Part 69: Security

October 19, 2012

Nothing much got done this week due to continued health issues. On a good note, I discovered that it wasn't really taking a second of CPU to produce the summaries of modified chunks. I had forgotten to call the initialization for my timing routine. The initialization records the granularity of the high resolution timer. Without that call, it defaults to something useless. Once I did the timing properly, I got a time of 5 milliseconds... much better and not a problem to do every time a block is added.

This week I was looking at the Windows 8 release announcements, and got annoyed by the whole Windows Store being added by Microsoft. I understand that companies want to be in the "publishing" business, where they own the distribution channel and can rake off 30% for listing your app on a website. The question is why this situation persists and has worked so well for Apple. I think it comes down to the problem of computer security.

During my programming career, from 1975 to 2005, I was never part of a team that built any security features into a system. I had some exposure to what customers wanted when I did contracting, but otherwise, what follows is based on my experience as user and programmer, not as a security expert.

Some History

Back in the beginning, there was nothing to worry about. The computer was a mainframe in its own dedicated machine room, and all programs were run either by programmers or by system administrators. They knew what they were running and didn't worry about malicious software.

On those early computers (pre-1960) the machine only ran one program at a time and had no persistent storage other than tape drives or punched cards. There was nothing to steal and nothing to corrupt. The worst that could happen is that your program failed to run and wasted some machine time.

"Timesharing" was initially a way for the expensive computer to run more than one program at a time. There had to be some minimal security to keep bad programs from crashing the operating system or interfering with other programs, but that was it.

Eventually mainframe computers had typewriter-style terminals connected to them (sometimes hundreds at a time) and had hard disks. Users were authenticated with a userid and password, just as today. There were user files that had to be protected, and worries about unauthorized access.

The threats still didn't come from malicious software. For one thing, a big commercial mainframe probably only ran the software installed by system administrators. Unless programming tools were installed and made accessible to users, there was no way for a user to create a new program. Threats were confined to clever uses of system commands.

Academic systems used by programmers were different (Unix systems pretty much always had compilers available to users), but even there, the software was explicitly run by users or administrators and was pretty much a known quantity. The exceptions were things like student pranks.

This environment persisted up to the creation of the internet, and motivated some assumptions about security that turned out to be trouble later:

  1. Systems designers thought of the user as the source of threats. Good users just did their jobs and tried not to break anything. Evil users tried to break into systems and steal files.

  2. Users all knew what programs they were running. If a program did something bad, it was because an evil user was misusing it, or had written a tool for his evil plans.

  3. Programmers wanted to be able to make the system do whatever they liked. They didn't want the system telling them "no" all the time. It was fine for the operating system to protect itself against bad code, but if the user wanted to run a program that deleted all his files, then he should be able to do that.

You can see the effects of these assumptions in our current systems (which are all similar to 1970s Unix). The user logs into the system and is authenticated. The OS will run anything the user tells it to run. A program can do pretty much anything it wants.

There is some security in the OS, to protect the OS itself and the files of other users. But in practice, programs can evade these restrictions if the programmer was clever enough to defeat the OS.

The Internet

The internet changed the threat model and made all of those assumptions invalid. Every time someone visits a web page with a script on it, they are running an unknown program. Every time a user opens an email attachment, they are running an unknown program. Even if the user uses all good programs, looking at unknown data could expose him to threats. The data might corrupt the viewer, using it to add new code to the system and take it over.

The problem here is that the OS is still authenticating the user, and assuming he knows what he's doing and means to run all these programs. In reality, the user is some clueless consumer who has no idea what programs he's running.

Part of the industry response has just been BS -- "if you people would stop visiting porn sites and running email attachments, we wouldn't have viruses!" That's also been the attitude of most programmers. Many of us make these kinds of statements, sigh at the stupidity of ordinary users, and swear that we never get viruses, because we know what to avoid.

The next industry response was antivirus programs -- basically a sophisticated "black list" that keeps you from running programs known to be malicious. Most people are still putting up with this, and companies are still thinking of this as "good security". Some organizations just forbid users from installing any new software on their machines.

