The Active Network

Amazon.com

Rotten Software: What's the right policy?

January 4th, 2000

Face it, software simply rots. It's organic. It's unstable. You can't trust it after it's been "on the net" too long. Unfortunately, you can't just keep it in the refrigerator like last night's leftovers.  It's not that the bits lose their "flavor" overnight; the ones are still ones and the zeros are still zeros!  But as surely as night follows day, the popular, non-trivial software you bought last month is less reliable and more subject to attack today.  Here are a few of the reasons:

  • New applications assume your PC functions "as designed" and trip over device firmware or driver bugs that slipped through testing and were not visible when using older applications (see my IBM Aptiva story below); 
  • new work habits (e.g. email with embedded HTML, using Web Servers as document repositories, software handling meeting scheduling and other secretarial tasks, etc.) place new demands on old systems;
  • new "security flaws" are discovered and publicized, increasing the risk your system will be compromised.

Consider my Christmas present.  Last June I ordered Linux Mandrake "Power Pack 6.0", paying about $50 for the CDs.  (Heck, I didn't have RoadRunner then.  That's why I paid so much for "free" software.)  Then my wife gave me Linux Mandrake 6.5 for Christmas having paid $29 at the local Barns and Noble!  I started to take it back when I noticed virtually every "product" in the package had gone up by at least one minor version number during the 6 months the original box had been sitting on my shelf!  So much for the "stability" of Linux, even though it is, in essence, based on a 25 year old design!

Consider Windows 98:  I have 6 PCs in the house and 2 more away with kids at college.  Five of these 8 run Windows 98, updated last summer to "Second Edition".  The Millennium edition is due out this spring, but rather than waiting, I run Windows Update fairly regularly on the PCs that my wife and I use most often.  

I just checked the Windows Update history on the OFFICEPC machine.  This is a K6-2 with 128 Meg serving as the home LAN print server, my wife's PC / graphics terminal, and local web server for Front Page 2000 development.  In addition to the printer, it has a scanner, video capture card, graphics tablet and voice recognition software.  It's on all the time as a print server and I can't remember the last time it crashed.  Windows Update history goes back to July, 1998.  Since that time, nearly 100 update installations were performed, some two dozen being security critical and the rest being feature enhancements or add-on installations.  

Am I crazy to so blindly trust Microsoft?  Well, I DON'T trust the corporation!  I trust that developers at MS are just like the developers that worked with me in AT&T: they all want to run with the latest software and personally know the developers responsible for each update.  Hence the most stable and best supported version of any OS is the one the developers are using themselves!  That's why I'm so satisfied using Windows Update!

Consider my oldest daughter's IBM Aptiva E2N.  I bought this 18 months ago for her to go to college.  It came home at Christmas for Dad to fix.  Her brother had installed a collection of "jukebox" and MP3 players, shortly after which the CD-ROM disappeared from the configuration.  Before looking into the hardware, I used Windows Update to install all missing critical and recommended updates.  Still no joy.  Then I noticed the "IBM Internet Update" wizard in the start list.  This is IBM's automated update tool for performing the hardware-specific updates that Windows Update doesn't handle.  The wizard analyzed the PC and checked with the IBM support server; it reported 16 updates had been released since we bought the PC.  These included two BIOS firmware updates, a CD-ROM firmware update, and updates of drivers for the IDE controller, the CD-ROM and the modem.  I let the wizard work it's magic and the problem with the CD-ROM was solved.  Even firmware rots!

As a final example, consider the web support for the McAfee virus scan software.  They too are offering automated "update" of scanner and signature files.  Trend Micro's House Call doesn't visibly need a download.  The scan engine runs as an ActiveX control downloaded and digitally certified when you click "Scan Now" on their website.  Keeping your PC safe is more and more a matter of keeping it up-to-date.

The pathology of modern software/firmware rot could fill books, but the fundamental cause is our inability to write perfect software.  As mentioned in last week's article, only trivial software is likely to be flawless; all other claims are likely lies or the result of ignorance.  The easy answer is to continually watch for software updates as suggested.  But.... 

Caution!  The security policy for many large corporations with centralized and bureaucratic IT support often forbids users to update their company PCs.  These are good people supporting a historically correct policy.  Their motivation is to prevent you from introducing software they have not tested, approved, licensed and are prepared to support.  If you company requires you to use Windows 95 because "Windows 98 isn't  stable enough yet," you likely work for such a corporation.  So kids!  Don't do this at work without checking your corporate parents first!

I believe this old "castle, moat and drawbridge" policy no longer fits the needs of the e-World user.  It isolates the user in a world cut-off from new features, new tools, free support forums, free updates, etc.  But most of all, it ensures that the user is running software without the reliability enhancements and security fixes necessary for safe operation.  The IT managers believe they are avoiding trouble by "freezing" applications, systems, networks, etc.  I believe they are locking themselves into the middle ages.  In the short term, they may save money.  In the long term, they are ensuring their support staff is backward looking and out of touch with new technology, their employees are inefficient, all their software includes old security flaws which attackers know well how to exploit, etc.  Most of all, they're ensuring themselves of rising costs as their technology becomes harder and harder to support, followed by a massive conversion and retraining cost when the pressure for technology upgrade becomes irresistible.

Their security depends upon traditional firewalls, increasingly poked-trough with holes as employees try to get access to outside services they learned about at home.  At the same time, study after study shows that the serious damage is usually done by the disgruntled or criminal employee behind the firewall.  Frankly, isolationism is dead.  Military tactics abandoned fixed defensive positions early in WW-II and switched to a dynamic defense strategy.  It's long past time for a much more dynamic approach to information security.

The alternative is to focus more on holding users, vendors, employees and corporations accountable for what they do via the web.  We currently try to prevent people from violating the rules, often interfering with much that is good and seldom blocking the serious attacker.  That type of mandatory control is necessary in wartime where we can't hold the enemy "accountable".  If the type of e-World we need to develop, people are justly held accountable for what they do and thus regulate themselves.  This is the basis of a successful free society.  A future InfoSec article will begin to focus on what it would take to provide just accountability without destroying personal privacy.

Meanwhile, stay tuned for Thursday's article on Software Development.  In this world where software "product" rots on the shelf, is the software industry in need of a new business model?  As always, comments welcome.

Copyright 2000 Information Security Analysis LLC. All Rights Reserved.
 
http://www.infosecana.com/flinkink


Return To The Flink Ink Section

 

This site is not related to the Microsoft Corporation in any way. Windows and the Windows logo are trademarks of the Microsoft Corporation. ActiveWindows is an independent site. The information and sources here are obtained from series of hard work & research.