January 9, 2025

Senate File Pilfering Report Released

The report of a preliminary investigation into the Senate file pilfering has been released (in two parts) by Senate Sergeant-at-Arms Bill Pickle.

The report mostly confirms what was reported previously: many files on the shared server were unprotected, so that anybody who knew how could get them; a clerk working for the Republican staff, under the direction of a senior Republican staffer, accessed more than 4,000 of the Democrats’ files; and some of the juiciest files were leaked to the press, probably by the aforementioned Republican staffer.

The report also contradicts some claims made previously. It is clear from the report that the availability of the files was not widely known. The report also shows that the people making the accesses worked to cover their tracks, both during and after the time when the accesses occurred. It also appears that the Republican staff member who oversaw the accesses made false statements to the investigators.

I wrote before that it wasn’t clear whether the accesses violated the Computer Fraud and Abuse Act (CFAA). The key question in applying the CFAA to these facts was whether the staffers were “entitled to” access the particular files they downloaded; and the answer to that question depends on the rules and practices of the Senate.

The issue still isn’t clear-cut, but the facts recounted in the report tend to tip the balance toward violation of the CFAA. The accessors’ efforts to cover their tracks, both during and after the accesses, are revealing. And the report tells how the clerk, on initially discovering the files were accessible, took a pile of printed-out opposition files to one of his supervisors, who shredded the files and “admonished [the clerk] not to use the … documents”. These facts, plus the apparent false statements made to the investigators, tend to support the argument that the clerk and the staffer knew that the accesses were improper.

The report makes no recommendation for or against a referral of the CFAA matter to the Justice Department. That decision is in the hands of the Senators.

Dueling Viruses

There seems to be an active rivalry between the authors of competing computer viruses, with back-and-forth insults included in the textual comments within each virus, according to a Mike Musgrove story in today’s Washington Post.

Witty repartee it’s not: “Bagle – you are a looser!!!” But one does worry about what will come next, if the loosers decide to escalate from a war of words to an e-war. If that happens, the next step will be new virus versions that try to inoculate victims’ machines against rival viruses. And don’t expect the kind of clean, surgical inoculation you get from a good antivirus product, but a crude rewiring of the victims’ software configuration, causing all sorts of trouble.

In the worst (but unlikely) case, this could escalate into a full-on game of distributed core wars, with rampaging malware armies clashing in the computers of people foolish enough to click on the wrong attachments.

Let’s hope this doesn’t happen. And let’s all remember to update our antivirus software and be very suspicious of email attachments.

Diebold Looking for Help

A reliable source tells me that a headhunter, working for e-voting vendor Diebold, is calling security experts, trying to find somebody to help Diebold improve the security of their systems.

Monoculture

Lately, computer security researchers have been pointing out the risks of software monoculture. The idea is that if everybody uses the same software product, then a single virtual pathogen can wipe out the entire population, like Dutch Elm Disease mowing down a row of identical trees. A more diverse population would better resist infection. While this basic observation is accurate, the economics of monoculture vulnerability are subtle. Let’s unpack them a bit.

First, we need to review why monoculture is a problem. The more common a product is, the more it will suffer from infection by malware (computer viruses and worms), for two reasons. First, common products make attractive targets, so the bad guys are more likely to attack them. Second, infections of common products spread rapidly, because an attempt to propagate to a new host is likely to succeed if a high fraction of hosts are running the targeted product. Because of these twin factors, common products are much more prone to malware problems than are rare products. Let’s call this increased security risk the “monoculture penalty” associated with the popular product.

The monoculture penalty affects the incentives of consumers, making otherwise unpopular products more attractive due to their smaller penalty. If this effect is strong enough, it will prevent monoculture as consumers protect themselves by shunning popular products. Often, however, this effect will be outweighed by consumers’ desire for compatibility, which has the opposite effect of making popular products more valuable. It might be that monoculture is efficient because its compatibility benefits outweigh its security costs. And it might be that the market will make the right decision about whether to adopt a monoculture.

Or maybe not. At least three factors confound this analysis. First, monoculture is often another word for monopoly, and monopolists behave differently, and often less efficiently, than firms in competitive markets.

Second, if you decide to adopt a popular product, you incur a monoculture penalty. Of course, you take that into account in deciding whether to do so. But in adopting the popular product, you also increase the monoculture penalties paid by other people – and you have no incentive to avoid this harm to others. This externality will make you too eager to adopt the popular product; and there is no practical way for the other affected people to pay you to protect their interests.

Third, it may be possible to have the advantages of compatibility, without the risks of monoculture, thereby allowing users to work together while suffering a lower monoculture penalty. Precisely how to do this is a matter of ongoing research.

This looks like a juicy problem for some economist to tackle, perhaps with help from a techie or two. A model accounting for the incentives of consumers, producers, and malware authors might tell us something interesting.
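A toy version of the twin-factor argument and the adoption externality described above, as an added example that is not part of the original post. It assumes a random-scanning worm in a mean-field model and attackers who pick a target product with probability equal to its market share; the host count, probe rate and time horizon are constructed values, not measurements.

```python
# Toy mean-field model of the "monoculture penalty" (added example; every
# parameter below is a constructed assumption, not a measurement).

def infected_fraction(share, hosts=100_000, probes=1.0, steps=20, seed_hosts=1.0):
    """Fraction of a product's users infected after `steps` rounds of a
    random-scanning worm. Each infected host probes `probes` random hosts
    per round; a probe succeeds only if it lands on a still-clean host that
    runs the targeted product, so the hit rate scales with market share."""
    vulnerable = share * hosts
    if vulnerable < 1:
        return 0.0
    infected = min(seed_hosts, vulnerable)
    for _ in range(steps):
        # Chance that a given clean host is hit by at least one probe.
        p_hit = 1.0 - (1.0 - 1.0 / hosts) ** (probes * infected)
        infected += (vulnerable - infected) * p_hit
    return infected / vulnerable


def penalty(share, **kw):
    """Per-user expected risk: factor one (the product is targeted with
    probability equal to its share) times factor two (how far it spreads)."""
    return share * infected_fraction(share, **kw)


def externality(share, hosts=100_000, **kw):
    """Extra risk imposed on a product's existing users, summed over all of
    them, when one more host adopts it. The adopter bears none of this."""
    existing = share * hosts
    bumped = (existing + 1) / hosts
    delta = penalty(bumped, hosts=hosts, **kw) - penalty(share, hosts=hosts, **kw)
    return existing * delta


if __name__ == "__main__":
    for s in (0.05, 0.25, 0.50, 0.90):
        print(f"share={s:.2f}  infected={infected_fraction(s):.4f}  "
              f"penalty={penalty(s):.4f}  harm_to_others={externality(s):.3g}")
```

Under these assumptions the penalty grows far faster than linearly in market share, and the harm a single adopter imposes on existing users grows with it.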

Staffer In Senate File Pilfering To Resign

Senate staffer Miguel Miranda will resign in the wake of the recent scandal over unauthorized accesses to the opposition’s computer files, according to Alexander Bolton’s story in The Hill.

Miranda is the highest-ranking person who has been accused publicly of involvement in the accesses made by Republican staff to the Democrats’ internal strategy memos. His current (pre-resignation) job is in the office of Senate majority leader Bill Frist, directing Republican strategy in the judicial nomination battles. The events that triggered his resignation occurred when he worked for Judiciary Committee chair Orrin Hatch. The Hill reports that pressure from Hatch precipitated Miranda’s resignation.

An investigation by Senate Sergeant-at-Arms Bill Pickle is ongoing. It’s not clear whether any criminal charges will be brought.

[Link via Michael Froomkin.]