User confidence and the software developer



From the Editor
Editor in Chief: Warren Harrison ■ Portland State University ■ warren.harrison@computer.org

User Confidence—and the Software Developer
Warren Harrison with Guest Contributor Terry Bollinger

0740-7459/04/$20.00 © 2004 IEEE. Published by the IEEE Computer Society. IEEE Software, November/December 2004.

More and more everyday functions can be done online. I can shop, pay my bills, transfer funds between bank accounts, buy stock, and perform all manner of everyday business online. Not only does this save time in my already busy day, but it also contributes to a vibrant and healthy software industry because each of these applications needs someone to develop and maintain them.

Recently however, my friends and I have been inundated with spyware—applications that lurk in the background and capture everything from keystrokes to the URLs of Web sites I visit. While I’m obviously concerned about my personal information getting into others’ hands, I’m equally concerned about the effect of widespread security threats such as spyware and viruses on the confidence of online users who, like myself, have started to do more and more of their everyday business online. Many people have already quit making online purchases because of such threats. How long will it be until a lack of confidence in Internet security will stall the strides that have been made over the past decade in establishing an online society?

Amazingly, even when the criminals who are helping bring down the Internet are caught, they’re often given ridiculously light sentences. In some cases, they have even parlayed their criminal behavior into well-paying jobs. For example, as I write this, I just read an Agence France-Presse news story reporting that Securepoint, a German computer security company, has hired the accused (and self-confessed) author of Sasser—the worm that was responsible for infecting as many as 18 million computers and causing untold economic damage. There was even a fan club of sorts that was soliciting money for the worm’s accused author (

There’s no doubt: the Internet as we know it is in grave danger.

As I pondered these issues, Terry Bollinger, IEEE Software’s past associate editor in chief for construction, was having his own encounters with spyware. I asked Terry to share his experiences and thoughts with you. I hope you find his tale as interesting as I did.

In his own words: Terry deals with spyware

Despite having a very tightly configured system at home, somehow I was hit with a keylogger. Keyloggers are worse than having a high-resolution video camera focused on your keyboard because they’re much more effective at capturing every key you enter. Fortunately, the software incarnations of these password-stealing critters aren’t as transparent as the companies who make them claim. (Yes, they do sell them openly, to my amazement.) Symptoms of keylogger infestations include odd hesitations and pauses while you’re doing simple operations such as typing text or opening and closing folders, although viruses and bugs in your operating system can also cause such behaviors.

Obviously, the consequences of home PCs getting hit with active keyloggers can be catastrophic. Do you do online banking? Have you entered a keyword to access your bank accounts lately? Would you be upset if you found your life savings missing the next time you log into your bank?

As you’d expect, I’ve changed a lot of passwords since my little visit from a keylogger. But the important part of my message is this: Even though I don’t know how my PC got hit, I know almost exactly when it happened based on earlier checks and an instant-start identification of the problem. My system probably nailed the keylogger before it had a chance to do any serious damage. (I changed my passwords anyway.)

Are you curious about how my system caught the keylogger so quickly?

Competing for your trust

How can I be so sure I caught it early? Because I used a trio (now a quartet) of spyware checkers that collectively gave me a much higher level of trust than would be possible if I’d been relying on only one checker.

But why use three or four? Wouldn’t it be easier just to use one that seems to work well? It would be easier, yes—but not necessarily safer. The real problem is this: How do you construct a reasonable case for trust when your sources aren’t fully certified, as is often the case in leading-edge software products such as virus checkers?

Although by no means a total solution, my own approach was simple: Seek help from diverse sources and let them check each other out just as thoroughly as they check out my system. The result is a competition to be honest, in which unethical behavior by a member of the checker community is likely to be screamed about from the highest housetops by their competitors. These vendors are competing in a market where trust is a substantial part of what they’re selling.

My multitool strategy benefited substantially from the fact that three of the tools were free for home use and the fourth was quite cheap. Cost counts, and ultra-low costs enable strategies that might not be practical for large, costly systems. Also, during the selection process itself, running multiple spyware checkers is a great way to get an idea of who might be a “wolf in sheep’s clothing,” as some spyware pretends to be spyware checkers. The advantages of cross-checking extend into operational use: if any one of the group goes bad for whatever reason, cross-checking makes it easier for the other tools (and you) to notice the transition.

Make vendors compete for your trust

To decide on the four programs, I used them to see what they could find out about my system and each other. There were some revelations. For me, the most unpleasant surprise was that my top-end, professional Internet security and antivirus package sat like a stony statue on its pricey pedestal, refusing to say anything significant about the goings-on. Keyloggers? No problem! After all, they’re not viruses—just little tools for taking over systems directly, without having to bother with the hassle of writing a virus.

That experience taught me a lesson about relying too much on tool reputations as my primary criteria for trust and system safety. I’m now convinced that it’s a lot better to keep a variety of similar applications engaged in a constant knock-down, drag-out brawl, so that none of them can start getting sloppy without the others taking notice.

