Here are a few signs that you might be doing crypto the wrong way:
I expect to have more signs later.
A tale to chill the blood of developers everywhere: “My IDE ate my source code” [For non-developers, “IDE” means “Interactive Development Environment”, and is how developers like to edit source code.]
My attention was drawn to the line “I’ve been using Borland IDEs on and off for the past 17 years or so, and nothing like that has ever happened before.”
Quite frankly, I gave up using Borland IDEs oh, a little over ten years ago, because the IDE I was using did exactly that – ate my source code.
I’d typed in a bunch of new code, and wanted to test it, so I pressed the button to debug my code. Of course, the code crashed, and this being 1995, and on Windows 3.1x, it took the operating system with it.
After I rebooted, it became clear that my last several hours’ worth of work had not been saved. Say whuh?
The Borland IDE of the time would happily compile code without first saving it. [My first thought was “how can it even do that? The compiler works from source files on the disk, surely?”, but I confirmed that you could create and compile an entire application without it ever hitting the disk except as object and executable code!]
[How is this security related? Let’s say you fix a security flaw, and make a bug fix elsewhere. You test the code – the security flaw fix works, the bug fix crashes when you test it. So you reboot, and go make the bug fix in a different place, thinking your security fix is still in place…]
Not only don’t I run your software all the time, but actually I run it about once every couple of weeks.
So why on earth does your software run all the time?
Okay, so this particular complaint is about Sun’s Java, which I use once every two weeks, to sign my timesheet so that I can get paid. It stays memory resident even after I close the web browser that took me to the page. But the complaint could equally well be made against RealPlayer (or whatever it’s called this week), which likes to remain in my system tray (down by the clock) even though I view .RAM files about once every two or three months.
Maybe Java and RealPlayer occupy very small amounts of memory, but when you combine them with every other program whose developers assumed that everyone would be using their software 24×7, you wind up with a lot of memory used by a lot of programs that are all plodding along unused, but stealing a little time here, a little network resource there, and a bucket of memory.
Every now and again, I rebel, and remove a bunch of applications that I rarely use. But then, “rarely” comes around and I have to reinstall because there’s a persentation I want to hear in RealPlayer, or an algorithm demonstration in Java. Then I have to uninstall again (and reboot) if I don’t want to waste my resources.
While I was at Microsoft, every so often the question would arise “how can we do more to prevent users from running all the time as administrator?”
There’s something sexy and powerful about being “administrator”. Suggest taking administrator access away from someone who has it now – say, a developer, or a small business’ financial officer (thanks, Quickbooks!), or a home user (thanks, Turbotax! – by the people who brought you Quickbooks) – and you’ll get thrown the look of an alcoholic who’s just realised that you’ve figured out where he’s stashed his hooch.
Okay, so undeniably, there is power in that account – and that’s the main reason why you should spend as little time with that power as possible. “Power corrupts”, remember, and in this case, the thing most likely to get corrupted, by that power being constantly “on”, is the important data you use to run your business.
In Vista and Longhorn, this has been significantly addressed by use of UAP / UAC / LUA or whatever it’s called this morning.
For some reason, nobody ever took up my suggestion, which was brought on by the observation that my kid thinks the guy with power at his school is the janitor. He has the keys to every classroom, he knows where the secret tunnels are, and how to open up the locked cabinets with the electricity in them. To those of us beyond secondary education (high school), the janitor is somewhat less cool – without him, the school couldn’t function, but we wouldn’t like to do his job unless it was absolutely necessary that we do so.
So, I think that we should rename “administrator” to “janitor”, at least in our minds, if not in our systems.
This highlights that administrator access should only be used when you need to work on the ‘plumbing’ of the system. It’s not really the power-house, and the secret areas to which it has the keys are only the boiler-rooms and fuse-boxes of your system.
Where’s the harm in being administrator all the time? It’s like leaving all those locked cabinets open, for any old virus to abuse as it pretends to be you; it’s like spending time in the boiler room, where you could drop your bottle of cheap whisky and set off a fire that burns down the whole school.
