It's not uncommon for folks to ask why computer systems seem as fragile and as vulnerable as they so often do. It's a legitimate question.

My question is perhaps more of an industry one than a personal computing question. Because malware, viruses, spam and the similar user-beware problems affect just about everyone who uses the ‘net for their daily informational needs, why hasn’t the technology industry tackled these issues head on? These are the problems that ultimately affect the non-computer savvy general user the most devastatingly.

Perhaps the question can be simplified: On the foreseeable horizon, will there be a time when users will not have to worry about viruses and malware? And why can't computer developers simply make one that is virus-free now?

Are there existing machines, platforms, etc, which can affordably take the risk out of using the internet? It just seems that no matter how careful one is or what virus software they use, the "bug" eventually gets them and huge problems ensue. You would think that the profit potential would be so significant that the developers out there would be jumping all over this opportunity - the bug-free system.

You're actually asking two separate questions:

Is it possible to create or write bug-free software?

Is it possible to create a computer system that is impervious to malware?

The practical answer to both is, unfortunately, no.

Bug Free Software

It sounds really simple: if we just wrote software more carefully, used better tools or techniques, or hired better programmers, we should be able to get rid of every possible bug, right? No mistakes. Ever.

There is no such thing as bug-free software. Period.

Yes, some software is better or worse than others, but as an absolute measure, no software ever reaches perfection.

There are three problems at play here: complexity, time, and functionality.

Complexity

What most people fail to grasp is the incredible complexity behind most of our computer systems today. It's truly mind-boggling to think of the thousands, if not hundreds of thousands of man-years of effort that have gone into getting your computer to boot and run effectively. (I'm being OS-agnostic here. I don't care if it's Windows, Mac or Linux - they're all incredibly complex beasts.)

People that understand are amazed that they work at all. I know I am.

Make it less complex? Well, that means making it do less, be capable of less, and be less functional.

Whatever you decide to cut out is important to someone. I don't care which feature you hate the most and would love to see cut completely from the next version of whatever product you care to name. There's someone, perhaps lots of someones, who care deeply about that feature and would be incredibly upset to see it removed.

Computers are general purpose devices and people expect computers to be capable of many things - even many things that haven't been thought of yet.

And that leads to incredible complexity.

Time

So why not just take more time to get it right?

There's a strong argument for that, and you'll often see difficult decisions being made throughout the life of a software project, jettisoning features and functionality so that more time can be spent on getting what remains correct. Or you'll see projects take longer than planned because of the extra time required to meet a minimal quality bar.

But the practical reality is that software that never ships does no one any good. At some point, a trade-off has to be made between spending more time developing software or deciding that it's good enough, knowing that it will never, ever be perfect.

It's not that the people working these projects are stupid - far, far from it. Writing today's intensely complex systems in a way that meets everyone's expectations in a reasonable amount of time is hard. Very hard.

It's not an excuse, it's a reality. And the reality is that mistakes will be made.

Malware Resistant Software

As I said, computers are general purpose devices. We use them to do an amazing variety of things simply by loading different software. When you think about it, it's pretty magical.

So, tell me this: what is malware?

Seriously, how do you define a strict set of rules that defines what software can do that is "good", and what it should never, ever do because it's "bad"?

Sure, some things are obvious, but that's not the point. The point is the grey areas.

Just about any activity that you can think of as being malicious can also be viewed from a different perspective as being potentially useful. Consider for a moment Data Execution Prevention (DEP). Being able to execute data as if it were a program can be a useful programming technique; look at how many programs break when preventing that ability is enforced. And yet, it's enforced because it's a common vector for malware.

I'm certainly not saying that there aren't ways to make things better than they are. I'm sure that there are additional improvements or rules that, along the lines of DEP, might break things for a while, but would ultimately result in a more secure environment.

What I am saying is that short of turning your computer into a device which cannot be programmed at all, there is no way to prevent malicious software in any absolute sense.
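The DEP trade-off described above is visible in Windows executables themselves: each PE file carries a header flag, `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`, that declares the program compatible with DEP. The following is an added example, not code from this article, that reads that flag; the file names and header stubs are constructed for the demonstration.

```python
import struct

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100  # PE flag: image is compatible with DEP

def dep_opt_in(image: bytes) -> bool:
    """Return True if a PE image declares itself DEP-compatible (NX_COMPAT)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20                                 # signature + COFF header
    if len(image) < opt_off + 72:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (flags,) = struct.unpack_from("<H", image, opt_off + 70)  # DllCharacteristics
    return bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)

def build_sample(dll_characteristics: int, magic: int = 0x20B) -> bytes:
    """Constructed header-only PE stub for the demo; not a runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # PE header follows DOS header
    coff = bytearray(20)
    opt = bytearray(72)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt)

def audit(images: dict) -> list:
    """Names of images that have not opted in to DEP, sorted."""
    return sorted(name for name, data in images.items() if not dep_opt_in(data))

SAMPLES = {  # constructed names and flag values
    "modern.exe": build_sample(0x8160),                 # includes NX_COMPAT (0x0100)
    "legacy.exe": build_sample(0x0000),                 # no opt-in at all
    "aslr_only.dll": build_sample(0x0040, magic=0x10B), # other hardening, but no NX_COMPAT
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Images that appear in the audit list are the ones most likely to rely on executing data, and so the ones most likely to break when DEP is enforced for them.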

As Long As...

As long as there are bugs (and there always will be)...

As long as there are folks with malicious intent (probably also always will be)...

As long as we can be fooled into running software with malicious intent ...

As long as we can't limit what computers might be legitimately expected to do ...

Malware will be with us.

And for the record: I'd love to be wrong. Truly.

I just don't see it happening. At least, not in my lifetime.

Article C4744 - February 17, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

Recent Comments
25 Comments

I think my favorite example of a simple program that turned out to have a bug in it was one from IBM mainframe (System/360) days. IEFBR14 consisted of only one instruction, and was 2 bytes long. The first APAR (bug report) resulted in a fix which doubled the instruction count, and doubled the program length. As technology advanced, another APAR resulted in a much longer program to conform to standards for reentrant code and other subtleties.

Posted by: Mikey at March 15, 2011 9:43 AM

BTW, the Commodore c64 ran at 1 MEGAHertz, not 1 Hertz as was commented on previously. If it had been 1 Hz as commented, we'd all still be waiting for the first production unit to boot up ....

Posted by: Obiwan Computerguy at March 15, 2011 10:20 AM

Could aficionados of C64s, Sinclairs, Spectrums etc, be compared with the Railway/Railroad Preservation Movement?

With the steam locomotive; it is relatively easy to repair, refurbish etc, using well-proven machining and casting techniques mainly of yesteryear - and there is a great satisfaction in doing so.

Over here in the UK, a "brand-new" loco, "Tornado" of the LNER A1 Class has been built from scratch, although completely new drawings had to be produced, in part to satisfy modern safety requirements and machining methods.

But could today's preservationists take on today's latest rail prime movers?

Theoretically possible - but seems very unlikely.

Posted by: Alex Dow at March 15, 2011 12:08 PM

Regarding Tony who wrote - "Oh - by the way - it was not a probe but the wonderful Hubble Telescope where they screwed up with centimetres and inches! The UK and France did it with Concorde too!"

Quite incorrect actually. It was a Mars probe that crashed into that planet because of an incorrect conversion of Metric to Standard, not the HST.
The HST's flaw was different altogether and not caused by faulty conversion.

I've been decompiling and analyzing Malware since 1997 and I'm not going to go in-depth about this article, but I will say this....as long as we have "code" there will be flaws in that code that someone will find. Modern OS's are massively complex as stated, and will always have flaws to be exploited, and that will not change until we have a quantum leap in Artificial Intelligence which can be built into systems to actively change code in real time, to defeat system changing Malware. But then again, the malware writers will have AI to use against that too...an endless loop.
User ignorance is usually the target for Malware writers now, (Social Engineering) and as long as we have humans, we'll have ignorance. LOL! Unfortunately, most PC users don't have a clue about what it takes to be a secure user, they don't know where to look, nor do they take the time to look, and that's where the bad guys will always target first.

Posted by: Daved at March 25, 2011 10:33 AM

You're not going to like it but the fact is that the malware industry is self-perpetuating. What do I mean by that? Well the simple fact is that the industry itself is responsible for creating the threats in the first place before creating the so-called fix.

Yes some companies have a team of virus writers as well as a team of antivirus writers. The former disperse the code into the wild and wait a few days or weeks for it to get noticed before suddenly coming up with the perfect fix. Good that.

Only two professions are truly recession proof. That of an undertaker and that of a programmer working for an antivirus company. It's a bit like a fireman starting his own fires.

I keep hearing this conspiracy theory, and refuse to accept that the reputable anti-malware vendors participate in this kind of thing. Absolutely there are specific malware that attempt to coerce you into purchasing a specific solution, but that's clearly malicious. The companies you see myself and other tech folk recommending don't create viruses.
Leo
25-Mar-2011

Posted by: Neil at March 26, 2011 10:30 AM