Security cruft means every exploit lives forever


#1



#2

Life of an engineer, life full of fun.


#3

(The CA system is highly broken, and the topic of many thousands of other words. “It’s like a taxi medallion,” Soghoian says of being a CA baked into an OS or browser.)

It’s more like a nearly universally accepted extortion racket. I have to pay a third-party swindler in order to persuade the public that my pages are secure, but that swindler has no obligation to deliver meaningful value (and quite often doesn’t) and there’s really little or no connection between my site’s actual security and whether I’ve paid a swindler or not.

Taxi medallions are at least regulated (nominally) by a representative government. This is like taxi medallions issued by the mafia.


#4

Your article sounds as if you wanted built-in obsolescence being inserted into internet-enabled devices, as if you were forgetting that their real built-in obsolescence is their lack of support from manufacturers or vendors. Sometimes there is an active user group backing the product, but even that group abandons the product after 4-5 years, leaving it unsupported. I stopped using linux when modern linux distros stopped supporting some (previously supported) pieces of hardware…


#5

There’s a similar sense of despair when people talk about trying to harden our civil infrastructure against terror attacks. So much vulnerability! So little attention available to protect it!

What I wish we could talk about more is focusing on the relatively small number of bad players, changing the game to remove the profit motive, effective prosecution, that sort of thing. Too bad that the bad players have already poisoned the well with FUD, making such discourse impossible.


#6

To be fair, the exploits in older software require two things to become a problem. One, exposure to uncontrolled traffic such as an outside connection to the tubes. Two, a malicious attack. In many situations, it’s possible to have exploitable software running in a non-hostile environment such as a heavily fire-walled internal network.

Even if manufacturers wanted to disable older software, the public outcry would be too much. The evolution has been towards providing constant and frequent updates but we’re all still faced with factions of the collective intelligence of the web constantly trying to find the weaknesses. In other words, much security still remains the job of the customer to remain vigilant. The proof of this is the recent “social hacking” of some celebrity cloud accounts. No amount of software security is going to fix that.


#7

It’s complicated. Nobody wants their device to stop working because it’s a certain age or stops being supported. But the persistence of utility of older devices with outdated software means we have no end.

But it’s asymmetric. Older devices can continue to work, but the services with which they work can stop allowing insecure devices/software to connect.

There are a lot of elements that are unfair, partly related to cheap electronics pushed heavily without any thought of or need for future support.

I can’t imagine a worldwide fix, but imagine if the electronics industry guaranteed security upgrades for a period of time. “This device will receive security fixes through at least 20__.” In fact, some devices and software do have a span-of-life promise.


#8

“How much longer are the rest of us going to be forced to put up with those users?” Soghoian asks rhetorically.

As one of those users, I’d gladly update tomorrow, if Soghoian will buy me a new machine. In the meantime, I’m stuck with this old hardware until either it breaks or the economy improves. Maybe Soghoian can answer the question, “How long are we going to be forced to put up with luminaries who think that the poor are a personal inconvenience?”


#9

I can afford to be exploited, so all you people who can’t are just whiners. Stopping the regulatory capture and broken intellectual property system that empowers this behaviour is out of the question, of course. I’d have to take time out from watching Game of Thrones to do something about that.

OK, too much DuClaw Sweet Baby Jesus. I’m going to bed before I get myself in trouble.


#10

Despite that, there’s little urgency to make SHA-1 obsolete. Soghoian points out that browser makers, like Mozilla and Google, have little leverage with the certificate authorities (CAs) that continue to allow SHA-1 certs to be issued.

Of course they have leverage: just de-list those rogue CAs from the next version of your browser and see how quickly the CAs start screaming when browsers no longer recognize their certs.


#11

They don’t. Some are connected to government. Some are clients. In general, there’s enough problematic behavior that if one browser maker did this, it would look to users like the browser was broken. It’s not a good situation.
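The exchange above turns on CAs still issuing SHA-1 certificates. Whether a browser de-lists a CA or not, a practitioner can at least check for the problem on their own side: the digest used to sign a certificate is recorded in the outer signatureAlgorithm field of the DER encoding, so a small DER walker is enough to flag it. The following is an added example, not code from the article or from any of the commenters. It uses only the Python standard library; the OID table comes from RFC 3279 and RFC 5758, and the sample certificate it builds is a constructed, structurally minimal stand-in (a serial number, the algorithm identifier and dummy signature bytes), not a real or valid X.509 certificate.

```python
"""Flag SHA-1-based signature algorithms in a DER-encoded X.509 certificate.

Added example (not from the article or the thread). Standard library only.
"""
import base64

# Signature-algorithm OIDs whose digest is SHA-1 (RFC 3279, RFC 5758).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
KNOWN_OIDS = {
    **SHA1_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Parse the DER TLV at pos; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]     # first byte packs the first two arcs
    value = 0
    for b in raw[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Return the OID in the outer signatureAlgorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, start, _, _ = _read_tlv(der, 0)               # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, _, pos = _read_tlv(der, start)              # tbsCertificate: skipped
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, alg_start, _, _ = _read_tlv(der, pos)          # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing signatureAlgorithm")
    tag, oid_start, oid_end, _ = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def uses_sha1(der):
    """True if the certificate's own signature was made with a SHA-1 digest."""
    return signature_algorithm_oid(der) in SHA1_SIGNATURE_OIDS


def load_pem(pem_text):
    """Strip the PEM armour of a single certificate and return its DER bytes."""
    body = [l for l in pem_text.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))


# --- constructed sample input below: NOT a valid certificate -------------

def _tlv(tag, content):
    """DER-encode one TLV, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_sample_certificate(sig_oid):
    """Constructed stand-in: only the fields the check reads are populated,
    the TBS carries just serial=1 plus the algorithm, and the signature
    is dummy bytes. Long enough to exercise the long-form length path."""
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")  # OID + NULL params
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg)
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 128)             # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        cert = build_sample_certificate(oid)
        name = KNOWN_OIDS.get(signature_algorithm_oid(cert), "unknown")
        print(f"{name}: {'SHA-1, reject' if uses_sha1(cert) else 'ok'}")
```

To run it against a live site, `ssl.get_server_certificate((host, 443))` from the standard library returns the leaf certificate as PEM, which `load_pem` turns into the DER bytes the check expects. Two caveats a practitioner would want: a chain check must run this over every certificate except the trust-anchor root (a root’s self-signature is never verified, so its digest is irrelevant), and the walker deliberately reads only the outer signatureAlgorithm, not the copy inside tbsCertificate; RFC 5280 requires the two to match, so a mismatch is itself a malformed certificate.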


#12

If you knew Soghoian’s work or followed Boing Boing’s feelings on this matter, you’d know that the intent is that everyone should have access to update their own hardware and software. If hardware that’s still used in large numbers is abandoned, it should be possible and even easy for people who want to keep it secure, up to date, and add new features to be able to do so and distribute it legally.

Part of the failure (of which this article is too brief to encompass) in this area is that people can’t upgrade their own gear, usually, for love or money.

One regulatory method would be to require that any hardware sold has to have user-upgradable software, or an escrow for the code so that if the item is obsoleted or abandoned, the code gets pushed to a public repository or a free/open software foundation.

There are lots of ideas in this area, all of which would help users in general plus the security profile.


#13

I like code escrow. That should be a thing.


#14

If possible, also publish the schematics and other docs. Handy things to have around.


#15

What a lucid little article. I wonder if a good solution will ever be found?


#16

It is. I use escrowed code nearly every day. You just have to be a corporation.

I do work for a US company that uses a very large and complex software suite developed and supported by a Canadian company. The source code is escrowed by a third party, and if the Canucks ever go out of business or refuse to provide ongoing support, the sources are turned over to the client.

Yeah, but I get the snark on when I’ve had a few. Sorry! You do see the California Liberal Intellectual “but why don’t they just eat cake?” arrogance that Nelsie pointed out, right? Everyone having access to update their own hardware and software is certainly a step in the right direction, but it’s not in any sense a solution to the problems outlined in either your article or my tipsy post.

You’ve already made the point that installing CyanogenMod is not really practical for huge segments of the population. I’ve done it, on a B&N Nook, and I agree with you. Not everyone has the privileged upbringing that allows them to even understand that they should update, much less be able to do so, and it’s frankly impossible for many consumers to discriminate between friendly hackers like Team CyanogenMod and unfriendly predators shipping malware. So obviously just opening the sources is not enough. Any proposals that rely on large segments of the population having the educational and economic resources of the average bOINGbOING denizen are inherently unworkable.


#17

For phones and other small devices the solution seems to be shoddy charger/USB connectors. :wink:


#18

Absolutely, but it’s partly a conflation of multiple ideas in the article — Soghoian is most concerned with being held back by the idea that supporting every user forever at the expense of everyone else harms everyone. It’s not “please buy new stuff!” But I see how it can come off that way.


#19

Agreed. It has to be something that is free and easy (single click), and distinguishable from malware.


#20

Kind of… mutually exclusive requirements… I admit I am not too optimistic here.

The really really really good news about shellshock is that I may be able to root my ebook reader now. So not everything bad is only bad.