IEEE Technology and Society Magazine - June 2015 - 46

farther because they receive almost no condemnation
or questioning of their actions, while at the same time
receiving praise (rather than a meaningful discussion
of the ethics and responsible conduct of research)
from like-minded individuals.
Specifically to point b), whoever created the Carna
botnet and performed the Internet Census 2012 exhibits the exact opposite of integrity as the term is used
by Carter [23]. The Carna botnet operator may have
an understanding of right and wrong, but implicitly
acts as though he knows what he is doing is wrong by
hiding behind anonymity, choosing personal fame and
self-satisfaction above other things, and being silent
on the ethical considerations of his actions. While the
Carna botnet author clearly does exhibit a willingness
to openly say what he did and why he did it, what does
this mean for point c) above? Will the next person trying to push the limits even more be as careful as the
Carna author? Since there is no source code made
public (only the data), the next person may be far less
expert in coding, as has happened with worm authors
in the past (e.g., the "good worm" at Xerox PARC in the
1980s that took down every workstation at the facility,
or the Morris Worm that wreaked havoc on the early
Internet because of bugs that failed to limit propagation). The publication of the source code would be
even worse, as that would enable copy-cats with far
less skill and care, or more likely, computer criminals
seizing on an opportunity, to similarly take over and
control hundreds of thousands of devices.
Finally, perhaps the most troubling aspect of this
activity is the absence of widespread public discussion
of this experiment. That lack of discussion illustrates a
lack of a common understanding of ethics in the computer security field. This was clearly an event that took
ethically questionable activities from a hypothetical
realm into reality and deserved much closer examination than a few blog posts.

Author Information
David Dittrich is with the University of Washington, Seattle, WA; email: dittrich@u.washington.edu.
Katherine Carpenter is a Consultant, and can be
reached at carpenter.katherinej@gmail.com.
Manish Karir is with QuadMetrics; email: mkarir@
quadmetrics.com.

References
[1] CERT, "SGI Ip vulnerability," Sept. 23, 1997; http://www.cert.org/
advisories/CA-1995-15.html.
[2] D. Dittrich and K.E. Himma, "Active response to computer intrusions," in Handbook of Information Security, vol. III, ch. 182, 2005;
http://ssrn.com/abstract=790585.
[3] B. Dowadup,Symantec, W32, Dec. 2008; http://www.
symantec.com/business/secur ity_response/wr iteup.
jsp?docid=2008-123015-3826-99.