Okay, enough with the analogy, here’s some real reasons why. If you run as administrator, a virus or trojan that you run (and you will run one, one day) will be allowed to destroy not just your immediate files, but the entire system on which you depend, or worse, install extra components that can be used to attack others, or to filch off your private information. If you run as administrator, you will accidentally type a command that deletes an important system setting or another user’s important files.
Do I run as administrator? No. In my job I run as a Restricted User. Not even “Power User” (another bad term that equates to “administrator”). I spend my day as a Security Engineer, and Developer, in Restricted User mode, because I don’t trust that I can detect every virus or trojan, or that I can control my actions sufficiently well not to do something disastrous. At times, it sucks, because there are programs I can’t run (but there are usually alternatives), and features I can’t access (but I can often open them up with appropriate tools and settings). I still can’t debug as easily in Visual Studio .NET 2003 (but the 2005 version fixes this).
There will always be “Elevation of Privilege” attacks, sure, but the answer is not to give up on separation of privilege completely. It’s tricky to right code to use least privilege, because you constantly have to think “what access do I have to this object, and what access do I need?” Again, that’s no excuse for doing the wrong thing. Any time you see a company whose software insists on unnecessarily running as administrator, think to yourself “I’m running a tool that is written by people who haven’t learned anything new since at least 1995”.
Great – hot on the heels of a WMF vulnerability (“why does Microsoft keep having buffer overflows when the rest of the industry doesn’t?”), we get a TGA/TIFF/QTIF/GIF/media-file overflow vulnerability in QuickTime – the warning seems almost designed to get lost in the noise surrounding Microsoft’s regular updates – but that would be a cynical view.
When I visited the page referenced above, which is at Apple’s own site, I could not find a link to the patch, or to download the current version of QuickTime for Windows. I’ve been doing this “computer thing” for a couple of decades now, and so has my cube-neighbour, who went looking for it as well, without success. [Hopefully Apple will read this, and edit the page so that by the time you read this, the link is prominent and obvious, but if you can’t find it, read on…]
You can find the current version of QuickTime for Windows at http://www.apple.com/quicktime/download/win.html
Finally, yes, the version of QuickTime at the Apple download link is 7.0.4, which is supposed to include the patches against remote exploit through image vulnerabilities.
The main thrust of this rant has been that this is really not so useful in terms of a security update – but there’s a subtle theme throughout – in order to get a tool that I want, I have to install and then remove a tool that I don’t want. Bundling is a fine tradition – and if Apple was to bundle QuickTime and iTunes such that iTunes was required, I’d simply refuse to watch .mov files. But this method of bundling – requiring it be installed, but allowing uninstallation afterwards – seems to be more like punishing people who want to view QuickTime format movies.
Programmers are, by nature, a very arrogant bunch. We know this – and it comes from the nature of what we do. In our own little world inside the computer, we are a god.
For this reason (and perhaps a few others), it becomes very easy for us to forget to think outside of our little world, and remember that we are also acting as servant to the people that own the box we’re writing our software for.
This is particularly true of developers of off-the-shelf software, who spend next to no time actually dealing with the people that use, or will use, their programs.
So, I’m going to start a topic on the arrogance of developers.
My first example is multiple – Real Networks, Apple Quicktime, and several other programs insist on placing their icons on the system tray – down in the bottom right-hand corner, with the clock.
Now, if these were just icons, that would not be such a bad thing – after all, your system is littered with icons that represent shortcuts, data files, executables, and so on.
Unfortunately, the icons in the system tray are special. Each one represents a running program. Each one is placed there by a programmer who believes that his or her program is so important to all users that it should remain permanently running.
Me, I play a Quicktime Movie, or a Real Audio file, about once every couple of months. It can be a month or more before I notice that the icon is on my system tray, taking up time, communicating who knows what, and exposing goodness knows how many application-related flaws to the Internet.
So, a plea to developers – unless your software positively requires to be run all the time in all its possible installation modes, make it go away when I’m done using it.
No offence, but I’m just not that into your program.