IN THIS CHAPTER
Defining Software Behavioral Space
Solving the Problem
Software does things; this is why you use it. Usually, you're hoping that it does something or some things that are of use to you in some fashion. The things that any given application does, however, are rarely limited to exactly the single thing that you think of that application as doing. When you want to read a file onscreen (using TextEdit, cat , more , less , or whatever viewing software you prefer), you probably think of the software's action as "displaying a file on the screen." This action, however, is made up of a number of subactions, such as asking the OS to locate the file on your drive, opening the file, reading data from it, asking the OS to open a window or display characters to a terminal, and so on. The subactions performed are not often things that endusers think about, and are also not always things that endusers expect or desire . Even the perceived main purpose of software is sometimes not exactly in line with what the actual primary visible function is, sometimes leaving endusers of the application in situations that they did not expect.
VIRUSES, WORMS, AND MALWARE
Virus, worm, and malware problems are one of the areas in which I cannot disguise my disgust for the way that some people think about computing security. The individuals who write various bits of malware are only a minor part of the problem. No amount of effort applied to stopping them will be sufficient to prevent people from writing and releasing software such as computer viruses, and regardless of what effort is expended, such software will continue to be created and will continue to be a threat to undefended systems.
Those who write and sell software that is designed to facilitate the action and propagation of such malware are the real problem, and should be the focus of everyone's efforts on changing computing culture. Effective and damaging malware should require the discovery of software bugs or faults in communication-system designs. Unfortunately, today it does not, because there are major software vendors out there who are willing to sell you software that has features (not bugs, but intentionally designed-in features!) designed specifically to allow the action of software such as viruses. Certain vendors, for example, sell email clients that come preconfigured to execute arbitrary software that is sent over the Internet, without informing the user or requesting permission to execute the code. They do this because it makes some features they'd like to sell you ever so slightly more convenient to implement, and they think that you're gullible enough to buy the software and take their assurances of its safety as valid. They know full well that it's not safe, because they're not actually stupid enough to have missed the lessons of 14 or more years of hard-won network security battles . However, they think that you are, and because those features also enable some " conveniences " that their competitors don't have, that you'll buy their software and not think about the consequences of the convenience you've bought.
So far, they're right. By far the majority of networked users seem to have been taken in by this ploy, and it's biting them every day. The software writers, however, don't care. Rather than fix the problem, they release patch after patch after ineffective patch. And if your machine has been "owned" by some 13-year-old kid who's wiped out your financial records and the patches don't fix it, well, hand over your credit card, because the next yearly update certainly will solve the problem.
This must change, and the only way it's going to change is if you, the consumers of computing software, speak out. So long as you, your coworkers, and your friends choose software that favors convenience over security, some software vendors will be happy to sell it to you. So long as you grudgingly use software that you know is a problem because "everybody uses it, so I am obliged to as well," (nearly) everybody will indeed be using it.