Archive for the 'Computers' Category

Blogs and octopodes

Wednesday, September 9th, 2009

I just upgraded this blog to the latest version of WordPress, due to a WordPress worm that was infecting all sorts of sites. I wasn’t vulnerable, but it doesn’t pay to be complacent.

The reason I wasn’t vulnerable is that the worm needs to be able to create an account, and I’ve disabled new account creation. I used to require an account to comment, as an anti-spam feature. Now I require people to answer a question about octopodes, or octopuses. Turns out the plural is questionable. Regardless, it has blocked 100% of the spam, and as long as I’m the only one using that question, it’s likely to remain effective.

Is friendship commutative?

Thursday, March 27th, 2008

Recently I joined Facebook in order to coordinate a project with the high school kids at church. Facebook really isn’t designed for this sort of thing; Yahoo Groups might be more appropriate, except that communicating with teenagers is hard. They all have email, but most of them never check it. Some of them check Facebook several times a day. (Others refuse to sign up.)

Ever since then, I’ve been getting “friend” requests. For the most part, I’ve been pleasantly surprised with how many of these are people I know quite well. But I occasionally get one from someone I barely remember– but who might have good cause to remember me.

I went through the same thing with Friendster when it was popular. I’m a minor celebrity at Opus (and only at Opus), so after I got home from Opus one year, I got 50 friend requests. Mind you, I’m sure I had meaningful conversations with most of those people, but my brain is terrible with names and faces.

In everyday life, we assume that friendship is commutative. That is, if I am your friend then you must be mine. That’s absolutely not the case with social networks, where friendship is linked to one’s access to another person’s information. A celebrity who wants people to know what he or she is doing needs to approve everyone as a friend.

Twitter has a more natural model. Signing up to follow one person’s tweets doesn’t imply that that person needs to follow yours. As does Slashdot, which lets you declare “fans” and “foes.”

Social networking sites need to forget friends and just have fans. The interface on Facebook wouldn’t need to change much. (Although the underlying data model would need to be significantly revamped.) When you sign up as someone’s fan, that person could be given the chance to deny you access. (In practice, that probably wouldn’t stop a committed stalker.) You’d also be given a chance to be that person’s fan.

In real life, friendship isn’t as commutative as people pretend it is. How close one really feels to another is often a guarded secret or an unspoken assumption. Doctors regularly feign familiarity with their regular patients, whom they see far too infrequently to remember. As do ministers and a host of other people in a variety of professions.

Why there’s so little malware for the Mac

Monday, January 21st, 2008

Recently, Mac expert John Gruber has been asking why there is effectively no malware [malicious software] for the Mac. So far, the theories people have offered don’t match what I see as the reason.

In a nutshell, it’s because malware is no longer a hobby. It’s big business, with all that entails: economies of scale, industry consolidation, and standardization. All of which make it cheaper to target Windows and abandon the Mac.

There are lots of ways you can make money from controlling someone else’s computer. You can steal information (bank account numbers and passwords), or you can do things you wouldn’t want traced back to you, such as sending spam.

It turns out that if you want to get information, it’s often easier to ask people than to search their computers. Just send out email that looks like it came from the bank, using some scary pretense to urge them to log onto the bank website through a phony link provided in the email. This is known as a phishing attack. (Banks make this easier by regularly sending email that looks less legitimate than the phishing attacks.)

Much of what criminals want to do with random people’s computers involves sending spam. And the rest is similar enough that for the sake of argument, I’ll just focus on spam.

Back in 1997, there were plenty of unprotected mail-forwarding computers (“open relays”) so you needed only a little technical skill to send all the untraceable email you wanted. By 2000, the open relays had been closed, but security was still lax enough that you could hire someone to break into enough computers to send your spam. If you (or the person you hired) were a Windows expert, you’d break into a Windows computer. Otherwise you might target Mac or Unix machines.

We’ve come a long way, security-wise. These days, all the really dumb mistakes have been fixed. As a result, you can’t just hire a smart kid off the street and start spamming. You have to hire someone who’s got some specialized skills.

But why pay $80,000 to hire an unscrupulous professional, when you can rent all the compromised computers you want at a reasonable price? That’s the value proposition of a botnet. The best and the brightest criminal minds write malware (such as the Storm worm) to take over millions of computers. Then they resell computer time at a price that maximizes their profits: low enough to attract as many customers as possible, but as high as those customers are willing to pay.

The costs of running a botnet are something like:

  • The cost of developing the software to recruit computers, which is an ongoing expense as exploited computers get cleaned off or retired, and as security holes get closed.
  • The incremental cost of adding one more computer to the network. Practically zilch.
  • The cost of developing and maintaining the software used to access the botnet.
  • General business expenses: sales, marketing, etc. For a business this big, organized crime is probably involved.

As with so many software businesses, there are virtually no incremental costs. A virus that is good enough to spread to 100 computers will likely spread to 10,000 computers. And if you have enough of the compromised computer market, you can hire a whole team of people to keep you one step ahead of the security experts.

The economics favor taking over more computers than you need and using each one as little as possible, since people aren’t likely to fix their computers if the malware never becomes a nuisance.

So let’s say you have a big botnet, and you want to make it bigger. Which is the cheapest way to grow it by 5%? (A) Have your existing staff (plus maybe a few new hires) make your existing malware 5% more effective, or (B) hire some Mac or Linux experts, and capture a comparable portion of those computers?

To target a Mac or Linux computer, you need to know some sophisticated details about how those operating systems work. And it’s a moving target: as exploits become known, they get fixed. You can’t just hire run-of-the-mill programmers. Plus you’ll need to rewrite your payload (the software used to access the botnet.) And the more software you have on target machines, the more information you’re providing to your adversaries. So you’d end up nearly doubling your development staff and end up with a software platform that’s harder to maintain and leaves you more exposed. It’s hard to imagine a scenario where that makes sense.

And that’s assuming that you even want to grow the botnet. Once you have enough computers to satisfy the demand, being more clever just gives your adversaries more bugs to fix–and more incentive to fix them.

Mr. Gruber asks what the situation would be like if the PC market were more evenly divided between Mac OS, Windows, and Linux. So long as there are enough PCs to satisfy the demand for zombies, there is no reason for the entrenched players to branch out into Windows or Linux. And the cost to develop a competing botnet would be big: software development, sales and marketing, law enforcement evasion, kneecap protection, etc. One could imagine a world where Windows computers are in the minority, but common enough to satisfy all of the demand. Indeed, it may be the case that a large percentage of the zombies today are running Windows 98.

In short, the notion that Macs should get 5% of the malware because they have 5% of the market is based on the notion that there are lots of independent malware writers. If there are a small number of big players, and Macs aren’t strictly needed, then it makes sense for there to be no malware to speak of for the Mac.


As a postscript, I’d like to mention that this discussion is just about malware. I mentioned phishing before, and that’s just one example of a cross-platform attack: persuasive ploys are just as effective against Mac users as Windows users. And computers have become hardened to the point that the Storm worm, responsible for the world’s largest (known) botnet, requires human intervention to spread.

Focusing too much on the OS misses the point: the weakest link in computer security is no longer the computer. We can debate whether the Mac’s “are you sure you want to install this?” warnings are better than Windows’ but at the end of the day, a sufficiently motivated user is going to bypass any security feature.

Visiting the Apple store

Tuesday, September 25th, 2007

My new laptop has a sticky mouse button, so I went to the Apple Store at Ridgedale for repairs. A few thoughts:

  • The window display is a pair of mock iPhones made of HDTVs on their side, which gives the impression of an impossibly high resolution display. If only real iPhones had that many pixels. Then again, it makes me wonder how they came up with the demo; the easy thing to do if you’re an Apple developer is to use a development version of the OS which supports that resolution. Then again, the marketing department might not be able to do that. But this is Apple, so you never know; The Steve might have personally commissioned the demo.
  • Tech support is at the so-called Genius Bar, with a young, hip employee who looks different from the other employees because his T-shirt says “genius” on it.
  • They had a 2-hour wait to get to the Genius Bar, but you can’t tell, because you sign up online. This was on a random Tuesday at a small Apple Store in a modest suburban mall.
  • It didn’t pay to show up a few minutes early for my appointment.
  • It does pay to wait in “standby,” especially if you have a quick question. Two people without reservations managed to squeeze in front of me, even though they were running late.
  • To verify that my mouse clicks smoothly, they needed a username and password, which are printed on your receipt and stored in their database. Fortunately, they were willing to take my guest account, even though the receipt says “admin.”

Eyeball hack

Friday, August 3rd, 2007

I’ve been playing around with GWT recently, Google’s toolkit for making Gmail-like applications in Java. The idea is pretty slick: you write both the client (web browser) and server portions in Java, and then it translates the client-side Java into several dialects of Javascript (one for each of the major web browsers.) You get to use a Java debugger and keep all your code in one language, without having to learn all the nuances of each web browser. It works great if you’re writing something that works like Gmail, but it’s totally inappropriate if you just want to add a few flashy effects to a web page.

That said, here’s an example of something I whipped together in GWT. For the record, my three-year-old thinks it’s funny, most people think it’s mildly creepy, and Seebs says it’s disturbing to autistic people like himself– but only due to color asymmetry.

Discover Card: an identity theft imposter

Wednesday, July 18th, 2007

Why do financial institutions insist on pretending to be identity thieves? I just made a big purchase on my Discover Card, and to verify the transaction they left a message on my answering machine telling me to call a number that’s not listed on my card or their website. (1-800-347-4996) Indeed, without calling Discover, their phone company, or the police, there’s no good way to track a random toll-free number. (It’s a little more dangerous for a crook to set up a nefarious number than a nefarious website, but it can be done.)

The irony is that Discover’s website has a quiz on the front page, where one of the questions involves a phishing attack identical to what Discover itself did, except that it’s done through email rather than the phone.

It’s not just Discover. This behavior is rampant among financial institutions. My retirement account (through Charles Schwab) has an option to send monthly reminders to check your online statement. The email has an embedded link, so you can click on it rather than typing the URL into your web browser. Which is exactly what you shouldn’t do, since the link may be to an imposter site.

The reason they do this, of course, is because your security isn’t their priority. They’re not to blame if you fall for an imposter: except for training you to fall for the trick, they’re not even involved.

Actually, that’s not quite true. Credit card companies are on the hook for all but $50 from a fraudulent transaction. So Discover should be trying to prevent this sort of attack. Why don’t they? For one thing, it’s not a common attack yet. But the root cause is more subtle.

Companies secure assets, information, and transactions. Thieves attack the weakest link in an ecosystem. Companies worry about their own infrastructure and how people interact with it. Imposters aren’t part of that world: they create their own faux world. Banks aren’t used to worrying about how customers can verify their identity. Typically you know it’s your bank because you walked into it. Or called the number printed on your statement. That’s not a safe assumption now, if it ever was.

More important, security often consists of reacting to known attacks, rather than preventing potential attacks. In many cases, that’s a good thing, since attackers won’t try something novel unless the tried-and-true stops working, and you can waste a lot of time preventing imaginary threats. With credit card theft, tricks that worked decades ago work just as well today. But identity theft is still evolving, and the preventative measures– in this case, using the same phone number for all incoming calls– are cheap and easy.

(Computer security has the opposite dynamic: preventing whole classes of potential attacks is usually more fruitful than fighting known attacks. That’s because an attack can go from being unknown to being common in a matter of hours. And attacks need to be novel, since once a security hole is patched, it is fixed permanently.)

For the record, I called 1-800-DISCOVER, which is the number printed on my credit card, and had an agent transfer me to the fraud prevention department.

Dithering?

Tuesday, May 29th, 2007

Jussi Hagman from Finland writes:

I was just left wondering whether the 18-bit test image should have been dithered; the display manufacturers could perhaps use some kind of HW-based dithering to give an illusion of a better color depth.

Good question, and if I get the time I’ll do a follow-up on exactly that issue.

I started by looking at my brother’s PowerBook, where he did a quick test gradient in Illustrator. We saw banding on the machine, so it looked 18-bit, not dithered.

I’ve since started to question this initial test, since everyone seems to report that their computer looks fine. Adobe has a long history of doing things their way, and it’s possible that Illustrator is 18-bit on an allegedly 24-bit laptop.

At some point, time permitting, I hope to post an 18-bit dithered test image. I’ve done a quick test on my desktop (Ubuntu Linux with a generic desktop LCD) which makes me suspect that hardware manufacturers are doing built-in dithering. But I’ll need a better test image to be sure.

How good is your color?

Wednesday, May 23rd, 2007

There’s a bit of a hubbub about the colors on Apple laptops. It seems they’ve been claiming to display millions of colors, but the LCD displays only support 8 bits of color. There has been a lot of talk about technical means to tell how good your color is, but none of these get at the core issue: can you tell the difference?

So here are a few pictures which can help you determine the visible quality of your display.

24-bit color test

Look at the 24-bit image first. If the colors look like a perfectly smooth gradation, you have a 24-bit display. If you see bands the size of the black bars, then your vision is better than a normal human’s. (Or so the conventional wisdom says.) If you see bands that are significantly wider than the black bars, then you probably have an 18-bit display, like the ones Apple apparently is using.

On 18-bit displays (6 bits each for red, green, and blue) the 24-bit color bands should look like the ones in the 18-bit test image. This is equivalent to the “thousands of colors” mode on Mac OS 9.

In case the color bands aren’t obvious in that image– which is typical in bright daylight and other adverse situations– here’s a 4-bit test image. Which brings up an important point: if you couldn’t see the color bands in the 18-bit image, you might want to turn out all the lights. Don’t do it right now, though, the after-images in your retina from looking at all these vertical lines will make you see bands where there aren’t any. That’s why I had you look at the 24-bit image first.

I haven’t tested this on any laptops yet, so it will be interesting to see what other people report. I can verify that my generic desktop 19-inch LCD is fully 24-bit. (I’m slightly red/green color blind, but that doesn’t matter for this test.)

So how did Apple come to be in the position of advertising 24-bit, but delivering 18-bit? This is pure speculation on my part, but here we go. Traditionally, laptop displays have been significantly worse than desktop displays. Desktops had bright cathode ray tubes (CRTs), while laptops had the most state-of-the-art liquid crystal displays (LCDs). State-of-the-art originally meant you could see beige-on-black, unless you were to one side, in which case you saw black-on-beige. Over the years LCDs have improved from awful to not so bad. My 7-year-old PowerBook has a slight greenish tinge, which you don’t notice unless it’s next to a better display. You wouldn’t notice the difference between 24-bit and 18-bit very easily on that.

It used to be that the video cards were the limiting factor in the color display, so once 24-bit cards became cheap, Apple started to discourage the use of the 18-bit color mode. From there, it became easy to forget that the laptop displays were still only 18-bit.

Assuming it really is 18-bit. Again, I haven’t tested it, but there are ways to cheat. Dithering across pixels (or sub-pixel, as some have suggested) won’t help in this case, but they could dither across time: you can cheat by flashing between two nearly-identical colors. If the LCD refresh is slow enough, the liquid crystal might actually remain between those colors– producing a real intermediate color. I’m skeptical that Apple would do this, since the LCD manufacturer has more interest in investing in these sorts of tricks, and I would suspect that true 8-bit-per-subpixel quality is easier for them to get at directly.
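As an added example (my own code, not the test images or anything from the original post), here is a small Python script that builds the same kind of gray gradient, models an 18-bit panel (6 bits per channel) and a 4-bit panel by dropping the low bits of each 8-bit value, measures how wide the resulting bands are, and also simulates the spatial and temporal dithering raised in the “Dithering?” post above. The function names, the 4x4 Bayer threshold pattern and the “drop the low bits” panel model are my own choices; they illustrate the arithmetic, not what any particular laptop or LCD controller actually does.

```python
"""Constructed color-depth test: gray gradient, simulated low-depth panels,
band-width measurement, and ordered (spatial) and temporal dithering."""

# Classic 4x4 Bayer threshold matrix for ordered dithering (values 0..15).
BAYER4 = [
    [0, 8, 2, 10],
    [12, 4, 14, 6],
    [3, 11, 1, 9],
    [15, 7, 13, 5],
]


def gradient_row(width=256):
    """One row of a gray ramp: 0 at the left edge, 255 at the right."""
    return [round(x * 255 / (width - 1)) for x in range(width)]


def quantize(value, bits):
    """Model a panel with `bits` per channel by dropping the low (8 - bits)
    bits, then shifting back so the value stays on the 0..255 scale.
    (A real panel stretches its top level to full white; the band
    structure is the same either way.)"""
    shift = 8 - bits
    return (value >> shift) << shift


def band_widths(row):
    """Run lengths of identical values, i.e. the width of each visible band."""
    widths, run = [], 1
    for prev, cur in zip(row, row[1:]):
        if cur == prev:
            run += 1
        else:
            widths.append(run)
            run = 1
    widths.append(run)
    return widths


def dither(value, bits, threshold):
    """Quantize after adding a sub-level offset selected by `threshold`
    (0..15). Over all 16 thresholds the rounding error cancels exactly."""
    step = 1 << (8 - bits)             # distance between adjacent panel levels
    offset = threshold * step // 16    # spreads 0 .. step-1 across the thresholds
    return quantize(min(255, value + offset), bits)


def spatial_dither_block(value, bits):
    """A 4x4 patch of one input value rendered through the Bayer pattern."""
    return [[dither(value, bits, BAYER4[y][x]) for x in range(4)] for y in range(4)]


def temporal_dither_frames(value, bits):
    """The same idea across time: cycle one pixel through its sub-levels on
    successive frames so the eye averages them (the flashing trick)."""
    frames = 1 << (8 - bits)           # 4 frames suffice for 2 dropped bits
    return [dither(value, bits, f * 16 // frames) for f in range(frames)]


def mean(values):
    values = list(values)
    return sum(values) / len(values)


def write_ppm(path, rows):
    """Save gray rows as a binary PPM so the strip can be viewed on a panel."""
    height, width = len(rows), len(rows[0])
    with open(path, "wb") as fh:
        fh.write(b"P6 %d %d 255\n" % (width, height))
        for row in rows:
            fh.write(bytes(v for v in row for _ in range(3)))


if __name__ == "__main__":
    row = gradient_row()
    for bits in (8, 6, 4):
        shown = [quantize(v, bits) for v in row]
        print(f"{3 * bits}-bit panel: {len(set(shown))} levels,"
              f" band widths {sorted(set(band_widths(shown)))}")
    print("4x4 spatial dither of 130 on a 6-bit panel averages",
          mean(v for r in spatial_dither_block(130, 6) for v in r))
    print("4-frame temporal dither of 130 on a 6-bit panel averages",
          mean(temporal_dither_frames(130, 6)))
    # Three stacked 64-row strips: 24-bit, 18-bit and 4-bit renderings.
    strips = [[quantize(v, b) for v in row] for b in (8, 6, 4) for _ in range(64)]
    write_ppm("gradient_test.ppm", strips)
```

On a 256-pixel-wide ramp the 24-bit rendering has 256 one-pixel bands, the 18-bit rendering 64 bands of 4 pixels, and the 4-bit rendering 16 bands of 16 pixels, which is the width ratio the post tells you to look for. The dithering functions show why a dithered panel can pass the test: a 4x4 patch (or a 4-frame cycle) of the 6-bit value for 130 averages exactly 130, even though no single pixel can show it. Whether the averaging happens in space or in time, the only way to tell it apart from a true 24-bit panel is the pattern noise or flicker it leaves behind.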

The vicious cycle of remote procedure call APIs

Wednesday, February 28th, 2007

Lately I’ve been working with remote procedure calls (RPC). My experience is that they tend to be more trouble than they are worth, but I thought I’d give it another look. RPC is a way to program in which you write a program as if it were run on one computer, but some of the commands are run on a remote computer.

At its most basic level, RPC is just message passing. You send the message “what is 2+2?” to a computer, and you get back the message “4.” In fact, message passing is all computer networking ever is. Message passing isn’t hard, it simply doesn’t look like normal programming. So RPC decorates message passing to look better. And when you are working with complicated data, it can make life easier.

The problem is that there seems to be an inevitable slippery slope of feature creep, which ends up making RPC unusable. The cycle seems to be:

  1. Start with general-purpose network protocol du jour, sending messages from a client to a server.
  2. That’s not enough like regular programming, so add wrappers to let you send arbitrary commands to the server.
  3. Oh, and the server should be able to send commands back to the client.
  4. But wait! That’s not secure! Add security protocols.
  5. (Optional) We don’t want to be restricted to one programming language; make it multi-language.
  6. How do we know what the server can do? Let’s add a directory for finding services. Better yet, let’s add a directory for finding all servers– and maybe a directory for finding other directories!
  7. This is unusable. Let’s start over with the new general-purpose protocol du jour.

Case in point #1: CORBA. Before CORBA, you used specific protocols (FTP, SNMP, etc.) which could be coerced to trigger remote actions. Even today, you can unsubscribe from an email list by sending “unsubscribe” email to a particular address. If those weren’t good enough, you passed C structures (massaged to be network-safe) from a custom client to a custom server. Then CORBA came around, and over time it obtained all of the features listed above. To make it multi-language, the CORBA spec required you to name your commands so they looked funny in most languages but would work in every language. And most implementations were buggy and expensive. But the killer for CORBA was that it required ORBs (service directories) on specific ports, and those ports are blocked on firewalls by default. When I worked at Net Perceptions, we discovered that many of our customers couldn’t use our product because the IT department which controlled the firewall was five layers of management away.

The solution was to piggy-back on port 80, the web server port. That is, run RPC through a web server. Someone had recently written an article on how much easier RPC was if it was done as XML messages through a web server. And that’s exactly what we did. Worked like a charm.

Next thing you know, a committee was formed to standardize SOAP (Simple Object Access Protocol) for XML over RPC. Sun and Microsoft announced that Java and Windows would both support SOAP. Everyone joined the bandwagon. Pretty soon SOAP was just as unwieldy as CORBA. Talking to eBay from Java yields 700+ auto-generated classes!

The fact of the matter is that for most things you want to use RPC for you use (1) a server you write yourself talking to (2) a client you write yourself, with (3) a small set of commands, which are known in advance. Directory services are almost universally a boondoggle– yet they are nearly always a required part of the protocol. Multi-language support is rarely needed, and if you do need it, the easiest way to do it is through a simple, clear message protocol; RPC auto-translation of one language’s structures into another yields ugliness in both languages.

My prediction is that in the next iteration someone will discover that you can use AJAX for general-purpose RPC. The new protocol will use all the so-called Web 2.0 technologies, including RSS feeds. A committee will be called together to standardize mash-up-style RPC. JavaScript (ewww…) will be used for sending arbitrary commands hither and yon.

Side note:

I’ve just spent a week trying to coerce Java RMI (Remote Method Invocation) to do what I want. As RPC goes, it’s better than most. But there are a few special requests I need to make of it, each of which doubles the complexity. And now I’m at a point where I’ll have to add a special security policy to the Java runtime, which just plain isn’t feasible for this project. I could do it, but it would make our web server far more fragile. That or spend another day or two learning the bowels of Java security. So I’m about to rip out all my new code and go back to a simple socket-based message passing protocol.
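The fallback the side note ends on, a socket-based message-passing protocol with a small command set known in advance, as an added example (my own Python, not the author’s code and not any RPC library’s API): length-prefixed JSON messages, a server that dispatches only through a fixed table of handlers and refuses everything else, and a client that talks to it. Both ends run in one process over `socket.socketpair()`; the names `HANDLERS`, `MAX_MESSAGE`, `call` and the two toy commands are my own. It is the opposite of steps 2 and 3 in the cycle above: neither side can ask the other to run an arbitrary command, so there is no step 4.

```python
"""Constructed example: a minimal socket message-passing protocol with a
fixed, pre-agreed command set, instead of general-purpose RPC."""
import json
import socket
import struct
import threading

# The complete command set, known in advance by both client and server.
# Dispatch is a table lookup: a request can only name a handler listed
# here, and can never send code or a method name to be resolved at runtime.
HANDLERS = {
    "add": lambda a, b: a + b,
    "upper": lambda text: str(text).upper(),
}
MAX_MESSAGE = 64 * 1024   # refuse oversized frames before allocating for them


def send_message(sock, obj):
    """Frame one JSON message as a 4-byte big-endian length plus payload."""
    payload = json.dumps(obj).encode("utf-8")
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_exact(sock, n):
    """Read exactly n bytes, or raise ConnectionError if the peer hangs up."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf.extend(chunk)
    return bytes(buf)


def recv_message(sock):
    """Read one framed message; ValueError on a bad length or bad JSON."""
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    if length > MAX_MESSAGE:
        raise ValueError(f"frame of {length} bytes exceeds MAX_MESSAGE")
    return json.loads(recv_exact(sock, length).decode("utf-8"))


def handle_request(request):
    """Validate the request shape, then dispatch to a whitelisted handler."""
    if not isinstance(request, dict) or not isinstance(request.get("args", []), list):
        return {"ok": False, "error": "malformed request"}
    handler = HANDLERS.get(request.get("cmd"))
    if handler is None:
        return {"ok": False, "error": f"unknown command {request.get('cmd')!r}"}
    try:
        return {"ok": True, "result": handler(*request.get("args", []))}
    except TypeError as exc:   # wrong arity or operand types: report, keep serving
        return {"ok": False, "error": str(exc)}


def serve(sock):
    """Server loop: answer requests on one connection until the peer closes."""
    with sock:
        while True:
            try:
                request = recv_message(sock)
            except ConnectionError:
                break
            except ValueError as exc:            # bad frame: refuse and hang up
                send_message(sock, {"ok": False, "error": str(exc)})
                break
            send_message(sock, handle_request(request))


def start_server():
    """Run the server on a background thread; return the client's socket end."""
    client_end, server_end = socket.socketpair()
    threading.Thread(target=serve, args=(server_end,), daemon=True).start()
    return client_end


def call(sock, cmd, *args):
    """Client side of one exchange: send {cmd, args}, return the reply dict."""
    send_message(sock, {"cmd": cmd, "args": list(args)})
    return recv_message(sock)


if __name__ == "__main__":
    client = start_server()
    print(call(client, "add", 2, 2))                  # {'ok': True, 'result': 4}
    print(call(client, "upper", "hello"))             # {'ok': True, 'result': 'HELLO'}
    print(call(client, "eval", "__import__('os')"))   # unknown command: refused
    print(call(client, "add", 2))                     # wrong arity: refused
    client.close()
```

The whole protocol is two framing functions and a dictionary. Adding a command means adding one entry and telling the other side about it, which is all the “directory service” a client you wrote yourself ever needs; the length cap and the shape check are the only defensive code, and they are there because the server reads from a socket, not because it does anything clever.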

Windows is less secure than Linux

Tuesday, February 6th, 2007

Over the years, there have been countless arguments and counter-arguments about Linux security versus MS Windows security. Those of us who have to deal with computer security know that Linux (and other Unix-based OSes) makes it possible to maintain a secure system, whereas Windows is encumbered with a rich legacy of bad design decisions. Unfortunately, there are enough knee-jerk partisans and opinion-for-hire analysts to keep the water perpetually muddy.

These charts show just how much more needlessly complex Windows is, and by extension, how much harder it is to secure. They also help to explain why Windows Vista missed its deadlines by several years. This is why Linux (and Mac OS X, which is similar) get cool new features year after year, whereas every major Windows version is a deadline-breaking fiasco.