Saturday, August 29, 2009

The Weakest Link

The latest Twitter security vulnerability emphasizes one of the hardest parts of making things safe: the weakest link. It's more than just one of those many game show ideas. It is an important "common sense" concept: as the old adage says, a chain is only as strong as its weakest link.

In our case, the software we use is now highly interconnected. We don't build systems from the ground up. We rely on software built by others to make it work. There are operating systems, compilers, databases, browsers, networking stacks, libraries, etc., and those are just the major categories. More importantly, the lines between these categories have blurred.

Twitter is a great example of this. At some level Twitter is an application hosted on some set of servers in the cloud. This is why it was subject to the Denial of Service (DoS) attack that affected it recently. Like many network applications, it can be (and often is) accessed via HTML using a browser. Thus, Twitter is subject to all the flaws present in your browser, and any pages it serves up can trigger those flaws. Like many HTML applications, the rich interactive interface cannot be served up by HTML alone, so browser extensions like JavaScript are used to program features not present in raw HTML. That introduces a whole new layer of flaws that can be exploited. Moreover, that rich content often uses other extensions like Flash players that we have to download onto our computers, which is a very rich vein of flaws to exploit.

The potential weaknesses don't stop there. Because web pages get traversed by "spiders" like Google looking for content, they have to be sophisticated to help defeat those who "game" the system doing "search engine optimization" (SEO) and attempt to get all our searches directed to their pages. Those pages can be legitimate, or they can be malware (i.e. pages that get us to download fake versions of a Flash player, which is really a virus), pornography, or a scam. Twitter turns out to be particularly sensitive to attacks by malicious web pages because it allows "applications" to enter web pages into the system, and it then runs those pages on your computer.

That vulnerability turns out to be the new weakest link. It means just by running Twitter on the web you can be "sent" to a web page that you have never clicked on--a malware writer's dream.

The bright spot in this particular cloud is that when you read your tweets with an application like TweetDeck, you don't have quite as rich an experience and it doesn't send you to the web page. Therein lies the protection.

Eye candy such as animated web pages does make for a very compelling internet experience and has let companies like Google offer web-based applications that are slowly breaking the control of the desktop away from Microsoft. However, this rich experience has come with a very high price. The bazaar we inhabit on the web has not only a wide variety of goods at very cheap prices but also pick-pockets, con-men, drug lords, and all the other undesirables.

A less "rich" experience would make us safer. Certainly, I love playing Sudoku on my computer, but I fear getting addicted to a Twitter version of some immersive reality game, where behind my back many different hidden transactions are occurring, downloading and uploading all sorts of things I don't know about and can't control.

For that reason, for a long time, I kept my email off of servers like Hotmail and Google and read it through a text-only service (on an unpopular architecture) where, to read a MIME message, I had to manually copy the file to a different location and run a special program, which then put the text somewhere I could read it using a different program. If that sounds inconvenient, it was, but in all that inconvenience was safety, because breaking any one of the links did not break the whole chain. Unfortunately, like everyone else, I slowly succumbed to the siren call of the rich and simple internet experience. My work email is in Microsoft Outlook and personal email is on Google. Those services are more protected than they were, but I am still vulnerable like everyone else to any flaws in them.

Therein lies the crux of the problem to me. To fully participate in this world, especially to take advantage of what's new and exciting, one has to expose oneself to a whole variety of software built on long chains of links, each of which can be broken, and over which one has little or no control. Even though most messages I send and receive are text, I can't go back to a simple text-only world. The interconnections and dependencies have grown so strong that even to send plain text I need to participate in a much more complex ecosystem of interacting applications doing things for me automagically, often without my knowledge or asking my consent.

In that way, it is surprising that we don't suffer more infections and breakdowns. However, I attribute that to the fact that most people are actually honest and honorable, and as a result we can keep some reins on the attacks we are subjected to. That inherent honesty is an aspect of human nature that helps blunt all the bad aspects, and it is why in most cases we can depend on there always being security researchers like David Naylor who find the flaws in our software and don't exploit them, but instead attempt to get them fixed by posting blogs with advice before someone does exploit them and this is not just an icon.
