Downadup: A Cure Worse Than the Disease?

Anyone with a PC (and that means most people reading this blog) should know that there is a new worm out there which by some estimates has infected as many as one out of every three PCs worldwide. Known as Downadup or Conficker, it has spread rapidly in the last few weeks despite attempts by Microsoft to issue updated security patches to its Windows operating system. One reason these attempts haven't been particularly successful is that the worm reportedly disables the computer's automatic security update function by blocking access to security websites. Experts are concerned that the worm will be used by its originators to mount malicious botnet activity or other harmful and/or illegal actions in the near future.

That's all bad enough, but this attack has brought up an interesting ethical question. Suppose that security experts find that the worm is poised to do some really nasty things, as many already suspect it is. Suppose also that they (the "good guys," that is) figure out how to use the worm to gain access to infected computers, more or less the way its original developers intended. But instead of turning the worm (so to speak) to evil purposes, the security people use it simply to warn users that their computer is infected, and that they ought to do something about it. Would that be an ethical thing to do?

Opinions in the security community are reportedly divided on this issue. One security analyst was quoted by the New York Times as saying "It's a really bad idea . . . . The ethics of this haven't changed in 20 years, because the reality is that you can cause just as many problems as you solve." Arguing in favor of the idea, another expert was quoted as saying, "Yes, it's illegal, but so was Rosa Parks sitting in front of the bus."

I can think of at least two objections to the notion of using the worm itself to warn people about it. One is legal, and the other is more pragmatic and sociological.

The legal objection has to do with using malicious means to achieve a good end. If you as a security person exploit a worm that was developed by someone intending to harm others, you are intruding on the privacy and integrity of every computer that is infected. The very act of using such a means is illegal, even if you intend to use it for a good purpose. That is acknowledged by the expert who cited Rosa Parks as an example of someone who obeyed a higher law than what was on the law books at the time. But the immoral status of the law in this case is far from being as clear-cut to us now as the Jim Crow discriminatory laws against blacks were when Rosa Parks disobeyed them half a century ago.

The pragmatic and sociological objection has to do with the reactions of the people who would get the alleged warning message. What is the first thing that comes to your mind when you get an email, say, telling you that your computer is infected and to go to such-and-such website to fix it? I don't know about you, but my first reaction is suspicion, and my next reaction is to flush the email, because I am pretty sure it is a "phishing" email designed to get me to compromise my computer somehow. The cyberworld has been so plagued by phishing dodges like this that the chances of a legitimate message from a bona fide security organization being believed are certainly less than 100%, and maybe much lower. So not only is it illegal, it probably wouldn't work very well.

There might be some invisible software way for the security folks to disable the worm remotely without the knowledge of those whose computers are infected, but who knows what other ramifications that might involve? Every computer is slightly different, and the risks involved in such tinkering probably outweigh the benefits that might result. Besides, it's no different in principle than walking into a stranger's office and messing with their computer, even if you mean to help out. Most people wouldn't appreciate this if they saw you doing it in person, and doing it remotely and invisibly doesn't change that aspect of the situation.

Maybe the person who brought up Rosa Parks is right, and the severity of the new worms like Downadup warrants a re-thinking of traditional ethics on this issue. An analogous historical situation that comes to mind was the controversy that arose when fluoridation of public water supplies was first proposed on a large scale in the 1950s to prevent tooth decay. This was another case in which an individual right (not to drink fluoridated water) was posed against a public good (the benefits of lower rates of tooth decay). In the Downadup issue, you have the individual right of not having some security expert mess with the inner workings of your PC, opposed against the common good that would result if said experts had the freedom to try counteracting worms by using the same methods the worms use. Although fluoridation is widespread, it is by no means universal and can still inflame controversies in regions where it is not yet practiced. Of course, public water supplies are delineated by geographic boundaries, while computer networks are essentially borderless, so the cases are different in that respect.

Perhaps we'll just have to wait and see what Downadup's evil creators (I have no hesitation in using that word for them) plan to do next. If its attacks are bad enough, maybe there will be a wider debate on the issue of how to forestall or prevent worms, including a reconsideration of the ethics of using worms to fight other worms. But until then, I'm not believing any emails telling me my computer's infected, unless they come from someone I trust in cyberspace. And these days, that's not a very long list.

  1. You picked an unfortunate analogy.
    The British Medical Journal reported in 2007 that fluoridation was never proved safe or effective and is unethical.