Ethics 1

Unethical example in software system

            With the widespread use of smart devices, more and more software is being developed. Among this software there are many well-known, high-quality programs, but also plenty of programs that contain unethical designs. The unethical aspect may stem from the developers themselves, or from particular functionalities of the software. This essay presents three examples of unethical software design that the team remembered.

            The first software is CSDN, a blog platform that gives coders and developers a place to ask and answer questions; its design purpose is similar to that of Stack Overflow. CSDN requires users to sign up for an account to publish material. The key unethical design is that CSDN stored user passwords in plaintext. With this design, CSDN directly "copies and pastes" the password the user sets into its database, which seems to make everything simple, but it is fatal in two situations: an outsider attacks the database, or an employee with permission to access the database leaks the plaintext passwords. Indeed, in 2011 CSDN's security system was attacked by hackers, leaking the usernames and passwords of more than six million users. The solution that avoids this issue is not especially complicated. First, select a hashing method that is deliberately slow, for instance bcrypt; by contrast, hashing methods like MD5 or SHA1 are designed to be fast and efficient, which gives attackers convenient conditions for brute-force cracking. Second, add a "salt", a random value that is combined with the password before hashing; then it would be impossible for attackers to crack the password without knowing the salt. Once the algorithm is set up, the only task at login is to compare the hash of the user's input with the hash stored in the database. This is a really simple process even at the scale of a giant company, yet the developers were unwilling to make any effort to protect the security of users' accounts, which should be identified as unethical in terms of both the developers and the software's functionality.
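The following is an added example, not code from the essay or from CSDN, showing the two designs described above side by side: the plaintext "copy and paste" store, and a store that hashes each password with its own random salt using a deliberately slow function and verifies a login by recomputing the hash. It uses scrypt from Python's standard library as a stand-in for the bcrypt the essay recommends, because scrypt is also a slow, salted password hash and needs no third-party package; the database is an in-memory dict and the cost parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Cost parameters for scrypt (constructed for this example). In production they
# are tuned so that one hash takes tens of milliseconds on the login server,
# which is what makes brute-force guessing expensive for an attacker.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
HASH_BYTES = 32


def store_plaintext(db: dict, username: str, password: str) -> None:
    """The design the essay criticises: the password goes into the database as-is,
    so a database leak (or a curious employee) exposes every password directly."""
    db[username] = password


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password and its per-user salt."""
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=HASH_BYTES,
    )


def register(db: dict, username: str, password: str) -> None:
    """Hashed design: generate a fresh random salt per user and store only
    (salt, hash). The plaintext password is never written to the database."""
    salt = os.urandom(SALT_BYTES)
    db[username] = (salt, hash_password(password, salt))


def verify_login(db: dict, username: str, password: str) -> bool:
    """Login check: rehash the submitted password with the stored salt and
    compare it with the stored hash in constant time."""
    record = db.get(username)
    if record is None:
        return False
    salt, stored_hash = record
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)


def same_password_different_hashes(db: dict, user_a: str, user_b: str) -> bool:
    """True when two users who chose the same password still have different
    stored hashes, which is exactly what the per-user salt buys you."""
    return db[user_a][1] != db[user_b][1]


if __name__ == "__main__":
    users: dict = {}
    register(users, "alice", "hunter2")
    register(users, "bob", "hunter2")
    print("alice correct password:", verify_login(users, "alice", "hunter2"))
    print("alice wrong password:  ", verify_login(users, "alice", "hunter3"))
    print("unknown user:          ", verify_login(users, "carol", "hunter2"))
    print("salt makes equal passwords distinct:",
          same_password_different_hashes(users, "alice", "bob"))
```

Note that the salt is stored next to the hash, so it is not a secret; its job is to make each stored hash unique so that one precomputed guess cannot be checked against every account at once, while the slow hash function limits how many guesses per second an attacker can try against a leaked table.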

            The second software is 2345, a program and browser based on 2345.com, a Chinese web directory. After the program is installed, the default homepage of the browser on Windows is changed to the "2345" site-navigation page, and it is extremely difficult for users to get rid of it. The program generates executable files with random names of five to seven characters in the "Windows" folder to avoid being truly deleted by the user. Since Windows loads all executable files under the "Windows" folder at startup to check the configuration, the software appears again once the computer restarts, even though the user has manually deleted it. It is also nearly impossible to fully remove the software without the user editing the registry by hand. In this scenario, the action taken by the 2345 company is definitely unethical because of the behavior of the software engineers at the company. The primary intention of 2345's developers is to seize more market share: by stopping users from deleting the software, the company can deliver other products it has developed and advertise them to make money. Therefore, the unethical consequence originated entirely from the software engineers.

The third software is CCleaner, famous for system optimization and privacy protection. It is mainly used to clear junk files and registry entries that Windows no longer uses. But in 2017, version 5.33 of CCleaner, published by Piriform, was implanted with malicious code. The program executes this code before entering its primary function; it decodes shellcode that obtains a dynamic link library (DLL) and wipes the DOS header from the DLL, which makes it difficult for analysis tools to detect the file. After running the DLL module, the malicious code creates a separate process to collect and encrypt local information and send it to the command and control (C2) server in a fake HTTPS POST. Eventually, the C2 server could distribute any payload to control these computers over the long term. Up to 2.27 million CCleaner consumers and businesses downloaded the infected CCleaner products, which is devastating. Piriform therefore started a long-term investigation, which found that the attacker had already entered the Piriform network on March 11, 2017. The attacker acquired login permission, suggesting that they used credentials that Piriform workstation users had leaked for other services to access a TeamViewer account, TeamViewer being remote-control software frequently used at work. Then, late at night when nobody was monitoring the running computer, the attacker used VBScript to delete the payload, infect another computer, and steal passwords with a keylogger. Five months later, the attacker began concealing the malicious payload in CCleaner and attacking all possible users. In this scenario, the action of the Piriform company is absolutely unethical since it could not guarantee the security of its software to its users. Although CCleaner itself does not seem dangerous, an attacker could still use other methods, for instance controlling developers' computers and implanting malicious code, to attack users. Developers should pay more attention to the services that run alongside the software, monitor their status, and fix possible issues, not just the software itself. Therefore, this unethical action is attributed to unethical behavior by developers.
