Text / Benedict Evans
Translation / Su Benru
Source: CSDN (ID: CSDNnews)
If you remember the ancient "Concept" and "Melissa" macro viruses, you may notice that Facebook's current privacy scandal bears a striking resemblance to Microsoft's situation 20 years ago. The difference is that Facebook is trying to take the initiative: to make improvements and carry out a fundamental architectural change that Microsoft could not make...
The following is a translation:
The organized abuse of data on Facebook over the past 24 months, and Facebook's attempts to respond to it, bear striking similarities to the malware problem on Windows and Office at Microsoft 20 years ago, and to Microsoft's attempts to respond back then.
In both crises, the company's initial response consisted of two measures:
· Make strategic changes to system development and API practices so that the existing model becomes more secure;
· At the same time, scan for known malicious actors and their malicious behavior (virus scanners then, manual intervention programs now).
However, for Microsoft's malware problem this was not the ultimate solution. The problem was ultimately resolved because the entire software industry moved to SaaS and the cloud, and then to entirely different operating systems (such as ChromeOS and iOS), which made the threat of malware irrelevant.
Facebook's turn toward messaging and (partial) end-to-end encryption aims at the same goal: changing the model and making the threats irrelevant. The difference is that the shift to SaaS and to new operating systems was neither initiated nor driven by Microsoft, whereas this time Facebook is trying to take the initiative and bring about the change itself.
Back in 1995, when there were only 150 million personal computers on Earth, someone came up with a good idea. Or, as the Grinch (the protagonist of the Dr. Seuss story) would say, a wonderful, terrible idea.
Microsoft had made tremendous efforts to turn Office into an open development platform. Companies large and small created programs embedded in Office documents (let's call them "macros") so they could build elegant, automated workflows, and a large developer community formed around creating and extending macros.
But the Grinch saw that there was an API for reading the address book, an API for sending email, and an API for running a macro automatically when a document is opened. Put these APIs together in the right order and you have a virus: a seemingly harmless Word document that, once opened, emails itself to everyone the recipient knows, and when they open it in turn, spreads on to everyone they know.
This was the virus called "Concept", which in fact only infected about 35,000 computers. But four years later, "Melissa" did much the same thing, and that time it really did spread like a virus; at one point the Pentagon had to shut down some of its facilities.
Over the past year or two, whenever I have seen news about platform abuse and other bad behavior on Facebook, YouTube and other social platforms, I have often been reminded of this ancient history. Because, like Microsoft's macro viruses, Facebook's "bad guys" did exactly what the user manual says. They didn't break in through a locked window at the back of the building. They knocked on the front door and walked right in. Then they did things anyone was allowed to do, but combined them in a sequence nobody had anticipated and with malicious intent.
It's interesting to compare the public discussion around Microsoft and Facebook before these events happened. In the 1990s, Microsoft was called an "evil empire", and much of the discussion in the tech world focused on how to make Microsoft more open: making it easier for people to develop software that worked with Microsoft Office, and easier to exchange information with Microsoft and with Office. If Microsoft did anything that made developers' lives harder, that was evil. Unfortunately, however you look at it, this openness debate pointed Microsoft in the wrong direction for these scenarios. The truth is that Microsoft was too open, not too closed.
Similarly, over the past 10 years many people have felt that Facebook was too much of a "walled garden": that it was hard for people to get their own information out, and hard for researchers to get the data they needed across platforms. It was widely believed that Facebook's restrictions on third-party developers were too strict, and Facebook's attempts to force users into a single true identity were widely opposed. As with Microsoft, these complaints may be fair, but as with Microsoft, in this particular scenario they point in the wrong direction. Because it was too easy for "research" organizations to build applications on Facebook, too easy to get data out of Facebook, and too easy to fake your identity. Facebook's "walled garden" was far from closed.
The parallel continues when we look at how these companies and the industries around them tried to respond to the abuse of their platforms:
"In 2002, Bill Gates wrote an internal memo titled 'Trustworthy Computing', which marked a shift in the company's thinking about product security. Microsoft would try to think more systematically about how to avoid creating vulnerabilities in its systems, and how to reduce the chances of 'bad guys' turning those vulnerabilities into tools.
At the same time, security software (first from third parties, then from Microsoft itself) evolved rapidly. It scanned for known malware and inspected the software already on the computer to detect possible malicious behavior."
Conceptually, this is almost exactly what Facebook is doing: eliminating existing avenues of abuse, avoiding the creation of new ones, and scanning for and reviewing malicious actors (the "bad guys").
It's worth noting that these steps are exactly what people used to insist was "evil": Microsoft deciding what code we can run on our own computers, Microsoft deciding which APIs developers can use, and Facebook deciding who can publish and what they can publish.
However, although Microsoft put a great deal of effort into making the existing software model harder to exploit, over the past 20 years the software industry moved to a new model that made every kind of exploitation of Microsoft software simply irrelevant. The development environment moved from Win32 to the cloud; clients moved from Windows (and sometimes Mac) to the web browser, and then to devices on which viruses and malware either cannot appear or are orders of magnitude harder to pull off, such as ChromeOS and iOS, and even Android.
If no data is stored on your computer, an attack on your computer can't do much harm. If an application is sandboxed and cannot read other applications' data, it cannot steal your data. If applications cannot run in the background, an application cannot sit in the background and steal your passwords. If you don't use applications at all, nobody can trick a user into installing a "bad" one. Of course, human ingenuity is infinite, and this change merely gave rise to new attack patterns, most obviously phishing. But none of that has anything to do with Microsoft anymore. By moving to the new architecture, the industry took Microsoft out of the picture, removed the soil in which viruses grew, and thereby "solved the virus problem."
In other words, Microsoft installed better locks and motion sensors on the windows, but the world moved to a model in which the windows are 200 feet off the ground and cannot be opened.
So, not long ago, Mark Zuckerberg wrote his own Bill Gates-style "Trustworthy Computing" memo: "A Privacy-Focused Vision for Social Networking". There is a lot of interest in it, but in the context of this discussion two things matter:
· (He hopes that) most use of Facebook will be person-to-person messaging rather than one-to-many sharing.
· All of this messaging will use end-to-end encryption.
Like the move from Windows to the cloud and ChromeOS, this can be seen as an attempt to remove the problem rather than fix it. If there is no News Feed, Russians can't go viral in your News Feed. If Facebook doesn't have your data, "researchers" can't get your data. To solve the problem, make the problem irrelevant.
This is one way of solving the problem by changing the core mechanism, but there are others. Instagram, for instance, does have a one-to-many feed, but it doesn't recommend content from accounts you don't follow in the main feed, and it doesn't let you reshare posts into your friends' feeds. There may be anti-vaccination content in your feed, but only because one of your real friends chose to share it with you. Meanwhile, problems such as the spread of dangerous rumors in India stem from messaging rather than sharing. So messaging is no panacea either.
In fact, Zuckerberg's memo raises as many questions as it answers. The most obvious is how advertising works. Are there ads in messaging? If so, how are they targeted? Encryption means that Facebook doesn't know what you are talking about, but the Facebook app on your phone does (before encryption), so would targeting happen on the local device? Encryption also poses a problem for other kinds of abuse: if you can't read child exploiters' messages, how do you help law enforcement fight child exploitation? (The memo explicitly calls this a challenge.) And what role does Facebook's blockchain project play in all of this?
There are many big questions to be answered. Of course, if you had said in 2002 that all enterprise software would move to the cloud, there would have been many questions then too. But the difference here is that Facebook is trying (or talking about trying) to take the initiative: to make these improvements and carry out a fundamental architectural change that Microsoft could not.