By Scott M. Fulton, III, Betanews
Fair warning, everyone: What follows is my opinion. Given the propensity of opinion traffic on the Web, I shouldn't have to say this: It truly is my opinion. Nothing to which I attach my byline or my face has been adjusted or colored in order to more thoroughly polarize my characterization of the subjects I cover, or to agitate your feelings so as to prompt you to post comments.
In fact, in all sincerity, I realized long ago that I'm not a very polarizing figure, I've accepted that fact, and I've come to embrace it. The art of persuasion, I was taught centuries ago, was developed with the aim of getting other people to agree with you. I'd like to get a hold of the person by the tea bags who came up with this notion that popularity must be driven by populism, which in turn can only be generated through agitation, anger, and outrage, hoist him onto a flagpole, and tell him flat out, "Rush, Americans are smarter, more sensible, wiser, and more capable than you think they are or than you would have them become."
So the dozens of you who came into this article expecting the Boston Tea Party may end up being disappointed. This article is not so much to stir up debate as to relieve a headache. For that, you may accuse me of being self-serving, with my permission.
The problem in front of us
There is nothing about the architecture of the delivery mechanism for the Hydraq exploit -- the one that rang alarm bells at Google -- that is so particularly novel that it would prevent Windows users with the requisite amount of everyday vigilance from avoiding it. If what Google appears to be saying is accurate, the original attack was not directed at the general public anyway. Nonetheless, the release of a version of Hydraq's source code by a researcher to the general public earlier this week probably did more to make the general public vulnerable than the original attacker did.
Only in America, perhaps, will you find someone who's not only paranoid of being blown up by a bomb from the Chinese Communist Conspiracy, but has no problems with the idea of divulging how You, Too, can build your own at home and try it yourself.
I'm attaching my latest podcast to this article, and it's directed toward everyday users who may or may not be technically-minded. I invite you to share it with your friends, colleagues, and relatives who may have been alarmed by some of the general press coverage of the Google attack. It talks about a problem and its solution.
For anyone who has become a victim of the Insecurity Hype Machine, as perpetuated by local TV news, they should listen to this latest edition of the podcast. There are days when local TV news is more of a burden than a service: "It's the cold war all over again, this time in cyberspace! Google is saying China is attacking American servers! Are your PC and all your files at risk? We'll tell you in a minute, but first, here's this week's Adopt-a-Cat."
One really big problem we face -- certainly a subject for a separate article -- is that publishers of media of all types do not believe they can capture the public's attention for any longer than a minute without promising you a slice of Armageddon.
Hype is an insipid beast. It inflates the magnitude of the smaller issues facing us, it takes our attention from the larger issues we should be concerned with, and to an unappreciated degree, it thrives on a certain degree of automation. Like a David E. Kelley series, a bit that catches the public's attention one week can be rerun the next week even if it doesn't fit the real direction of the plot. When a security engineer discovered a way that new code engineered to look like old code (so it gets run using a compatibility mode) can pretend to be part of the BIOS so it can bypass the need for privilege to determine how the operating system randomizes addresses using ASLR, the dusted-off headlines last Wednesday (which look about as stupid as yet another kooky "Boston Legal" character) called this a "14-year-old browser flaw."
To me, that's like saying an atom bomb is an exploit in the wild for a trillion-year-old flaw in atoms.
We don't do ourselves any service when we fail to address problems for what they are. (Please feel free to cc: the previous sentence to the Democratic National Committee.) A security engineer discovered that code that looks old can be manipulated in a new way so that it bypasses the new restrictions imposed by ASLR. It's a significant defect in Windows -- not in a Web browser, but Windows. But unlike the Google attack, this isn't an active exploit -- not yet. To make an active exploit based on this discovery, someone has to wrap it in the usual "exploit toolkit" package -- probably the same class of package in which Hydraq was deployed. And thanks to the irresistible urge among some certain individuals to make problems public rather than fix them before they hurt the public, Microsoft must now race against the usual Boys in the Basement to produce a fix before someone six or seven or eight days from now produces a "0-day."
Regardless of the sophistication of this newfangled method for tearing old code down, the method itself cannot be enabled unless we let our guard down -- unless we turn off the very feature (ASLR) that the method is designed to defeat. It's like a bomb for a bank vault door that only works from the inside of the vault. Say what you want about the stupidity of Windows architecture throughout the 1990s, but a bomb that can only blow the barn doors off a barn whose doors are already open, sounds like something from a Bugs Bunny cartoon.
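The point above is that ASLR only protects a process when the code loaded into it actually opts in. Whether a Windows executable or DLL does so is recorded in the DllCharacteristics field of its PE optional header, and that is something a defender can check without running anything. The following is an added example, not code from the article; it parses that field with the standard library and reports the relocation (ASLR) and DEP opt-in flags. The sample image it builds is constructed inline for demonstration and is not a real executable.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bit values as defined in the PE/COFF specification.
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,   # 64-bit image can use the full address space for ASLR
    "DYNAMIC_BASE": 0x0040,      # image may be relocated at load time (ASLR opt-in)
    "FORCE_INTEGRITY": 0x0080,   # loader enforces the image's code signature
    "NX_COMPAT": 0x0100,         # image is compatible with DEP (no-execute pages)
    "NO_SEH": 0x0400,            # image uses no structured exception handlers
}


def parse_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image given its raw bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    # e_lfanew at DOS header offset 0x3C points at the 'PE\0\0' signature.
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # COFF file header (20 bytes) follows the signature; SizeOfOptionalHeader is at +16.
    (size_of_optional,) = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24  # start of the optional header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return dll_chars


def mitigation_report(image: bytes) -> dict:
    """Map each known mitigation flag name to whether the image sets it."""
    flags = parse_dll_characteristics(image)
    return {name: bool(flags & bit) for name, bit in DLL_CHARACTERISTICS.items()}


def build_sample_image(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header for demonstration only; not a runnable binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after DOS header
    # Machine=i386, 0 sections, no timestamp/symbols, 96-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_sample_image(0x0140)  # DYNAMIC_BASE | NX_COMPAT
    legacy = build_sample_image(0x0000)    # opts in to nothing, as an old plugin might
    for label, img in (("hardened", hardened), ("legacy", legacy)):
        print(label, mitigation_report(img))
```

To inspect a real file, pass `open(path, "rb").read()` to `mitigation_report`. A module without DYNAMIC_BASE is loaded at its preferred base every time, which is exactly the "guard down" condition the paragraph describes; auditing the DLLs and browser plug-ins a process loads for that flag is a cheap way to find them.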
If this type of stuff -- a stealth remote controller that only works on technology from the last Ice Age, and a bomb that only blows down open structures -- is all that's necessary to make us hoist the flag of revolution and start dumping our Web browsers in the river, then we are seriously overdue for a diaper change.
The problem that should be behind us
Technology platforms evolve extremely rapidly. The methods institutions choose to implement those platforms in their business do not. Sometimes, those methods don't evolve at all.
Microsoft Internet Explorer 6 was engineered and deployed at a time that the company was headstrong, cocky, and assured of its invincibility. At the time IE6 was under development, I asked a product manager what steps the company was taking to educate customers as to the value of the principles it had learned from what had, to that point in time, been the most recent security nightmare, IE5. Microsoft believes customers will take their own approach to security without the company imposing on their will, I was told in response. Right now, we're just focused on making a great Web browser.
When a corporation presents itself as self-assured, arrogant, and pre-ordained as leader of its market, the customer reaction starts to look like the outcome of the Massachusetts Senate race last Tuesday. In fact, when anyone takes on that air, usually the public rejects it. The exception is when the competition really does cower down, in which case, even arrogance becomes a relatively effective tool.
Microsoft's original marketing plan for Internet Explorer was crafted from a position of arrogance, a belief that users will choose the browser that's in front of their face over any alternative they'd have to try installing in its place. That belief was validated. As a result, for IE's first decade, the company had no incentive to improve it. IE's place on the desktop was hard-wired. The challenges before Microsoft did not appear competitive. The browser's reputation for poor quality (among those actually doing the judging, which is a minority) derives from people's expectation that since Microsoft does not have to try very hard to meet its goals, it doesn't.
As Sophos security engineer Chet Wisniewski told me earlier this week, when he tried to move his mom over to Firefox, she called him on the phone in distress wondering where the Internet -- you know, that thing with the big blue "e" -- went.
In the wake of changing circumstances, the continued rotation of the Earth, and the evolution not only of platforms but of people, IE's pre-ordained position on our desktop is no longer set in stone. Especially now in Europe, but moreover all over the world, users are being given a choice -- one which even now too many of them will not readily understand. They'll look first for the big blue "e."
What they'll find in its place is yet another vehicle for the delivery of ideology. In an open market, customers have equal access to the goods and services that compete with one another for visibility and to get their messages across. But ideologists who seriously believe that a pharmacy must devote equal shelf space to every brand of shampoo made in the world or else face fines and civil penalties have successfully morphed the choice of one's Web browser into a human rights issue. Now, by some standards, every underdog will have guaranteed visibility alongside the major players; if you make a browser, a billion people will see your brand even if your product sucks.
Congratulations appear to be in order for those who've flown the banner of "openness."
It was weird enough for us growing up as geeks wearing Atari T-shirts and hoisting flags on our car antennas printed in binary, to find our way in a world of mediocrity. But in recent years, those of us who elevate electronics brand names into the causes of our lives simply because we like to play with toys that blink and buzz, appear to the original homo sapiens genus from which our genetic strain was forked to look not just stupid but unrecognizable as persons. It's no wonder humans aren't so willing to breed with our kind any more.
Eventually, always, inevitably, the public will come to reject arrogance, along with the schemes put forth by arrogant people. Although the humbling of Microsoft has been likened in some circles to the toppling of Saddam, what matters most now is the world we make for ourselves in the absence of an overbearing, dominant player.
It is in that light that we need to trim the whole matter of the Web browser down to size. Perhaps just as humans out there in the real world have come to base certain elements of their personalities on the cars they drive, we who live in Binary-ville believe the message we send to the world is delivered through the browser we use to download Web pages. And the word for that belief is "sad."
Should you dump Internet Explorer? Here's my opinion: There are a lot of nice Web browsers out there. I'm okay with Firefox myself, when it doesn't leak memory like a sieve and crash like an RC car belonging to a kid who's fallen asleep on the sofa. But everyday life is about evaluating and re-evaluating the situation in which we work and live, and making the adjustments we need to make to stay efficient, vital, and relevant. Our lives should be about adjusting to the situations we face, not pledging undying loyalty or revoking support irreversibly from some brand.
You can choose not to use IE without flying someone else's flag of rebellion.
I'm reminded of the folks in my own family generations ago, God rest their souls, working in the oilfields of Oklahoma and Texas, who were dyed-in-the-wool "Ford men," and would not be caught dead even riding in the flat-bed of a Chevy truck for fear of insulting the memory of Henry Ford. Whenever I admired a Camaro or a Corvette, they'd remind me of the duty we owe to the memories of the first great labor union workers whom GM used physical violence to suppress in the 1930s.
We resort to brand loyalties and cause célèbres not because we're innovators, but because we're getting too old and set in our ways. We begin fighting and chanting and arguing on behalf of causes that have already died, and to protect assets that, in the light of day, aren't all that important. Internet Explorer could change tomorrow, and become the most efficient, feature-packed, and secure browser ever made. If we want to stay fresh, vital, and relevant to the times in which we live, we need not only to paste the word "CHANGE" on our campaign posters, but we need to do some of it ourselves.
Copyright Betanews, Inc. 2010