‘The root of this problem is software controlled by its developer’

I fully agree with Jonathan Zittrain’s conclusion that we should not abandon general-purpose computers. Alas, I disagree completely with the path that led him there. He presents serious security problems as an intolerable crisis, but I’m not convinced. Then he forecasts that users will panic in response and stampede toward restricted computers (which he calls “appliances”), but there is no sign of this happening.

Zombie machines are a problem, but not a catastrophe. Moreover, far from panicking, most users ignore the issue. Today, people are indeed concerned about the danger of phishing (mail and web pages that solicit personal information for fraud), but using a browsing-only device instead of a general computer won’t protect you from that.

Meanwhile, Apple reported that 25% of iPhones have been unlocked. Surely at least as many users would have preferred an unlocked iPhone but were afraid to try a forbidden recipe to obtain it. This refutes the idea that users generally prefer that their devices be locked.

It is true that a general computer lets you run programs designed to spy on you, restrict you, or even let the developer attack you. Such programs include KaZaA, RealPlayer, Adobe Flash, Windows Media Player, Microsoft Windows, and MacOS. Windows Vista does all three of those things; it also lets Microsoft change the software without asking, or command it to permanently cease normal functioning.

But restricted computers are no help, because they have the same problem, for the same reason.

The iPhone is designed for remote attack by Apple. When Apple remotely destroys iPhones that users have unlocked to enable other uses, that is no better than when Microsoft remotely sabotages Vista. The TiVo is designed to enforce restrictions on access to the recordings you make, and reports what you watch. E-book readers such as the Amazon “Swindle” are designed to stop you from sharing and lending your books. Features that artificially obstruct use of your data are known as DRM, or Digital Restrictions Management (our adversaries call DRM “Digital Rights Management,” based on their idea that restricting you is their right—choose a term and choose your side); our protest campaign against DRM is hosted at DefectiveByDesign.org.

The nastiest of the common restricted devices are cell phones. They transmit signals for tracking your whereabouts even when switched “off”; the only way to stop this is to take out all the batteries. Many can also be turned on remotely, for listening, without telling you. (The FBI has done so already, and the U.S. Commerce Department lists this danger in its Security Guide.) Cellular phone network companies regularly install software in users’ phones, without asking, to impose new usage restrictions.

With a general computer you can escape by rejecting such programs. You don’t have to have KaZaA, RealPlayer, Adobe Flash, Windows Media Player, Microsoft Windows or MacOS on your computer (I don’t). By contrast, a restricted computer gives you no escape from the software built into it.

The root of this problem, both in general PCs and restricted computers, is software controlled by its developer. The developer (typically a corporation) controls what the program does, and prevents everyone else from changing it. If the developer decides to put in malicious features, even a master programmer cannot easily remove them.

The remedy is to give the users more control, not less. We must insist on free/libre software, software that the users are free to change and redistribute. Free/libre software develops under the control of its users: if they don’t like its features, for whatever reason, they can change them. If you’re not a programmer, you still get the benefit of control by the users. A programmer can make the improvements you would like, and publish the changed version. Then you can use it too.

With free/libre software, no one has the power to make a malicious feature stick. Since the source code is available to the users, millions of programmers are in a position to spot and remove the malicious feature and release an improved version; someone will surely do so. Others can independently compare the two versions to assure you which version treats you right. As a practical fact, free software is generally devoid of designed-in malware.

Many people do obtain restricted devices, but not for motives of security. Why do people choose them?

Sometimes it is because the restricted devices are physically smaller. I edit text literally all day, and I find the keyboard and screen of a laptop well worth the size and weight. However, people who use computers differently may prefer something that fits in a pocket. In the past, these devices have typically been restricted, but they weren’t chosen for that reason.

Now they are becoming less restricted. In fact, the OpenMoko cell phone features a main computer running entirely free/libre software, including the GNU/Linux operating system normally used on PCs and servers.

A major motive for purchasing some restricted computers is financial sleight of hand. Game consoles, and the iPhone, are sold for an unsustainably low price, and the manufacturers then charge when you use them. Thus, game developers must pay the game console manufacturer to distribute a game, and they pass this cost on to the user. Likewise, AT&T pays Apple when an iPhone is used as a telephone. The low up-front price misleads customers into thinking they will save money.

If we are concerned about the spread of restricted computers, we should tackle the price deception that sells them. If we are concerned with malware, we should insist on free software that gives the users control.

Postnote: Zittrain’s suggestion to reduce the statute of limitations on software patent lawsuits is a tiny step in the right direction, but it is much easier to solve the whole problem. Software patents are an unnecessary, artificial danger imposed on all software developers and users in the US. Every program is a combination of many methods and techniques—thousands of them in a large program. If patenting these methods is allowed, then hundreds of those used in a given program are probably patented. (Avoiding them is not feasible; there may be no alternatives, or the alternatives may be patented too.) So the developers of the program face hundreds of potential lawsuits from parties unknown, and the users can be sued as well.

The complete, simple solution is to eliminate patents from the field of software. Since the patent system is created by statute, eliminating patents from software will be easy given political will. See endsoftpatents.org.

Right now, companies that distribute the free/libre anti-virus package ClamAV are being sued for patent infringement by Trend Micro. Many of our networks are protected from viruses by ClamAV. Don’t tolerate such aggression—boycott Trend Micro and any company that uses patents to attack software developers and users.


Comments

1 |
The problem is *vulnerabilities*, not designed-in vendor-attack vectors
While I agree with almost everything you say, there is another reason why Zittrain's proposed solution will not work, and, unfortunately, it applies to yours as well.

The cause of the tidal wave of viruses and spam isn't that proprietary software vendors *want* to allow it -- of course they don't, it damages their (already bad) reputation. It's a combination of vulnerabilities and bad incentives.

The bad incentive problem is that, for historical/cost-efficiency reasons, the major proprietary software vendors largely disregarded security until quite recently, because they weren't being penalized for it with bad sales or bad PR. While this *is* largely a proprietary software problem at present, this is not because of the proprietary software model: it's not as if you need to look at the Windows code to determine that Windows is extremely vulnerable to malware, and major free Unix tools used to be vulnerable to exactly the same problem. The problem is that backward-compatibility concerns and other problems have prevented one major proprietary software vendor (Microsoft) from implementing decent security, so that viruses can take the entire system over, and that people didn't care that their system might be taken over --- and also of course the proprietary vendors had no incentive to tell the unknowing that their systems were vulnerable.

In any case, if Microsoft's code were all free software, the problem would not be solved: *someone* would have to make it secure, and once it was secure *someone would have to convince most users to upgrade to the secured version*, even if the only improvement is security fixes, at the cost of potentially destabilizing the user's already-working applications.

The vulnerability problem --- that currently it is easy to accidentally write code that allows external attackers in --- is equally shared by free and proprietary systems, and by open and closed systems, and to be blunt it's the larger of the two problems: a single vendor spying on you is unlikely to be as bad as an unknown number of nasty criminals spying on you and perhaps using your machine in parts of wars with each other. Despite what I said in the previous paragraph, Unix's stricter default permissions don't help much in this area, as most malware these days doesn't want to take the entire system over, but just wants to send out network packets with spam in them or spy on the user's financial transactions. Neither of these operations typically requires any more privilege than the user already has, so free Unix systems are every bit as vulnerable to them as is, say, Windows (they just don't have enough crackers trying to break into them, and have a good bit more hardware diversity). Both the free world and Windows have tried hard to implement technical hacks to make this sort of thing harder (StackGuard and the like), but I fear that the only real way around it is to switch from C to languages that don't allow the sort of unchecked buffer- and integer-overruns that C is so prone to. (This doesn't mean they need to run in a virtual machine: a language with stricter formal compile-time checks or less primitive data-structures, compiling down to raw machine code just as C does, would be every bit as good. Of course I'm preaching to the choir here...)

However, both the free and proprietary worlds are a long, *long* way from that, the popularity of scripting languages in Unix notwithstanding. So what alternatives are available?

I suspect the most effective that doesn't require rewriting everything would be a combination of heuristic behaviour observation and retroactive paranoia in vulnerable areas. I suspect that we could torpedo most of the current attack vectors with a few simple checks:

- applications that don't usually initiate network connections should be treated with suspicion when they start doing so

- applications whose transitive children don't usually initiate network connections should likewise be treated with suspicion when they start doing so

- likewise for applications and their transitive children that don't usually observe information flow in other applications. ('Observe information flow' is woolly: in Unix, 'uses ptrace() or acquires the window handles of X windows that it doesn't own' would cover most of it.)

Of course this won't help if you install a new application which contains intentional spyware/malware, and it would take work to spot browser-based vulnerabilities this way (as web browsers already *do* initiate legitimate outbound network connections all the time); but it might reduce the effect of vulnerabilities a good bit without requiring a huge security ruleset (as SELinux does) or firing off too many false alarms. (One problem here is that users are so used to false alarms that if we *do* spot a problem and warn the user, the user is likely to say 'yes, yes, go away and let the app do its thing' even if the app is a network time server client and it's trying to send spam.)

But even this won't help for long. The attackers will find new attack vectors; and here we *are* at the mercy of proprietary software vendors, because we can't harden proprietary systems: only the vendors can do that.

I'm not sure if there *are* any good answers here. Even locked-down systems are still general-purpose computers, capable of executing arbitrary code as soon as a vulnerability comes to light; and if we drop general-purpose computation we drop virtually everything that makes computers worth using in the first place. Even free software is still (frequently) vulnerable to external attack.

Proprietary closed software is certainly worse for users and for freedom than its free-and-open antithesis, and I would much rather use the latter than the former: but I'm not sure this helps in this case. The crackers don't care if your software is free.
— posted 03/25/2008 at 10:59 by Nix
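
The checks listed in comment 1 (a program, or one of its transitive children, starting to initiate network connections or to use ptrace() when it does not usually do so), sketched as an added example that is not part of the original page or of the comment. The event tuple format, the class and function names, and the sample process events are all constructed for illustration.

```python
from collections import defaultdict

SENSITIVE = {"connect", "ptrace"}  # initiating network traffic, observing other processes

class BehaviourBaseline:
    def __init__(self):
        self.parent, self.exe = {}, {}      # pid -> ppid, pid -> executable path
        self.seen = defaultdict(set)        # exe -> sensitive actions seen in its subtree

    def _lineage(self, pid):
        # Executable of pid, then of each known transitive ancestor (cycle-safe).
        visited = set()
        while pid in self.exe and pid not in visited:
            visited.add(pid)
            yield self.exe[pid]
            pid = self.parent.get(pid)

    def observe(self, event, learning):
        pid, ppid, exe, action = event
        self.parent[pid], self.exe[pid] = ppid, exe   # every event registers the process
        if action not in SENSITIVE:
            return []
        alerts = []
        for depth, ancestor in enumerate(self._lineage(pid)):
            if action in self.seen[ancestor]:
                continue                    # usual behaviour for this subtree
            if learning:
                self.seen[ancestor].add(action)
            else:
                alerts.append((ancestor, action, "self" if depth == 0 else "descendant"))
        return alerts

def run(baseline_events, live_events):
    model = BehaviourBaseline()
    for ev in baseline_events:
        model.observe(ev, learning=True)
    return [a for ev in live_events for a in model.observe(ev, learning=False)]

# Constructed sample events: (pid, ppid, executable, action)
BASELINE = [
    (200, 1, "/bin/bash", "exec"),
    (210, 200, "/usr/bin/firefox", "connect"),   # browser connects during learning
    (220, 200, "/usr/bin/evince", "exec"),       # document viewer never connects
]
LIVE = [
    (210, 200, "/usr/bin/firefox", "connect"),   # usual: no alert
    (230, 220, "/bin/sh", "connect"),            # child of the viewer starts connecting
    (220, 200, "/usr/bin/evince", "ptrace"),     # viewer starts observing other processes
]
```

As the comment itself notes, a baseline like this says nothing about a browser that already connects legitimately, and a newly installed program has no history to compare against.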
2 |
endofpatents.org?
Does endofpatents.org even exist? It doesn't seem to, and a Google search gets only two hits - one of which is this very article.
— posted 03/25/2008 at 12:07 by piltdown
3 |
endsoftpatents.org
Try http://endsoftpatents.org/
— posted 03/25/2008 at 13:31 by bob
4 |
Software freedom fights malware best
I don't see how malware of any kind isn't being adequately addressed by a pursuit of software freedom. I'd rather have a bunch of community members inspecting and improving the software I depend on than leaving that to one entity whose work is unverifiable. I need software freedom to make that work for me.

J.B. Nicholson-Owens
http://digitalcitizen.info/
— posted 09/28/2008 at 16:44 by J.B. Nicholson-Owens

About the Author

Richard Stallman launched the free software movement in 1983 and began development of the GNU operating system in 1984. He is a MacArthur Fellow and president of the Free Software Foundation.

This is a response to Jonathan Zittrain's Protecting the Internet Without Wrecking It

Other responses in the New Democracy Forum:
Bruce M. Owen
Susan Crawford
David D. Clark
Roger A. Grimes
Hal Varian


Jonathan Zittrain offers his own response to the Forum here.

