Security Pros Are Focused on the Wrong Threats – Bits Blog –

It’s endless! Not only do PC users have to handle constant operating system updates from Microsoft; now the bad guys are focusing on the ancillary software that everyone has, like Adobe Reader and Flash Player, because one exploitable bug there reaches nearly every PC. I seem to get at least one update a week from some program or other, and I try to run a very lean machine.

It is amazing to me that after many years of development these programs are still not rock solid. They are backed by large companies with (we hope) the best developers and effectively unlimited resources.

I think part of the problem comes from the features that companies keep adding. Originally the PDF reader was just that: a program to read documents no matter what software produced them. But the companies had to make enhancements to make the documents “active”. A PDF can now carry JavaScript that runs when it is opened, fetch data from the web, submit forms to a server, launch other programs and carry embedded files, and every one of those features is parsing and execution code that an attacker gets to drive with a document they wrote.

Most people do not need or use those features. All I want to do is read documents that people have published. I don’t want it to do anything clever. (At least Reader lets you switch its JavaScript off in the preferences; for a machine that only reads documents, that is the first thing to do.)

Same for Flash movies. There’s a limit to the amount of damage a bad Flash movie can do if it is just running in a window on my computer showing me an animated demo or something. But no, Adobe had to make it “active”. Now it is a full programming environment (ActionScript, with its own virtual machine inside the player), with all the attendant challenges and vulnerabilities.
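As an added illustration, not code from the original post or from Adobe: a small Python triage script that reports which of those “active” features a PDF actually uses, so you can tell before opening a file whether it is a plain document or a program. The dictionary names it looks for (/JavaScript, /JS, /OpenAction, /AA, /Launch, /URI, /SubmitForm, /EmbeddedFile, /RichMedia, /ObjStm) are standard PDF keys; the feature descriptions, the function names and the two sample files are my own, constructed inline for the example.

```python
import re
import sys

# Standard PDF dictionary names that turn a document into a program.  The names come
# from the PDF specification; the one-line descriptions are the example author's.
ACTIVE_KEYS = {
    "/JavaScript": "JavaScript action or name tree",
    "/JS": "JavaScript source (string or stream)",
    "/OpenAction": "action executed when the document is opened",
    "/AA": "additional actions (page open, mouse events, form fields)",
    "/Launch": "launch an external application",
    "/URI": "resolve a URI (network access)",
    "/SubmitForm": "submit form data to a URL",
    "/EmbeddedFile": "embedded file attachment",
    "/RichMedia": "rich media annotation (Flash inside the PDF)",
    "/ObjStm": "compressed object stream: may hide any of the above",
}

# A PDF name runs from '/' up to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")


def _unescape_name(raw: bytes) -> str:
    """Undo #xx escapes, so that /Java#53cript is recognised as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count occurrences of each active-content name in the raw file bytes."""
    counts = {}
    for m in _NAME_RE.finditer(data):
        name = _unescape_name(m.group(0))
        if name in ACTIVE_KEYS:
            counts[name] = counts.get(name, 0) + 1
    return counts


def is_passive(data: bytes) -> bool:
    """True only if there are no active-content names and no object streams that could conceal them."""
    return not scan_pdf(data)


# Constructed sample files for the example (not real documents): a one-page document, and
# the same document with an OpenAction that runs JavaScript, with the /JavaScript name
# hex-escaped the way evasive samples often are.
SAMPLE_PASSIVE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SAMPLE_ACTIVE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Java#53cript /JS (app.alert\\(1\\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def report(data: bytes, label: str) -> None:
    counts = scan_pdf(data)
    print(f"{label}: {'passive document' if not counts else 'ACTIVE CONTENT'}")
    for name, n in sorted(counts.items()):
        print(f"  {name} x{n}: {ACTIVE_KEYS[name]}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                report(f.read(), path)
    else:
        report(SAMPLE_PASSIVE, "sample-passive")
        report(SAMPLE_ACTIVE, "sample-active")
```

Run it with one or more file paths, or with no arguments to see the two constructed samples. Two caveats: it normalises #xx name escapes, but names inside a Deflate-compressed object stream are invisible to a raw scan, which is why /ObjStm is reported rather than ignored (it means “cannot tell”, not “clean”); and a clean scan is triage, not proof, so it complements switching JavaScript off in the reader rather than replacing it. The idea is the same one Didier Stevens’ pdfid tool uses.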

I am a simple user, but I have a computer that can do a lot of damage to others if it gets infected with a virus or worm. It can do a lot of processing and communicating without me noticing, which is exactly what a botnet client needs. I need the computing horsepower for Photoshop and Lightroom, but it is easy to subvert.

If I were Adobe I would distribute a rock solid “Lite” version of the PDF reader and Flash Player. It would display documents and animations, but that’s it. If users need the bells and whistles they can pay for a Pro version. I bet most of the bells and whistles are for corporate users anyway.

The Lite version would be stable: no more enhancements, ever. It would be a bit boring, but I would know I can trust it. Freezing features is not the same as freezing patches; the parsing code it keeps would still need security fixes, but far fewer of them, because the attack surface would be a fraction of the size.

The only development they would do is the minimum to support new hardware. But before it is released it should be tested to the same standards as mission-critical software like flight or nuclear power plant control.

Then Adobe would have an income stream from the Pro version and maybe more of an incentive to make both solid. As it is, it’s way too easy to fix a problem by doing yet another point release and asking users to download it.

In my day (a Mister Fredrickson phrase) it was very expensive to update software with bug fixes. They had to be distributed to customers on a tape. Thus we designed software conservatively and tested the heck out of it before releasing, as we knew bug fixes would be very expensive. I think we had the mindset that critical bugs were a firing offence.

The ease with which the Internet enables update distribution is a two-edged sword. I think it encourages developers and testers to let their end-users do the testing.

I don’t want to single Adobe out for criticism. I am tired of weekly updates to Mozilla Firefox too. Each one is touted as the safest, most secure browser available. You said that last week! And the week before!

Firefox 3.5.2 Update - 4th September 2009

Note how I have to be concerned about my browser extensions and themes too, not just the browser. They all come from different vendors, and each extension runs with the browser’s own privileges.

Firefox 3.5.3 Update - 9th September 2009

I’d like a rock solid web browser too. One that just displays web pages circa 2002 and does not purport to be yet another “platform”.

(Full disclosure: I think my software development career went downhill after I agreed to work on platforms rather than useful applications, so maybe I am biased.)

I guess one problem is that too many bright programmers are working for the bad guys and not for the boring corporations that make the applications they attack.

Back to Adobe. It is interesting that their major applications like Photoshop and Lightroom are on a much slower update cycle. Maybe once every six months. It seems to be a different world for those development teams.


5 Responses to “Security Pros Are Focused on the Wrong Threats – Bits Blog –”

  1. Chris Eaton Says:

    As a professional Flash developer, I have to say that for the most part Flash’s security has been pretty well designed and that it is (at least in theory) strongly sandboxed so that a Flash widget can’t interfere with your computer directly.

    However, I agree with your sentiment, and when I was a poor Windows user (I’m now a smug Linux user – and happy) I found the constant barrage draining – especially because as a Technomad I spend a large percentage of my life in places where internet speeds are lower than what seems to be expected of the average user these days.

    Luckily, even in the Windoze world, there are signs of change and openness leading to real choice, and one such example is that of the opening up of the PDF format: I can’t recommend these guys enough for your PDF viewing needs, and philosophically they seem to be talking your language (even if some of their ‘Pro’ packages are beyond what most people would need) –

  2. BKKPhotographer Says:

    Thanks for the tip about the Foxit PDF Reader. Adobe Reader wanted to update itself again last night – multi megabytes over the slow Thai gateway to the internet. And for what?

    I don’t mind if they have a Pro package for those that need it. We can’t tie the industry to the tools that were available ten years ago.

    Maybe it is a bit like the automobile market. I can choose a simple Corolla or light truck that is stable, good quality and easy to fix (but boring). Or I can get a highest-tech BMW or Lexus. I have a choice and understand the tradeoffs. With software, vendors keep on forcing BMW features on Corolla owners.

    Slowly, slowly I have been reducing my dependence on software that only runs on Windows. My last big dependencies were Thumbs Plus (now I use Lightroom) and Microsoft Office – particularly Access. I have migrated from my own Access databases.

    So the next time Windows gives me severe grief it’s “get a Mac” time.

  3. BKKPhotographer Says:

    There was another Firefox update today: version 3.5.3. It never stops does it?

  4. BKKPhotographer Says:

    I was given Firefox 3.5.6 today.

    “Thanks for your time! This update will make you safer on the web.” Just like all the other updates.

    Note the careful phrasing of “safer” – the comparative form in this case is less strong than the root form of the adjective. Nothing will make me safe, but if I download more software I’ll be safer. Geez.

  5. BKKPhotographer Says:

    Firefox 3.5.7 arrived today. 3.5.6 had a life of less than 3 weeks.

