Forced Features: Why Unwanted Upgrades Are Bad Security

The Telephonic Treatment

Like most people who own one, I love my smartphone.  I love that I can use Activator to keep my phone from automatically playing music, even over Bluetooth.  I love that I can select text and move the cursor without leaving the keyboard.  I love having five icons on the dock, speeding up the OS’s animations, and running a terminal session on my phone.

What I don’t love is running an old version of the OS so I don’t lose my jailbreak, and thus, all the above features.

As my phone’s manufacturer rolls out the latest OS and new phone after new phone, I’m running hardware and software that are now five and three full generations behind, respectively.  My phone is still vulnerable to Heartbleed, and every attack since.  I take risks with my digital security every time I browse the Internet.

And I hate it.

So why not fill those gaping holes, you ask?  It’s because they, like so many other companies, have decided that in order for me to patch bugs and vulnerabilities on my systems – the systems I own, mind you – I must also accept their new “features”, whether or not I want them.

For example, it has recently been shown that the new “flat” heuristic design interfaces so popular of late slow down user productivity by 22%.  And since certain manufacturers only allow upgrading devices to the most recent OS, I can’t get patched without robbing myself of more than 1/5th of my time.  How is that an improvement?

Some Simple Solutions

As Fornetix’ Product Manager, it falls to me to decide what features and fixes make it into each of the releases of our products.  And given the negative experiences I’ve had over the past decade – with PCs, gaming consoles, phones, tablets, and even televisions – inextricably conflating bug fixes and features, I knew we needed a different approach.

The Fornetix Key Orchestration Appliance is, at its heart, a security device.  KO can manage millions of keys per day without breaking a sweat, providing first-class cryptographic infrastructure services for an immense range of enterprises: from small shops to massively-distributed IoT networks.  It was built on four pillars of security: Confidentiality, Integrity, Availability, and Accountability, and makes the once-time-sucking task of cryptographic management an automated and policy-based breeze.

But we’re not perfect – like all developers, we can always make our product better.  We think of new features we’d like to see.  We find ways to improve the features we have.  And yes, we even sometimes find bugs that have somehow made it past our incredible QA team.  We stay busy (and paid) by making our products better than they were yesterday.

The problem comes in knowing how to deliver those improvements to our customers… can we really say that a product design is “better” if it interrupts our customers’ workflow, forcing them to re-learn a product they’re already proficient in, costing them time and money?  Of course not.

What’s more, just like with a phone, requiring an “upgrade” to fix vulnerabilities and bugs will discourage some customers from applying them, reducing their security profile and exposing them unnecessarily to malicious attacks.

Free From Forced Frustration

So instead, we at Fornetix have decided to decouple feature releases from bug fixes.  One of our basic development principles is that each release keeps a consistent set of features and functions, while still receiving security maintenance, through its end-of-life.  As long as a product is supported, we will provide bugfix and vulnerability patches without affecting the features of that release, even after newer versions have shipped.

Combined with our perpetual licensing, this approach ensures that once you’ve purchased a Fornetix product, you get consistent, stable, predictable performance for as long as you own it, with the peace of mind of knowing that you will always have the latest fixes and security updates without any change to the product’s core features.  And when you are ready to add the new features we’ve created for the next version, you can upgrade on your own schedule.  So you’ll always have the best of all worlds: up-to-date security, consistent operational performance, and new features when (and only when) you decide you’re ready.

Now, if I can only figure out how to convince a certain smartphone company to follow our lead…