Elementary Security

Naïveté

Only a very naïve person would allow a stranger to install an intelligent, programmable lock on the front door, or the valuables safe, if the installer refuses to divulge the details of the programming. Yet that is exactly what every person who entrusts valuable information to a proprietary computer software system is doing. To be precise, I am using the single word "proprietary" to mean "closed source copyright-protected". The alternative is open source, as in the GNU-GPL, Linux, and the OpenOffice.org program suite.

Closed Source Software

If your computer is running under Microsoft's operating system, you are not permitted to read the source code of the instructions being sent to your computer. The same applies in part even to the otherwise vastly superior Macintosh OS. You therefore do not have any way to audit what is going on. You have no way to call in an independent auditor. If an exceptionally ingenious independent software expert succeeds in "reverse engineering" Microsoft's compiled code, and provides you with the results so that you can discover what is going on, then you are both in violation of Microsoft's "End User License Agreement".

So if Microsoft Corporation decides to incorporate instructions in its software with which to spy upon its customers, you are not allowed to find that out. If you did find out, you would not be allowed to fix it.
But of course Microsoft would not take that risk, so there's nothing really to worry about.
However, it now appears that not all of the people writing Microsoft's software are United States citizens.

The Potential Foreign Threat

Indeed, Microsoft, like many other companies, has found that even intellectual labor is cheap and plentiful in poorer parts of the world, like India. Which raises the following questions:
  1. How carefully does Microsoft ensure that not one of its foreign programmers is a fanatic dedicated to the destruction or grave embarrassment of the USA?
  2. How carefully does Microsoft double-check all code written by such programmers?

If the answer to either question is not "far better than the INS checked the hijackers before Sept 11" then we have a problem. The total amount of code in any computer operating system includes so much that ordinary system administrators only pay attention to the parts that they know have failed before. Indeed, so utterly mysterious is the operation of the Windows OS, that there is a hoax which persuades people that the presence of a certain perfectly harmless ordinary module is evidence that they have been infected by a computer virus, and they had better delete it. The module is sufficiently inconsequential that very few of the hoax victims ever notice any problem without it!

So an Al Qaeda sympathiser, living in India, could easily be working for Microsoft, and writing a software "mole" designed, not to crash that single computer and embarrass the management, but to make possible a simultaneous Distributed Denial of Service attack on every computer running that particular release of that software, and connected to the Internet so that the mole could communicate with all its clones. There are hundreds of "DLL" modules into any one of which such a mole could be placed.

The Alternative

By this point, Microsoft sympathizers will be saying "Hah! He's going to recommend Linux and GNU software, which has an even higher proportion of foreigners writing it!"
So I am, and so it does, and the difference of this alternative lies in the implications of the Russian words that we spell "perestroika" and "glasnost". Above all, the danger of closed source software is its lack of transparency. There are villains smart enough to find weaknesses in it anyway, and to distribute on the Internet code designed to exploit these weaknesses. The most dangerous of these villains are not the ones who show off with rude messages to tell the world how stupid your system administrator is. They are the ones who do it quietly, perhaps for profit, or perhaps in preparation for a serious attack upon all the computers to which you are connected.

Our airports now use X-ray machines in order to detect knives and guns in aircraft passengers' baggage. They make the bags transparent.

Likewise, "Open Source" software is a collection of transparent packages. So no mischief, no stupidity, nothing in these packages can hide from the thousands of first-class programmers who write, use, improve, and maintain this software, and who use their rights under copyright law only to forbid the closing of any work derived from their code.

As an immediate benefit, a package that is written to run on e.g. an Intel processor may very well need only a few supplementary changes to run on each of a half-dozen very different machines. The original author need not make these changes. Interested users, or even proprietors, of the other machines have the stronger motive to write the supplementary code. Linux itself was originally written for the Intel '386, and now runs on at least ten other very different processors. It even runs Beowulf supercomputers, including some at Los Alamos, where they have serious secrets. Usually, as a courtesy, the original author is sent a copy of the supplementary code, and may adopt it into the "official" expanded version of the package. As a further benefit, open source code likewise is relatively immune from obsolescence brought about by the real or alleged upgrading of the platform upon which it depends.

Some GNU/Linux Sources

Whom Do You Trust?

The US Dept. of Justice has established, in court, that Microsoft Corporation is both a monopoly and untrustworthy. Nevertheless, US DoJ is still using Microsoft software! Such is the power of monopoly and the timidity of the US Government. Or perhaps it is the difference between the Department's lawyers and the apparatchiks of its computer departments. Some people like to feel safe by using what "everybody else" is using. In contrast, Open Source software is written by programmers for their own use, or for the immediate requirements of their employers, and released not for profit, but for the pride in the work that comes from the endorsement of people who know how to write software. Surely it is more worthy of trust than stuff that depends for its existence upon secrecy, armies of lawyers, and the laziness and inertia of administrators?
