Is "Ship it then fix it" a good business model? It is likely an approach to get a product to market early, or perhaps more honestly, to market on time. But after an experience I had on the weekend, I wonder about the sense of this approach and worry that the push to get Linux and Unix adopted on the desktop, through low cost outlets such as Wal-Mart , will depend on this strategy. The consequence will be a rash of viruses written for these platforms, and the reputation of Unix and Linux will take an equivalent hit.
I was helping a friend on the west coast set up a wireless network covering his property. Instead of the usual selection of computer stores to make our purchases, we had to make do with the computer department of a large drug store. When purchasing the wireless access point and border router, I discovered a device that advertised itself as filling both roles. Once I had hooked up the router I had enormous problems connecting to and maintaining a connection to the broadband network.
My first response was to blame the cable company (always a good first response in my experience), but after fearing the fight required to get through to their help desk, I decided to eliminate all other possibilities first and upgraded the router with new firmware. Unsurprisingly, this fixed the problem the router previously had in maintaining the connection, as well as a few other small annoyances in the interface.
The next day, back in the computer department of the drugstore, I planned to exchange an older card we had grabbed by mistake. I casually mentioned to the manager of the computer department the router's problem and the fix. I also suggested that if others come in reporting this issue he might suggest upgrading the firmware. He glanced at me, and said that he did get about 50 per cent of the routers returned because they "don't work". How many other people have simply put up with the broken performance and have continued using the product?
Geeks are different then the general populace
This little adventure got me thinking about the "ship it then fix it" nature of computing today. Some of this behavior in the computer business came about because people can't take a "test drive" of their purchase to find out where the bumps are going to be. Another reason is that us techie geeks are an impatient bunch. Raise your hand if you were the first on your block to have an MP3 player. How about the first to have a 100+GB hard drive, or a wireless network? With impatient people who will forgive a few technical glitches, being at the front of the line, even if you're there with a broken leg, is best. We geeks who buy the latest and greatest will often gleefully trade work-a-rounds, hacks, or other tidbits of information needed to make things work.
Mass marketing software, especially a new product, requires a different approach. Otherwise, the manufacturer risks alienating a large portion of their future customers. This shift in approach is doubly important when we are dealing with security. How many people have a grandma or brother that wouldn't know how, or couldn't be bothered, to download and apply a security patch? After all, everything works fine doesn't it?
Over the last year, a lot of attention has been paid to the movement of Unix-like systems into the end-user desktop world. There have been startups dedicated to this endeavor (Lindows, renamed Linspire, for example) and recently, one of the Unix big-guns, Sun, entered the end-user market selling their Java Desktop, announcing distribution through Wal-Mart . Most of these endeavors involve Linux, and there are many benefits that are attributed to Unix-like systems to try and entice people to move.
Fanfare of trumpets
One of the benefits often trumpeted by supporters is increased security and the assurance of this increased security is the availability of the source code. Everyone can see how things work so it's not possible to hide bad software design that would lead to security flaws. "No security in obscurity" is the phrase trumpeted by the supporters. While I won't debate whether obscurity is a good or a bad thing for security (I am a user of open source alternatives when available), this notion that the lack of code obscurity is the reason there is greater security deserves additional thoughts.
Viruses, generally speaking, are written to target popular systems. If we consider the number of end user systems (popular targets for social engineering viruses), it is likely that a large majority of these systems are running Windows. It seems to me that Unix and Linux users are relying heavily on security through obscurity, in that the number of Linux/Unix systems deployed are not great enough to warrant learning how best to manipulate them. This might be considered obscurity via scarcity, but it still has allowed Linux and Unix advocates to hold up the virus statistics for Windows systems as a reason to switch. What happens when you make Linux less obscure on the radar of the virus writers?
Linux in Wal-Mart - a powder keg?
So what is going to happen when Aunt Tilley goes to Wal-Mart, buys a cheap PC running Linux, gets it home and plugs it in? One of the few ways that a company selling open-source software can make money is to charge for the automated, timely distribution of patches. Aunt Tilley is forced to sign up to this service to receive patches automatically (she may get a year subscription included in the price), but does she see value in it? This problem is, in my view, compounded by the fact that many open source projects seem to live by the mantra "Release Early, Release Often". How many software projects are adequately tested in this release methodology? This sure sounds like a "Ship it now, fix it later" approach. What happens when someone doesn't realize they are running a broken version?
Here are a few of my ideas for how this can be fixed.
- Ship with all services turned off. If a service is being turned on, check when the last update was done, if it was too long ago, prompt the user to confirm telling them they may be running an insecure service.
- Allow users to manually download updates without charge. Charge for auto-updates.
- Don't let users run as a privileged user everyday, and if they do, pop up warnings.
- Find some visual way to identify scripts or binaries not installed by the root/privileged account.
The last idea is to try and limit the ability of viruses to socially engineer themselves as images or other attachments. I believe that one of the reasons why Windows mass mailer viruses are so prevalent is the "attachment hiding" that makes it hard for a user to make an informed decision.
Not making an attempt to make things better will likely result in the powder keg exploding.
Daniel Hanson manages the Focus Incidents area of SecurityFocus as well as the Incidents mailing list.