[Infowarrior] - Schneier: Everyone Wants to 'Own' Your PC

Richard Forno rforno at infowarrior.org
Thu May 4 09:17:54 EDT 2006 

Everyone Wants to 'Own' Your PC

 http://www.wired.com/news/columns/1,70802-0.html
By Bruce Schneier
02:00 AM May, 04, 2006

When technology serves its owners, it is liberating. When it is designed to
serve others, over the owner's objection, it is oppressive. There's a battle
raging on your computer right now -- one that pits you against worms and
viruses, Trojans, spyware, automatic update features and digital rights
management technologies. It's the battle to determine who owns your
computer.

You own your computer, of course. You bought it. You paid for it. But how
much control do you really have over what happens on your machine?
Technically you might have bought the hardware and software, but you have
less control over what it's doing behind the scenes.

Using the hacker sense of the term, your computer is "owned" by other
people.

It used to be that only malicious hackers were trying to own your computers.
Whether through worms, viruses, Trojans or other means, they would try to
install some kind of remote-control program onto your system. Then they'd
use your computers to sniff passwords, make fraudulent bank transactions,
send spam, initiate phishing attacks and so on. Estimates are that somewhere
between hundreds of thousands and millions of computers are members of
remotely controlled "bot" networks. Owned.

Now, things are not so simple. There are all sorts of interests vying for
control of your computer. There are media companies that want to control
what you can do with the music and videos they sell you. There are companies
that use software as a conduit to collect marketing information, deliver
advertising or do whatever it is their real owners require. And there are
software companies that are trying to make money by pleasing not only their
customers, but other companies they ally themselves with. All these
companies want to own your computer.

Some examples:

    * Entertainment software: In October 2005, it emerged that Sony had
distributed a rootkit with several music CDs -- the same kind of software
that crackers use to own people's computers. This rootkit secretly installed
itself when the music CD was played on a computer. Its purpose was to
prevent people from doing things with the music that Sony didn't approve of:
It was a DRM system. If the exact same piece of software had been installed
secretly by a hacker, this would have been an illegal act. But Sony believed
that it had legitimate reasons for wanting to own its customers¹ machines.

    * Antivirus: You might have expected your antivirus software to detect
Sony's rootkit. After all, that's why you bought it. But initially, the
security programs sold by Symantec and others did not detect it, because
Sony had asked them not to. You might have thought that the software you
bought was working for you, but you would have been wrong.

    * Internet services: Hotmail allows you to blacklist certain e-mail
addresses, so that mail from them automatically goes into your spam trap.
Have you ever tried blocking all that incessant marketing e-mail from
Microsoft? You can't.

    * Application software: Internet Explorer users might have expected the
program to incorporate easy-to-use cookie handling and pop-up blockers.
After all, other browsers do, and users have found them useful in defending
against internet annoyances. But Microsoft isn't just selling software to
you; it sells internet advertising as well. It isn't in the company's best
interest to offer users features that would adversely affect its business
partners.

    * Spyware: Spyware is nothing but someone else trying to own your
computer. These programs eavesdrop on your behavior and report back to their
real owners -- sometimes without your knowledge or consent -- about your
behavior.

    * Internet security: It recently came out that the firewall in Microsoft
Vista will ship with half its protections turned off. Microsoft claims that
large enterprise users demanded this default configuration, but that makes
no sense. It's far more likely that Microsoft just doesn't want adware --
and DRM spyware -- blocked by default.

    * Update: Automatic update features are another way software companies
try to own your computer. While they can be useful for improving security,
they also require you to trust your software vendor not to disable your
computer for nonpayment, breach of contract or other presumed infractions.

Adware, software-as-a-service and Google Desktop search are all examples of
some other company trying to own your computer. And Trusted Computing will
only make the problem worse.

There is an inherent insecurity to technologies that try to own people's
computers: They allow individuals other than the computers' legitimate
owners to enforce policy on those machines. These systems invite attackers
to assume the role of the third party and turn a user's device against him.

Remember the Sony story: The most insecure feature in that DRM system was a
cloaking mechanism that gave the rootkit control over whether you could see
it executing or spot its files on your hard disk. By taking ownership away
from you, it reduced your security.

If left to grow, these external control systems will fundamentally change
your relationship with your computer. They will make your computer much less
useful by letting corporations limit what you can do with it. They will make
your computer much less reliable because you will no longer have control of
what is running on your machine, what it does, and how the various software
components interact. At the extreme, they will transform your computer into
a glorified boob tube.

You can fight back against this trend by only using software that respects
your boundaries. Boycott companies that don't honestly serve their
customers, that don't disclose their alliances, that treat users like
marketing assets. Use open-source software -- software created and owned by
users, with no hidden agendas, no secret alliances and no back-room
marketing deals.

Just because computers were a liberating force in the past doesn't mean they
will be in the future. There is enormous political and economic power behind
the idea that you shouldn't truly own your computer or your software,
despite having paid for it.

- - -
Bruce Schneier is the CTO of Counterpane Internet Security and the author of
Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can
contact him through his website.

More information about the Infowarrior mailing list