Does your hardware's software do only what you expect of it?
Recently, a router vendor configured its product to occasionally redirect HTTP requests to a product ad Web site and defended the action as an "ease-of-use" feature. In this installment, cranky Peter Seebach discusses why this type of design is wrong and the technical (and ethical) problems it can cause.
Imagine you have a network product, a router, let's say, and you've crafted a feature you think people might like. You might put something in the documentation about it, or perhaps even enclose a glossy brochure with the product. Alternatively, you might just sniff network traffic and, about once every eight hours, redirect a randomly selected HTTP (you know, the Hypertext Transfer Protocol, the protocol used to browse the Web) session to an ad for your product.
A company that I'll call Company X just started doing this with one of their wireless routers.
The intent is obviously to sell a product to home users. However, commercial users might also install this product or one like it. Lots of people use computers. Lots of people use networks. Lots of people use wireless routers.
Imagine, if you will, a carefully crafted and meticulously implemented system which uses a wireless network to exchange information. It's designed to run in a fairly stable environment, so it doesn't do a whole lot of error-checking or second-guessing. It does, however, use HTTP to transfer data.
So in this system, every eight hours a randomly selected device from a set of devices will receive a Web page that's an ad instead of snagging useful, business-related information. The results can range from amusing (maybe it's an airport departure schedule listing) to inconvenient (maybe you're in a hurry at the airport) to fatal (maybe it's a piece of medical equipment).
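A client like the one in this scenario can reject a substituted response instead of parsing it. The sketch below is an added example, not code from this column or from any vendor; the shared key, the `X-Body-HMAC` header name and the sample responses are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: device and server share this key out of band (constructed value).
SHARED_KEY = b"constructed-demo-key"
TAG_HEADER = "x-body-hmac"  # hypothetical header name, not a standard


def sign_body(body: bytes, key: bytes = SHARED_KEY) -> str:
    """Server side: hex HMAC-SHA256 tag over the exact response body."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def check_response(status: int, headers: dict, body: bytes, key: bytes = SHARED_KEY):
    """Return (data, None) if the response is the server's, else (None, reason)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status != 200:
        # An in-path redirect arrives as a 3xx; do not follow it automatically.
        return None, f"unexpected status {status}"
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return None, f"unexpected content type {ctype!r}"
    tag = hdrs.get(TAG_HEADER, "")
    # Constant-time comparison; a body swapped in transit fails here.
    if not hmac.compare_digest(tag.encode(), sign_body(body, key).encode()):
        return None, "missing or invalid body tag"
    try:
        return json.loads(body), None
    except ValueError:
        return None, "body is not valid JSON"


# Constructed sample responses: (status, headers, body).
GOOD_BODY = b'{"flight": "XX100", "gate": "B4"}'
GOOD = (200, {"Content-Type": "application/json", TAG_HEADER: sign_body(GOOD_BODY)}, GOOD_BODY)
REDIRECT = (302, {"Location": "http://ads.example/offer"}, b"")
AD_PAGE = (200, {"Content-Type": "text/html"}, b"<html>Buy now</html>")
SWAPPED = (200, GOOD[1], b'{"flight": "XX100", "gate": "Z9"}')

if __name__ == "__main__":
    for name, resp in [("good", GOOD), ("redirect", REDIRECT),
                       ("ad page", AD_PAGE), ("swapped body", SWAPPED)]:
        print(name, "->", check_response(*resp))
```

On any rejection the device should keep its last good data and retry rather than display or act on the body. The tag gives integrity only; keeping the request contents private from the router requires TLS.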
The idea -- that it could be okay to reroute a user's request without any kind of permission or confirmation -- is a strange one. What if the user was trying to communicate with a bank or otherwise had private or secret information in the HTTP request?