It's not uncommon for folks to ask why computer systems seem as fragile and as vulnerable as they so often do. It's a legitimate question.

My question is perhaps more of an industry one than a personal computing question. Because malware, viruses, spam and the similar user-beware problems affect just about everyone who uses the ‘net for their daily informational needs, why hasn’t the technology industry tackled these issues head on? These are the problems that ultimately affect the non-computer savvy general user the most devastatingly.

Perhaps the question can be simplified: On the foreseeable horizon, will there be a time when users will not have to worry about viruses and malware? And why can't computer developers simply make one that is virus-free now?

Are there existing machines, platforms, etc, which can affordably take the risk out of using the internet? It just seems that no matter how careful one is or what virus software they use, the "bug" eventually gets them and huge problems ensue. You would think that the profit potential would be so significant that the developers out there would be jumping all over this opportunity - the bug-free system.

You're actually asking two separate questions:

Is it possible to create or write bug-free software?

Is it possible to create a computer system that is impervious to malware?

The practical answer to both is, unfortunately, no.

Bug Free Software

It sounds really simple: if we just wrote software more carefully, used better tools or techniques, or hired better programmers, we should be able to get rid of every possible bug, right? No mistakes. Ever.

There is no such thing as bug-free software. Period.

Yes, some software is better or worse than others, but as an absolute measure, no software ever reaches perfection.

There are three problems at play here: complexity, time, and functionality.

Complexity

What most people fail to grasp is the incredible complexity behind most of our computer systems today. It's truly mind-boggling to think of the thousands, if not hundreds of thousands, of man-years of effort that have gone into getting your computer to boot and run effectively. (I'm being OS-agnostic here. I don't care if it's Windows, Mac or Linux - they're all incredibly complex beasts.)

People that understand are amazed that they work at all. I know I am.

Make it less complex? Well, that means making it do less, be capable of less, and be less functional.

Whatever you decide to cut out is important to someone. I don't care which feature you hate the most and would love to see cut completely from the next version of whatever product you care to name. There's someone, perhaps lots of someones, who care deeply about that feature and would be incredibly upset to see it removed.

Computers are general purpose devices and people expect computers to be capable of many things - even many things that haven't been thought of yet.

And that leads to incredible complexity.

Time

So why not just take more time to get it right?

There's a strong argument for that, and you'll often see difficult decisions being made throughout the life of a software project, jettisoning features and functionality so that more time can be spent on getting what remains correct. Or you'll see projects take longer than planned because of the extra time that was required to meet a minimal quality bar.

But the practical reality is that software that never ships does no one any good. At some point, a trade-off has to be made between spending more time developing software or deciding that it's good enough, knowing that it will never, ever be perfect.

It's not that the people working these projects are stupid - far, far from it. Writing today's intensely complex systems in a way that meets everyone's expectations in a reasonable amount of time is hard. Very hard.

It's not an excuse, it's a reality. And the reality is that mistakes will be made.

Malware Resistant Software

As I said, computers are general purpose devices. We use them to do an amazing variety of things simply by loading different software. When you think about it, it's pretty magical.

So, tell me this: what is malware?

Seriously, how do you define a strict set of rules that defines what software can do that is "good", and what it should never, ever do because it's "bad"?

Sure, some things are obvious, but that's not the point. The point is the grey areas.

Just about any activity that you can think of as being malicious can also be viewed from a different perspective as being potentially useful. Consider for a moment Data Execution Prevention (DEP). Being able to execute data as if it were a program can be a useful programming technique; look at how many programs break when DEP is enforced and that ability is taken away. And yet, it's enforced because executing data is a common vector for malware.

I'm certainly not saying that there aren't ways to make things better than they are. I'm sure that there are additional improvements or rules that, along the lines of DEP, might break things for a while, but would ultimately result in a more secure environment.

What I am saying is that short of turning your computer into a device which cannot be programmed at all, there is no way to prevent malicious software in any absolute sense.
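The grey area around DEP described above, as an added example that is not part of the original article: a Python check that reads a memory map in Linux /proc/<pid>/maps format and reports regions that are both writable and executable. The sample map, the function names and the category labels are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample in /proc/<pid>/maps format (not taken from a real process).
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 131090 /usr/bin/example
0060a000-0060b000 rw-p 0000a000 08:01 131090 /usr/bin/example
01c3e000-01c5f000 rw-p 00000000 00:00 0 [heap]
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7f3a1c200000-7f3a1c3c0000 r-xp 00000000 08:01 262210 /lib/x86_64-linux-gnu/libc.so.6
7ffd4e1a0000-7ffd4e1c1000 rwxp 00000000 00:00 0 [stack]
"""

# address range, permissions, offset, device, inode, optional path
LINE_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[r-][w-][x-][ps])\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


class Region(NamedTuple):
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Region]:
    """Parse maps-format text into Region records, skipping malformed lines."""
    regions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        regions.append(
            Region(int(m["start"], 16), int(m["end"], 16),
                   m["perms"], m["path"].strip())
        )
    return regions


def classify(region: Region) -> str:
    """Label a region by what kind of memory is writable AND executable."""
    writable = region.perms[1] == "w"
    executable = region.perms[2] == "x"
    if not (writable and executable):
        return "ok"  # the state DEP-style policies aim for: never both at once
    if region.path in ("[stack]", "[heap]"):
        return "stack-or-heap"  # plain data areas marked executable
    if region.path == "":
        # Anonymous W+X memory is what a just-in-time compiler traditionally
        # allocates, and also what code written into a process at run time
        # looks like. The map alone cannot say which: the article's grey area.
        return "anonymous"
    return "file-backed"


def audit(text: str) -> List[Tuple[str, Region]]:
    """Return (category, region) for every writable+executable region."""
    findings = []
    for region in parse_maps(text):
        category = classify(region)
        if category != "ok":
            findings.append((category, region))
    return findings


if __name__ == "__main__":
    for category, region in audit(SAMPLE_MAPS):
        label = region.path or "(anonymous)"
        print(f"{category:14} {region.start:#x}-{region.end:#x} "
              f"{region.size:>8} bytes {region.perms} {label}")
```
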

As Long As...

As long as there are bugs (and there always will be)...

As long as there are folks with malicious intent (probably also always will be)...

As long as we can be fooled into running software with malicious intent ...

As long as we can't limit what computers might be legitimately expected to do ...

Malware will be with us.

And for the record: I'd love to be wrong. Truly.

I just don't see it happening. At least, not in my lifetime.

Article C4744 - February 17, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

26 Comments
Bob
February 18, 2011 3:55 AM

A step towards a 'malware-free' environment would be if manufacturers made computer products that were so limited in their scope, that taking over the device was simply not worth it - or in the best cases, not even possible.
You could have a 'FacePad', that only wirelessly connected to the Facebook servers. Similar idea - the BankPad, issued from your own bank.
If everything important was hard-wired and solid state, it would focus the criminals away from the general internet and make surfing safer.

Yep, but after a while you'd have how many devices for how many different services? I expect people would still opt for a single device that they can use for multiple purposes.
Leo
18-Feb-2011

Gene McGuire
February 19, 2011 1:04 PM

Unfortunately, I have to agree with you. In this world, NOTHING will EVER be perfect! I'm a 71-year-old PC junkie that has been waging war on these infernal things since we had our first Commodore 128 in 1980 --- keeps me young, I guess, or makes me old before my time, the jury is still out on that. I'm fighting a problem now with some AOL software that I eventually cancelled, but, after uninstalling it the old-fashioned Add/Remove way, it left a stupid little window that comes up EVERY TIME I click ANYTHING on the WEB. Oh well, I'll be calling AOL on that one today sometime---that thing flat out drives me NUTS! I did download REVO, AFTER I deleted SafeCentral. I used it to remove my TV tuner which I could not make work and, after doing that, and removing all the leftovers, it again worked beautifully. I'm afraid malware, bugs, etc. will be the bane of this generation from here on till the second coming of you-know-who.

scott huggins
February 20, 2011 5:37 PM

The CR-48 running chrome os is close. I don't worry about viruses or malware with this system.

Bob
February 21, 2011 3:35 AM

My comment about service-specific hardware was simply to illustrate the lengths we as an online community would have to go to, to reduce (not eliminate) the threat of malware.
A single pad that accepted 'service cartridges' (like DS game cartridges) might be a better way to look at it.
My point is, until virus-writers have it made difficult for them, they are not going to stop. As it stands, they can write one virus to 'steal' all the relevant information in one go - not have to write one for each bank, each e-mail, each online community, etc. etc.

Mike
February 22, 2011 8:46 AM

I suppose it's similar to asking if we can ever have a free society that is crime-free. Or find a high return investment that's risk-free. It's always a matter of trade-offs; how much opportunity or versatility is limited in return for how much protection, and whether it's considered to be a fair balance.

I'd rather be my own guardian, learning how to protect myself, than to be limited by others for my own good, even though I'm quite capable of avoiding the pitfalls already.

Jonny B
February 22, 2011 9:28 AM

Do malware programs like Superantispyware and Malwarebytes scan all user profiles on a computer if you are logged into just one account? Will it do the entire whole hard drive with all the files, folders and users? Now what if you went into Windows Explorer and right clicked on each account and scanned that folder as well as the main folder. Programs like Malwarebytes have an icon if you right click on a folder and you can set a scan going just for that folder. I did that and it did scan each individual username folder.

Sometimes I take out the drive and slave it to another computer via usb cord and do scans. Now the other day I did a SAS scan externally this way and found around 20 bugs. I then put the hard drive back into the laptop that it came from and did an SAS scan again within the computer itself. SAS then found around 60 more bugs. So what does this tell us about external scans?

Louis Benton
February 22, 2011 10:49 AM

I would agree that large software programs are unlikely to be bug free. However, I do not consider that task to be impossible as long as a bug is defined as software that does not behave as specified. If you include what people expect the software to do, that would be impossible because expectations and specifications are two different things. Of course specifications are also not always complete.

Computer systems have been built that perform perfectly, but to my knowledge, that has been limited to special purpose applications such as controllers for a microwave oven. I have even managed to create a few of these microcomputer controllers myself that never had a reported failure in operation except for hardware failure.

As for isolation from malware, that is also possible if you eliminate the possibility of modifying programs that run in the computer by on-line means.

For example, for years we used a device called Pocket Mail that did nothing but send and receive emails without attachments. As far as I know, the device could not be updated on-line. It did the one job very well and without ever being compromised. It did have a bug or two, but given time, I believe its program could have been made bug free because of its limited abilities.

You are right that most people have more than one job they want to do, and the beauty of general purpose computers is that they can add capabilities not even conceived of when they were built. Of course many times by the time these applications appear, the old computer is ready for replacement anyway.

The question is: would people give up unknown future capabilities for secure and reliable on-line functions such as email without the constant need for updates to fix security problems. The other question is whether people with other desires would be willing to opt to use two computers, one to do secure normal on-line use such as email, banking, etc, and one to do risky computing. I would suggest that both could be built into the same physical computer.

However, many people do limit their needs to just a few common applications and it would be possible to build in those few in a way that they would be very reliable and still not susceptible to malware. Simple word processor, simple spreadsheet, email without attaching programs, and using the Internet as a research tool would satisfy a great number of people. Those people would also have to give up the ability to get the latest clever function and "eye candy" to get that stability and security.

Cloud computing also has great possibilities for providing programs to process data without the possibility of messing up the computer the users would have in their homes to interface with the cloud computing. Those computers, at least for the on-line abilities, would only have the ability of a smart terminal like those that existed a few years back. Those programs could be stored in PROMS that would preclude any updates to the programs without some action on the part of the user. The terminal could even have a verifiable hardware identity that would limit the use of the cloud programs to known users. Of course, security would then depend on physical security of the terminal and the computer identifying the terminal.

Things like off-line game playing could be added to such a terminal without compromising security of the on-line usage.

Alex Dow
February 22, 2011 11:31 AM

I suggest that the Questioner used the word "bug" as an alternative for Virus, Trojan etc; rather than an "innocent" error in the software/programs.

Taking that first aspect, the harder it becomes to inject a Virus or Trojan, the greater will be the effort of the malware fraternity to break through the Anti-Virus programs etc.

Just think of the various "high-security" systems that hackers have managed to break/break in to etc.

Taking the other interpretation of an innocent error within the software, in my experience going back 35 years now, the hardest and biggest part of any software project is TESTING it.

You think that you have exhaustively tested a program - but the minute Users get their hands on it, such an error shows up.

This is partly because the software developers, with the best intentions in the world, can NOT envisage the full range of inputs etc that the users will subject it to, whether accidentally or deliberately.

Even asking another programmer to test the software, alpha, beta, gamma releases, is asking someone with a generally similar mind-set, so not likely to spot or encounter every error.

So computers will never be "malware and bug free"!


johnpro
February 22, 2011 2:10 PM

Having been let down consistently by traditional protection which at best is ad hoc and hit & miss,
I have road tested Sandboxie by deliberately going to infected sites.

My computer was infiltrated by malware immediately ...esp fake antivirus sites which are bad.{Also try Whitesmoke products for some good infection}
I closed the sandbox and my computer is completely unscathed with no evidence of any infection.{I tripled checked by traditional methods}
Marvellous ...
This program is basically free and can be downloaded from all trusted sites like download.com & Hippo et al.

Jp

Why go through third party download sites? Get it directly from the author: http://www.sandboxie.com/
Leo
23-Feb-2011

GREG JACKSON
February 22, 2011 3:29 PM

Jonny B RE: External scans--- Agreed. I performed an external scan on an XP(sp-2) HDD I knew was infected, and thought was healed. Using my other Vista PC & usb patch, Yikes! 3 more viruses were discovered. Who would have thought. This was a learning experience I'll consider next time.

Ron
February 22, 2011 7:07 PM

Your article covered the topic pretty well. I would add a couple of points.

I was taught, and in my experience, there is a trio of factors: Money vs Quality vs Speed. You can get 2 by sacrificing the third ie
- Save money and good quality by spending extra time

Your point about complexity is valid, and it could easily fit in to make a quartet of factors: pick 3 at expense of 4th...

Can bug free code be written? You say no, I say yes. The prime example is the code that took Apollo to the moon and puts the Shuttle into space. You haven't heard of any problems caused by those 1960 era IBM 360 computers and their programming. The problem is that the quality control on that programming make the cost about US $1000 per line in 1960's dollars!

The point about complexity is important. A complementary point is "flexibility". Currently our desktop computer is designed for too much flexibility. The average computer is trying to combine the functionality of a dump truck, a school bus, a messenger's bicycle, a bill board, a telephone switchboard, a commuter vehicle ... If we can switch to some more dedicated devices, we can lock them down and limit them to a degree that severely reduces the problem of hacking.

Let's face it, 90% (?) of users need: basic word processing, email and web browsing. Does that type of processing need ghz processors, GB of RAM and GHZ of video cards. No, a very low end, simple, locked down dedicated platform would do the trick for them. But our PC's are still generalized, do-it-all, platforms.

My 20 year old VCR has computer processing in it for commercial skip and fast forward. Has anyone ever had their VCR turned into a spam bot? No. But how long will it be from now that Blu-Ray HD players that require internet connection to provide all of their features and allow firmware updates.

DaGeek247
February 22, 2011 7:54 PM

Debian Linux is thoroughly tested for four years before it is released, and is one of the most stable operating systems out there. It may very well be the best answer to virus free and extremely stable.

That's very true, but I have to say I'm amazed at the fairly constant stream of updates and security fixes on that platform as well. It all works, but like any complex system it's certainly not perfect.
Leo
23-Feb-2011

Nils Torben
February 23, 2011 12:51 AM

Leo, you ask for a definition of "malware". Here is a simple one: Malware is any program or input that is capable or determined to make changes to a computer, which are not initiated or wanted by the user of it.
According to this it is an act of malware, when Firefox insists to rename the filetype "htmlfile" to "Firefoxhtml", Apple Quick Time will call an avi-file "quicktimeavi" and various programs will install toolbars without asking and so on, but this behaviour I certainly consider irritating although a mild kind of "malware".
Using malware is a matter of depressing human rights by neglecting peoples free will and privacy.

That's certainly one definition of malware. Unfortunately it's not one that everyone would agree on. That's the nut of the problem. One man's "feature" is another's "depression of human rights". Neither are necessarily right or wrong.
Leo
23-Feb-2011

Snert
February 23, 2011 9:11 AM

Off the subject, maybe, so delete at will, Mr Leo, you won't hurt my feelings. I've read the rules.
I've found lots of good programs/apps that were designed to do one thing and they did it very well. The pocket protectors involved thought to add extras which weren't needed or wanted and thereby degraded the original performance to something awful. I mention no names, but I'm sure you've noticed several.

Dan from SoCal
February 23, 2011 4:29 PM

Those computers that took the Apollo to the moon were very basic. NASA had the time and money to bang away at them to get all the bugs. And since they were simple computers, they still caused problems. Don't forget the first lander just about crashed because the user forgot to throw one switch and the computer was overwhelmed - and they were not user friendly at all. Yes - simple programs can be written bug free, but the more complex - the more entities you have working on the code, the more 'treasures' you are going to add to the code. Somewhere in there you are going to be passing 'Meters', and someone else is going to think they are getting 'Yards'. You can test it all you want, but testing it for every scenario, with every permutation just takes too much time - and you can't think of every test that should be done. As for reducing the complexity - yep - you can do that - but then someone else will sell something that not only is a phone, but can take pictures and do texting, and you won't have to worry about the software not being complex - because you won't sell any more of your bug free limited gadget!

That brings to mind: the space agencies are noted for using very old equipment compared to what we have available today in part because of the extreme amount of time they need to take to ensure the highest quality possible. That didn't stop one probe from failing (at the last minute, I believe) because of a mismatch between programmers using metric and English measuring systems; meters versus yards.
Leo
24-Feb-2011

Peter Ballantyne
February 24, 2011 2:20 PM

Well written article Leo. I started in early DOS days writing programs in BASIC of all things! When I whack away at my good old Windows XP computer I am constantly in awe at the utter complexity of what is going on behind the facade. When Windows first came out (I started at ver 3.1) I knew my days of hobby programming were over. I simply didn't have the time to get into the complexities of the new OS.

When friends ask me to look at their machines and get all frustrated because they are broken I try to tell them how incredibly complex the processes going on are, but they never believe me - SIGH!

Can I print off a few copies of your article to hand out to these folk who think a computer is about as complicated inside as a pocket torch? Puh-leeeeze!

Well, the terms for making copies of my articles are spelled out here. I'd appreciate it if you could just point them to this article. You can use this short URL if you like: http://ask-leo.com/C4744. Thanks!
Leo
24-Feb-2011

Ken
February 26, 2011 6:31 PM

One of my programming teachers had a saying "there are no bug free programs, only bugs that haven't been found yet".
And also, that three fourths of any program is made up of checking for user input errors.
I once took a temp job as a computer operator and I got to where I was afraid to click the start button because not a day went by without something crashing, even programs that had been running for years. Someone would input something in a way that the programmers had not thought to check for, and the program would crash!
I finally decided that I did not have the nerves for doing computers for a living. Computers are fun, but ...!#$%*

Glenn P.
February 28, 2011 12:21 PM

Leo, you wrote:

"What most people fail to grasp is the incredible complexity behind most of our computer systems... Make it less complex? Well, that means making it do less, be capable of less, and be less functional."

Surely the ultimate in "less capable, less functional" in computers today must be the Commodore-64. Believe it or not, there is still a fairly large hobby group who still uses this ancient thing (I use a C128 myself, in "C64" mode). It has NO multitasking, NO graphical interface whatsoever (anyone remember DOS?), operates at only 1Hz (no, that's not 1Ghz! I said 1Hz!), runs on BASIC v2.0, and has only (and I quote) "38911 BASIC Bytes Free" for programming use. Drop your jaws, folks: this thing is limited. Even primitive. And I love it.

Here's the thing, though. I had programmed a little routine years ago to determine whether a program written to a disk drive was locked or unlocked. It worked flawlessly, and I considered it absolutely reliable.

Until...

Until, years later, new third-party, aftermarket disk-drives came out! These produced directories which looked right, but which in technical detail didn't precisely conform to the Commodore standard, and in consequence my little program would sometimes misinterpret a locked file as being unlocked! That could have been disastrous!

I was forced to rewrite the entire algorithm to account for the change.

MORAL:  Even in so-called "simple" computer systems, unexpected bugs are bound to arise and updates are bound to become necessary from time to time!

Glenn P.
February 28, 2011 1:09 PM

This is specifically for Bob, who wrote:

"A step towards a 'malware-free' environment would be if manufacturers made computer products that were so limited in their scope, that taking over the device was simply not worth it - or in the best cases, not even possible. You could have a 'FacePad', that only wirelessly connected to the Facebook servers. Similar idea - the BankPad, issued from your own bank. If everything important was hard-wired and solid state, it would focus the criminals away from the general internet and make surfing safer."

Oh. Did I mention that the Commodore-64 (and C128) store their operating system in ROM (Read-Only Memory), which is then loaded into RAM at the start of every boot-up (which, by the bye, only takes five seconds!), producing a completely fresh, pristine system each and every time? The C64 is as close as possible to being virus-proof: simply reset it, and any virus resident is simply wiped out... :)

Tony
March 1, 2011 9:17 AM

Hi Leo and everyone.
I worked for IBM PC Development division back in the 1970's before the first DOS-based PC hit the market.
I don't think I break any confidential clause when I say that a good bunch of our development capital came from US Defense budgets? The military saw the value of a PC long before the public or industry.
The systems we produced were indeed TOTALLY protected from 'outside' influence such as (nowadays called) spam, bugs, malware, trojan horses etc We achieved this by the very simple method of writing MICROCODE (look it up in Wikipedia?) so that absolutely NOTHING got into the memory or onto the hard/floppy drive that had not been 'confidentially secured'!
The DOS based systems were REALLY slow compared to today's but it all had to pass through a 'pre-processor' that checked it against an acceptable set of parameters. Nevertheless it delivered military information in the 'field' way faster than the paper system or big central systems.
I cannot talk about what or how this was done but - believe me - it was seriously secure!!
We tried/intended to bring this level of security and system management to the public marketplace but had to drop it after the US Govt and others suggested it was contrary to the vicious Antitrust laws! I recall a prophetic company meeting in California where the current scenarios of malware etc was discussed at length although we never realised that the general public would be the main aggressor? Bearing in mind we were still in the Cold War it was always thought that attacks would come from other governments?! But then that happens too of course...?
I could go on at length about 'what might have been' but it is in the past and we have to live in the future...?
Oh - by the way - it was not a probe but the wonderful Hubble Telescope where they screwed up with centimetres and inches! The UK and France did it with Concorde too! T

Mikey
March 15, 2011 9:43 AM

I think my favorite example of a simple program that turned out to have a bug in it was one from IBM mainframe (System/360) days. IEFBR14 consisted of only one instruction, and was 2 bytes long. The first APAR (bug report) resulted in a fix which doubled the instruction count, and doubled the program length. As technology advanced, another APAR resulted in a much longer program to conform to standards for reentrant code and other subtleties.

Obiwan Computerguy
March 15, 2011 10:20 AM

BTW, the Commodore c64 ran at 1 MEGAHertz, not 1 Hertz as was commented on previously. If it had been 1 Hz as commented, we'd all still be waiting for the first production unit to boot up ....

Alex Dow
March 15, 2011 12:08 PM

Could aficionados of C64s, Sinclairs, Spectrums etc, be compared with the Railway/Railroad Preservation Movement?

With the steam locomotive; it is relatively easy to repair, refurbish etc, using well-proven machining and casting techniques mainly of yesteryear - and there is a great satisfaction in doing so.

Over here in the UK, a "brand-new" loco, "Tornado" of the LNER A1 Class has been built from scratch, although completely new drawings had to be produced, in part to satisfy modern safety requirements and machining methods.

But could today's preservationists take on today's latest rail prime movers?

Theoretically possible - but seems very unlikely.

Daved
March 25, 2011 10:33 AM

Regarding Tony who wrote - "Oh - by the way - it was not a probe but the wonderful Hubble Telescope where they screwed up with centimetres and inches! The UK and France did it with Concorde too!"

Quite incorrect actually. It was a Mars probe that crashed into that planet because of an incorrect conversion of Metric to Standard, not the HST.
The HST's flaw was different altogether and not caused by faulty conversion.

I've been decompiling and analyzing Malware since 1997 and I'm not going to go in-depth about this article, but I will say this....as long as we have "code" there will be flaws in that code that someone will find. Modern OS's are massively complex as stated, and will always have flaws to be exploited, and that will not change until we have a quantum leap in Artificial Intelligence which can be built into systems to actively change code in real time, to defeat system changing Malware. But then again, the malware writers will have AI to use against that too...an endless loop.
User ignorance is usually the target for Malware writers now, (Social Engineering) and as long as we have humans, we'll have ignorance. LOL! Unfortunately, most PC users don't have a clue about what it takes to be a secure user, they don't know where to look, nor do they take the time to look, and that's where the bad guys will always target first.

Neil
March 26, 2011 10:30 AM

You're not going to like it but the fact is that the malware industry is self perpetuating. What do I mean by that? Well the simple fact is that the industry itself is responsible for creating the threats in the first place before creating the so-called fix.

Yes some companies have a team of virus writers as well as a team of antivirus writers. The former disperse the code into the wild and wait a few days or weeks for it to get noticed before suddenly coming up with the perfect fix. Good that.

Only two professions are truly recession proof. That of an undertaker and that of a programmer working for an antivirus company. It's a bit like a fireman starting his own fires.

I keep hearing this conspiracy theory, and refuse to accept that the reputable anti-malware vendors participate in this kind of thing. Absolutely there are specific malware that attempt to coerce you into purchasing a specific solution, but that's clearly malicious. The companies you see myself and other tech folk recommending don't create viruses.
Leo
25-Mar-2011

Mickelpartikel
October 17, 2012 8:36 AM

Complexity - Why would it be considered a problem when it comes to writing bugfree software? The logic in microprocessors is not more buggy nowadays than before, but the complexity is much greater. It is not harder to make software logic bugfree.
