27 August 2006

Safety First

Personal computers have gone from geek hobby, to useful private tools, to ubiquitous globally-connected life repositories. Today, we're as likely to conduct finance and store memories on the PC as we are to cruise around the web - on the same PC.

That means "make it easy to use" should change to "make it easy to use safely". Yet the level of knowledge needed to use a PC is far lower than the skills needed to use it safely, and IMO it borders on criminal negligence to deepen that trend. That's like making handguns lighter with a softer trigger pull so that toddlers could use them "more easily".

To use a PC...

...you need to know how to press a button, click one of two mouse buttons, and recognise the alphabet well enough to type. It's useful to know about "folders", but Vista seeks to remove even that semi-requirement. If you can click what you see, you can use the PC.

To use a PC safely...

...you need to know about file types and the levels of risk they represent, and that information is hidden from you by default. In fact, the UI that makes things "so easy" does nothing to help you assess risk, nor is it constrained to act within the risk indicators it displays.

You also need an unhealthy amount of de-spin and paranoia. Almost everything you see has to be reversed through the mirror of suspicion; "value" isn't, "free" can gouge you, "click to unsubscribe" means "don't click else you'll get more spam", and so on. The endless cynicism and lies can be damaging to the psyche, and I often wonder if usability studies into UI stress ever take this factor into account.

What we need to know

You wouldn't dream of wiring a house so that it wasn't possible to know which sockets and wires were "live", nor would you make firearms such that it was impossible to tell whether they were loaded, whether the safety catch was on, or which way they were pointing.

So why do we accept computers that use the meaningless term "open" that hides what a file can do when used? Why do we use an interface that makes no distinction between what is on our PC and what is from some arbitrary system out on the 'net?

The basic things we need to know at all times are:
  • Whether a file is "code" or "data"
  • Whether something is on our PC or from outside the PC
  • Where we are in the file system
We also need to be able to rely on this information, i.e. it should not be possible for material to mis-represent itself and have the OS take risks larger than the UI implied.

As owners of our own PCs, we have the right to do whatever we like with any file on our systems. We may not expect that right when we use our employer's PC at the workplace, but at home, there is no-one who should override our control.


In the old days of DOS, you had to know more to use a PC, but beyond that, all you needed to know was not to run files with names ending in .exe, .com or .bat, and not to boot off strange disks. Hidden files weren't that hidden, and it was quite easy to manage risky files because they wouldn't be run unless triggered from one of two editable files (CONFIG.SYS and AUTOEXEC.BAT). Only when viruses injected themselves into existing code files or boot code did one need antivirus tools to clean up.

The first safety failure was loss of the data/code distinction, when Windows 95 hid file name extensions by default, and when MS Office applications started auto-running macros within "data" files. Windows 95 also hid hidden files, as well as where you were in the file system.

The second safety failure was when Internet Explorer 4 shell integration blurred the distinction between what was on your PC and what was not. Local material was often presented in a web-like way, while the local file browser could seamlessly display off-PC content. The new web standards also allowed web sites to spawn dialog boxes that looked as if they were part of the local system, as well as drop and run code on visitors' computers.

The third safety failure includes all mechanisms whereby code can run without user consent; from CDs that autorun when inserted, to code that gropes inside file content when all we wanted was to see a list of files, to "network services" that allow any entity on the Internet to silently initiate a machine dialog, as exploited by the Slammer, Lovesan (Blaster) and Sasser generations.

The fourth safety failure will be a loss of awareness as to where we are within the file system. As long as different files in different parts of the file system can present themselves as being "the same", we need to know the full and unambiguous path to a file to know which it is.


Vista tries to make computing easier by dumbing down "where things are", but makes "safe hex" as difficult as ever. File name extensions and paths are still hidden, as are hidden files and alternate data streams (ADS). You still need to know an arcane list of file name extensions, you still need to bang the UI to actually show you these, and if anything the OS is more likely to ignore the extension when "opening" the file, acting on embedded information hidden within the file.

Just as the web enraptured Microsoft in the days of Internet Explorer 4, so "search" is enrapturing them now. Today's users may rarely type in a URL to reach a site; they are more likely to search for things via Google, and Vista brings the same "convenience" to your own PC. You're encouraged to ignore the namespace tree of locations and names, and simply type what you want so that the OS can guess what you want and "open" it for you.

The other growing risk in Vista, is that of automatic metadata processing. The converse of "any non-trivial code has bugs" is "if you want bugless code, keep it trivial". The traditional DOS directory entry is indeed trivial enough to be pretty safe, but I suspect the richer metadata embraced by NTFS is non-trivial enough to offer exploit opportunities - and that's before you factor in 3rd-party extensibility and malicious "metadata handlers".

Vista continues the trend of XP in that metadata and actual file content may be groped when you display a list of files, or when you do nothing at all (think thumbnailers, indexers etc.). If something manages to exploit these automatically-exposed surfaces, it allows loose malware files to run without any explicit integration you might detect and manage using tools such as HiJackThis or MSConfig. Removing such files may be impossible, if all possible OSs that can read the file system are also exploitable by the malicious content.


By now, we know that any code can be found to be exploitable, so the actual outcome of contact with material may bear no resemblance to what the code was supposed to do with it. Some have suggested this means we should abandon any pretence at a data/code distinction, and treat all material as if it posed the high risk of code.

IMO, that's a fatuous approach. Use of the Internet involves interaction with strangers, where identity is not only unprovable, but meaningless. That requires us to safely deal with content from arbitrary sources; only when we initiate a trust relationship (e.g. by logging in to a specific site) does identity start to mean something.

Instead, the message I take home from this is that any subsystem may need to be amputated at any time - including particular file types, irrespective of how safe they are supposed to be. For example, if .RTF files are found to be exploitable, I'd want to elevate expected risk of .RTF to that of code files until I know the risk is patched.

A pervasive awareness of exploitability dictates the following:
  • No system-initiated handling of arbitrary material
  • Strict file type discipline, i.e. abort rather than "open" any mis-labeled content
The first may be a bitter pill to swallow, as we may have come to enjoy the convenience of metahandling. However, some contexts should default to full safety rigor: the maintenance OS (mOS), "Safe Mode", content that can be expected to be high-risk such as new drives or incoming material, and whenever the user selects "safe view" from the shell's UI.

Making safety easier

Vista tries hard in the wrong places (user rights), though that approach is becoming more appropriately tuned - but that's another subject! What we need is:

Run vs. View or Edit

Let's see the death of "open"; it means nothing, in a context where we need meaning.

First, we need to re-create a simple data vs. code distinction, and force the OS to respect this so that we as users can trust what is shown to us.

Every time material is shown to us in a context that allows us to interact with it, we should be shown whether it is code or data. It's no use hiding this in a pop-up toolbar, an extra column in detail view, some peripheral text in a status bar, or behind a right-click and Properties.

Then we need to use terms such as Run or Launch to imply code behavior, as opposed to View or Edit to imply data behavior. You could View or Edit code material too, but doing so would not run it!

It would also help to show the file type as well, so that if a type that should be "data" becomes "code" due to code exploitability, we could avoid that risk. It's important that the system derives this type information in a trivial way (i.e. no deep metadata digging) and respects it (i.e. material is always handled as the type shown).

Safe handling and context awareness

Microsoft has juggled with various "My..." concepts for a while now, but there's no safety aspect to this as yet. Indeed, Microsoft encourages you to mix arbitrary downloads and incoming attachments with your own data files, as well as recommending the storage of infectable code files within "My Documents" as a way of hiding them from System Restore.

What we need is a new clue; that incoming material and infectable files are not safe to treat as if they were data files, nor should they be mixed with your data files that would be restored in the case of some system melt-down. I've applied this clue for many years now, and it does make system management a lot easier.

Once you herd all incoming and risky material into one subtree, you can add safer behaviours for that subtree - such as always showing file name extensions and paths, and never digging into metadata even to display embedded icons.

These safer behaviours can be wrapped up as a "Safe View" mode, which can then be automatically applied to other hi-risk contexts, such as when new drives are discovered, or the system is operated in Safe Mode, or when one is running the maintenance OS from DVD boot.
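The discipline argued for above, under "A pervasive awareness of exploitability" (type derived trivially from the name, mislabelled content aborted rather than guessed at, a data type that can be elevated to code risk until patched) and here (a Safe View listing for a risky subtree that shows full paths and real extensions and touches no metadata), as an added example in Python. This is illustration code written for this page, not the author's tool and not anything Windows ships; the extension lists, the byte signatures, the sample directory and every file name in it are assumptions constructed for the demo.

```python
"""Added example: 'type from the name, never from the content', with a
Safe View listing that refuses to 'open' anything mislabelled.

All lists below are assumptions for the demo, not an authoritative
inventory of risky Windows file types."""
import os
import tempfile
from dataclasses import dataclass

# Extensions a Windows shell would execute when "opened" (assumed subset).
CODE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs",
             ".js", ".wsf", ".hta", ".msi", ".cpl", ".lnk", ".reg"}
# Extensions the shell presents as harmless data (assumed subset).
DATA_EXTS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".rtf",
             ".doc", ".xls", ".mp3", ".avi"}
# Data types whose handler is currently known to be exploitable: treated as
# code until the fix is in (the .RTF scenario in the text). Empty by default.
ELEVATED_EXTS = set()
# First bytes that mark executable content whatever the name claims.
CODE_MAGIC = ((b"MZ", "DOS/Windows executable"),
              (b"\x7fELF", "ELF executable"),
              (b"#!", "script with interpreter line"))
SNIFF_LEN = 4   # read this much and no more: no parser of the content runs


@dataclass
class Verdict:
    path: str       # full, unambiguous path: the "where am I" the text asks for
    shown_as: str   # what an extension-hiding shell would display
    ext: str        # the extension the type is actually derived from
    kind: str       # "code", "data" or "unknown"
    action: str     # "run", "view" or "abort"
    reason: str


def effective_name(name):
    """Strip an NTFS alternate data stream reference ('file.txt:payload.exe')
    so the stream cannot hide behind the main name. Returns (name, has_ads)."""
    has_ads = ":" in name
    if has_ads:
        name = name.split(":")[-1]
    return name, has_ads


def shell_display_name(name):
    """Mimic 'hide extensions for known file types': the last extension is
    dropped if the shell knows it, so 'report.txt.exe' shows as 'report.txt'."""
    base, ext = os.path.splitext(name)
    return base if ext.lower() in CODE_EXTS | DATA_EXTS else name


def kind_from_extension(ext):
    """The trivial derivation: the name, and only the name, decides the kind."""
    ext = ext.lower()
    if ext in CODE_EXTS or ext in ELEVATED_EXTS:
        return "code"
    if ext in DATA_EXTS:
        return "data"
    return "unknown"


def sniff_code(path):
    """Look at the first SNIFF_LEN bytes only. Used to refuse, never to re-type:
    a file whose content says 'code' while its name says 'data' is aborted."""
    try:
        with open(path, "rb") as f:
            head = f.read(SNIFF_LEN)
    except OSError:
        return None
    for magic, label in CODE_MAGIC:
        if head.startswith(magic):
            return label
    return None


def classify(path):
    name, has_ads = effective_name(os.path.basename(path))
    ext = os.path.splitext(name)[1]
    kind = kind_from_extension(ext)
    shown = shell_display_name(name)
    if has_ads:
        return Verdict(path, shown, ext, kind, "abort",
                       "alternate data stream; the shell would not display it")
    if kind == "unknown":
        return Verdict(path, shown, ext, kind, "abort",
                       "no trivially-derived type for extension %r" % ext)
    magic = sniff_code(path)
    if kind == "data" and magic:
        return Verdict(path, shown, ext, kind, "abort",
                       "mislabelled: %s under a data name" % magic)
    action = "run" if kind == "code" else "view"
    return Verdict(path, shown, ext, kind, action, "type taken from %r" % ext)


def safe_view(directory):
    """Safe View listing of one subtree: names and first bytes only; no
    thumbnails, icons, indexers or third-party metadata handlers are invoked."""
    return [classify(os.path.join(directory, e)) for e in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, e))]


def verdicts_by_name(directory):
    return {os.path.basename(v.path): v for v in safe_view(directory)}


def build_sample_dir():
    """Constructed samples (not real malware): honest text, a double-extension
    executable, an executable wearing a .jpg name, an honest program, an
    unknown type. 'MZ' is just the DOS/PE header signature."""
    d = tempfile.mkdtemp(prefix="safeview_")
    mz = b"MZ\x90\x00" + b"\x00" * 60
    for name, data in {"readme.txt": b"plain text\n", "invoice.pdf.exe": mz,
                       "photo.jpg": mz, "setup.exe": mz, "archive.xyz": b"?"}.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for v in safe_view(build_sample_dir()):
        print("%-5s %-7s shown as %-12s real ext %-5s %s  [%s]"
              % (v.action.upper(), v.kind, v.shown_as, v.ext or "(none)", v.path, v.reason))
```

Note that the content sniff is deliberately shallow and one-directional: it can downgrade a "view" to an "abort", but it never promotes a file to "run" or picks a handler based on what it found, which is the "respect the type shown" rule. Adding ".rtf" to ELEVATED_EXTS is the whole of the response to a newly published RTF handler hole: those files are then labelled and treated as code until the set is cleared again.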

Change the mindset

Currently, we encourage newbies to jump in and use everything. Then we suggest to interested survivors that they learn and apply some safety tips.

Newbies may see a suggestion to turn on the firewall, install and update an antivirus scanner, and swallow patches automatically - but we don't talk about file type risks, and we encourage them to send attachments without suggesting they should avoid doing so.

IMO, the first mention of sending email to more than one recipient should explain and recommend the use of BCC:, and users who know nothing about file types or the need for meaningful descriptive message text should not be shown how to send attachments.

In other words, safety should be learned at the same time as how to do things, rather than offered as an afterthought, and it should be as easy to operate a PC safely as it is to operate it at all.


Dan W. said...

I agree with you Chris and I appreciate your work. I hope and pray Microsoft will realize the value of what you are trying to accomplish. I continue to dual-boot with 98SE and XP Pro, because 98SE is simply awesome. 98SE lets me get into DOS, makes things very simple and does not have so many unnecessary services like XP Pro has, and I can only hope that 98SE will continue to have a great deal of support. I look forward to more comments from you in the 98 general newsgroup.

Chris Quirke said...

Thanks! These days it *is* possible to maintain XP as one did Win9x (via DOS mode), using Bart CDR boot. See...


What's more difficult, is using apps from this mOS, compared to running DOS apps from DOS (mode). That has more to do with apps written for Windows that have to be installed before use.

If your XP is installed on FATxx rather than NTFS *and* HD is < 137G, you can use DOS mode as you would from Win9x. No registry access, tho (i.e. the real-mode Regedit from Win9x is very unlikely to work).

What NTFS doesn't give you, is data recovery and controllable file system repair tools. If you're used to DiskEdit and interactive ScanDisk as ways to repair/recover FATxx, you have to fall back to dumbo "the PC blinked, so I lost my data forever".

I agree on Win9x safety being improved due to less "network" services waving themselves at the 'net, and would feel safer with unpatched Win9x than unpatched pre-SP2 XP. Unpatched pre-SP2 XP is a death trap, as is unpatched Win2000.

Alas, timecrush has kept me out of the newsgroups, but I'll be back when the smoke clears!

Anonymous said...


Chris Quirke said...

I wondered when spambots would break the OCR and crash the party? Needless to say, I would consider every one of those links to be hostile.