Dan Appleman: Kibitzing and Commentary

My personal blog

The Future of Computer Security: A Question of Analogies

Friday I expect to be on a panel at Gnomedex called “The Future of Security.” In preparation, I’ve been putting some thought not so much into the future of security, but into how we even go about figuring out that future.
Let’s start with some basic facts – the axioms of security if you will:

  • There will always be “bad guys” who try to break into systems, write viruses, steal, etc. They’ve existed throughout history, and there’s no reason to expect them to vanish from cyberspace.
  • Technology alone will never provide perfect security. Every walled city ultimately fell. However, technology may, for a while, provide “good enough” security.

The challenge with predicting Internet security is that the Internet is a new phenomenon. We don’t really know where it’s going or what it will be like in 20 years. Even though we are in some ways better off than those who pioneered the Internet, because we’re at least paying some attention to security, that is offset by a huge increase in complexity (and complexity is the enemy of security).

In predicting the future, we try reaching for analogies from the past. But in doing so it’s sometimes tough to choose the right analogy. For example: those who expected “nation building” in Iraq to be analogous to post WWII Europe seem to have been woefully mistaken.

There are two analogies that I currently find useful in thinking about Internet security. One is inspired by the information superhighway, a term that has lost some of its popularity but remains useful. In this analogy, the original ARPA-Net was the equivalent of dirt roads. Visitors rode primitive Model-T vehicles, at relatively low speeds. There were few accidents, no seat belts and no driver’s ed.

As the highway system grew into its modern form, accidents became more common. Society dealt with this in two ways – using technology to make both cars and highways safer, and instituting strict requirements for drivers education. Even so, accidents still occur in huge numbers, but we’re presumably better off than if nothing had been done.

On the information superhighway some work has been done on safety features. Computers have antivirus tools and firewalls available, though like seatbelts they are optional and not always used. ISPs are adding security features to the “highway” itself. But we have no equivalent to driver’s ed – any clown can buy a system and get on the highway without learning a thing about security. I’m not suggesting we legislate computer security classes, but I wonder – what if a major ISP like AOL raised their prices $5 overall, but offered a $10 discount to anyone who passed an online security quiz?

The other analogy I like is the biological analogy. It’s not a new one – many elements of computer security are named for their biological analogs. The security implications of this analogy suggest that computer security is not a problem to be solved, but a chronic condition. That spam, viruses and hoaxes are destined to become a permanent part of the Internet that might, like today’s bacteria, even have beneficial results (I know of people who have cleaned up a severely infected computer by just buying a new one – which is presumably good for the economy). The book “The Shockwave Rider” portrays an Internet that follows this model, with some surprising consequences (it’s a great book and I highly recommend it). Of course this analogy has its disturbing sides – everyone dies, after all.

I’m looking forward to seeing what my fellow panelists think about the future of security, and if there are other relevant analogies that might work. I’d be interested in hearing your view either here, or even better, if you’re at Gnomedex please introduce yourself and let me know what you think.

Funniest Election News Ever (or how to tell if you're an extremist)

Ok, I admit I am jet-lagged, which certainly explains why I’m awake at 5:00am in a London hotel room. But it doesn’t explain why today’s election news isn’t the funniest thing I’ve heard yet. And if you don’t find it funny too you’re probably way too extreme (in either direction), are a conspiracy theorist, or have no sense of humor.

Today Donald Rumsfeld was quoted as saying:

“Let’s say you tried to have an election and you could have it in three-quarters or four-fifths of the country — in some places you couldn’t because the violence was too great,” Rumsfeld said. “So be it. Nothing’s perfect in life. You have an election that’s not quite perfect. Is it better than not having an election? You bet.”


“Will there be elections? I think so. Might there be some portion of the country where the terrorists decide they’re going to mess things up? Possibly. Does that mean that there won’t be elections? No.”

Reports left out that this is the map he was pointing to at the time:

Picture of map illustrating areas where elections might not occur.

Windows Forms to Developers: I'm not Dead Yet

In my recent blog “Spolsky 1: Scoble 0 – Stegman’s Video, while Great, doesn’t apply to the API war” the most surprising results were in the responses. While many did address the focus of the item (that of API changes), there were a number of responses directly relating to Windows Forms as a technology. Recently, Mike Harsh elaborated on this topic as well. Clearly there is interest in where Windows Forms fit into the greater scheme of things. I think this is worthy of further discussion.