I think it's widely understood now that antivirus programs don't really work except against the crude "script kiddie" threats. The more sophisticated attacks on the net now just aren't spotted by antivirus programs. In any case, the antivirus approach is essentially reactive. The AV company has to spot the threat and change their product to recognize it. They can't do this until the virus is already infecting machines.

App Stores

When Apple created their App Store, they were solving this problem with a "white list" of approved programs, not a black list. They knew that phones were consumer appliances, and they just couldn't afford to let people run unverified programs. Phones would be crashing all the time and their support people would be overwhelmed. If bad software started to use the network to spread itself, consumers would be hit with unexpected bandwidth charges and blame Apple.

For consumers, the App Stores have worked well. They get a variety of programs and haven't had to put up with viruses. For Apple, running the store means getting a huge cut of all the sales there for next to no work. Just requiring sellers to have a name and address and pay money to list something on the store weeds out all the pests.

Since this has been so successful for Apple, it's natural that Microsoft would go the same way. From their point of view, it's money for nothing and has no problems.

The cost of this approach is to developers. I can't just put out demo programs for the iPad or other tablets. I would have to get each release of my demos approved by Apple, Google or Microsoft.

On the PC, you can run anything you download, although Windows will prompt you to confirm first. OSX wants you to go to the System Preferences and downgrade your security on the whole system just to run a single downloaded app. I suspect that's one reason why so few Apple users have run my demos.

The other problem is that the stores restrict the kinds of programs you can write. The Windows Store approval process requires that

   5.1 Your app must not contain adult content.

   5.2 Your app must not contain content that advocates discrimination, hatred, or violence based on membership in a particular racial, ethnic, national, linguistic, religious, or other social group, or based on a person’s gender, age, or sexual orientation.

   5.3 Your app must not contain content or functionality that encourages, facilitates or glamorizes illegal activity.

   5.4 Your app must not contain or display content that a reasonable person would consider to be obscene.

   5.5 Your app must not contain content that is defamatory, libelous or slanderous, or threatening.

   5.6 Your app must not contain content that encourages, facilitates or glamorizes excessive or irresponsible use of alcohol or tobacco products, drugs or weapons.

   5.7 Your app must not contain content that encourages, facilitates or glamorizes extreme or gratuitous violence, human rights violations, or the creation or use of weapons against a person or animal in the real world.

   5.8 Your app must not contain excessive or gratuitous profanity.

I honestly don't know how they are going to ship a lot of games with some of these restrictions. I also don't know how you can write an MMO with text messages between users, or any app that allows user-submitted content.

On the other hand, I understand the legal problems. If Microsoft is going to run a store and bless applications, it's going to be at least partly legally responsible. If it let all virus-free applications be sold, it would get into the same issues that Google has with YouTube. People will sue, so they've taken the easy way out. Just make the whole platform safe for 12 year olds and the easily offended!

Another problem is this clause:

   3.9 All app logic must originate from, and reside in, your app package. Your app must not attempt to change or extend the packaged content through any form of dynamic inclusion of code or data that changes how the application interacts with the Windows Runtime, or behaves with regard to Store policy. It is not permissible, for example, to download a remote script and subsequently execute that script in the local context of your app package.

I believe Apple has a similar restriction and it prevents the kind of MMO I want to write, where users can add game logic to the world. Technically it prevents downloadable content or UI skins or anything that would use scripts to extend the function of the app.

Again, I can see the other side. They can't really approve an app if they don't know what it does. If it can be extended by users, they can't review the app as seen by the end user. Downloadable content could be dangerous or offensive and get them in legal trouble.

However, this is discouraging. For example, the biggest use of the net is of course the web, and under these terms, a web browser is not a valid app, since it's extensible and content cannot be reviewed ahead of time.

Finally, both Apple and Microsoft put restrictions on app-enabled commerce. I suppose there could be legal complications if someone thinks they are buying something through the Windows Store, when in fact it's just some app. But I think the rationale for this is mostly greed. Apple doesn't want "Kindle for the iPad" users buying books directly from Amazon and not giving them a cut.

What's At Stake

I could make arguments about openness of the net and say how this is all wrong. It's a throwback to the "walled garden" style of the early online services like AOL. It hurts indie developers and reduces innovation. These App Stores are suitable for a TV-style model, where all the content comes from a publisher. They aren't suitable for a user-contributed social-media world.

