Software Engineer Code of Professional Ethics: A Look at the Latest Updates to Three Professional Codes of Ethics

It is common for professional societies and membership organizations to have a Code of Ethics intended to guide their members. Professionals working in the field of information security (INFOSEC) are often members of one or more of these entities, as are academic cyber security researchers and students desiring to enter the INFOSEC field.

In this article I will focus on three such entities: The IEEE and the Association for Computing Machinery (ACM), which are general professional societies with broad membership across many disciplines, and the Forum of Incident Response and Security Teams (FIRST), who “cooperatively handle computer security incidents and promote incident prevention programs”.

Between mid-2018 and the end of 2019, all three of these professional bodies have been actively cultivating their codes of ethics:

To frame an analysis of the codes for these entities, I will assume the perspective of the subset of INFOSEC professionals involved in digital forensics and incident response (DFIR), threat intelligence, and the kinds of actions associated with countering criminal activity by taking over and dismantling malicious botnets. I’ve examined several such case studies in my publications and presentations over the years, in some of which I participated.

Ethical codes as guides to behavior

There is a famous quotation in software engineering (variously attributed to Grace Murray Hopper, Andrew Tanenbaum, or Alan Cox, depending on which web site you check!):

“The good thing about standards is that there are so many to choose from.”

¯\_(ツ)_/¯

When it comes to aggressively responding to botnets and computer intrusions, it can seem like that with ethical codes, too!

Beyond the three codes listed so far, here are some other codes of ethics or codes of conduct that might apply in this space:

Michael Bailey, Sven Dietrich and I analyzed several ethical codes associated with general society at large (think justifications for “self-defense”), the professional community, and the academic community. Individuals from, or groups comprised of people from, each of these three categories engage in things like: the takeover and takedown of botnets; deceiving computer users to better understand how they respond to social engineering (e.g., phishing emails); performing research studies involving access to real-time communications or manipulation of networks used by thousands of people; or demonstrating the need to fix vulnerabilities in widely used internet services or devices by breaking them and publishing functional “proof-of-concept” exploit code.

We observed that ethical codes run the gamut from implicit societal codes where decisions are influenced by friends, family, or one’s own internal moral compass, to published codes like those of ACM, IEEE and the others listed above that members agree to follow when signing up or renewing their membership, all the way up to (in the United States) the Belmont Report’s principles of Respect for Persons, Beneficence, and Justice as codified in the United States Code of Federal Regulations (45 CFR 46, also known as the “Common Rule” because of its uniform adoption by all federal agencies and departments of the United States government).

We published our findings on the applicability and limitations of these codes and the efficacy of their enforcement mechanisms, along with over two dozen case studies with which to illustrate the ethical questions raised, in a technical report (“
