Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:15 AM

When Bad Tech Leads to Worse Results

E-voting, 'friendly' worms may be flawed - and misunderstood

There is very little that gets me more upset than bad technology. Entirely too often, new technologies are implemented not because they are useful, but because they seem innovative and cool. Here are a couple of recent examples that have been bothering me.

Bad Idea No. 1: Computerized Voting Machines

I love low-tech solutions. This is a recent development for me, inspired in no small part by spending the last several years living in Cambodia. So many people seem to forget that there are some problems that are best solved by very traditional, low-tech equipment. (See Low-Tech Security.)

Voting is one of those things. Computers are great if you are running a poll on your Website and don’t expect fraud, or if you don't care much if it happens. But if it is a national — or even local — election, the threat model is different because the stakes are higher.

Voting machines are a solution to a problem that has already been solved. Maybe the ballot design problem isn't, but that isn’t the fault of the machines. As in many cases, the humans screwed that one up. For a far more thoughtful discussion of this, see Rebecca Mercuri’s work.

Bad Idea No. 2: Worms That Do Good

This one is seeing some press recently because of an article in New Scientist about Microsoft's research paper on the topic. (See Critics: Microsoft's 'Friendly Worm' Is a Dumb Idea.)

There are two problems. First, worms don’t do good. Worms, by definition, lack central control, and patching and system modification need both central control and accountability. The mechanism used by a so-called Good Worm to access systems can be used just as easily by a Bad Worm, turning the "feature" into a bug. And when the access vector becomes a vulnerability, the potential for damage is just too high.

There's another problem here. Check out the New Scientist article, and then look at the paper referenced on Microsoft’s site. Close examination of this paper will reveal a)TONS of math, and b) an emphasis that the paper is pure research and not an upcoming product description.

I do understand the tendency of our IT security community to assume the worst of people — it is, after all, what we are paid for. However, in this case, I think that the research is quite interesting, and not necessarily motivated by evil or stupidity. It will probably prove of more use to the bad guys than the good guys, but in this case, the Microsoft team isn't at fault.

Indeed, the paper (actually a technical report since the paper hasn’t been published yet) mentions the word “patch” exactly once, and in the bibliography at that. One of the authors has studied effective patch dissemination in the past. That work didn’t propose using worms to do it. This paper doesn’t, either. Perhaps the idea is proposed in the unpublished work, but it seems more likely that the author of the New Scientist article just got things wrong.

Here's a bit of advice that comes from both of these "bad technology" examples: Talk to the media, but make sure they get it right. If they don’t, you may find yourself waiting in line for hours until the technically unskilled staff at your local voting station try to reboot the booths — without losing any votes.

— Nathan Spande has implemented security in medical systems during the dotcom boom and bust and suffered through federal government security implementations. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
PUBLISHED: 2019-12-05
Exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation m...
PUBLISHED: 2019-12-05
An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner.
PUBLISHED: 2019-12-05
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash...