On the “Crystal Prison” – EFF gets it right but so wrong.

May 31, 2012 at 3:09 am (secondlife)

I have to disagree with the EFF in this article. 

They make some good points. Sure, Apple’s ecosystem is closed. The FOSS community doesn’t like them, etc. But I have to view the FOSS position as somewhat naive. Computers, and especially mobile computing devices, should in most cases be closed systems. There are two issues here.

Hardening:

You can harden a FOSS system against attacks and malware, but you need to know what you’re doing. iOS enforces that hardening through two mechanisms outside the developer’s and the consumer’s control:

  • Closed APIs – with sandboxing and lockdown you can do no evil: an app only gets the capabilities the platform hands it.
  • Closed ecosystem – Apple’s review process checks that submitted code doesn’t sidestep those restrictions.

Open(ish) systems such as Android are basically a free-for-all regarding security and code behavior. Some of the most popular apps on Android _require_ root access, as they’re process killers – effectively apps to manage other badly written apps that break out of their sandbox.

Such an app doesn’t exist within Apple’s ecosystem, prompting Kaspersky to complain that iOS is too locked down to grant the root access needed to run anti-malware software – the same root access that is the primary attack target of malware. They have yet to find any malware outside of jailbroken devices. Android, on the other hand, is rife with exploits by design.

Your phone and computer are mission critical systems these days. Most consumers don’t have the technical expertise to harden them against malware or keep them stable in the face of poorly written software they may install. There is a lot to be said for the Apple way, and consumers are certainly voting with their wallets.

Licensing:

There are many complaints that Apple’s and Microsoft’s licensing systems are incompatible with FOSS licensing. This is particularly the case in the App Store. I am only going to say one thing about this: the FOSS community asked for it.

The main issue here is the legal problem inherent in viral copyleft licenses like the GPL. The spirit of their design is software “freedom”, but they seek to enforce that freedom by restricting distribution under certain circumstances. Where the GPL is incompatible with a third-party license, FOSSers can complain all they wish, but it’s their license that carries the restriction. Commercial interests are as afraid of the GPL as the GPLers are afraid of things like H.264, MPEG, MP3, GIF, JPEG 2000, etc.

When it comes to the issue of licensing, you have to assume some degree of trust. I haven’t seen Apple going after the FOSSers. They tend to only flex legal muscle against other corporations. But they certainly can’t relax when dealing with the FOSS community, as there have been plenty of cases of hairy anarchists with lawyers nipping at Apple’s heels.

The FOSS case against Apple consists of several complaints.

First, that they require you to be a registered developer for $99 a year. Not precisely true. You are only required to register to be a publisher within the Apple ecosystem, and you become a registered, validated entity by doing so. Your code is uniquely signed and validated by a third-party authority, and you get access to a whole bunch of other resources, including their global market. So it’s not just a tax; you get value. You don’t need any of these things to write code, but then you can only distribute it to unsecured jailbroken devices, or to Macs outside the App Store. Oh, you’ll need Xcode, which costs a one-off payment of five bucks last time I looked. Maybe you can borrow it from your mum.

Second, jailbreaking. Contrary to popular belief, it’s not illegal. You can hack your phone any way you wish. It _does_ exclude you from the Apple ecosystem (i.e. the App Store), and that, also contrary to popular belief, is a good thing. It offers developers a layer of protection against having their backend services widely reverse engineered and potentially screwed with.

A third complaint, that Mountain Lion’s Gatekeeper stops unsigned software from being installed... well, we’ve had that since Windows Vista on the MS side, and at least the OS X implementation is less brain-dead. Similar systems exist on hardened Linux boxes. From there the argument becomes “it’s secure by default”, to which the answer is “Yes, and a good thing too.” Feel free to make your system insecure if you feel up to it.
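To make the signed-code and Gatekeeper points concrete, here is an added example (not code from the original post or from Apple): a small shell script that checks an app bundle the way Gatekeeper does, using the real `codesign --verify` and `spctl --assess` tools, and then reduces the `spctl` report to a one-line verdict. The bundle paths are assumptions, and the two embedded `spctl` reports are constructed samples so the classifier can be exercised on a machine without `spctl`; the live check only runs when you pass a path.

```shell
#!/bin/sh
# Added example, not from the original post. Two real macOS tools do the work:
#   codesign --verify   checks the signature chain and that the bundle is intact
#   spctl --assess      asks Gatekeeper's policy whether it would allow execution
# Everything else here (function names, sample reports, paths) is an assumption.

# Reduce a captured `spctl --assess --verbose` report to "verdict:source".
# spctl prints a "<path>: accepted" or "<path>: rejected" line followed by a
# "source=..." line naming the rule that decided (e.g. "Developer ID").
classify_spctl_output() {
    report=$1
    verdict=$(printf '%s\n' "$report" | awk '
        /: accepted$/ { print "accepted"; exit }
        /: rejected$/ { print "rejected"; exit }')
    src=$(printf '%s\n' "$report" | awk -F= '/^source=/ { print $2; exit }')
    [ -n "$verdict" ] || verdict="unknown"
    [ -n "$src" ] || src="none"
    printf '%s:%s\n' "$verdict" "$src"
}

# Live check of a bundle or executable (assumed path in $1). Returns 2 when the
# tools are missing (not macOS), 1 when the signature itself fails to verify,
# and otherwise prints the Gatekeeper verdict. --deep walks nested code,
# --strict rejects anything the current signing rules would not accept.
assess_bundle() {
    path=$1
    if ! command -v spctl >/dev/null 2>&1 || ! command -v codesign >/dev/null 2>&1; then
        echo "codesign/spctl not available; this check needs macOS" >&2
        return 2
    fi
    if ! codesign --verify --deep --strict --verbose=2 "$path" 2>&1; then
        echo "$path: signature invalid or missing" >&2
        return 1
    fi
    # spctl writes its report to stderr, so merge streams before parsing.
    report=$(spctl --assess --type execute --verbose "$path" 2>&1)
    classify_spctl_output "$report"
}

# Constructed sample reports (not captured from a real machine) in the format
# spctl uses, so the classifier can be demonstrated offline.
sample_accepted='/Applications/Example.app: accepted
source=Developer ID'
sample_rejected='/Users/me/Downloads/Unsigned.app: rejected
source=no usable signature'

# With a path argument, run the live Gatekeeper check; without one, show the
# classifier on the constructed samples. (Turning Gatekeeper off entirely is
# `sudo spctl --master-disable`; deliberately not run here.)
if [ $# -gt 0 ]; then
    assess_bundle "$1"
else
    classify_spctl_output "$sample_accepted"   # accepted:Developer ID
    classify_spctl_output "$sample_rejected"   # rejected:no usable signature
fi
```

Run it as `sh gatekeeper-check.sh /Applications/Example.app` on a Mac to see what Gatekeeper would decide for that bundle before a user double-clicks it; a "rejected" verdict with "no usable signature" is exactly the unsigned-software case the complaint above is about.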

In conclusion, it’s good that the EFF is watching these developments closely. The complaints of the FOSSers, though, are a bit misguided. I do wish, though, that they’d put more of their effort into things like software patents. Now that’s an area that _really_ needs some oversight.

For my part, I am rather glad these systems are moving towards being hardened out of the box. I’ve had 12 phones, tens of PCs, two Amigas, two Atari STs, an Apple ][ clone, 6 Macs, and a bunch of Linux boxes. Of them, 4 phones had viruses, as did most of the PCs and both Amigas. One of the PCs was rooted (and blue-screened) by a Sony CD DRM system!

Friends with Android tell me it’s malware central, but the phones I had with malware were Java or Symbian based, and rooted over the air. The Linux machines were always malware free, but that was mostly luck and being a small target. Yet to this day, no viruses exist in the wild for OS X or iOS, and with the App Store/Gatekeeper model, trojans are minimized. Frankly, I like it that way. I have better things to do than root my phone to check for malware that’s rooted my phone using the same exploit. Life is too short.
