September 18, 2020

Immunizing the Internet

Can computer crime be beneficial? That’s the question asked by a provocative note, “Immunizing the Internet, or: How I Learned to Stop Worrying and Love the Worm,” by an anonymous author in June’s Harvard Law Review. The note argues that some network attacks, though illegal, can be beneficial in the long run by bringing attention to network vulnerabilities and motivating organizations to address problems.

I don’t buy the note’s argument, but there is a grain of truth behind it. Vendors and independent analysts often disagree about whether a vulnerability is real or could ever be exploited in practice. One thing I’ve learned over the years is that the best (and often the only) way to resolve that debate is to demonstrate an exploit. If you can do something, people will accept that it is possible.

Our recent e-voting study is a good example. Diebold can’t seriously argue that malicious code can’t sway an election, because we have a working demo that we have shown on national TV and in front of congress.

Even when the vendor is willing to acknowledge reality and work constructively to fix a problem, a working demonstration is useful in helping the vendor cope with the problem – and in helping the good guys within the vendor organization neutralize any internal minority that wants to deny the problem. Showing the vendor a working demo can be the first step in a constructive problem-solving relationship.

(To be clear: You can build a working demo and show it to people without revealing to the public every detail of how to build the exploit. How much information to publish about a demonstration exploit is a separate issue from whether to build it in the first place.)

But some sorts of problems can’t be demonstrated without breaking the law. For example, Diebold apparently claims that there is no way to tamper with the upcoming November election in (say) Maryland. I’m convinced that claim is false, but the most direct, obvious way to prove it false would involve actually tampering with the election, which of course is unthinkable.

The note’s reasoning would imply that the penalty for tampering with the election might be reduced, especially in cases where the tampering is engineered to be obvious and to cause minimal damage, for example if it added 10,000 write-in votes for Homer Simpson to a statewide race where a candidate was running unopposed. Though such an attack would be instructive, it would still be wrong and would deserve serious punishment. If the legal lines are drawn in the right places, and if the punishment otherwise fits the crime, then we shouldn’t let attackers off easy just because their attacks were instructive.

Comments

  1. the_zapkitty says:

    One could, perhaps, also use this as a gentle warning to those who get a little hot-headed at the displayed venality of the current process?… “If you try anything stupid you could get your ass nailed to the wall as a trophy in a Diebold boardroom while they still trumpeted the supposed invulnerability of their systems… and you’ll deserve it.”

    The real trick will to take back the regulatory process from the companies being regulated… and to keep electoral districts and vendors alike from destroying any possible evidence of problems after the elections.

    Court-ordered penalties and sanctions for such wholesale erasures in the recent past are still being handed down even now.

  2. It’s almost as if the authors are putting some computer criminals in the same category as whistle-blowers who do have protections under certain circumstances.

  3. This has long been a potential problem in white-hat hacking – demonstrating to a potential client that they need a security audit by breaking into their network is still illegal 🙂 Showing that the TSA is incompetent by sneaking real explosives on a plane is also a no-no. The best way to demonstrate how easy it is, IMHO, is to teach someone high enough in the organization to have responsibility for the outcome and the ability to make the necessary changes (CEO, Governor, Senator, etc) how to do it and have them prove it to themselves – at that point they become converts.

  4. “for example if it added 10,000 write-in votes for Homer Simpson to a statewide race where a candidate was running unopposed. Though such an attack would be instructive, it would still be wrong and would deserve serious punishment”.

    Why would this deserve serious punishment? What harm has been done? I would never want to write such a code, for fear of a bug accidentally compromising the election. And in such a case the conseqences should be severe. But if it was done correctly I see nothing to justify serious punishment. It should instead be covered under whistleblower protections.

    I agree it qualifies as elections tampering, under the current definition. As a result it would be appropriate to make an arrest and try the case. But the laws were not written with this scenario in mind. This is precisely the reason we have judges and juries, and not automatic sentencing — to let the punishment fit the crime. Here it seems a fitting penalty would be a firm pat on the back.

  5. Cariaso, I suspect that sometimes Ed Felten feels obliged to avoid inducing or inciting his audience to crime, and hence has to exhort a contrarian judgement in the hopes that his regular readers will read between the lines and forgive him for apparently toeing the party line.

  6. the _zapkitty says:

    cariaso Says:

    “Why would this deserve serious punishment? What harm has been done? I would never want to write such a code, for fear of a bug accidentally compromising the election.”

    In the question is the answer.

    In other words: The judge, anyjudge, will look at the situation from this viewpoint: “Who gave you the right to break the law and interfere with the rights of other people?”

