Security Pros Are Focused on the Wrong Threats – Bits Blog – NYTimes.com

September 16, 2009

It’s endless! Not only do PC users have to handle constant operating system updates from Microsoft; now the bad guys are focusing more on ancillary software that everyone has, like Adobe PDF Reader and Flash. I seem to get at least one update a week from some type of software – and I try to run a very lean machine.

It is amazing to me that after many years of development these programs are not rock solid. They are backed by large companies with (we hope) the best developers and unlimited resources.

I think part of the problem comes from the features that companies are constantly adding. Originally the PDF Reader was just that – a program to read documents no matter what software produced them. But the companies had to make enhancements to make the documents “active”. They can go out to the web and update information, they can access my computer and so on.

Most people do not need or use those features. All I want to do is read documents that people have published. I don’t want it to do anything clever.

Same for Flash Movies. There’s a limit to the amount of damage a bad Flash movie can do if it is just running in a window on my computer showing me an animated demo or something. But no, Adobe had to make it “active”. Now it is a programming environment with all the attendant challenges and vulnerabilities.

I am a simple user but I have a computer that can do a lot of damage to others if it gets infected with a virus or worm. It can perform a lot of processing and communicating without me noticing. I need the computing horsepower for Photoshop and Lightroom but it is easy to subvert.

If I were Adobe I would distribute a rock solid “Lite” version of the PDF Reader and Flash Player. It would display documents and animations but that’s it. If users need the bells and whistles they can pay for a Pro version. I bet most of the bells and whistles are for corporate users anyway.

The Lite version would be stable – no more enhancements, ever. It will be a bit boring but I would know I can trust it.

The only development they will do is the minimum to support new hardware. But before it is released it should be tested to the same standards as mission-critical software like flight or nuclear power plant control.

Then Adobe will have an income stream from the Pro version and maybe more of an incentive to make them solid. As it is, it’s way too easy to fix a problem by doing yet another point release and asking users to download it.

In my day (a Mister Fredrickson phrase) it was very expensive to update software with bug fixes. They had to be distributed to customers on a tape. Thus we designed software conservatively and tested the heck out of it before releasing, as we knew bug fixes would be very expensive. I think we had the mindset that critical bugs were a firing offence.

The ease with which the Internet enables update distribution is a two-edged sword. I think it encourages developers and testers to let their end-users do the testing.

I don’t want to single Adobe out for criticism. I am tired of weekly updates to Mozilla Firefox too. Each one is touted as the safest, most secure browser available. You said that last week! And the week before!

Firefox 3.5.2 Update - 4th September 2009

Note how I have to be concerned about my browser extensions and themes too – not just the browser. They all come from different vendors.

Firefox 3.5.3 Update - 9th September 2009

I’d like a rock solid web browser too. One that just displays web pages circa 2002 and does not purport to be yet another “platform”.

(Full disclosure: I think my software development career went downhill after I agreed to work on platforms rather than useful applications, so maybe I am biased.)

I guess one problem is that too many bright programmers are working for the bad guys and not for the boring corporations that make the applications they attack.

Back to Adobe. It is interesting that their major applications like Photoshop and Lightroom are on a much slower update cycle. Maybe once every six months. It seems to be a different world for those development teams.