PC/Mac using people. We have a problem. That problem is our machines are
not remotely secure. 10yrs ago I used to not really worry about it
but I feel like the time has come that if something isn't done soon we're
all going to lose our data and have our bank accounts stolen etc...
Maybe this comes from working on Chrome where security is taken seriously.
That's not to say it's not serious in other places but rather working on Chrome
all the ways in which a program can do bad things and how to stop them comes
up. Of course a browser runs "untrusted code" by which they mean, unless you
shut off JavaScript, every page you visit gets to run code on your machine
via JavaScript and/or WebAssembly.
That's awesome IMO. It gives us things like Google Maps which is
amazing and things like Google.com/flights which gives instant and live
results but it also means browsers have to be vigilant and have to consider
how APIs are designed so that a random site's code can't do bad things
to your computer.
Sure, some people will read this and rant that browsers shouldn't run code
in the first place. I disagree. I think Google Maps is far better with JavaScript
than without. But, that's beside the point.
The point is NATIVE APPS HAVE THE SAME PROBLEMS!
The distinction is supposed to be that code in the browser could come from
anywhere. The ads on your favorite sites include code to track you. The site itself has code
to do whatever (get the latest posts live or send you a message notification).
You didn't explicitly say "I trust this code" so it's "untrusted".
That is supposed to be in contrast to apps you install on your computer.
The act of choosing to install a native app is implicitly saying "I trust this app".
That is a problem. You shouldn't trust apps. You shouldn't have to trust
apps any more than you should have to trust webpages. Apps can be just
as evil as a webpage. In fact apps can be more evil because at the moment
they aren't sandboxed on Mac or Windows or Linux so they can do far more
damage than a webpage.
An app can read your entire hard drive or at least all the data in your
user folder, which is probably where all your important data is anyway.
That means it can look at all your photos, all your movies,
read through all your files including whatever financial files you've
saved on your computer. If you're a geek and you have private SSH
keys stored in ~/.ssh, all those keys can be read by any software you
install.
A native app can constantly read your clipboard even when it's not the front app
and send that to some server on the net. A native app can turn on your camera
or your mic without asking. It can scan your network
for other devices, some of which might have known exploits.
And of course a large percentage of apps, especially on Windows but even
on Mac, ask for admin permission to install which means they can pretty
much do anything they want. Install a key logger and watch all your keys.
Install a screen reader and download images of your desktop at any time.
They can look at which apps you're running and report that back to their
respective companies. They can report the file names of which videos
you're watching. They can monitor your network to see which sites
you're accessing, what files you're downloading.
THIS HAS TO STOP!!!
The reason it's this way is basically historical. Before all machines were
connected to the internet it just never crossed anyone's mind that these things
might be problems. We had say 20-30yrs like that where it was just assumed
installed apps were trustworthy. So, we have the issue that if Windows
and MacOS and Linux were to switch overnight to prevent apps from doing these
things all old software would break. Because of that it's hard to
push sandboxing apps as the default.
Both Apple and Microsoft put a step forward on this with their respective
app stores. Apps installed from the Mac App Store or the Windows App Store
run somewhat sandboxed. Microsoft recently removed that sandbox requirement
though as they are shipping their Ubuntu integration on the Windows App Store
and it has access to everything.
In general, I don't think any app should have permanent permission
to access your mic or your camera. Even Facetime should be asking for permission
each and every time. It wouldn't be that bad of a UX. You'd make a call
and the OS would prompt "Facetime would like to use the camera Y/N" and your
call would be made.
The problem is once you give an app permission then you
never know when it's turning on the mic or the camera. For mobile this might
be slightly less of an issue since, at least on iOS, only one app runs at a time
so you know some background app can't be using the mic (AFAIK). For desktop
that's not true so once you've given an app permission to use the camera
you really never know when it will do so. Of course on desktop right now
there is no camera permission even if sandboxed. You gave it permission
just by the act of installing it. You can see MacOS doesn't even have the
option to prevent an app from accessing the mic or the camera.
And, this isn't just an issue of trusting each company. You might trust
Slack and install their Slack app. Or you might trust Adobe and install Photoshop
but those companies are using 100s of 3rd party libraries. You're really trusting
1000s of people for each piece of software you install. You're trusting that all 1000+
people are not trying to do anything bad. That all 1000+ people, every disgruntled
employee, every scheming person in the chain, didn't decide to try to sneak in
some backdoor.
And, even if they aren't intentionally doing something bad there are still bugs.
You install some game like Call of Duty. That game
sends data between players. Turns out because of a bug another player can
hack the networking on their computer to send your computer bad data through
the game. They can then own your machine, read all your data, use your camera, mic, etc,
hack your router, infect other machines on your network.
