Letters to my sons.

Dear Son,

as technology continues to march on the idea of an Internet will slowly disappear as the system its self becomes ubiquitous. There will be no marvel that you can read your email on your mobile phone and that the half written reply is synced to your main computer so you can finish it off at home. These things will become normal, everyday occurrences but the way things are going this sort of technology is fraught with danger.

Most computer systems are not designed with security in mind, the low level checks that make sure the software can’t be exploited and taken over. The idea is to make a pretty looking program with loads of whizzy features – this is what people want and this is what sells. This mind set is very entrenched in the computer hardware and software world and at the moment the cost of a computer hacking isn’t killing anyone but in the near future it will.

Take the following quote:

“As Apple grows its market share and becomes a more mainstream operating system, there’s going to be a lot more interest in it from the whitehats and the blackhats,” said Randy Abrams, director of technical education at anti-virus provider Eset. “Apple users are going to have to get used to the same things that Microsoft and Unix users have dealt with for a long time and that’s that patches are a fact of life.”

The idea being floated is that computer software and hardware is not designed and implemented properly in the first place so get used to updating it as problems come to light.

Currently cars on the streets use physical mechanisms to speed up and slow down. When a person presses the brake pedal on their car they are pressing a mechanical device that pushes brake shoes against the wheels and when they press the accelerator they are physically opening a valve that allows more petrol to flow to the engine and therefore increase speed. But in the future this will not be the case, when a car driver presses the brake the intensity will be measured by a computer and it will then control the brake shoes; the same with the accelerator.

Cars of the future will be connected to the internet using wireless technology for navigation, work and entertainment purposes. If some one can hack you cars internet connection they would soon be able to disable your brakes and increase your speed. Even without hackers doing damage so much of today’s software is so badly written that a glitch could kill you.

There is another way of software development that builds in computer security from the start instead of trying to bolt it on at the end. There are software development methodologies that regard correctness and testing over features. There is even code review where people look at code line by line to find problems before the product is released and when they find issues they start looking again for this new issue. Not that any commercial software house seems committed to this way of doing things – for them the bottom line is more important that quality and that means more features in less time. Even non-profit software developers think being at the bleeding-edge is more important than standards, correctness and security; regularly major flaws are found in various Linux distributions and other open source software.

One descenting group from this feature-add disaster is the OpenBSD project. They believe in evolving the code over time and at all stages making security and correctness are the big issue, not features. If a feature can only be created by doing something wrong and/or insecure then it is not done.

There is nothing inevitable about having to patch a computer system every month. Patches should be seen as the exception and not the rule because the goal should be to get it right first time. This is difficult with very large projects so don’t have a large project. Have a very small project that delivers only something very limited but does it very well. When it has been tested to destruction and manages to keep working you start on the next task.

In the future our interconnected lives will depend on the rejection of the sloppy and the insistence on the correct and the secure.