It’s possible Mike may be too conservative about the future of Windows Forms. Curiously enough, the very issues that Joel brings up with regards to the API war actually work in favor of Windows Forms. You see, even though Windows Forms is a managed wrapper for User32, the key point is that it does wrap User32 – the old Win32 GDI API that every Windows developer in the world is familiar with.

So here comes Avalon – a new approach and new API. Do the features that Avalon promises truly justify the investment in learning this new API? It’s too soon to say. It will likely prove compelling to those developers who really need to take advantage of new UI features, just as the DirectX API is worth learning for those who need that capability, but that may prove to be a minority of Windows developers.

My point is this – you have a huge number of Windows programmers, who grew up and know User32, how it plays with VB6, MFC, ATL and now Windows Forms. Do you really think they’re all going to just jump to Avalon overnight? Over a year? Over 10 years? .NET has compelling advantages over COM, and the transition is proving very slow. There’s every reason to believe that the transition to Longhorn and Avalon (that in my mind are still classified in the category of vaporware) will be as slow or slower. If there is no compelling economic advantage, Windows Forms might be the dominant managed forms package for many years.

Unless, of course, Microsoft abandons Windows Forms, either on purpose, or by implication (say, by failing to make interop work as smoothly as promised on future OS’s).

It’s a tough problem. Technically, I do believe Windows Forms is better than VB6 or MFC. But it suffers from the .NET distribution issue. Even ClickOnce may not change that (a topic I’ll be writing about soon). Avalon will suffer the same runtime distribution issue, plus the additional problems of limited OS support and the need to learn a new API.

I was discussing this earlier today with Christian Gross, and he suggested I take a look at GTK#. I doubt it’s as cool as Avalon, maybe not even as cool as Windows Forms. But I must confess, the idea of a forms package that runs on Windows, OSX and Linux is intriguing. Something to look at… in my copious spare time.

Hurricane Ivan and the X-Rayed Water Bottle

The other night I was watching the Hurricane Ivan show on CNN. It consisted mostly of newscasters standing in the rain and wind right outside of their hotel room, while waiting for a large planter to blow over (I’ll avoid comment about reporters being smart enough to come out of the rain, and observe that the individual covering Hurricane Ivan for Jon Stewart’s Daily Show also stood in blowing mist – outside a carwash – thus fulfilling the journalistic obligation to be soaked while reporting on a storm).

Today, on my way to a conference in Germany, I saw someone carry a clear plastic water bottle through security – only to have it taken back through the metal detector and run through the X-Ray (I confess to being at a loss to imagine what an X-Ray might see in that bottle that we couldn’t).

This got me thinking. We all know that we’re spending lots of money to defend against terrorism and to X-Ray water bottles. About 40 billion in 2003 (not counting the war in Iraq, whose relationship to homeland security is an interesting question in and of itself). I wondered how it compared to what we are spending on various other threats – like hurricanes.

This is certainly a bad year for hurricanes, though we don’t know yet how much they’ll really cost. But looking at NOAA data, it looks like hurricanes and other storms typically cost 5 to 10 billion each year. Hurricane Andrew in 1992 was 27 billion (about the same as the direct costs of the 9/11 attacks). The NOAA budget is about 3.3 billion – that’s on all their activities, not just hurricane and storm tracking.

Terrorism, though, is worse than hurricanes. Why? Perhaps because it can strike at any time without warning.

So let’s consider earthquakes – they also can strike at any time without warning. I’m a California boy, and I got to ride the Loma Prieta quake (and trust me, “ride” is the operative word). That one cost about 6 billion. The Northridge quake cost 20 billion. The USGS annual budget is about 1 billion, of which 100 million or so goes to earthquake and volcano research and prediction.

But Terrorism is worse than earthquakes. Why? It kills more people (and why are we talking damage costs when lives are at stake anyway?)

Worldwide deaths from terrorism have been running under 4000/year (though increasing). The 9/11 attacks cost 2700 lives. Definitely more than have been killed by hurricanes or earthquakes (at least in the U.S.).

So let’s consider traffic accidents. In 2003 there were 42000 traffic fatalities in the U.S. (2.9 million injured). That’s more than killed by terrorism in the past decade. How much are we spending on highway safety? How does 3.6 billion sound?

But terrorism is worse than traffic accidents. Why? Because it has a greater risk of mass casualties due to possible use of weapons of mass destruction. But how much of that 40 billion is going towards controlling spread of nuclear weapons and detection, prevention and preparation for biological attack? I can’t help but wonder if that 40 billion is really being spent wisely.