    The judge might understand the reasons why, might understand the public-spirited motive, but that won’t keep her from bringing down the hammer on the offender.

  7. the _zapkitty says:

    Crosbie Fitch Says:

    “Cariaso, I suspect that sometimes Ed Felten feels obliged to avoid inducing or inciting his audience to crime, and hence has to exhort a contrarian judgement in the hopes that his regular readers will read between the lines and forgive him for apparently toeing the party line. “

    Ed’s only pointing out that any person actually doing what no few commenters to news articles and blogs nationwide have suggested doing, spoofing some election results as an object lesson in the current problems with e-voting, such a person would in fact be committing a serious felony.

  8. Alas, I think that this talk of “recapturing the regulatory process” is pretty much a pipe dream without the kind of incident that Felten advises against creating. From airline safety to the privacy of video-rental records, it’s pretty much a historical given that nothing happens (no matter how much time reasonable people have spent arguing their case) until there is blood (real or from metaphorical oxen) pooling on the ground.

  9. “we shouldn’t let attackers off easy just because their attacks were instructive. ”
    kinda ironic coming from the “Freedom to thinker”

  10. “Why would this deserve serious punishment? What harm has been done?”

    There’s at least one obvious source of harm: If obvious-but-harmless ballot tampering were discovered, then there is a far stronger reason than otherwise to suspect less-obvious, more-harmful tampering. The election would probably be re-run after some delay, at great cost to taxpayers and to the ability of government to function smoothly.

    (Of course, if the election is so vulnerable that you think tampering will take place undetected if you don’t act, then I suppose re-running the election is actually less harmful than letting the results stand. But an election without any tampering is even better, if it’s possible.)

  11. the_zapkitty says:

    Jesse Weinstein Says:

    “Not taking a position, just exploring this further…
    If the exploit was to change the displayed totals of votes from a certain district to show 10,000 votes for Homer Simpson (not attached to any name, just a change in the total). This could not go un-noticed, so no-one would be misled.”

    Aside from derailing an election, that is.

    “Someone above said this would be wrong because it would “interfere with the rights of other people”. What people, and what rights, specifically, would be interfered with in the above situation?”

    I find this disturbing. While all to many people assume that they are given “rights” in the constitution that are simply not there (even if they should be 🙂 ), this right is explicit, detailed, and has been literally bought with blood by disenfranchised people… often.

    The right to vote.

    If you interfere with an actual election, whoever you might be and whatever your motives, then you are interfering with the right to vote. It doesn’t matter if you are a vote-stealing cog in the political machine of one party or another, or if you are just a geek showing that some company’s claim to “invulnerable election machines” is utter BS… whatever the reason… you will have become a criminal.

  12. “…has been literally bought with blood by disenfranchised people… often.”

    It seems as if you are suggesting that people should not simply stand idle, whilst they become disenfranchised by those exploiting the facility to steal their votes.

    Are you suggesting that geeks should resort to criminal actions to prevent such disenfranchisement?

    The real question is whether you, like Ed Felten, think that such criminals who thwart wholesale disenfranchisement deserve to be seriously punished?

  13. A major problem with doing something like generating 1,000 votes for Mickey Mouse is that it may obscure the results of other races. For example, suppose that all 1,000 votes from Mickey Mouse come from 10 machines. On those machines, in a different, contested race, Mr. Smith received 700 votes and Mr. Jones received 500. Everywhere except on those machines, Mr. Smith received 97,000 votes and Mr. Jones received 97,100.

    It may well be that the attacker didn’t do anything to the ballots for Mr. Smith or Mr. Jones, but all 1200 ballots cast in that race on the Mickey Mouse’d machines would have to be considered suspect. No matter who claimed the ultimate victory, about half the population would feel cheated.

  14. You may underestimate the intelligence of half the population there. I suspect that ALL of the population would feel cheated.

  15. the_zapkitty says:

    Crosbie Fitch Says:

    “…has been literally bought with blood by disenfranchised people… often. The right to vote.”

    “It seems as if you are suggesting that people should not simply stand idle, whilst they become disenfranchised by those exploiting the facility to steal their votes.”

    No. And what I said couldn’t possibly be interpreted that way. That you might see it that way is somewhat indicative of your frame of mind, perhaps.

    Which seems to be somewhat angry 🙂 Understandable, given what all is going on.

    “Are you suggesting that geeks should resort to criminal actions to prevent such disenfranchisement?”

    Er…. switchback? Weren’t you complaining about me supposedly arguing the other side a moment ago? Either way, this too is simply incorrect.

