malvasia bianca

A couple of weeks back, Apple remotely disabled some apps that Facebook had written: one that they were paying people to sideload so they could be spied on, with Facebook’s internal apps getting disabled as collateral damage. College-student me would have been horrified by this; present me is glad?

The main difference is that, basically, security wasn’t a thing when I was in college. Yes, we had passwords; but we also used rlogin and telnet (ssh hadn’t been invented yet), and X11 let you just stick stuff on the screen of other people sitting next to you, and (I’m fairly sure) snoop their keystrokes if you really wanted to. So, basically, all this depended on the internet not being serious business yet (this was in pre-HTTP days), and on good behavior.

Whereas, right now, we’re in an environment where we have unparalleled tools for distributing software and where both people who are aware that they are bad actors and people who don’t think of themselves as bad actors but who nonetheless spy on your constantly are actively taking advantage of that. We’re much more sensitized to the need for secure software, we’re much better at writing secure software, but yet the browser, the single most powerful software distribution platform, is constantly running other people’s software on your computer without any meaningful consent, software that you’d frequently very much prefer not to be running if you had a choice.

I don’t pretend to know how to resolve this tension. But I’m also glad that we’ve at least gotten some new tools to deal with this. Filesystems are great, but I’m really glad that my phone doesn’t expose a cross-app filesystem. And I’m glad that the set of permissions that apps can get on my phone are getting more granular and more restrictive by default every year. There’s still a large attack surface, but those are both very meaningful security improvements: I download software every week for my phone without thinking about it, whereas I download software much less often for my laptop, and doing so basically always terrifies me if I think about it too much.

These granular permissons only help if software doesn’t regularly demand expansive permission grants, of course. I’ve never used Android, but my understanding is that that’s a serious problem on Android: there’s a culture of apps asking for expansive permissions, and the Google Play store lets them get away with it? So, yeah, I actually do want a benevolent overlord in this instance: sure, I’d like freedom to do what I want with my hardware, but it’s also important to me that other people don’t have freedom to do what they want on my hardware. And, right now, I’m willing to give up some amount of the former in service of meaningful restrictions on the latter.

Apple’s recent use of kill switches on enterprise certificates is an unusual and extreme example of what that entails, but I think that ability is a correct part of secure design: I don’t expect review processes to be perfect, which means that I want a way to kill malware after it’s been deployed to phones. And I view the Facebook software in question as malware: surveillance software without meaningfully informed consent.

There are flip sides to my position, of course. One is that there are other aspects of Apple’s software policy that I don’t like at all. Security restrictions are great; content restrictions are the opposite of great, and Apple is using the security restrictions to give themselves a monopoly on app distribution. And Apple’s rent-seeking profiteering on their App Store is bad as well. What I really would like is for Apple to provide universal security reviews for a close-to-cost fee and for them to allow other people to run app stores with varying curation policies; not much chance of that happening, unfortunately.

And the other flip side is that, while I’m glad that my phone (and my tablet and my video game consoles) have a restricted app environment, I’m also glad that I have access to machines that are more permissive: I’m glad for personal reasons, I’m glad for employment reasons. I don’t really know how to square that circle, and I’m not even sure that there’s any need to square that circle: different devices for different purposes is okay, with some being more permissive but with me scared to install software on them and some being more restrictive but safer? As long as both categories remain healthy, I think I’m okay with that?

I have no good idea of what to do about the browser, though. And I’m definitely worried about IoT proliferation: so far I’ve been able to resist having significant transition from dumb devices to smart devices in my house, but I have no idea how long that will remain tenable, and I don’t have any faith in those vendors’ security models. And, speaking of vendors, while I’m right now happy in general with Apple’s security posture, that could certainly go bad too; I’m not worried about that over the next few years, but I don’t see any reason to believe in a beneficial security overlord once I start looking a decade or two ahead…