------------------------------

Date: 08 Sep 91 17:44:51 CDT
From: Jim Thomas
Subject: File 2--Clarification of "Boycott" Comment

In my review of _Cyberpunk_ (CuD 3.32), I quoted a passage that referred to a "national computer security expert's" call for a boycott of any company that hired Robert Morris. In context, the passage would appear to be less than charitable. Gene Spafford, the person associated with the boycott call, never made this claim, and he has tried without success to clarify what was actually said. He was misquoted in a speech, and the misquote has become a reality of its own.

Although it seems like a relatively minor point, the continued circulation of the quotation error perpetuates an unjustified aura of extra-legal professional retaliation. Sometimes the slightest transposition of words leads to quite different meanings, and it appears that Gene is the victim of a shift of phrases that distorted his message. We discussed this with him, and the following scenario seems to be the source of the error. We have included a response he wrote to the CACM to correct the error, but it was also garbled by the editor to whom it was sent.

In March 1990 at the DPMA Computer Virus & Security Conference in NYC, Gene gave the keynote address. He discussed community ethics and made a statement like "We should boycott any company that hires someone like Morris *because of* what he did." This was heard by at least one person present as meaning, "Because of what he did, we should boycott any company that hires Morris." What he meant, and what he thought was clear from context, was "We should boycott any company that believes what Morris did was a reason to hire him."

The quote was reported in CACM and Spaf wrote a letter (published in the October 1990 issue) pointing out the error, but they misunderstood the way it was supposed to have text boldfaced to indicate the emphasis.
The point did not get across clearly and was also incorrectly paraphrased in Peter Denning's editorial in the August 1990 CACM.

Enclosed is the text of the letter he sent to CACM and which was published in the September 1990 issue without the indicated emphasis:

[ The following uses TeX conventions: {\it text} is italics, and {\bf text} is boldface.]

To the editor:

The May issue of {\it Communications} contained a ``News Track'' account of some of my remarks on hiring known hackers/crackers. I believe the report was derived from my keynote presentation at the 3rd DPMA Virus Workshop, held March 14 in New York. Unfortunately, the item in question did not report the full context of my remarks, and thus the actual intent was obscured.

It is my contention that we should not do business with companies that hire known computer miscreants {\bf because of their criminal escapades}. There are two reasons for this, one grounded in good business sense, and the other grounded in professional ethics.

From a business standpoint, hiring a known computer criminal because of his criminal past is likely to be a liability. The individual has already shown that he (or she) has not felt constrained to respect legal and ethical boundaries, or that he has exhibited poor judgment in not thinking about adverse consequences. What indication is there that such behavior will not be repeated? Furthermore, there is no indication that someone who breaks into a system knows how to protect the system or make it better -- he has only shown that he knows how to break in. This is the origin of my ``arsonist'' statement, quoted in the article. As a customer of such a firm, it is possible I would never be as confident about the integrity of its products as if the hacker had not been hired.

From a professional standpoint, I view the hiring of computer criminals {\bf because of their notoriety or criminal success} to be insulting and unconscionable.
Consider that there are many tens of thousands of people who have worked for years to become knowledgeable and responsible members of the profession, and many thousands more currently studying the discipline. What will it mean to them if a criminal is hired to a position of responsibility because of a violation of professional standards? Should the rest of us seek distinguished appointments by spectacular violations of the law? What would it say to all of us that a business would value unethical behavior above a record of accomplishment and professionalism? To ignore or accept such behavior is to allow our profession to be besmirched. I view it as an insult, and to acquiesce quietly would appear to be a violation of our Code of Professional Conduct.

Note that I am {\bf not} in any way suggesting that we act to prevent these individuals from being employed in a computing-related profession. If the individual involved has the necessary training and background, and is as qualified as other applicants, then he should be treated as any other individual applying for a position. This is especially true once an individual has served a sentence for their [sic] crimes. Robert T. Morris, for instance, has demonstrated a keen interest and more than moderate facility with computers. To protest his taking a computing-related job would be to unfairly embellish the sentence already imposed by the federal court. We should not seek to second-guess our legal system, nor extract revenge above and beyond the punishment already meted out. To do so would be petty and mean-spirited.

In summary, my remarks at the Virus Workshop argued that we should protest if businesses reward these offenders for their actions; I did not mean to suggest that we forbid these individuals from ever working in computing-related jobs. I also did not suggest that we devise any additional punishment for Mr. Morris. He has been sentenced for his crime, and it is not for us to seek to augment his punishment.
It is time for all of us to move on and put that whole incident behind us.

Eugene Spafford
Dept. of Computer Sciences
Purdue University
W. Lafayette, IN 47907-2004
spaf@cs.purdue.edu