Tuesday, 3 September 2013

Crashing blog post

I have had a rather odd comment from someone about my previous blog post, which I would point out does not crash my Safari due to some aspect of the way Blogger are presenting the characters. It was also tested with several other people.

The comments were :-

19:11 So I'm really curious why you think it's acceptable to crash people's software on purpose?
19:12 I consider that un-professional, childish and in general a jerk move.


In my view this is very very misdirected anger. The error lies with Apple, not me. And I wonder what would happen if the sequence that crashed browsers was something like "flubble" or even something simpler like "hello" - would posting such, even knowing it crashed people, be unacceptable? What if it was someone's name (even if in Arabic)? Saying that everyone should avoid posting that person's name, even knowing that some people with broken software have some inconvenience, would be crazy. The fact it is a more obscure sequence of characters does not really change the fact that it is a valid UTF-8 sequence and there is no reason I should not post it.

He went on:-

19:12 I'm sure that if someone did the same to you you'd be all waving "Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer" http://www.legislation.gov.uk/ukpga/2006/48/section/36 at them or some such

This gets rather interesting. It is being suggested that technically, an act as to impairing operation of a computer is a crime. But if this Act was applied to this sort of thing, then I'll tell you now that I will be using a browser which crashes (is impaired) when it sees the word Cameron (as a made up example), so anyone tweeting or posting that on any forum is being reckless as to the impairment of my computer and breaking the law so must not do it. The scale is not a factor in breaking the law - intending to impair one computer is enough. Bingo, I now have a new troll hammer. It clearly makes no sense. In practice the legislation talks of unauthorised acts. For a start neither I, nor the web server, did any "act" at all, the person choosing to navigate to my blog did the act, but even if you consider the server somehow complicit in an act, the act of "displaying text in a browser" in such a context is clearly authorised by the browser user, so IMHO (IANAL) it is not covered by the CMA anyway, so tough!

Yes, there is a risk that my blog caused some annoyance, or rather Apple's incompetence has caused some annoyance, not my blog post. Some people using rss feeds have suffered, apparently. The fact the blog post itself did not crash the browsers I tested meant I believed that it was not an issue, and so was not in fact reckless.

The annoyance needs to be directed at the party that has made the error, Apple.

My particular annoyance is not directly at the making of the error - I write software, I know the issues. The concern is the time taken to fix it. I am quite shocked that 24 hours after I knew about it Apple have not taken the current stable code on iPhone, iPad and Mac and patched it and released a patch with no other changes. They have the update mechanisms in place. Even with serious change control procedures, a patch like this that has such major impact should have been released.

What is worse is that one web site suggested Apple knew 6 months ago. Expecting 24 hours is probably optimistic for a large company, but not unrealistic for something major, but 6 months delay is totally unacceptable.

So, as it says at the top of my blog, "If you find any words or pictures menacing or offensive, stop reading now." Maybe I need to add "or likely to impair your computer".. I'll do that.

5 comments:

  1. Personally I'm not convinced Apple knew for 6 months. Recently they had an issue with iOS 7 App Store purchases. You'd buy x but get y. They fixed that within a few days. And as we know that they've already fixed/not had the issue with iOS 7 then it wouldn't take much I'm sure to deploy the patch.

    In this case I suspect it became apparent to Apple over the weekend when most of us heard about the flaw and due to the Labour Day holiday, bureaucracy and the needed regression testing it will be a few days before we see a patch. Or they're being lazy and expect us all to upgrade to iOS 7 on the 10th of September.


    I'm surprised your troll hasn't also complained to me, as I also posted the nasty string.

    Replies
    1. Indeed, I know I am feeding the troll, sometimes hard not to. You may be right that they are weathering it if IOS7 really is the 10th Sep. Will that have MacOS updates too do you think? I was not convinced on the 6 months report, but every day that goes by I am less happy with the inconvenience.

  2. They haven't fixed OSX either and I can't imagine everyone is going to upgrade to Maverick that fast.

    It's even easier for them on OSX - there's a mechanism for patching it that's used regularly.

  3. I think this is about intent rather than whether or not something ends up crashed. Someone who posts the word "Cameron" on a blog post about politics is probably not intending to crash browsers and is therefore innocent, whereas someone who posts سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتخ with the intention of causing problems should probably be considered guilty. (Note: I'm not saying that you did intentionally cause problems - you say you tested it and believed it wasn't going to break things, so maybe not; although you probably had a fair idea that *something* would break.).

    Your argument that a website can do what it likes to a client machine, even intentionally taking advantage of security holes in the browser, seems wrong to me - that would legitimise drive-by malware.

    Replies
    1. I am not saying it is not tricky to work out where such a line should be drawn. You are right, someone posting Cameron is not intending to crash - but the second they are told that it does crash things, then they are posting knowing it will - that surely would come under the same principles as malware. TBH the whole CMA and its implementation is problematic - it could be heavily abused as written but is not used when it would actually be useful (DoS attacks).