    “The real question is whether you, like Ed Felten, think that such criminals who thwart wholesale disenfranchisement deserve to be seriously punished?”

    Go ask any survivor of the first civil rights movement that question. They sometimes had to break laws… but they were fighting bad laws… racist laws… Are you suggesting that the laws against interfering with an election are bad laws?

    As Ed said, the punishment should fit the crime. And the crime of interfering with the vote is a serious one indeed.

    Enforcement of such has, of course, been varied and so have the actual penalties inflicted on the perpetrators… ranging from hanging to jail time to heavy fines to a slap on the wrist. But the fact that election tampering has been part of American politics since the beginning doesn’t make the laws against it meaningless or “bad laws”.

    And it has now been verified by the courts that some aspects of the 2000 and 2004 elections really were interfered with. And more is coming out every day.

    How do you think the courts should treat the persons they have found responsible? And why should the courts be required to treat an irate geek any differently?

    Note the terminology I used.

    The judge and jury can always make their opinions known with light or no real punishment. But should the laws be changed to lessen the crime of election interference?

    You can’t have your cake and eat it to.

    And a geek interfering with an election so that Eruru was elected president had best understand that they may well end up in front of a judge who thinks that “that was all paranoid bullshit”… and brings the hammer down hard on the geek.

    (Of course… Aruru for Secretary of State is a shoo-in… :))

  16. I’m not an expert, but I think that civil disobedience is considered by many philosophers to be moral under certain circumstances. I am not sure but I think your homer simpson example may fall into that category. In any event, I think laws and practices that undermine political equality are especially deserving of civil disobedience. This isn’t about my “right” to copy an mp3 or something trivial like that.

  17. the_zapkitty says:

    Michael Weiksner Says:

    “I’m not an expert, but I think that civil disobedience is considered by many philosophers to be moral under certain circumstances. “

    True, but then it becomes a classic case of civil disobedience, one where the person who is performing the illegal action as a protest against injustice is aware that they are risking the same legal consequences (or worse) as a person who did it just for kicks.

    But the rather juvenile Note referenced by Ed suggests instead that the legal system should change the punishment for those who commit a specific type of crime, that some of those persons who commit such a crime should be held as less responsible than others who commit the same sort of crime… if their crime is judged to be somehow “instructive”.

  18. //You may underestimate the intelligence of half the population there. I suspect that ALL of the population would feel cheated.//

    The people who voted for whatever candidate was not deemed the winner would certainly feel cheated; that was the “about half the population” I was referring to. From a conventional legal standpoint, it would be hard to argue that the people whose candidate was deemed the winner would be harmed, though you are correct that some of them may still feel like they’ve been cheated of the opportunity to have a “clean win”.

    On the other hand, having watched somewhat the Washington state gubernatorial election, it would seem that at least some people were more interested in being handed a “win” than they were in any sense of legitimacy. Actually, that race needs to be considered in any evaluation of voting protocols.

    If a candidate can be elected despite the fact that, in an area that heavily favors that candidate, the number of ballots exceeds the number of voters by a number far greater than the margin of “victory”, fraud-prevention measures become moot. The essense of fraud prevention is the principle that when fraud is detected something must be done to nullify any benefit the fraudster might hope to attain. It’s useless to be able to detect fraud if the response to such detection is to allow the fraud to continue unabated.

  19. One problem is that if an attacker simply added a fictional character’s name to the election results with a bunch of votes for that character, the voting machine company (and in the USA, the rightwing noise machine) would likely say that this proved nothing, since it didn’t show that the actual people in the race had their vote altered. Now sure, you might say (and should say) that the votes could’ve been added to any actual candidate, but you didn’t “prove that” because you didn’t do exactly that. This would be a dumb position for them to take, and dumb for people to accept, but have you ever argued with, for instance, a creationist? They make that exact argument all the time, and it’s incredibly difficult if not impossible to get through to them. And this sort of reasoning is extremely common; their bogus argument would be very likely to work, IMO.

  20. the_zapkitty says:

    QrazyQat Said:

    “… the voting machine company (and in the USA, the rightwing noise machine) would likely say that this proved nothing…”

    Hmmm… they haven’t owned up to the complete debunking they’ve received so far… why would that change just because an imaginary character or two got elected?

    “If you try anything stupid you could get your ass nailed to the wall as a trophy in a Diebold boardroom while they still trumpeted the supposed invulnerability of their systems… and you’ll deserve it.”

    The discussion has definitely come full circle 🙂

  21. Theres no such thing. Something is always going to be bad.

    Gamerhideout.com Register!!!