46

[4] W. Pitcock, Your Router, Plausible Home to a Stealth Rootkit?,
Aug. 2006; http://nenolod.net/~nenolod/router-malware.pdf.
[5] G. Evron, Chuck Norris Botnet and Broadband Routers,
Feb. 2010; http://gadievron.blogspot.com/2010/02/chuck-norrisbotnetand-broadband.html.
[6] B. Nahorney, Linux.Psybot-Is Your Router Secure?, Mar.
2009; http://www.symantec.com/connect/blogs/linuxpsybot-yourroutersecure.
[7] A. Nusca, "'Psyb0t' worm infects Linksys, Netgear home
routers, modems," ZD Net, Mar. 2009; http://www.zdnet.com/
blog/btl/psyb0t-worm-infects-linksys-netgear-home-routersmodems/15197.
[8] R. McMillan, "Chuck Norris botnet karate-chops routers hard," PC
World, Feb. 2010; http://www.pcworld.com/article/189868/article.
html.
[9] packet storm, 2015; http://packetstormsecurity.com/files/
download/109244/lightaidra-0x2012no-cross.tar.gz.
[10] vierko, lightaidra 0x2012 (aidra), May 2012; http://vierko.org/tech/
lightaidra-0x2012/.
[11] Anonymous, "Finding Vanilla Routers: How to scan and locate
default configured routers," Compuhowto.com, Feb. 2010; http://
www.compuhowto.com/security/findingvanilla-routers/.
[12] F. Lyons and D. Fifield, "Mastering the Nmap Scripting Engine
3/3," YouTube, 2010; http://youtu.be/E2_uhTRN3Ug?t=1m40s.
[13] Unspecified reporter, "Carna botnet - An interesting, amoral
and illegal Internet census," Infosecurity Mag., Mar. 2013; http://
www.infosecurity- magazine.com/view/31343/carna-botnet-aninteresting-amoral-and-illegal-Internet-census/.
[14] Anonymous, "Internet Census 2012: Port scanning /0 using
insecure embedded devices," bitbucket.org, Mar. 2013; http://
Internetcensus2012.bitbucket.org/paper.html.
[15] M. Bailey, D. Dittrich, E. Kenneally, and D. Maughan, "The
Menlo Report," IEEE Security & Privacy, vol. 10, no. 2, pp. 71-75,
Mar./Apr. 2012; http://www.computer.org/csdl/mags/sp/2012/02/
msp2012020071-abs.html.
[16] D. Dittrich and E. Kenneally, Eds., The Menlo Report: Ethical principles guiding information and communication technology research, CAIDA,
Dec. 2012; https://www.caida.org/publications/papers/2012/
menlo_report_actual_formatted/.
[17] D. Dittrich and E. Kenneally, Eds., "Applying ethical principles
to information and communication technology research: A companion to the Department of Homeland Security Menlo Report,"
CAIDA, Jan. 2012; http://www.caida.org/publications/papers/2013/
menlo_report_companion_actual_formatted/.
[18] U.S. Department of Health and Human Services, The Belmont
Report: Ethical Principles and Guidelines for the Protection of
Human Subjects of Research. Washington, DC: U.S. Department of
Health and Human Services, 1979.
[19] U. S. Code. Title 18, Part 1, Chapter 47, § 1030 (Computer Fraud and
Abuse Act), 1984; http://en.wikipedia.org/wiki/Computer_Fraud_
and_Abuse_Act.
[20] O. S. Kerr, "Cybercrime's scope: Interpreting 'access' and
'authorization' in computer misuse statutes," SSRN, Nov. 2003;
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=399740#.
[21] L. Vihul, C. Czosseck, K. Ziolkowski, L. Aasmann, I. Ivanov, and
S. Brüggemann, "Legal Implications of Countering Botnets," Joint
report from the NATO Cooperative Cyber Defence Centre of Excellence
and the European Network and Information Security Agency (ENISA), 2012;
http://www.ccdcoe.org/381.html.
[22] D. Dittrich, M. Bailey, and S. Dietrich, "Building an active computer security ethics community," IEEE Security & Privacy, vol. 9,
no. 4, pp. 32-40, 2011; https://staff.washington.edu/papers/ieeesnp-ethics-2011.pdf.
[23] S. L. Carter, Integrity. Basic, 1996; http://www.stephencarterbooks.com/books/nonfiction/integrity.
[24] B. Marczak, C. Guarnieri, M. Marquis-Boire, and J. Scott-Railton,
"Mapping Hacking Team's 'untraceable' spyware," Citizenlab, Feb.
2014; https://citizenlab.org/2014/02/mapping-hacking-teamsuntraceable-spyware/.

IEEE Technology and Society Magazine

∕

june 2015

http://www.nenolod.net/~nenolod/router-malware.pdf http://gadievron.blogspot.com/2010/02/chuck-norris http://www.symantec.com/connect/blogs/linuxpsybot-your http://www.zdnet.com/ http://www.pcworld.com/article/189868/article http://www.packetstormsecurity.com/files/ http://www.vierko.org/tech/ http://www.Compuhowto.com http://http:// http://www.compuhowto.com/security/findingvanilla-routers/ http://www.youtu.be/E2_uhTRN3Ug?t=1m40s http://http:// http://www.infosecurity http://www.magazine.com/view/31343/carna-botnet-an http://www.bitbucket.org http://http:// http://Internetcensus2012.bitbucket.org/paper.html http://www.computer.org/csdl/mags/sp/2012/02/ https://www.caida.org/publications/papers/2012/ http://www.caida.org/publications/papers/2013/ http://en.wikipedia.org/wiki/Computer_Fraud_ http://papers.ssrn.com/sol3/papers.cfm?abstract_id=399740# http://www.ccdcoe.org/381.html https://staff.washington.edu/papers/ieee http://www.stephencarter http://www.cert.org/ http://www.books.com/books/nonfiction/integrity https://www.citizenlab.org/2014/02/mapping-hacking-teamsun http://www.ssrn.com/abstract=790585 http://www http://www.symantec.com/business/security_response/writeup

Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - June 2015