Wednesday, March 17, 2010

Caveat venditor

I've just been reading perhaps the most thoughtful essay I've ever seen come out of a Microsoft source. It describes why computer security is a waste of time.

Not "waste of time" in the normal colloquial sense, that it does no good. "Waste of time" in the strict economic sense, that the costs (in time) associated with basic security measures outweigh the plausible economic benefit. Basically, if (in any given year) 0.1% of computer users suffer direct monetary losses averaging $5,000 to computer-based fraud attacks, then the expected benefit to the average user of protecting themselves from such attacks is $5.00 per year - or, about half an hour of time at a low wage. Since it's impossible even to read the current set of security advice, much less implement it, in so little time - and since it provides no guarantee of safety anyway - most users, quite rationally, ignore it.

The paper goes on to dissect three popular "security" provisions: password rules (password expiry "will help only if the attacker waits weeks before exploiting the password"), user education about URLs ("a user who conscientiously follows the rules on URL parsing shoulders a considerable burden. The ΔBenefit is that he avoids some subset of phishing sites") and SSL (secure website) certificates ("Ironically, one place a user will almost certainly never see a certificate error is on a phishing or malware hosting site. [...] The rare cases that employ certificates use valid ones.").

Or there's the occasionally-quoted figure that "an unpatched Windows machine connected to the Internet will be compromised within 12 minutes" - the intended message being that you should keep your machine patched. But of course, to patch the machine, you need to connect to the Internet. And it would take considerably more than 12 minutes connected to download the patches on such a hopelessly outdated machine. You could only do it safely from behind a solid firewall - the kind that would make the security patches redundant.

Anti-virus software. What is it good for? It prevents someone else from installing and running software on your machine that you don't want. But it requires you to instal and run - and worse, maintain - software on your machine that you don't bloody want. It protects you from a limited set of types of damage (that might potentially cost you money and time), but it inflicts other costs (in money and time). It updates itself to protect against new threats, but only if you connect to the Internet and thus expose yourself to those threats. (If you haven't connected in a while, your anti-virus will start nagging you to update it - even though "not connecting to the Internet" is far better protection than it can ever offer.)

(Incidentally, most of these objections to anti-virus software also apply to Windows itself.)

The trouble with computer security is that it's been left up to the market. If seatbelts had never been mandated in cars, how many people would choose to pay extra to have them fitted? If there were no government regulation of food safety, how would we think about the steady trickle of deaths from poisoning and disease? Judging by our attitude to computer viruses, the default response would be: "It's their own fault, I always check my Symantec Bacteriograph before eating anything".

The market's solution to such things is not based on making things or people safer: it's based on selling stuff, which is best achieved by making people feel threatened. When the question is about safety, "the market" is not only not the best answer - it's quite possibly the worst.

It's probably too late, now, to try to impose seatbelt laws and driving-license requirements on computers, as well as being way beyond the competence of any government anyway. But there's nothing to stop us passing laws that put the costs where they belong: on the people who sell crappy software. Everyone who sells software should be directly liable for any damage occurring to its users as a result of security holes in that software, and there should be no disclaiming of that responsibility, no matter what contract the buyer signs. After all, it's no more than we expect of people who sell cars, or food, or electrical goods, or drugs.

Of course there are problems with vendor liability (how do you decide which piece of software was at fault? what do we mean by "selling" software? what about "free" software? what about people who charge you to instal or customise someone else's software?) But these are just the sorts of complications that the industry likes to throw up, to make it seem as if the whole idea is impracticable. In fact, once you get over the sheer number of such objections, it's not hard to come up with simple, equitable answers to all of them. Once we've agreed to the principle, the details will be solved in short order.