This kind of bug is potentially true of any app that exchanges data between
users. Your chat app (slack, irc), your email app, your online games, your
social networking apps (facebook, line, whatsapp), etc... You're trusting
there are no bugs. Right now there's an extremely popular app framework called
Electron. Lots of famous and not so famous apps use it.
And yet it's INSECURE BY DEFAULT.
I'd guess if you're using an app based on Electron and that app communicates
with a server then odds are > 50% it's insecure. The app itself might be hard
coded to only ever talk to the app company's servers which means some random
hacker can't use it to pwn your machine easily (though maybe they can when you're
on their fake wifi). But, unless all the security
advice is followed then any disgruntled employee or evil manager could
use the path between the company and your computer to use the insecurities
to do whatever they want to your machine.
Heck, even without frameworks like Electron, apps auto update and each update could add code to
do bad things to your machine. The nice people that started the app might
have been replaced with less nice people. The company that made the app
might have decided they wanted to do more spying on your machine for marketing
purposes so your
software that used to be trustworthy no longer is.
Sandboxing apps solves, or at least is a step to solving, all of those issues.
With a good sandbox an app can't read the data or files of other apps (without your permission).
With a good sandbox an app can't access the mic or camera. With a good sandbox even
if the app has bugs that let other users hack your app they can only affect that
app and its data, not your entire computer and all data. A really good sandbox
could even prevent scanning your local network.
Steam recently had an exploit anyone could have used to hack your machine.
Sure they fixed it but that's not the lesson that should have been learned.
The lesson should have been that Steam should never have been in a position
to exploit your entire machine. It should be running in a sandbox!
People, in particular software developers, rebel at the idea of sandboxing their software.
This is especially frustrating because they should be able to see the dangers.
Dev software itself has this issue. Many devs install software almost daily.
They download software libraries as packages or as git repositories and trust
those libraries are not owning their machines or spying on them. Seriously,
typing `npm install pick-your-favorite-lib` is literally trusting
100s if not 1000s of people you've never met not to trash your computer
and/or steal your data. Being told to type `apt-get install some-package`
or `brew install package`
should not be opening your data to getting stolen.
There needs to be a better way to sandbox even command line apps.
One way to solve this is to create a new VM for every project but at the moment that's
too burdensome so that almost no one does it. Microsoft is apparently adding
a feature to do this
but it doesn't sound like a serious solution. It's only
for temporarily running some software. It's not for putting each app in its
own sandbox.
Another solution is to run a more sandboxed OS like Qubes OS.
Unfortunately the apps people want to run are generally not available on Qubes
so that isn't really a solution. Apple and Microsoft are really the two
companies that need to lead the fix for this.
Unfortunately their current solutions so far are broken. First off their new
sandboxes are optional. You can still install software that runs
outside the sandbox and because of that un-sandboxed software is still the norm.
Probably 95% of all the software installed in both OSes runs un-sandboxed. All games on Steam
and pretty much all brand name apps run unsandboxed.
Secondly their desktop sandboxes are leaky.
See the fact that the camera and mic are not sandboxed yet.
And, finally and most important is they've conflated sandboxing
with their store. Getting apps from an official store should be
separated from sandboxing apps. Any app, regardless of how it's
installed should be subject to sandboxing restrictions by default.
You shouldn't have to only get store apps to be sandboxed. The OS
should be designed to be safe by default.
I'm sure you can think of an exception, some software that can't
function in a sandbox and that's mostly fine but that should
be the exception and Apple and Microsoft and users at large
should shame and boycott any software that tries to avoid
sandboxing. This includes companies like Adobe that are known
for hacking your OS at a deep level to spy on you.
I'm not holding my breath and I'm sure I'll get some rants
about sandboxing in the comments. I've even seen arguments that
sandboxing isn't a solution. To that argument I'd argue back
that if you believe sandboxing is not a solution then you should
be fine to run your browser with sandboxing off and you should be
fine running all software as root/admin. If you aren't
willing to do that then you do actually believe sandboxing has
an important role to play in protecting your computer.
At some point I expect the exploits to multiply like crazy.
I'll bet the majority of multiplayer games have exploits.
I'll bet lots of apps that have semi constant networking have
exploits. I'll bet that more and more desktop apps will be caught
spying on you in one way or another. And I'll bet this will
get worse and worse over the years until it becomes clear
we need sandboxes. I think iOS and Android have already shown
how important they are. Desktop PCs are no different.
Let's hope Microsoft and Apple make better sandboxes. Let's also
hope they separate them from their stores and from their certification
systems. Sandboxes should be the default.