Comment by Syonyk
4 years ago
... against nihilism? They're just sort of handwaving and saying, "Well, uh... we should do better, somehow... and expect Apple to do better, and... uh..." How's that any different from saying "The problem is basically impossible"?
The core of the problem is complexity. Our modern computing stack can be broadly described as:
- Complexity to add features. - Complexity to add performance. - Complexity to solve problems with the features. - Complexity to solve problems created from the performance complexity. - Complexity added to solve the issues the previous complexity created.
And this has been iterating over, and over, and over... and over. The code gets more complex, so the processors have to be faster, which adds side channel issues, so the processors get more complex to solve that, as does the software, hurting performance, and around you go again.
At no point does anyone in the tech industry seem to step back and say, "Wait. What if we simplify instead?" Delete code. Delete features. I would rather have an iPhone without iMessage zero click remote exploits than one with animated cartoons based on me sticking my tongue out and waggling my eyebrows, to pick on a particularly complex feature.
I've made a habit of trying to run as much as I can on low power computers, simply to see how it works, and ideally help figure out the choke points. Chat has gotten comically absurd over the years, so I'll pick on it as an example of what seems, to me, to be needless complexity.
Decades ago, I could chat with other people via AIM, Yahoo, MSN, IRC, etc. Those clients were thin, light, and ran on a single core 486 without anything that I recall as being performance issues.
Today, Google Chat (having replaced Hangouts, which was its own bloated pig in some ways) struggles to keep up with typing on a quad core, 1.5GHz ARM system (Pi 4). It pulls down nearly 15MB of resources - or roughly 30% of a Windows 95 install. To chat with someone person to person, in the same way AIM did decades ago. I'm more used to lagged typing in 2021 than I was in 1998.
Yes, it's got some new features, and... I'm sure someone could tell me what they are, but in terms of sending text back and forth to people across the internet, along with images, it's fundamentally doing the exact same thing that I did 20 years ago, just using massively more resources, which means there are massively more places for vulnerabilities, exploits, bugs, etc, to hide. Does it have to be that huge? No idea, I didn't write it. But it's larger and slower than Hangouts, to accomplish, as far as I'm concerned, the same things.
We can't just keep piling complexity on top of complexity forever and expect things to work out.
Now, if I wanted to do something like IRC, which is substantially unchanged from the 90s, I can use a lightweight native client that uses basically no CPU and almost no memory to accomplish this, on an old Pi3 that has an in-order CPU with no speculation, and can run a rather stripped down kernel, no browser, etc. That's going to be a lot harder to find bugs in than the modern bloated code that is most of modern computing.
But nobody gets promoted for stripping out code and making things smaller these days, it seems.
As long as the focus is on adding features, that require more performance, we're simply not going to get ahead of the security bugs. And, if everyone writing the code has decided that memojis are more important than security iMessage against remote zero click exploits, well... OK. But the lives of journalists are the collateral damage of those decisions.
These days, I regularly find myself wondering why I bother with computers at all outside work. I'd free up a ton of "overhead maintenance time" I spend maintaining computers, and that's before I get into the fact that even with aggressive attempts to tamp down privacy invasions, I'm sure lots of my data is happily being aggregated for... whatever it is people do with that, send ads I block, I suppose.
The bugs we're talking about have almost nothing to do with the underlying message transport, but rather the features built on top of it. Replacing iMessage with IRC wouldn't solve anything.
No, but my point is about complexity.
If all iMessage allowed were ASCII text strings, do you think it would have nearly the same attack surface as it does now, allowing all the various things it supports (including, if I recall properly, some tap based patterns that end up on the watch)?
In a very real sense, complexity (which is what features are) is at odds with security. You increase the attack surface, and you increase the number of pieces you can put together into weird ways that were never intended, but still work and get the attacker something they want.
If there were some toggle to disable parsing everything but ASCII text and images in iMessage, I'd turn it on in a heartbeat.
Virtually no one wants to use a messaging platform that just sends ASCII strings.
It's true that if you constrain the problems enough, ratcheting them down to approximately what we were doing with the Internet in 1994 when we were getting access to it from X.25 gateways, you can plausibly ship secure software --- with the engineering budgets of 2021 (we sure as shit couldn't do it in 1994). The problem is that there is no market to support those engineering budgets for the feature set we had in 1994.
6 replies →
The "and images" part has historically been a rich source of software exploits. I would guess that chat with full Unicode support but no images would be easier to implement to a high degree of security than ASCII text plus images.
First of all, getting rid of Unicode is not going to happen. Don’t ask.
Getting rid of images might be doable, but still difficult. Talking features away from people is politically difficult.
1 reply →
Well put. The market values features. With present system engineering approaches, the path of least resistance is to add complexity to enable said features and reap the financial rewards. It takes more effort to build smaller attack surfaces, so nature tends to avoid that path. Regulation helps little. Security is not additive, it is subtractive. Less is more. There is very little incentive to simplify, except in niche segments. So, zero surprise commodity systems fail so horrendously.
This is a really good point here. Most corporate development that I have experienced is centered around "features" and speed. "I'm working on a new feature", "there has been a feature request", "the feature has a bug." The only time the complexity of the project is considered is by the time it fails and the team is canned.