| Home | Table of Contents | Please view with Internet Explorer (version 5.00 or higher) and enable scripting. For reasons, see Browsing This Web Site. |
There was a time, round about 1999, when I entertained some hope that the computer security industry might welcome methods for studying software without having to execute it. Especially at the occasional suggestion by Richard M. Smith of problems that might benefit from more than passing attention, I did investigate a few threats, mysteries and abuses.
I particularly liked looking into the abuses, since a recurring theme of my interest in software is consumer protection. The software industry takes advantage of consumers, mostly because it can. Much of this is not deliberate and is even relatively innocent. With so much commercial pressure for mass production of what is essentially still a hand-crafted product, some slippage in rigour is only to be expected all round. Even with all the ideals that one might want for precision and vigilance, outcomes are inevitably not at the standard that they might be. Errors and vagueness at this website are testament to that!
Yet everyone must suspect that sometimes there is more to it. There is just so little risk of being caught. As much as it is human nature to slack off, it is also human nature to see an opportunity and exploit it. Even if errant behaviour in the product is demonstrated beyond dispute, software companies say what they want by way of euphemism, excuses and even outright denial. And sometimes, perhaps not often, but certainly sometimes, they actually do plan a mischief—and then cover with euphemism, excuses and denial.
Though these investigations were fun, and even seemed important at the time, only one ever got written up for my old website, and I have updated it here: America Online Exploits Bug in Own Software. Another that was at least as interesting was written up by Richard: The RealJukeBox monitoring system.
I have not been much interested in computer security since. Mostly this is because my skills and interests turn out not to make a good fit. An investigation for computer security is primarily concerned with identifying a threat, having people confirm it by reproducing the observations, and then devising some means to defeat or at least deflect the threat. Detailed explanation is rarely wanted. Something’s bad. You build recognition of it into the next round of security products, or you bring the loophole to the attention of whoever makes the susceptible program or operating system, and they build a solution into their next version. Upgrading is encouraged. The something bad has been turned into something good. Everyone moves on.
To me, this does not seem like an entirely commendable process. It may be the best that is practicable with the resources that are most readily to hand, but it also smacks of convenient dealing in matters that are rife with conflicts of interest. Of course, I am a self-interested agitator and I also have to admit that I nowadays feel confirmed in what I used to think were merely prejudices.
Without going so far as saying that anti-virus manufacturers, etc, play both sides of the fence, I can’t help noting that the natural symbiosis between those who threaten and those who would defend is unnaturally strong when it comes to computer software.
When it comes to abuses, the part of the software industry that devotes itself to computer security is possibly worse than the industry as a whole, because they justify their own bad behaviour as being necessary compromises in a good cause. Indeed, they don’t so much justify it, as take it for granted or overlook it, or anyway never admit that there might be reasonable concerns about what they do.