There are some other things I wonder…

For example: I recently read that Afghanistan has become a leading exporter of heroin and other drugs (70% of the world’s opium comes from there). I realize that the war on drugs has been preempted by the war on terrorism, but still, it’s hard for me to see that hunting for Bin-Laden is incompatible with getting a country out of the drug business.

And it does seem curious that Iraq seems to be developing into a new home and school for terrorists. I mean, freeing the Iraqis from Saddam Hussein is all very nice, but exactly how did that make us more secure?

Anyway, these are some of the questions I’ve been wondering about. Not that I have any answers, but it did lead me to one thought I’d like to leave you with. Virtually all of the political discussion has related to Bush vs. Kerry as individuals (and what they may or may not have done 30+ years ago). Let’s remember that we aren’t just hiring a president – we’re hiring their staff. If you rehire Bush you get Cheney, Rumsfeld, Ashcroft, Rice and maybe Powell in the bargain (it’s not clear if Powell’s staying on) – not to mention the likelihood of a Supreme Court justice or two. With Kerry you get… Hmm… who do you get? Hopefully we’ll hear soon.

Ok, I’m out of questions. It’s raining outside, but I’m safe and warm in my hotel room, drinking water from a nice, safe, thoroughly X-Rayed bottle.

(P.S. it’s not really raining outside. That part is poetic license).


National Oceanic and Atmospheric Association (NOAA).
Center for Contemporary Conflict – U.S. Navy.
Centers for Disease Control and Prevention (CDC).
U.S. Geological Survey (USGS).
US Department of Transportation.
Congressional Hearing: Afghanistan Drugs and Terrorism and U.S. Security Policy Feb 12 2004.

Spolsky 1: Scoble 0 – Stegman’s Video, while Great, doesn’t apply to the API war

In a recent blog item, Robert Scoble suggests that Joe Stegman’s video on Windows Forms answers Joel Spolsky’s article “How Microsoft Lost the API War.”

Sorry Robert – but it doesn’t.

Make no mistake, Windows Forms is great stuff. Ok, perhaps you hype it a bit too much – that great looking Outlook application that is created with 100 lines of code largely looks like Outlook because it uses an Outlook control. But nevertheless – it’s great.

And yes, Windows Forms will “play” with Avalon. Chapter 5 of Microsoft’s “Developer’s Guide to Migration and Interoperability in ‘LongHorn’” on MSDN addresses this.

But “play together” in this sense is an interoperability issue. Avalon and Windows Forms represent two different programming models or API’s.

Let me stress the word “interoperability” here. Sure, Avalon can host Windows Forms and vice versa. Just as Windows Forms today can host COM ActiveX controls. But do you know many people writing COM ActiveX controls for use with .NET? No.

Why not?

  • Because people are reluctant to trust an interoperability layer, both from reasons of compatibility and reasons of performance.
  • Because once Microsoft adopts and promotes a new technology (.NET), they tend to stop development, and gradually support, on the old one (COM).
  • Because psychologically, developers want to play with the latest technology, and managers feel pressure to adopt the latest technology.

Having two technologies that have different API’s has all the costs Joel discusses, such as the cost to learn a new technology and the cost to port applications (even when there is no feature, performance or economic benefit in doing so).

With Avalon and Longhorn we are faced with the same process. Sure Windows Forms is being invested in big time. Sure Windows Forms controls will be hosted in Avalon through an interop layer (and vice versa). It doesn’t matter. The same pressures will apply in just a few years to migrate to Avalon. There will be inevitable problems in the hosting, concern about long term support, and pressure in the media and development community to use the latest and greatest thing.

Sure, if you’re writing software with a lifespan of a few years, Windows Forms is a great way to go. But we all know that software, enterprise software especially, lives a long time. Can Microsoft categorically promise to maintain a full commitment to development, maintenance and support of Windows Forms for the next 15 years? (A more typical lifespan for enterprise software). Will they maintain that commitment during a time when their marketing department and media are pushing Avalon and Longhorn?

Do you really want to invest full bore in Windows Forms today given the uncertainty of which technology will become dominant, run on the most platforms, and have the best long term support?

For smaller applications, absolutely. But if you’re going to invest in a large project, this is a very difficult decision, and waiting for Avalon might be the better strategy. It’s too soon to know.
