Don Marti

Fri 16 Sep 2005 10:28:34 PM PDT

Should computers just work, or should users have freedom?

Seth Schoen brings up the point that a nasty alternative to user education is "paternalism"— putting in strict Code-Is-Law-o-logically enforced rules to allow a user to run only certain software, or to limit untrusted software to certain contexts.

That's fundamentally scary. I'd rather see every computer in the world out in a dumpster with an incurable spyware infection than one podcaster prevented from sampling one sound bite with one modified sound driver. My computer, cold dead hands, and so on. Seth, if it's really a choice between user education and top-down control, put me down for user education.

But the paternalistic route puts the network in just as bad a security situation, or worse, than the current mess. I know people get tired of me blaming Macromedia Flash for all the evil in the world, but let's blame Macromedia Flash. Users get used to "You need to install the new version of the Flash plugin to view this", and they're clicking through that EULA, then the "you need an updated driver" EULA, then the Claria EULA. Pwn3d!

Perfectly useful software, funded by perfectly legitimate investors, carries Claria's spyware payload. (Oh, sorry, "behavioral marketing".) So, is there any chance that this king of the security risks is not going to get a slot on that Master Approved Software List? Any trouble, they'd have lawyers on it and get whatever blessing they need.

But what about all the lawyerless attackers, the "Dear user of mail system, you have a virus, open attachment for details" attacks? The Master Approved Software List wouldn't cover them, and they're not presenting a EULA at all.

And you can't build a security system that can tell the difference between user A, who has been tricked into visiting a web server running on a virus-infected PC to download a piece of malware, and user B, who has decided to visit an independent developer's site to download a new utility for snipping Fair Use excerpts out of media files.

Any Master Approved Software List is fundamentally bad and scary. It's obviously bad for freedom, and from the security point of view, it's likely to let more of the industrial-strength, lawyered-up spyware in, since the very presence of the Master Approved Software List would lower any remaining user resistance to new software installs. Score one for industrial-strength spyware.

What the Master Approved Software List does do is keeps lawyerless social engineers out by excluding software that does bad things security-wise--right? Not exactly. The Master Approved Software List has been tried before, with the XBox. Remember "007: Agent Under Fire"? Was it a game that happened to have a security hole, or a devious plot to take control of millions of XBox consoles?

Seth raises the point that software could be approved to run in an insecure context only. That won't fly from the spyware vendor's point of view. Remember the "spy" part. "Excuse us, security people, we're doing behavioral marketing here and we can't even peek at the user's Wells Fargo transactions and instant messenger buddies with the user's explicit permission? Hook us up with some total information awareness or we'll see you in front of a judge on Monday morning!"

Now imagine every application developer in the world, with code in all languages and at all quality levels, queued up to get on the Master Approved Software List. Will the vendors of " Power RSS Aggregator, Sales Manager Dashboard and Discussion Forum 8.9 Pro" settle for a "sandbox-only" approval? No. Does their SMTP engine allow relaying? Is it possible to split it out, package it up and send it out as a nice social-engineering-ful attachment? I don't know, but I have a feeling we'd all find out on the same day.

Awkward example, but the software marketplace is huge, and anyone qualified to be a "second pair of eyes" to approve software for the Master Approved Software List is already the "first pair of eyes" on his or her own software package. Master Approved Software List approval would either be meaningless—"this MD5 hash is warranted legit by two random developers in a garage"—or would crush the software industry for your platform, except for mega-market packages that could afford a real approval process.

Crush the software industry for your platform and all those "developers, developers, developers" go write on another platform. Fail to crush it and you give everyone a false sense of security, and things just get worse.

The ultimate answer will have to involve more user freedom, not less. As Karsten Self writes, "adware / spyware / malware is the logical outcome of the competitive, proprietary software market of the past several decades. The system has promoted cut-throat competition, and by gum, it's got it. This is in marked contrast to a more cooperative model adopted elsewhere." Users are vulnerable to security risks not because they're insufficiently "educated" but because the IT industry has "educated" them to click through software installs and other counterintuitive, scary things in the first place. How many computer training classes start with "Just click OK on the license agreement and we'll get started"?

Automatic removal is not the answer, either. No matter what a spyware removal vendor does, a spyware EULA can prohibit users from taking advantage of it. Any spyware removal program that starts to make a dent in the problem is cruising for a lawsuit. ("Tortious Interference with Contract?") The only solution to spyware is not to enter into the nasty contract to begin with.

So we're stuck having to support users who aren't appropriately "educated", but are in control anyway. Seth quotes Doug Gwyn, who said, "UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things." Here's Raph Levien: "this would, of course, be the most Unix-like way of doing things - provide an incredibly powerful array of tools for solving problems, but don't go 1/200th of an inch towards making them do the right thing by default." Doing the right thing by default does not have to, and shouldn't, stop the user from doing clever things when he or she really wants to.

Finally, two recommendations.

A screenful of legal mumbo-jumbo is counterintuitive and scary. We shouldn't break a human being's healthy instinct not to have anything to do with it by teaching the person to click "OK".

Running new software—including a self-extracting archive— should have a different UI from opening a file using known software. The Macintosh got a lot of UI things right long before its time, but this one no longer applies. If you have software that can extract archives and interpret the file formats people send you, and you can make a transaction-cost-free request to an update service for more, installing random software that people send you doesn't need to be as easy as opening a file.

Anyway, there has to be a sensible middle ground between between "click here to let someone take over your computer" and "No software without approval of Higher Authority."

Jakob Nielsen writes, "Heavy user testing and detailed field research are a must." This is a hard problem, but my intiution is that freedom-centric development efforts will be in a better position to solve it first.