Ethics and Trust in Programming

In the article, Reflections on Trusting Trust, Thompson points out that “The act of breaking into a computer system has to have the same social stigma as breaking into a neighbor’s house” [1]. Morally this makes sense, but putting too much trust into other people doing the right thing is too risky. While social stigma can influence people to converge to a specific behavior, there is no guarantee that they will. If all people were trustworthy, then security would not be needed. Though it is impossible to prevent all types of attacks, preventative security measures can help mitigate the risks of those people that choose to launch an attack. At the end of the day, it is easier to prevent/deter an incident than to clean up the damage after the fact. Defensive mechanisms such as authorization control, authentication control, availability control, concurrency control, configuration control, cryptography, encoding, error handling, session management, input validation, and logging and auditing methods can be used to help increase security.

Another interesting point Thompson makes in the article is that you cannot totally trust code that was not written yourself. Thompson describes how compilers, assemblers, and applications can be corrupted to introduce hard to find code attacks. This brings up an interesting point that there must be a balance between trust and security, where laws can enforce the trust component. These laws, however, may be hard to enforce and the consequences of hacking must match the severity of the incident. To instill good behaviors in new programmers, universities and companies usually require a course/training revolving around computer ethics. Code reviews and pair programming are also leveraged during development to lower the risk of internal hacking. Testing also can help lower this risk. However, as pointed out in article, lower level computer hacks are hard to pinpoint. Thus, laws that have consequences, especially for widely distributed hacks, can motivate companies to take and administer anticipatory actions. With these points in mind, are companies doing enough to protect themselves as well as their customers from the risks of hacking? Is the government making justifiable consequences for hacking?

[1]	K. Thompson, “Reflections on Trusting Trust,” ACM, 1984.