BEHIND YOUR BACK - DANGERS OF UNTESTED CODE.
By Michał Ren
Arguments supporting the following thesis will be presented: anyone using computers is sentenced to using programs and hardware which cannot always be trusted. Because of incompetence or, in some cases, malicious intent of developers, the user is inconvenienced or taken advantage of. Even products of large and well-known companies are not exempt. It is very hard to defend against this, since most commercial IT products are sold “as is”, and there is no possibility of looking through the code or blueprints and testing them.
Computer technology today makes work simpler, faster, and more effective. We have seen it become more and more mature, and accessible to larger numbers of users. Every technological field follows this pattern. As ease of use increases, however, the products become “magical”. The ideal item must become similar to a black box, performing its function with as little input as possible. From one point of view, this approach is beneficial, but on the other hand, black boxes are hard to understand, their inner workings are invisible, and they require specialized personnel to maintain and repair. Whether this is a good thing or bad is open to debate, but more importantly, it is a natural thing. The automotive industry is already past the growing stage – cars remember different drivers, adjust mirror angles, and remind about maintenance – everything short of driving themselves. The computer industry has not reached that point yet. Perhaps in another fifty years we won’t have to know terms like “file” or “extension”. Now, however, we have to content ourselves with computers as they are today. The hardware and software that make a computer system work are often exceedingly complex, so nobody can claim perfect understanding of them. In essence, we are sentenced to use things that no single person can understand perfectly. When the inevitable happens – namely: “it does not work!” – it is hard to find the cause. But computer users are subjected to a greater, and unique, danger – that “something” in the computer system works against them, without their knowledge. This can be due to errors in design or implementation, but sometimes no explanation except for malicious intent seems plausible. In the following sections I will present ways in which users can be affected by parts of their computer systems (both software and hardware) of which they are not aware, or which are outside of their control.
I will also try to present simple methods of protection against unwanted behavior, where possible, and discuss them from an ethical standpoint, since sometimes it is not clear whether those solutions are morally acceptable.
Today’s computing experience is quite different for the average user than it was twenty years ago. Instead of a cryptic command line interface and typing series of obscure commands, we can enjoy graphical user interfaces, mouse-clicking, and multiple windows opened at once. This has allowed the computer to become much more accessible - many users sensibly don’t want to spend days learning how to type in a document and then print it out; everything should “just plug in and go”. This is made possible only because someone took on the difficult task of creating the tools that enable such ease of use. Only if every single one of these tools performed exactly as expected, and seamlessly interfaced with every other necessary program, could the user expect no errors. Unfortunately, it is generally considered impossible to write error-free programs. And sometimes, the user’s idea of how the program should work is different from the programmers’, who are only human, and can’t foresee every possible situation. Therefore, even with the best of intentions, user interfaces which try to outguess the user’s wishes sometimes fail miserably. And when intentions are less honorable, the program might stealthily do things that the user would never approve of.
The most common attack on a user is theft of privacy. Perhaps it is because of the opportunities offered by the Internet today – it is relatively easy to cause information to leak out from the user’s computer to some other place. In some cases it is also profitable to do so, since information about surfing habits, income, interests, medical history, etc. is valuable.
Information about the user is most commonly disseminated in three ways – through software that uses unique identifiers, through well-meaning software configured incorrectly, such as web browsers, and through “spyware”. [Lalonde, 2001] The last method is described in more detail in the next section, and will not be dealt with here.
Unique identification numbers are, as their name implies, unique strings assigned to the user or to the computer on which the program is run. This can be done for legitimate purposes, as is the case with many instant messenger programs. It can also be done with no apparent purpose in almost any other program that creates files of any kind, or connects to the outside world.
A unique identification number can be embedded in a document, and later on used to identify its creator, or the computer it was created on. The best known example of this is Microsoft Word [Mehdi, 1999]. There are precedents of tracking individuals using this information, for example during the investigation of the Melissa virus outbreak. [CNet News, 1999]
Finally, information about the user can find its way out because of misconfigurations. For example, old browsers allowed the email address entered by the user to be automatically sent as the password to an FTP server, where it could easily be obtained by the web site’s creator. Nowadays, browsers are quite eager to disclose their names, and the names of the operating systems on which they run – this information can also be obtained by web site owners. [Privacy.Net, 2001]
How to defend
In many cases, the reason for embedding unique numbers is an error, or an oversight. Some companies are quick to provide a fix, but only after the problem is pointed out to them. Therefore, it is important to keep abreast of news about one’s favorite programs. Going back to the example above, Microsoft not only provided a fix for MS Word, but also made available a small utility which removes identification numbers from existing documents [Microsoft Corp., 1999].
A second, and quite educational, way to defend is to peek inside files saved by the application using a binary file viewer. It is sometimes surprising how much unrelated information finds its way there.
Finally, no revealing information should be made available to programs which can potentially distribute it, such as web browsers. There are also applications (web proxies) which filter the information disclosed by the browser.
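Looking inside a saved file, as suggested above, can be automated. Version-1 GUIDs, the kind the Office 97 identifier was, carry a 48-bit “node” field that is normally the MAC address of the generating machine’s network card, which is exactly the “LAN card number” discussed later. The scanner below is an added example, not a tool from the paper or from Microsoft; it finds GUIDs in a file (as text and as raw 16-byte structures), checks which ones expose a MAC address, and runs against a constructed sample document with a made-up MAC.

```python
"""Scan a saved document for embedded unique identifiers (added example)."""
import re
import uuid

GUID_TEXT = re.compile(
    r"\{?([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\}?"
)
# Plausibility window for the 60-bit v1 timestamp, as Unix seconds (1990..2030).
UNIX_1990, UNIX_2030 = 631152000, 1893456000
GREGORIAN_TO_UNIX_100NS = 0x01B21DD213814000  # 1582-10-15 to 1970-01-01


def v1_unix_seconds(u):
    """Timestamp of a version-1 UUID, converted to Unix seconds."""
    return (u.time - GREGORIAN_TO_UNIX_100NS) / 1e7


def node_is_mac(u):
    """True if a v1 UUID's node field looks like a real (unicast) MAC address.
    RFC 4122 sets the multicast bit when the node value was generated randomly."""
    return u.version == 1 and not (u.node >> 40) & 0x01


def describe(u, offset, form):
    mac = ":".join(f"{(u.node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
    return {"offset": offset, "form": form, "guid": str(u), "version": u.version,
            "mac": mac if node_is_mac(u) else None}


def find_guids(data):
    """Return all plausible GUIDs found in `data` (bytes), in text or binary form."""
    found = []
    # 1. textual GUIDs anywhere in the byte stream (latin-1 keeps offsets 1:1)
    for m in GUID_TEXT.finditer(data.decode("latin-1")):
        found.append(describe(uuid.UUID(m.group(1)), m.start(), "text"))
    # 2. raw 16-byte GUID structures, little-endian (Windows GUID layout) and
    #    big-endian; only version-1 GUIDs with a plausible timestamp are accepted,
    #    which filters out nearly all accidental matches in random bytes
    for off in range(len(data) - 15):
        chunk = data[off:off + 16]
        for form, u in (("le", uuid.UUID(bytes_le=chunk)), ("be", uuid.UUID(bytes=chunk))):
            if (u.variant == uuid.RFC_4122 and u.version == 1
                    and UNIX_1990 <= v1_unix_seconds(u) <= UNIX_2030):
                found.append(describe(u, off, form))
    return found


def leaked_macs(data):
    """Set of MAC addresses exposed by version-1 GUIDs in the file."""
    return {g["mac"] for g in find_guids(data) if g["mac"]}


# Constructed sample "document": OLE compound-file magic, some text, one v1 GUID
# (as text and as a raw little-endian structure) and one v4 GUID.  The GUIDs and
# the MAC 00:11:22:33:44:55 are made up for this example.
V1 = uuid.UUID("7c9e6679-7425-11d3-91e4-001122334455")
V4 = uuid.UUID("3f2b0c4e-8a1d-4e7b-9c2a-5d6e7f8a9b0c")
SAMPLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Quarterly report, draft 3\x00\x00"
          + b"DocumentID {" + str(V1).upper().encode() + b"}\x00"
          + b"\x00" * 8 + V1.bytes_le + b"\x00" * 8
          + b"author=anonymous " + str(V4).encode() + b"\n")

if __name__ == "__main__":
    for g in find_guids(SAMPLE):
        print(g)
    print("MAC addresses exposed:", leaked_macs(SAMPLE) or "none")
```

Run it on a real file by replacing SAMPLE with the file’s bytes; a reported MAC means the document can be tied to the machine it was written on.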
To some, the explanation about “oversights” leading to the introduction of unique identification numbers can seem suspect. After all, it is hard to believe that storing LAN card numbers or hard drive names is done to “enhance the editing, viewing, filing, and retrieval of Office documents”. [Microsoft Corp., 2000] Even programs which have to use identification numbers in order to operate may also use them for other purposes. The user has no way of knowing, in the vast majority of cases. Most companies don’t distribute the source code of their applications; it follows that they should not rely on users to spot flaws in them, but rather design with more common sense.
The user does not face such ethical issues when defending against those threats – they should be regarded as program errors, and treated accordingly.
A few years ago a new model of generating revenue from software was introduced. It consists of forcing users to watch advertisements while they use the program. Such programs are called “adware”.
While in use, the program connects to a remote server, downloads advertisements, shows them to the user, and reports which ones were shown (which is necessary in order to bill the advertisers). Sometimes this connection is also used to breach the user’s privacy and report other things – browsing habits are especially vulnerable. Some programs even utilize the user’s computer as a source of computing power. [Juno Corp., 2001]
User profiling can also be effected by means of “web bugs” [University of Denver, 2001] – invisible images which, when combined with “cookies”, allow advertisers to keep track of the sites visited by a particular user.
How to defend
The solution seems to be simple - remove all malignant software from the system. There are programs which help to determine if an application is ill-behaved. There are also lists of software that uses the guise of advertising to spy. [Lalonde, 2001] It is important to check beforehand, since under the Windows operating system removing any program completely is difficult, and even more so if the authors took pains to ensure that. The preferable solution is not to install suspect software at all. Unfortunately, there is not always a choice. Some time ago, I had to install a Logitech digital camera, and in order to do that, I needed the appropriate drivers. The provided installation program insisted on installing RealPlayer; there was no way to decline. Of course, RealPlayer would not uninstall, so I ended up manually deleting it. In short, in order to use the hardware, I was forced to install software which I neither wanted nor needed, and which was difficult to remove.
Fortunately, there is also a different way to defend. Since spying programs rely on the ability to send information back, it is possible to foil them by exercising control over the data which leaves the computer. This is most often accomplished by using firewalls – programs which allow legitimate traffic to pass through, but block everything else. Recently, many such applications tailored specifically to the desktop environment have appeared.
Protection from cookies and web bugs can be obtained by using a web-filtering proxy, which can be installed by the ISP or individually by the user.
Authors often try to blur the distinction between adware and freeware (software available for free). In one way they are similar – the user does not have to pay money for the software. But there are other costs of using it, some easily quantifiable - many people pay for connection time, and downloading advertisements can take a while. There are often hidden costs, such as loss of privacy, if a program really does more than just show advertisements. Often programs advertised as adware could be better described as "spyware", since they intentionally spy on the user, collect intimate information, and then phone home at an opportune time to transfer it. Sometimes, the user is aware of what actually happens, and condones it – anonymous information about browsing habits can be of use in generating better content, or organizing web sites. However, there is always the issue of identification – can the information be linked with a particular person? If yes, then collecting this information is really spying. If the information obtained is highly specific, or there is a lot of it, there will be some middle ground where it becomes hard to tell if the linking is possible even if no names are stored in databases. For example, there is probably only a handful of people living in Poland who own a cellular phone, don’t own a car, earn a certain amount, are from a specific age group, are female, single, work as architects, and whose blood type is A-. Someone sufficiently motivated could conceivably identify those people by linking the information above with other databases and medical records. The motives of companies which resort to tracking their users will always be under scrutiny, so it is in their best interests to expend some effort to ensure that there is no way of linking the information to the individual.
The step from the merely technical ability to place specific people under surveillance to its practical use is small, and can be taken at any time by an unscrupulous employee, for example. This should be kept in mind during the design of the program, as even the simplest databases can contribute to the “information mosaic”. [Forester & Morrison, 1995]
In light of all this, it would seem that the user should not lose sleep over the decision to restrict the flow of data from the computer to the Internet. After all, why shouldn’t I decide what I let my computer give out? There is only one possible consideration – as already mentioned, sometimes the user might condone the actions of the program. The information obtained can be used to better the user’s surfing experience, or become a commodity which will help to pay the bills of the application’s author. Although undesired operation of such programs can be dealt with as described above, the consequences of doing so should be kept in mind.
The Internet enables easy and quick communication across the globe; that is its strength, but it may easily be turned against its users. Viruses now spread quickly and sometimes without the need of human cooperation (not even unwilling cooperation). Direct attacks through the net are also possible, in which the affected computers are disconnected at best, or crash at worst. Unsolicited mail, or spam, can be easily sent out to millions of people with little cost to the sender.
Today, the most dangerous viruses are so-called “script viruses”. Instead of directly modifying other programs, they attach themselves to email messages, and rely on email clients to execute them and send them further; because of that they are more like computer worms. A few years ago that would have been impossible on computers running Windows – today Microsoft Outlook or Outlook Express together with the Microsoft Office suite are the most common culprits as far as spreading viruses is concerned. [CAI.com, 2001]
The usual goal of attacks through the Internet is denial of service. This can be accomplished simply by generating traffic to the victim’s computer. Often many computers assist in generating this traffic, taking part in a so called distributed denial of service attack.
Spamming is very straightforward – it consists of sending a message, usually of the “buy now” variety, to hundreds of thousands of people, in hopes that a few will indeed “buy now”.
How to defend
Defending from viruses used to be easy – it was sufficient to install an anti-virus program, and “not to click on attachments”. The latter recently seems not to suffice, as clever virus authors find ways to coerce email clients into executing virus code without user intervention. Fortunately, most anti-virus software now checks every file automatically, before it is opened. It is very important to update one’s anti-virus software often; nowadays, there exist free programs, with frequent updates available.
Defending from denial of service attacks can be accomplished by installing a firewall, if the computer is not intended to be used as a server; protecting servers is a different matter, and out of the scope of this paper.
Effective protection from spam also requires intimate knowledge about tracking it [CAUCE, 2001]; this is also out of the scope of this paper, but the simplest tip is not to give out one’s email address to anyone.
Creating viruses which destroy data and letting them loose is analogous to concocting a concrete-dissolving chemical and spreading it liberally over an urban area. It might be argued that it forces producers of operating systems to tighten security, but the same laudable goal can be accomplished by other means. Even viruses which are supposed to be harmless can bring entire networks to a halt just by replicating quickly. The role of email clients in spreading viruses warrants close examination, because it is the best example of trying to be too user-friendly, doing something that users do not intend, and ultimately hurting them. Such design mistakes should be avoided, even at the cost of decreasing user-friendliness.
Denial of service attacks are a different matter. A legal denial of service attack is fathomable – if I can convince a few (hundred or thousand) of my friends to start clicking on some company’s web site at a specified time, then I can, at the very least, make that site so slow as to be unusable, which could be potentially disastrous for that company’s profits. Should that be prosecuted? Should we scorn Christmas-rush shoppers for their denial of service attacks against shopping malls? Normally, it is easy to solve ethical dilemmas concerning computer crime by applying the “crime is crime, no matter if committed using computers” principle. [Forester & Morrison, 1995] In this situation it is not so easy, because it is hard to find a satisfying analogy of denial of service in the real world.
Under the same principle, spam is very easy to classify as a crime – it leads to loss of resources by the network through which it is sent. The usual practice of spammers is to give an opt-out address and, if it is replied to, respond with more spam, since by replying the user verifies that the messages are actually read. [CAUCE, 2001]
Recently the use of specialized web-filtering software became commonplace for ISPs, libraries and public cyber-cafes. These applications disallow viewing of “inappropriate” content.
The web-filtering application serves as a filter between the browser and the web site. If the web site meets some specific criteria, it is not let through; instead the user is faced with a warning not to visit such inappropriate sites. Unfortunately, the criteria for “inappropriate” are seldom well chosen; if a user is not permitted to surf to “XXX” sites, then the filter will also block “Superbowl XXX”, for instance. It is disturbing that the use of filters in public libraries is mandated by law in some countries. [ALA, 2001]
How to defend
The preferable defense is to complain to the person who set up the filter or to lobby against the law that mandates it. [ALA, 2001] As a stopgap measure, a useful trick is to translate the page into a different language, in hopes that the offending words will be translated as well.
Automated filtering by software is censorship – there is no process to ensure that innocent sites are not included as well. Even if web-filtering is installed “for the good of children”, it is not effective because of the aforementioned methods of circumventing it. In my opinion it should be avoided in favor of some kind of peer-to-peer rating method; the number of completely innocent sites blocked is simply unacceptable. [ALA, 2001]
One of the strengths of the Internet is the ease of access to information. However, this also means that information about individuals is easier to locate than they might wish.
There are many directories on the web which list phone numbers and addresses. They create not only the possibility of gathering information about someone against their wishes, but also of creating indexes not normally available, such as a reverse (number-to-name) phonebook, simply by accessing a normal one over and over, compiling a list and sorting it by number instead of by name.
How to defend
Some directories allow one to opt out of them. Another useful technique is to “vanity surf”, or enter one’s own name into search engines to see what comes up; while this does not fix anything, at least it makes one aware of the existence of personal records.
Storing and using personal records without the knowledge of those to whom they belong seems not only wrong, but is also illegal in many countries. Europe seems more strict on this issue than the United States. [Forester & Morrison, 1995] Making those records available to the public is even worse, and the possibility to opt out is not enough if the affected person does not know that the records are on display. Opt-in policies would make such databases much more reasonable. Even offering a service equivalent to an offline phone book should be carefully considered, because once information becomes available in digital format, it can be easily processed without costly human supervision, and that alone is enough to make abuse possible. Providers of directory services have an obligation to take appropriate precautions.
Even the simplest programs are unable to accomplish anything without hardware to run on. The problem of interoperability between software and hardware is often overlooked, and sophisticated users are likely to blame hardware last, only when no other explanation is satisfactory. These problems do happen occasionally, however, which is not surprising considering the complexity of the design. Hardware blueprints are even less likely to be available for inspection than the source code of software, thus exacerbating the problem.
Even the most rigorous testing cannot weed out all errors, and hardware bugs are similar to software ones in the effects which they cause – a particular program does not produce the intended results. An example of this is the Pentium FDIV bug. [Farkas, 2000] For a casual user it is impossible to discern whether a crash or error was caused by software or hardware.
How to defend
Besides “caveat emptor”, no feasible precautions can be effective.
Producers of hardware fortunately realize that the reliability of their products is essential for their bottom line – at least they are quicker to investigate and announce ways of circumventing the problems. [Farkas, 2000] However, end users stand to lose more because of hardware problems, because replacing hardware is associated with higher costs than is the case with software.
There are many ways in which a user can be affected by code which is impossible to scrutinize. The Open Source movement is gaining momentum, which is ultimately good for consumers – there are many benefits of having access to source code; most of what is written above would not apply if the code of all the software in a computer system was open for inspection and modification. While a nice idea to entertain, that probably will not happen for a long time. More likely is more rigorous testing (not likely to happen, since the costs of testing are already very high [Forester & Morrison, 1995]), the adoption of better testing methods, designing on sound principles, and allowing adventurous potential users to beta-test. This is beneficial to producers and consumers alike. Appeals to morality and ethics seldom appeal to corporate entities, however. A better way to get the message across would be not to buy unreliable products. As long as rushing the product out of the door, and being the first no matter what, is rewarded by market forces, the companies will do just that. For a consumer, the best long-term strategy is to vote with money. Finally, it has to be pointed out that, at least for now, using tools with less user-friendly interfaces is safer, because by not guessing what the user had in mind, they are less likely to guess wrong.
I would like to thank Professor Andrzej Kocikowski for his help, and my parents for their support.
American Library Association (2001), American Library Association files lawsuit challenging Children’s Internet Protection Act, online at http://www.ala.org/cipa/cipapressrelease.html accessed 28.03.2001
American Library Association (2001), Libraries, the Internet and Filtering Fact Sheet, online at http://www.ala.org/alaorg/oif/itk_libfactsheet.html accessed 28.03.2001
CAUCE (2001), The Problem [of spam], online at http://www.cauce.org/about/problem.shtml accessed 28.03.2001
CNet (1999), Melissa's mischief hits all sides, online at http://news.cnet.com/news/0-1005-200-340611.html accessed 28.03.2001
Computer Associates International (2001), Macro Viruses, online at http://ca.com/virusinfo/macro.htm accessed 28.03.2001
S. Farkas (2000), Engineering Ethics: The Flaw in the Intel Pentium Chip, online at http://sfarkas.net/papers/pentium.php3 accessed 28.03.2001
T. Forester & P. Morrison (1995), Computer Ethics, 2nd edition, MIT Press
Juno Corp. (2001), Juno Virtual Supercomputer, online at http://www.juno.com/corp/news/supercomputer.html accessed 28.03.2001
G. Lalonde (2001), The Spyware Infested Software List, online at http://www.infoforce.qc.ca/spyware/ accessed 28.03.2001
Y. Mehdi (1999), Microsoft customer letter addressing possible Word privacy concerns, online at http://www.microsoft.com/presspass/features/1999/03-08custletter.htm accessed 28.03.2001
Microsoft Corp. (1999), Office 97 Unique Identifier Patch, online at http://office.microsoft.com/downloaddetails/off97uip.htm and Office 97 Unique Identifier Removal Tool, online at http://office.microsoft.com/downloaddetails/pf_setup.htm
Microsoft Corp. (2000), How to Minimize Metadata in Microsoft Word Documents, online at http://support.microsoft.com/support/kb/articles/Q223/7/90.ASP accessed 28.03.2001
Privacy.Net (2001), Privacy Analysis of your Internet Connection, online at http://privacy.net/analyze/ accessed 28.03.2001
University of Denver (2001), Web Bugs in Microsoft Office Format Documents, online at http://www.privacycenter.du.edu/demos/bugged.html accessed 28.03.2001