Who Owns Your Computer?. When
technology serves its owners, it is liberating. When it is designed to
serve others, over the owner's objection, it is oppressive. There's a
battle raging on your computer right now -- one that pits you against
worms and viruses, Trojans, spyware, automatic update features and
digital rights management technologies. It's the battle to determine
who owns your computer.
You own your computer, of course. You bought it. You paid for it.
But how much control do you really have over what happens on your
machine? Technically you might have bought the hardware and software,
but you have less control over what it's doing behind the scenes.
Using the hacker sense of the term, your computer is "owned" by other people.
It used to be that only malicious hackers were trying to own your
computers. Whether through worms, viruses, Trojans or other means, they
would try to install some kind of remote-control program onto your
system. Then they'd use your computers to sniff passwords, make
fraudulent bank transactions, send spam, initiate phishing attacks and
so on. Estimates are that somewhere between hundreds of thousands and
millions of computers are members of remotely controlled "bot"
networks. Owned.
Now, things are not so simple. There are all sorts of interests
vying for control of your computer. There are media companies that want
to control what you can do with the music and videos they sell you.
There are companies that use software as a conduit to collect marketing
information, deliver advertising or do whatever it is their real owners
require. And there are software companies that are trying to make money
by pleasing not only their customers, but other companies they ally
themselves with. All these companies want to own your computer.
Some examples:
- Entertainment software: In October 2005, it emerged that Sony had distributed a rootkit
with several music CDs -- the same kind of software that crackers use
to own people's computers. This rootkit secretly installed itself when
the music CD was played on a computer. Its purpose was to prevent
people from doing things with the music that Sony didn't approve of: It
was a DRM system. If the exact same piece of software had been
installed secretly by a hacker, this would have been an illegal act.
But Sony believed that it had legitimate reasons for wanting to own its
customers' machines.
- Antivirus: You might have expected
your antivirus software to detect Sony's rootkit. After all, that's why
you bought it. But initially, the security programs sold by Symantec
and others did not detect it, because Sony had asked them not to. You
might have thought that the software you bought was working for you,
but you would have been wrong.
- Internet services: Hotmail allows you
to blacklist certain e-mail addresses, so that mail from them
automatically goes into your spam trap. Have you ever tried blocking
all that incessant marketing e-mail from Microsoft? You can't.
- Application software: Internet
Explorer users might have expected the program to incorporate
easy-to-use cookie handling and pop-up blockers. After all, other
browsers do, and users have found them useful in defending against
Internet annoyances. But Microsoft isn't just selling software to you;
it sells Internet advertising as well. It isn't in the company's best
interest to offer users features that would adversely affect its
business partners.
- Spyware: Spyware is nothing but
someone else trying to own your computer. These programs eavesdrop on
your behavior and report back to their real owners -- sometimes without
your knowledge or consent -- about your behavior.
- Internet security: It recently came out
that the firewall in Microsoft Vista will ship with half its
protections turned off. Microsoft claims that large enterprise users
demanded this default configuration, but that makes no sense. It's far
more likely that Microsoft just doesn't want adware -- and DRM spyware
-- blocked by default.
- Update: Automatic update features are
another way software companies try to own your computer. While they can
be useful for improving security, they also require you to trust your
software vendor not to disable your computer for nonpayment, breach of
contract or other presumed infractions.
Adware, software-as-a-service and Google Desktop search are all examples of some other company trying to own your computer. And Trusted Computing will only make the problem worse.
There is an inherent insecurity to technologies that try to own
people's computers: They allow individuals other than the computers'
legitimate owners to enforce policy on those machines. These systems
invite attackers to assume the role of the third party and turn a
user's device against him.
Remember the Sony story: The most insecure feature in that DRM
system was a cloaking mechanism that gave the rootkit control over
whether you could see it executing or spot its files on your hard disk.
By taking ownership away from you, it reduced your security.
If left to grow, these external control systems will fundamentally
change your relationship with your computer. They will make your
computer much less useful by letting corporations limit what you can do
with it. They will make your computer much less reliable because you
will no longer have control of what is running on your machine, what it
does, and how the various software components interact. At the extreme,
they will transform your computer into a glorified boob tube.
You can fight back against this trend by only using software that
respects your boundaries. Boycott companies that don't honestly serve
their customers, that don't disclose their alliances, that treat users
like marketing assets. Use open-source software -- software created and
owned by users, with no hidden agendas, no secret alliances and no
back-room marketing deals.
Just because computers were a liberating force in the past doesn't
mean they will be in the future. There is enormous political and
economic power behind the idea that you shouldn't truly own your
computer or your software, despite having paid for it.
This essay originally appeared on Wired.com. [Schneier on Security]
9:13:32 AM 
|
|