Instead of a rant, I think I should just list the various forces at play.

Publishers don't want a wide open user-contributed world. They want to be gatekeepers and extract a huge fee from content creators. This includes not only the legacy music, movies, etc. publishers, but now companies like Apple, Microsoft and Amazon. A world without publishers means they become commodities (hardware, OS, bandwidth) and have tiny profit margins. Or in the case of some publishers, just go out of business.

Governments don't want an open net. They want to be able to shut down objectionable speech and control commerce. The U.S. has fairly strong protections, but other countries don't. Some hate the whole idea. Note the various bits of legislation like SOPA that support legacy publishers and make user-contributed content legally risky.

Users don't much care and won't stick up for objectionable content, even when they like it. They don't want viruses and white listing suits them fine. They don't know what they are missing when some applications are not developed. On the other hand, they do want social media and the ability to publish their own content.

Programmers tend to be more libertarian, and they want to be able to develop code and distribute it freely. But they haven't come up with a serious answer to the security problem because they don't suffer from it much themselves.

Content Creators are just starting to realize the value of an open net without publishers as gatekeepers. I've recently been reading the blog of author Kristine Kathryn Rusch who writes at length about the lousy deal that authors are getting these days from publishers. Creators may realize they don't have to put up with it anymore.

Startup Companies don't want a lot of middlemen between them and the market. Although companies have always paid for distribution, they controlled what kind of distribution and advertising they did. I expect them to find the new gatekeepers annoying to deal with and push back against these terms. Companies have more money and clout than individual creators. In particular, they can afford lawyers and to shop around between publishers.

The Future

The current situation is very unstable with all these players competing for influence and the rules of the game being rewritten by new companies, new technology and legislation.

In some ways, the open PC platform was an accident. The vendors like IBM or the minicomputer makers would have been content to produce smaller machines for industry with software coming from the usual sources. The hobbyist computer market in the 1980s grew faster than anyone expected, to the point where big companies like IBM had to get into the game.

Vendors made their systems open because they didn't want to spend the resources to write software for them, and had no idea what people were really going to do with the machines. I don't think anyone expected that general purpose computers would be used so heavily for games. The desktop publishing market was also a surprise to most of the industry, as was the Web when it first arrived (people were still betting on AOL-type services very late in the game).

All of these developments favored software from multiple sources. Without the threat of viruses, consumers were happy with this marketplace. Two things have changed in the technology area. One is viruses. The other is the emergence of smartphones and tablets.

Phones and tablets are treated by consumers as appliances, and the last thing they want is to do system administration or application installation. Despite the fancy installers you see on games for the PC, I personally think installation and system admin for home computers is horribly bad compared to what it should be. Along with the virus problem, this has opened an opportunity for these App Stores.

Currently, the tablets aren't running the complex applications, and aren't being used much for content creation. The existence of the PC takes the pressure off tablets to be open. As the tablets and laptops blend together, perhaps this will change. Either people will run unlocked operating systems on their tablets, or perhaps the App Stores will have to loosen up.

The longer an open net lasts, the more pressure it will put on these closed systems. There will be that game or that social media app that won't run on a tablet because it can't get approved. Or more apps will migrate into the browsers where they bypass the publishers. Perhaps open tablet hardware will come along and put pressure on closed tablets.

A new security architecture and system admin model would really be nice. The current approach is based on designs from the 1960s and is nearly obsolete. Reworking that level of system design is impossible for Microsoft or Apple with all the legacy applications they have to support. I'm not sure it's possible for the Linux crowd either, since they seem very wedded to the existing code base. Perhaps we will have to wait for a new system to be created.

Many of you reading this are programmers. All of you are software consumers. If we don't put our foot down on these issues, we're going to see more App Stores and a less open internet. It would be a shame to get rid of gatekeepers in the form of record companies and book publishers just to recreate them in the form of Apple, Microsoft, Amazon and Google.

Topography

Finally, here's my photo for the week, so I can track RSS hits. I've been wondering for a while now if I should just use real world topography for my SeaOfMemes worlds. I could perhaps mix it somehow with procedural landscape. I look at the topography in images like this and I don't think I can match it with what I know of procedural generation.

Near Portland, Oregon