Thursday, September 28, 2006

diebold voting machine viruses

i saw a lot of articles about the recent research done on the potential for malicious code injection and vote stealing on the diebold accuvote ts voting machines but there was one kind of article i was expecting but never saw...

you see, the researchers claimed to have created a virus for the voting machine as part of their research - so where's the outcry from the anti-virus community about that? there doesn't seem to be any (and i have web searches on virus/worm/trojan/{as many other malware terms as i can fit in a search query} redirected to my feed reader so i'm pretty sure i would have seen something if there was something to see) and that seems kind of peculiar when compared to the reaction to the consumer reports av tests...

what could be the cause of the silence? do they only care about virus creation when it serves as a handy way to deflect criticism that makes the vendor's product look bad? the fact that vendors whose products weren't tested by consumer reports also raised a stink about the virus creation, and the fact that the anti-virus-writing public letter most often cited was originally in reference to a university course that advertized virus writing as part of the curriculum, both suggest that the community's concern over virus writing is not as narrow and self-serving as the nay-sayers would have you believe...

maybe the security researchers involved in the voting machine virus creation are somehow beyond reproach? well, some people thought the security personalities involved in the consumer reports test were beyond reproach too, so that shouldn't be it either...

maybe the technical circumstances of the voting machine virus nullify the threat it poses? [sarcasm] because a virus that can only infect voting machines (that run windows) wouldn't really be a threat to the public if it fell into the wrong hands - it's just a threat to democracy... [/sarcasm]

well, i'll tell you what - i can't speak for anyone else in the anti-virus community, but if they're anything like me, maybe they just didn't know what to think at first, and as time wears on it becomes easier and easier to just let it go... when i first read the headlines i wasn't sure what to think - on a very basic level i felt uneasy about it but i wasn't sure if that was just a knee-jerk reaction so i waited for some anti-virus type who knows more than me to provide some analysis (or even an opinion) that would at least shed some light on how other people in the community felt about the whole thing... nothing doing though, so i've had to mull it over myself and i've come to the conclusion that my knee-jerk reaction was right...

the fundamental arguments against writing viruses for supposedly good reasons are a) there are inherent risks and social costs (unless you're able to ensure that no one ever finds out about it or encounters it) , and b) there ways to get the same results without creating a virus and thus without the problems in (a)... both of these apply in this case...

the risks are that the virus will fall into the wrong hands (either accidentally or on purpose) and affect people and as smart and trustworthy as the researchers may be, no one is above reproach (saints have been known to kill people), no one is beyond making errors... the risks remain no matter who is involved and the impact here could be dire, subverting the democratic process (even just for a single country) can a affect everyone... add to that the social costs of telling people who really have no business handling viruses let alone creating them that virus creation is a legitimate research practice... sure it might also embolden smart people to do good research too, but considering the persistent and autonomous nature of the threat that a self-replicating program poses (it can keep going and going long after anyone involved in it's creation or spread has lost interest and moved on) it really does only take a few bad apples to ruin the bunch...

that brings us to the issue of there being ways to get the same results, in this case being able to prove the same things, without creating a virus... i've already shown that this is possible in the general case and in this case in particular the researchers state quite clearly that the voting machines are general purpose computers (that makes viral susceptibility a forgone conclusion)... in fact they've made it clear that the machines run a version of windows, so there's absolutely no reason to create a virus for this platform since just about everyone knows that windows and viruses go together like peas and carrots... unless you want your new nickname to be 'captain obvious' there's no need to prove a virus is possible on this platform and so no need to create one for their security proof...

so if there was no need to create a virus, if you could demonstrate everything you needed to demonstrate with non-viral code (and you could), then the ends can not justify the means - the risks, however small they may be, remain present and the social costs are completely unmitigated... i don't want to bash the researchers too much (i do that an aweful lot) especially since there was a question (at least in my mind) about whether or not the ends might really justify the means in this particular virus-creation case (by gosh, democracy was at stake), but creating an actual virus (and by their description it was an actual virus, basically a kind of boot infector) was a wrong-headed thing to do...

0 comments: