In 2005, Binghamton University Professor Scott Craver launched the Underhanded C contest. Targeted at programmers and hackers, the competition challenged entrants to come up with code that was “readable, clear, and seemingly trustworthy…yet covertly implements a malicious function.”
The goal wasn’t to further erode online privacy, but to create malware in a laboratory setting so its format and behavior could be properly studied. The contest was purely white hat, innocent in the same way as a racy stand-up set. The idea was to embed transgression into normal language, to fold meaning back on itself in a surprising way. Rather, Craver was attempting to engineer a digital flu shot, a dash of evil code that could help him inoculate new programs. The idea wasn’t to spot problems, but to create systems capable of rendering them irrelevant.
Ten years later, the contest has grown up. This year, Carver’s baby is being reared by the Nuclear Threat Initiative, a non-profit, non-partisan organization dedicated to preventing the spread of nuclear weapons by watchdogging adherence to the Nuclear Non-Proliferation Treaty. NTI’s deeper pockets have sweetened the deal for winners (Professor Carver paid past winners $200 of his own money while NIT has pushed the prizes up to $1000) and upped the stake: Underhanded C competitors are inputting code that makes fissile material detectors — the mechanisms responsible for monitoring the material capable of triggering a nuclear reaction — output fuzzy results. They are lying to watchdog algorithms, or mocking them anyway.
While it’s tempting to see this challenge as politically reactionary (Iran amirite?), Carver’s has gone out of his way to lance that theory. “Problems of fissile material verification go all the way back to the late 1970s, when Gustavus Simmons found a potential vulnerability in the system jointly developed by the US and USSR to implement part of the SALT-II treaty,” he points out in Underhanded C’s verbose FAQ.
The linger question of relevance doesn’t necessarily concern the contest’s topic, but the application of its results. Is Underhanded C about solution or showing off?
One past winner of the Underhanded C competition isn’t optimistic about efforts to combat malicious code. “No matter how smart your tools are,” John Meachem, who won the 2008 Underhanded C competition, wrote during his online victory lap, “if you ultimately intend to write the wrong thing or solve the wrong problem, they can’t protect against it.” His argument is simple: It’s extremely difficult to screen for intentionally malicious code containing good code without running it to see how it works. That’s not a big deal if it’s just image rendering software, but playing guess and check with fissile material detection software isn’t a great idea.
Part of the idea of the contest is to write humorous or ironic code. And, in a sense, evil code is sarcastic: It goes out of its way to express ideas it doesn’t represent. But sarcastic coding is considerably more corrupting than sarcastic speech because it is always written and interpreted in a second language. We are all digital immigrants, and we have to work to understand counterintuitive digital meaning.
We have to work even harder if we want to be safe.