WIRED: As software grows ever more complex, even in music players, the stakes rise for bug fixes, writes Danny O'Brien
THOUSANDS OF owners of Microsoft's iPod competitor, the Zune, got a lump of coal this Christmas. On December 31st, 2008, the world's 30GB Zunes fell into an endless, buzzing loop, victims of a piece of computer code that couldn't comprehend why it had reached day 366 (2008 was a leap year).
The problem solved itself with the advent of the new year, although that was hardly reassuring to Zune owners; Microsoft cheekily advised its customers to just let the batteries run down on their players and wait until January 1st to recharge.
Even now, Microsoft is rolling out a "firmware update" - a fix that will be automatically installed into Zunes when they're plugged into a PC. In this case, Microsoft can take its time: the next time this bug will hit will be in four years.
But not every bug is as tactful or punctual; and as software grows ever more complex, even in our humble music player, so the stakes rise for workarounds and bug fixes.
Of course, we'll always have bugs, and there will always be a non-zero chance of a really terrible, crippling bug. But perhaps there's a new incentive to get a little sloppy. Bugs are fixed, these days, by software updates - incredibly frequent software updates.
Since I've owned it, my G1 Google mobile phone has had two upgrades, distributed "over the air" (that is, over the phone network). The updates take their time to arrive, because they need to be scheduled to be sent to every phone on the network. But what if rather than four years, you only have a few hours to put out a patch.
I'm reminded, in a timely fashion, of a past time in Windows's ignoble security history, when a friend of mine estimated that the average time it took to download the "Windows updates" that would fix the security flaws in a brand-new PC's copy of Windows exceeded the time it took for a malicious hacker to find a vulnerable computer on the internet and take it over. There was a good chance your fresh computer would be invaded and compromised while you were still downloading the security fixes.
I doubt that is still the case (downloads are faster, Windows is more secure these days). But it could be true for any other piece of software. Microsoft takes the stick for these problems because its software is ubiquitous as well as being particularly bad at security. And while you could argue that the PC is by its nature a machine vulnerable to actively malicious attack, music players, mobile phones and all kinds of other computing devices are just as prone to Zune-like bugs.
The exploding world of non-PC devices is not quite as diverse as it might look: Google's Android phone operating system and Apple's iPhone OS may look very different, but they both use the same codebase, WebKit, to serve up the internet.
Web-based companies such as Google have largely sidestepped this problem - apart from in their cellphones - by centralising their software on their own servers, rather than distributing it on millions of users' desktops, like Windows.
But even the most "Web 2.0" of web applications relies on some software out there in the wilds of the net: that's why those web browser vulnerabilities are so dangerous.
And Google's centralised approach poses its own dangers. Your computer has some "herd immunity", being one of millions out there on the net. Google is keeping hold of everyone's data, including credit card numbers and other precious information. All it takes is for one person to break Google's security and everyone's data is vulnerable. There isn't even a race against time: the game is over before it began.
An example of that came this week, when microblogging site Twitter was compromised and various accounts accessed. The public side of that hack was mostly amusing: celebrity users such as Britney Spears and Barack Obama were made to blog unlikely public statements. But the vulnerability came from a flaw in the site's administration software - which meant that one hacker had access to hundreds of thousands of users' (somewhat) private comments.
It looks like we're caught between two worlds of bugs: one where millions are vulnerable to a single failure, and another where we can be individually picked off while waiting for our bug fixes to slowly arrive. The real solution is a world where our software is more resilient to bugs; a world where computers can recover from crashes and are built from the ground up not to trust third parties.
Promising research is continuing, but we're not there yet. The truth is we can do nothing but hold on for the next update (or next announcement of a data violation) while we wait.