Tuesday, November 24, 2009

why are ethics so undervalued?

why are ethics so undervalued? i honestly don't know the answer to that question but i'd like to explore the topic and explain what i mean.

first i'd like to dispel any fears that i'm about to go on at length about people not understanding the difference between right and wrong - i think most people do understand the difference. that said, i don't think most people appreciate the difference - which is to say i don't think it holds much meaning for people, i don't think it's important to them.

i'll give you an example. not too long ago anton chuvakin posted an article on FUD - specifically one that is, if not an outright endorsement of FUD, at the very least an argument that sometimes it's a good thing. i'm not going to pick too much on the notion of endorsing the use of manipulation in the workplace, what interests me in this discussion was something he wrote in response to a blog post criticizing his stance:
personally, I think that “trumping with ethics” is a low card in intellectual arguments! IMHO it is one step above name calling
i don't think there can be any question that this statement represents a remarkably low valuation of the topic of right and wrong.

by way of contrast, i would place ethical right/wrong one step below technical right/wrong - and those of you who know me know how highly i value technical accuracy (hint: i make enemies simply by correcting people).

so where does such a huge difference in values come from? and what does it mean for the security community that anton is not only not an outlier but in all likelihood far closer to the norm than i am. have we become an "ends justify the means" sort of society? is security as a goal something we need to promote at all costs?

i suppose i need to better understand why it means as much as it does to me, so i guess i've got some soul searching ahead of me, but nowhere in that search do i expect to find why it's so much easier for others to put aside. i don't get many comments on my posts (since normally i know the answer to the question i'm asking) but in this case i'm hoping to hear what others think so please feel free to comment.


Unknown said...

This is really a self-reflecting post :-)

Ethics is a hard thing because the more you know, the harder it becomes to make a decision. For example you've mentioned the "Total Security" marketing in the previous post, but consider this: how many of the marketing people are aware (at a technical level) of what their product can or can't do? (we might hypothesize that they don't want to know about to keep the cognitive dissonance at a low level, but that's an other discussion).

I've once heard the following metaphor, which I think very accurately describes the scientific process: knowledge is like a balloon: the more air you blow in it, the larger the surface (ie. the border with the "unknown") becomes. This means that the more you research a topic, the more you become aware of its limitations and you will begin to question yourself more and more.

An other quote I like is: "I have strong opinions weakly held". So rejoice: the fact that you concern yourself with ethics, means that you have a considerable body of knowledge.

PS. The case of the Stonekit author is a good example for this. IMHO, one of the reasons for his aggressiveness is the fact that when he initially described the flaw to people, they've said "yeah, we pretty much knew about this possibility", which made him angry since (and I speculate here) he thought he discovered something new and amazing. Nothing new under the sun and progress is made in small steps not in leapfrogs.

Sorry for rambling on, I will stop now :-)

David Harley said...

I don't know the answer to that one. I have to agree, though, that there are a lot of people in the anti-malware space nowadays whose values are very pragmatic compared to the straitlaced, no-compromise ethics of older generation researchers.

That's not always a bad thing, but it's definitely not a universally GOOD thing, and I often miss the admittedly inflexible ethical framework of the 80s/90s.

Anton Chuvakin said...

They are "undervalued," since they are abused.

The "slightly" overdramatized conversation illustrates it:

- "Sir! It is unethical to argue about ethics!"
- "It is not true"
- "Ha, my ethics prohibit it - such argument are one step up from eating people. Thus, shut up!"
- "I disagree!"
-" ..all you want. I say it is unethical!"

In oder to avoid it, I suggest to keep "the ethics argument" (if it can be called that) out of substantive discussions.

Unknown said...

I disagree with Dr Chuvakin, though he makes a point about them being abused. However, just because they can be abused doesn't mean we throw them away and consider them useless.

To "explore" this topic, laws and the courts are "overvalued" because they can be abused. So, let's keep them out of substantive conversation.

Without ethics, I don't believe we have laws. I completely agree with the original post. Ethics are undervalued and yet talked about so much.

As far as the two questions posed are concerned, I believe "security as a goal" is something to promote within reason. I don't want to go so far as to say "it's like crushing the kid's dream that Santa doesn't exist", but I believe it's something close to that.

I'm an idealist in this point. If I stop believing security can be acheived, then why should I be in the security business; unless my goal is to legally steal money.

Anton Chuvakin said...

Well, laws have the same issue. Here is an example:

imagine we are arguing about the biological and chemical impact that a particular drug has on humans. Suddenly, right before you start to feel that you side is losing, you exclaim: "But sir! this drug is ILLEGAL. Shut up!" Mmmm... didn't we have a discussion about chemistry? :-(

People "trump with laws" just like they "trump with ethics" and that is why I think that UNLESS you mark a particular discussion as "one about ethics", trumping with ethics is... well... unethical!

Unknown said...

Apologies up front for focusing more on the FUD side than the ethics side. I would bet if you put both positions in the same room, they'd end up agreeing with each other. The whole discussion of FUD and whether it is good, bad, or necessary boils down to clearly stating what you think FUD is. I could argue it either way depending whether you think FUD is presenting a negative scenario with unreasonable hyperbole versus a negative scenario with reasonable cautions. Too often someone will kneejerk the cry of FUD to both situations.

It is possible that the problem with using ethics as an argument is similar to saying, "This is right because the Bible says it is." The assumption is the agreement in how valid the Bible is or how heavily it should be weighed as a source in an argument. Similarly, one person's level of ethics may not be accepted by someone else, which tends to muddy arguments down into opinions.

That's my stab at the issue. I *think* I side a bit with your opinion that ethics is really close below being technically right or wrong. Then again, I mean...what else is left? Fully subjective flips of a coin? :)

The bottomline, I think, is just that there is no black/white definition of ethics. Not only does the scope (and context) change from one person to the next, but the line of where right and wrong falls is not often agreed-upon.