The other lesson is more ominous: If you use a standard PC, you really, really should do some spyware checks, and soon. If you are trusting in antivirus software and firewalls alone, you’re going to be sadly let down. You could find, as I did, that you can have a fully virus-free system that’s so bloated with resource-hogging adware that on a good day it works like a turtle and on a bad day it doesn’t work at all.

A spyware detector quartet

By now you’re wondering what quartet of tools I selected, so here they are. A word of caution: watch out for similar names. Several products try to fool people into thinking they’re another product, and some of those products are themselves spyware. Check the names and sites for exact matches before downloading any of these products.

Spybot Search & Destroy

This is THE free spyware checker right now and a must for finding spyware. It’s remarkably fast and the most thorough of all the checkers I tested. (Each spyware checker finds some spyware that the others do not, no matter how thorough they are.)

Be sure to use the URL below for this one, as there’s a product that has spoofed this real one in prominent ads. The spoof product is shabbily, even dangerously done (it tries to delete nonspyware files), and it tries to con you into paying money when the real and tremendously more effective product is free.

Spybot Search & Destroy has an optional feature called Tea Timer. If you don’t mind being interrupted occasionally by alerts about suspicious activities, this is a powerful and useful feature to activate. It warns you immediately if a program is trying to change critical entries in your registry. If you suspect your system has been compromised, activating Tea Timer is a must, as it can help you identify and isolate the source of your problems. (True geeks: Check out FileAlyzer and RegAlyzer at the same URL.)

Download: www.safer-networking.org/en/download/index.html.

SpywareBlaster

This is my most recent addition. Unlike the others, it’s not a scanner but rather a roadblock to keep a huge range of spyware from getting into your system in the first place. You only need to run it once to get the blocking effect, although it’s wise to update weekly to add blocks for new spyware.

An outstanding way to complement SpywareBlaster is to use a more conservative and more rigorously standards-compliant browser, such as the recently released, free Firefox 1.0PR browser ( firefox). This surprisingly powerful and easy-to-use browser locks out many problems in its default configuration and can be made safer and even more specific by settings for it from SpywareBlaster.

Download: www.javacoolsoftware.com/spywareblaster.html.

Lavasoft Ad-Aware SE Personal Edition

This is free for personal use but requires a fee for commercial use. It’s thorough, but considerably slower than Spybot S&D and thus might be more appropriate for overnight checks if you have many files. Ad-Aware seems to go deeper into the registry and file structures, so it sometimes catches things the other checkers miss.

Download: support/download.

Webroot Spy Sweeper

A free trial is available, but this one does cost a modest amount of money—and in my opinion, it’s well worth it. For example, Spy Sweeper has some useful shields that warn you instantly when a piece of software is trying to install something into your startup files. If you install Spy Sweeper and then download and install some of the more popular free multimedia players, you can watch as the multimedia installer tries multiple times to plant a hidden boot-time startup program on your computer without first asking for your permission. It’s enlightening.

Download:

Maximizing multitool benefits

I should also mention two process issues for maximizing spyware checkers’ effectiveness.

First, when you download checkers, be sure to keep copies of them around, such as on a CD. Why? Because some forms of spyware try to shut off spyware checkers, just as some viruses try to shut off virus checkers. If a checker seems to stop working for no apparent reason, reinstall it, perform a fresh scan, and see what you find.

Second, if you’ve never done spyware checks before, I strongly recommend taking the time and effort to perform complete system scans using all the active scanning tools of the quartet: Spybot S&D, Ad-Aware, and Spy Sweeper. If all three find spyware, it’s a good idea to repeat the cycle until they find no further hits or

We welcome letters from those of you who find spyware infestations with any of these tools. If you find interesting, ominous, or surprising hidden spyware problems in your system, please let us know about them. Write to us at warren.harrison@ and terry@terrybollinger.com.

Terry Bollinger’s biography appears on p. 18.

Welcome

As 2004 winds to a close, we wish to announce a number of changes among our volunteer staff. Both Ann Miller, our associate editor in chief for management, and Christof Ebert, our associate editor in chief for requirements, will change roles within the magazine. Christof now manages our new column on open source software, and Ann is moving to our Advisory Board. Also, Dave Thomas and Andy Hunt, who have managed our Software Construction column for the last three years, are stepping down to pursue new projects. We’d like to take this opportunity to thank Ann, Christof, Andy, and Dave for their many valuable contributions to IEEE Software.

We also have some new additions as we approach 2005. Don Reifer (of Reifer Consultants, Inc.) will return to the magazine after stepping down as Manager column editor last year to become our new associate editor in chief for

Roel Wieringa (University of Twente) will serve as our new associate editor in chief for requirements. In addition, Diomidis Spinellis (Athens University of Economics and Business) is joining the Editorial Board to introduce a new column called Tools of the Trade, and Laurence Tratt (King’s College London) and Bret Michael (Naval Postgraduate School) have just joined our Advisory Board. We’d like to welcome Ann, Christof, Don, Roel, Diomidis, Laurence, and Bret to their new roles on the magazine.

For more information about our new volunteers, see software/experts.