Geoff Chappell - Software Analyst
There was a time, round about 1999, when I entertained some hope that the computer security industry might welcome methods for studying software without having to execute it. Especially at the occasional suggestion by Richard M. Smith of problems that might benefit from more than passing attention, I did investigate a few threats, mysteries and abuses.
I particularly liked looking into the abuses, since a recurring theme of my interest in software is consumer protection. The software industry takes advantage of consumers, mostly because it can. Much of this is not deliberate and is even relatively innocent. With so much commercial pressure for mass production of what is essentially still a hand-crafted product, some slippage in rigour is only to be expected all round. Even with all the ideals that one might want for precision and vigilance, outcomes are inevitably not at the standard that they might be. Errors and vagueness at this website are testament to that!
Yet everyone must suspect that sometimes there is more to it. There is just so little risk of being caught. As much as it is human nature to slack off, it is also human nature to see an opportunity and exploit it. Even if errant behaviour in the product is demonstrated beyond dispute, software companies say what they want by way of euphemism, excuses and even outright denial. And sometimes, perhaps not often, but certainly sometimes, they actually do plan a mischief—and plan to get away with it through the euphemism, excuses and denial that work so well even when not planned.
This certainly was true for the investigations I did in 1999. Though they were fun, and even seemed important at the time, only one ever got written up for my old website, and I have updated it here: America Online Exploits Bug in Own Software. Another that was at least as interesting was written up by Richard: The RealJukeBox monitoring system. Note that in both issues a software manufacturer was caught in a lie, denying some alleged behaviour that compromised a computer’s security or its user’s privacy. To my knowledge, neither manufacturer was ever called to account for this dishonesty in any meaningful way.
Having seen such abuse and, as importantly, that nobody much cares to stop it, I was then not much interested in computer security for many years. My specialty is in the efficient extraction of the last details that anyone might conceivably want for proof. In an industry where that goes nowhere, my skills and interests just don’t make a good fit.
An investigation for computer security is primarily concerned with identifying a threat, having people confirm it by reproducing the observations, and then devising some means to defeat the threat or at least deflect it. Though it seems to be everyone’s habit to throw around words like “in-depth” and “comprehensive”, the fact is that commercial interests just don’t run as far as getting the sort of detailed explanation that I aim to produce. Instead, on seeing something bad, a security company builds recognition of it into the next round of security products, or brings the loophole to the attention of whoever makes the susceptible program or operating system, and they build a solution into their next version. Either way, upgrading is encouraged, the something bad has been turned into something good, and everyone moves on.
To me, this does not seem an entirely commendable process. It may be the best that is practicable with the resources that are most readily to hand, but it also smacks of convenient dealing in matters that are rife with conflicts of interest. Of course, I am a self-interested agitator and I also have to admit that I nowadays feel confirmed in what I used to think were merely prejudices. Without going so far as saying that anti-virus manufacturers, etc, play both sides of the fence, I can’t help noting that the natural symbiosis between those who threaten and those who would defend is unnaturally strong when it comes to computer software.
When it comes to abuses, the part of the software industry that devotes itself to computer security is possibly worse than the industry as a whole, because they justify their own bad behaviour as being necessary compromises in a good cause. Indeed, they don’t so much justify it, as take it for granted or overlook it, or anyway never admit that there might be reasonable concerns about what they do.