This is not an entry that I am making from what I have learned from reading a book or browsing websites, but from interaction as a network infrastructure intern, computer technician hobbyist, and help desk employee. It is a bit of wisdom and musing that has been mixed together and coughed up into a paper. I think I would have rather done more work with BackTrack 3b, but I've run out of time this week. So do not look for any sources past my own personal experience on this matter.
As I learn and discover more in the ways of hacking, the greater I find the urge to try what I have learned on systems other than my own. Then I remind myself that it is no less than looking through someone's window. Is it morally right to stand outside a stranger's house and watch them through a window? Of course not, so why would it be any different to do it through a computer?
I believe the anonymity of hacking is what emboldens people, makes them feel empowered and just in their ability to gain access to personal documents, even if they do no harm. Yet this invasive behavior could only breed distrust and anger on any other level.
But the subjects of ethics is not relegated to adults. Is it ethical to teach someone young, perhaps in junior high, to hack computer systems? It is certainly possible for younger generations to learn at an early age, even as young as grade school. However, knowing and understanding are two very different principles. While script kiddies are dangerous, a full, bona fide hacker of that age still has no understanding of the harm they can cause, yet has more power to infiltrate private systems.
Without a firm grasp of ethics or understanding, the juvenile will then cause damage to the system, the result of which could cost millions. At the same time, however, an early exposure to such knowledge could give the child a head start on a lucrative career path. And the earlier they begin, the more potential they will have in the field of information security.
Perhaps, then, the ethical thing would not be to expose or deny, but to regulate access and activities involving this knowledge. Ultimately, the outcome of a child's life is dependent on their parents or guardians.
There is also a code of ethics for the workplace. Even for those not in a network security position, or even in the IT department. Having similar skills and knowledge does not give them a right to employ it. It may be that the services are required from time to time, or not at all. But services are limited to what an administrator would ask of the employee.
Using such skills because another employee needs access to restricted files, forgot their password, or wants to delete an email containing questionable material that they accidentally sent to the boss, is unethical. All networks are privately owned, and even administrators must practice self restraint.
And why should such care be taken if nobody will know? Indeed they may not know of that offense. However, all members of the Information Technology department make other employees nervous. We are often viewed as key holders, overseers, and judges. I have seen for myself the widespread belief that we have access to all information, records on all the employees, and know their computing habits by heart.
To become what people believe will enforce the notion that we are a body to be resisted, a department that spends the day finding reasons to fire or reprimand, and reduce the freedoms of other employees. To prevent this, it is the duty of all, in IT or not, who possess such skills to hack, to keep to the code of ethics and refrain from activities that would tarnish or reduce employee's faith in IT.
And those who live under the strongest code of ethics, the penetration testers and security administrators, must hold even closer to the code of ethics. Security administrators cannot break the code of ethics for the top level of management within a company. Likewise, penetration testers must attempt to access information that could be crippling to individuals or the company to ensure its safety. They are entrusted with many company secrets, and to release any vulnerabilities to the company instead of exploiting them for personal gain.