Auto Pwn

Once upon a time, a software upgrade was a physical box with a CD. It looked like this:

Then the internet happened, and companies started using “update managers”.

Things got spammy. Every time you’d turn on a computer, it would ask you if you want to update Java and please upgrade to the latest Adobe Acrobat Reader.

A lot of people just ignored the upgrades, leading to version skew. (That's where people are using many different versions of the same software.)

So if you made a web app as recently as 2011, you had to make sure it works in Internet Explorers 9, 8, 7, and best of all 6. Fun!

But in 2008, Google shipped Chrome with a new invention to fix this problem.

As Chrome developer Ben Goodger explains,

Autoupdate is one of Chrome's killer features. [...] Long before we launched publicly in 2008, the autoupdate project was one of the very first we started working on. The idea was to give people a blank window with an autoupdater. If they installed that, over time the blank window would grow into a browser.

How cool is that! 

No more version skew. No popups. Every time you run Chrome you get the latest greatest version. 

There was just one problem.

It worked so well that auto update became ubiquitous. Today, the thermostat where I live auto updates itself, over WiFi. Things that used to be simple are now complex and flaky. For example, my phone will occasionally just grow a new bug one morning and, say, the camera stops working. Not all teams are nearly as reliable and careful and awesome as the Chrome guys.

Not all teams are as trustworthy as the Chrome guys, either, which means there's a much bigger problem:

Through ubiquitous auto updaters, we’ve totally pwned ourselves.

There are now probably 10+ separate organizations that can run arbitrary code on my laptop whenever they want. Same for my phone. Fundamentally, that’s how most auto update mechanisms work.

Most updaters connect to a central server, and if there’s a new version available, they automatically download it and run it.

That’s convenient, but now you're at the mercy of whoever controls that server and has that signing key (assuming they even sign updates, which not all of them do). Just last week, Kazakhstan announced they’re going to MITM all HTTPS traffic in their country. Other governments with similar impulses but a bit more subtlety can leave HTTPS alone but compel their companies to issue an autoupdate. If they want to be sneaky, they can serve a clean version to most users and a compromised version only to specific people, filtered by IP. Compelling Google to do that for you is probably hard, but what about some dude who wrote a Notepad++ plugin?

A popular program with an autoupdater is a lot like a botnet. The owners can push some code. Within a few days and without any more human intervention, millions of computers are running it. The difference is users install them by choice!

How can we fix this?

Autoupdaters aren't going anywhere. They're too useful. So the question is not "how do we get rid of autoupdaters", it's "how can we make a secure autoupdater".

If we must have autoupdaters, I’d like mine to use multisigs and deterministic builds.

It works like this: multiple people have to sign each update, say four out of a list of six trusted keys. Those are held by six different people, ideally spread across different countries. Trustworthy people and organizations, the same ones who are doing the code reviews and audits. When a new version is ready, each of those six checks out the code and builds it themselves. Because it’s a deterministic build, if they’re all using the same commit hash, they’ll all get the same binary, byte for byte. Finally, they sign with their key.

This makes pwning people thru the auto updater a lot harder. There’s no single private key that one person can lose, giving an attacker that power. Getting four out of the six signers to sign an update with, say, a backdoor, is a lot harder than one.
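The signing and verification steps of the scheme above, as an added example that is not part of the original post: six constructed signers each sign the SHA-256 of the build they reproduced, and the updater accepts a release only when four distinct keys from its trusted list have signed the exact bytes it received. The signer names, keys and release bytes are all constructed for the example; a stolen single key, a duplicate signature or a binary swapped on the server all fall short of the threshold.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Signature is one signer's endorsement: their name and Ed25519 signature over the binary's SHA-256.
type Signature struct {
	Signer string
	Sig    []byte
}

// SignRelease is each signer's step after reproducing the deterministic build:
// hash the bytes they produced themselves and sign that digest.
func SignRelease(priv ed25519.PrivateKey, binary []byte) []byte {
	digest := sha256.Sum256(binary)
	return ed25519.Sign(priv, digest[:])
}

// VerifyRelease is the updater-side "four of six" check: how many distinct
// trusted keys validly signed these exact bytes, and whether that meets the
// threshold. A key signing twice counts once; untrusted keys count for nothing.
func VerifyRelease(binary []byte, trusted map[string]ed25519.PublicKey, sigs []Signature, threshold int) (int, bool) {
	digest := sha256.Sum256(binary)
	seen := map[string]bool{}
	for _, s := range sigs {
		pub, ok := trusted[s.Signer]
		if ok && !seen[s.Signer] && ed25519.Verify(pub, digest[:], s.Sig) {
			seen[s.Signer] = true
		}
	}
	return len(seen), len(seen) >= threshold
}
func main() {
	release := []byte("constructed release binary v1.2.3") // stands in for the build output
	trusted, sigs := map[string]ed25519.PublicKey{}, []Signature{}
	for i, name := range []string{"alice", "bob", "carol", "dave", "erin", "frank"} {
		pub, priv, _ := ed25519.GenerateKey(nil) // each signer holds their own key
		trusted[name] = pub
		if i < 4 { // only four of the six have reproduced and signed this build
			sigs = append(sigs, Signature{name, SignRelease(priv, release)})
		}
	}
	n, ok := VerifyRelease(release, trusted, sigs, 4)
	fmt.Printf("genuine release: %d signers, accepted=%v\n", n, ok) // 4, true
	n, ok = VerifyRelease([]byte("server swapped in other bytes"), trusted, sigs, 4)
	fmt.Printf("swapped binary:  %d signers, accepted=%v\n", n, ok) // 0, false
}
```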

Finally, it would add some accountability. Companies, auditors, and open source developers would be signing their name to each release. I’d like to know which people have the power to run code on my machine. Today, there are a lot of people who have that power, and I have no idea who they are.

Let's fix it!

Yanis & the United States of Europe

The first time I heard of Yanis Varoufakis was in 2012, because Valve had just hired him as Economist in Residence. Valve, the games company. He described himself as a Marxist, wrote an essay called “Arbitrage and Equilibrium in the Team Fortress 2 Economy”, and I was amused.

The second time I heard of Yanis was three years later. The Communists had won an election, Greece was on the verge of default, and as Finance Minister, he was leading the bailout talks. Wow.

Lots of people have already written about Yanis’ style, or his politics. Even more people have written their opinions about Greece--whether it’s better for ordinary Greeks to stay in the Euro or leave, whether Europe’s richer countries should forgive part of the Greek debt or risk a Grexit where they’d see none of it, whether Greece should have ever joined the Euro in the first place, and on and on. I have nothing to add there.

Instead, I wanted to write about the idea of a united Europe--a “US of E”, where people would think of themselves as Europeans first and Germans, Dutch or Italian second.

It’s a beautiful idea. You can feel hints of it already today, driving down the highway from France, when the only sign you’ve left the country is the one that lifts all speed limits, next to the one that says Welcome to Germany / Willkommen in Deutschland. No checkpoints. It’s starting to happen. A Danish grandmother and a Dutch one might have a hard time understanding each other, but the young and educated all speak pretty good English. They travel and increasingly they share a common culture.

You can feel it at Tomorrowland in Belgium. Look at all of the different flags flying above the crowd!

Or check out this astronaut’s Twitter. Why does he describe himself as a “European of German nationality”? Maybe because calling yourself “a German” or “a Frenchman” seems a bit petty when you’re in Low Earth Orbit, circumnavigating the globe every 90 minutes.

The US of E is coming.

No country needs this idea more than Greece. Greece is a mess. 50% of its young people can’t find a job. They need investors from the rest of Europe to help grow their cities and rebuild their industry. They need immigrant entrepreneurs, the kind America has so many of and takes for granted. They need tourists. Some of their smartest and most talented kids want to go to ETH Zurich in Switzerland or Oxford or Cambridge. Greeks need to move freely to places like London and Berlin and back, to live and work and learn. Their businesses need to sell to all of Europe and buy from all of Europe.

Most immediately, they need help.

The more we feel like we’re in this together, helping our fellow Europeans, the better for Greece. The more we are “Euroskeptics”, Germans or Dutch or Danish or whatever, trying to collect a bad debt from a foreign country, the worse off they’ll be.

So what has Yanis done to help?

  • Belittled the other European leaders. He wrote a blog post called “A lesson in democracy for Mrs Merkel”.

  • Got especially mad at the creditors. Criticized the “terrorist methods by which they blackmail us”. (Video.)

  • Went to Germany. Played the Nazi card in a pretty crass way. His party also demanded $300 billion -- about five thousand euros from every German citizen -- in new war reparations. That went over well.

  • After being asked to resign, he wrote that he’d “wear the creditors’ loathing with pride”.

He’ll certainly get to do that. If you watch the summit videos, Angela Merkel, Jean-Claude Juncker, Mario Draghi and the others are visibly, personally angry at Syriza in general and Yanis in particular.

I think Yanis will be used as a case study for a long time. He’s a cautionary tale for anyone who needs to negotiate, and a reminder of the importance of being nice. Simple kindness goes a long way, and the relationship between the different Euro nations has to be one of unity and respect.

Life will get better for the Greeks. Maybe Yanis will go back to working on Team Fortress. And maybe it will take another few decades, but I'm optimistic that we'll eventually have a unified federal Europe.