjects" as evidenced in statements by the Carna
author: "We took a closer look at some of those devices
to see what their purpose might be and quickly found
IPSec routers, BGP routers, x86 equipment with crypto
accelerator cards, industrial control systems, physical
door security systems, big Cisco/Juniper equipment and
so on [...] We used a strict set of rules to identify the
target devices' CPU and RAM to ensure our binary was
only deployed to systems where it was known to work.
We also excluded all smaller groups of devices since we
did not want to interfere with industrial controls or mission critical hardware in any way" [14]. These measures
placed the burden primarily on home users, avoiding
systems that could potentially harm secondary stakeholders and their customers or clients (who otherwise
were not part of the Primary Stakeholder population).
They also decreased the chances that the Carna botnet operator would cause sufficient harm to warrant
attempts by law enforcement to pursue criminal charges
(a benefit to the Carna author).

¹ In February 2014, a report by Citizen Lab in Canada on the Remote Control
System, sold by Hacking Team, used the Internet Census data set as one
source of information to identify RCS command and control and proxy
hosts. See [24].

As for the Menlo Report principle of respect for law
and public interest, the Carna author fails at both compliance (adhering to laws about unauthorized access
of systems), as well as transparency and accountability
(by nature of the anonymous publication of the report
and data). It seems pretty clear that accessing systems
without the owners' knowledge and loading and running
software on those systems - regardless of how carefully
designed the code may be - violates the autonomy of
the system owners. There was no owner consent, therefore the use is unauthorized and could violate computer
crime statutes in multiple jurisdictions around the globe.

Using a brute-force password guessing algorithm that focused
first on the manufacturer-delivered defaults, psyb0t successfully
penetrated over 80 000 devices.

Were this researcher in the United States - and we
do not know, because of anonymous publication - the
applicable law would be 18 U.S.C. 1030, known as the
Computer Fraud and Abuse Act (CFAA) [19]. CFAA,
specifically, § a(2)(c) states: "Whoever [...] intentionally
accesses a computer without authorization or exceeds
authorized access, and thereby obtains [...] information
from any protected computer [...] shall be punished as
provided in subsection (c) of this section." The term
"protected computer" is broadly defined as any computer, "used in or affecting interstate or foreign commerce or communication, including a computer located
outside the United States that is used in a manner that
affects interstate or foreign commerce or communication of the United States" [19]. The United States' CFAA
is framed generally around unauthorized access, obtaining information, and exceeding permissions, while laws
