We Can't Afford Even One E-Voting Morris Worm

from the catastrophic-failure dept

Over at CNet, Declan McCullagh has an interview with probably the most prominent computer scientist who supports paperless e-voting, Michael Shamos. In a wide-ranging discussion, Shamos acknowledges that e-voting isn't perfect but insists that every voting system has its flaws, and that e-voting can be made to work better than either paper ballots or touch-screen machines with paper trails (which he points out tend to jam a lot). Mike already pointed out some problems with Shamos's analysis, and you can check out Dan Wallach's post for a comprehensive rebuttal. But I found one of Shamos's comments particularly striking. He says:

Remember Robert Tappan Morris and the Internet worm? I would get worried if we start to see systematic evidence (of increasingly robust) attacks. But we've never seen any of those.

Shamos is referring to probably the most famous malware attack in the history of the Internet. In 1988, a grad student named Robert Morris created a worm that infected hundreds, if not thousands, of computers across the Internet. It was by far the most damaging Internet worm up until that time, and as a proportion of all hosts on the Internet, probably still ranks among the most successful worms in Internet history. The important point for our purposes is that nobody saw the Morris worm coming. The security vulnerabilities exploited by the Morris worm were known ahead of time, but few people other than the worm's author realized their seriousness.

Of course, once the Morris worm brought the Internet grinding to a halt for several days, everyone became acutely aware of the importance of security, and so they quickly fixed the bugs Morris had exploited. And luckily, at this point the Internet was still a relatively small, academic network, so while it cost millions of dollars of work to clean up the mess, no irreparable damage was done. But there wasn't a series of "increasingly robust" attacks leading up to the Morris worm that could have provided fair warning to Internet users of the day. The Morris Worm was a lot more sophisticated and successful than anything that had come before it. And by the same token, there's no reason to think that the bad guys will give us some advance warning by incompetently trying to steal a few city council seats before they disrupt a presidential election. If we continue to vote on insecure e-voting machines, we run the risk that our first clue that something is wrong will be when the voting machines in a key swing state "malfunction," throwing the presidential election into turmoil. I don't think we can afford to take that risk.

Filed Under: e-voting, michael shamos


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    zcat, 23 Apr 2008 @ 5:55pm

    EVoting NEEDS a Morris worm!!

    Not just one swing state, there needs to be a total and catastrophic failure of voting systems in several states, preferably involving more than one vendor.

    Nothing else is going to wake up voters and make them start to think about the security (or lack thereof) of current electronic voting systems.

    A few minor 'inconsistencies' in one or two states can easily be brushed off. "Exit polls are inaccurate", etc. It's _already_ happened twice. The voting public is blissfully unaware of this.

    "The canary was already sick, it probably died of natural causes"

    That won't wash if the problems are widespread and obvious.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.