A Thousand Eyes

OK, so Steve Ballmer last month said what he had to say as Microsoft CEO:

"Should there be a reason to believe that code that comes from a variety of people around the world would be higher-quality than from people who do it professionally? Why is its pedigree better than code done in a controlled fashion? I don't get that... The vulnerabilities are there. The fact that someone in China in the middle of the night patched it--there is nothing that says integrity will come out of that process. We have a process that will lead to sustainable level of quality."

And then news has recently broken out that somebody tried to slip in a back-door to Linux.

"If it had gotten out, it could have been really bad, because any Linux kernel that had this in it, anybody who had access to that machine could become root."
- Larry McVoy

Does what happened vindicate Ballmer's statements? Or does it actually break it?

I think that what happened actually lends weight to the Open Source community's idea that a thousand eyes worth of dedicated and skilled programmers may be better than a small group of paid workers.

Admittedly the problem was caught by an electronic eye. A program detected a difference between a version of Linux under development and a version repackaged for use by particular users - they should have been the same, but two lines had been added. A discussion sprang up on the linux-kernel mailing list and it became clear that this was no accidental inclusion, and that somebody had tried to deliberately add a back-door to the kernel.

Hence if somebody hadn't been paranoid enough to assume that somebody may have wanted to compromise the code, this problem wouldn't have been caught.

But let's assume that this had slipped undetected. There would have been a Linux kernel that was open to all that knew the secret. And maybe that Evil Person would have been able to cause serious damage with this exploit. However, the key point is this: as soon as more than a few people knew about this, the problem would have been looked through and fixed, and with something of this magnitude you would have had, well, a thousand eyes looking at it. Turn-around time would have been short.

Now, let's look at the closed-source model. If somebody wants to put an extremely subtle backdoor in the program and it had slipped through, with fewer resources at their disposal, MS would have taken longer to discover and fix the problem.

Let's go one step further. Let's say you suspect that there is a back-door entry in a program. You can actually check the code in an open-source model, but not in a closed-source. I wouldn't know until the program manufacturer themselves came forward with it. And even if they did, you wouldn't be able to fix it yourself.

Admittedly, not everyone's a good enough hacker to fix their own operating system, but it only takes a few to benefit the many.

However, despite all this, I believe that the Microsoft PR machinery will try to turn this to their own advantage. They will point to the fact that anyone can write code for Linux as a disadvantage - who knows what they will put in? An Easter Egg for their girlfriend? Or something more malicious? They'll saw that Open Source is inherently unsafe since any old Joe Programmer could make Evil Changes to the code.

They'll conveniently ignore the fact that the code change happened through a subversion of the normal process and that such a problem could also happen to them. They'll also not admit that if such a thing did happen to them, not a peep would make its way out to the press, so who's to know how many such problems MS have had in the past with this?

But then, money buys PR and the ability to obfuscate the truth.
posted on Wednesday, November 19, 2003 - permalink
Comments: Post a Comment

Searching the Microsoft Way

If you were a company with a variety of interests, and you controlled a search engine, wouldn't you be tempted to tweak the results so that things went your way? Well, some people noticed that searching for Linux on MSN and Google gave vastly different results, and some people dug a little more.

The upshot is this: MSN seems to present the user a lot of paid-for-results without making it clear which is which. Google actually had been criticised for this in the past, resulting in the layout now where the paid-for results lie on the right-hand side in small boxes, and the search-engine results take up the main proportion on the left.

The paradox is that while the Internet has made it easy for an individual to have their say, it's also made it easier for large organizations with sway to dominate the landscape with their messages. Just imagine if the integrity of Google as a search engine was compromised and all you saw was one side of the story for an issue like abortion and (most critically) this was done without the user realising it.

I guess the solution for this is the same as with other mass-media outlets: variety. Do try to see as much as you can out there in the Internet. Try not to stick to the same sources, and dip from time to time from competing sites, even if you disagree with them. It's not the technology which stifles, but how we use it.
posted on Tuesday, November 18, 2003 - permalink
Comments: Post a Comment

Osama's Guide to Terrorism

I mean, how cool is The Smoking Gun? Just browse through the website, and one of the things you'll come across are scanned pages of "Military Studies in the Jihad Against the Tyrants". This document was seized in a raid and, according to the website, "was placed into evidence last year by prosecutors during the federal trial of four men accused of involvement in the 1998 bombing of U.S. embassies in Kenya and Tanzania" - hence it's now public domain. It's 180 pages long, so I haven't really gotten through it, but I suppose this should represent an invaluable document for today's concerns. What is it that so many people are scared of? What does this hidden enemy think of? What is it they can do? It's all in here.
posted on Tuesday, November 18, 2003 - permalink
Comments: Post a Comment

Security Risks of Monoculture

A take on why it may be bad for all to use the same thing. It's a little like why some suggest bananas are at risk of extinction - there's little variation between them, and they are all succeptable to a single parasite.

I can certainly testify to this. For years - ever since 1997 or so - I've been using Netscape Mail to read and write my emails (current version is Netscape 4.75). I've consistently resisted using Microsoft Outlook, for two reasons: (a) I don't like the look and feel of Outlook (certainly not the ones I tried in 1998 and 2000); and (b) I consider MS Outlook a security risk.

Well, my fears for the latter have certainly been borne out. There have been virus after virus targetted at MS Outlook flaws, especially the one that causes programs to run when you view an email.

However, as far as I know, I've not been infected by a single e-mail borne virus while using Netscape Mail. None of the Microsoft Outlook flaws affect me. I've received many potentially infectious emails (I still receive a few every month) but I do not get infected by them.

I also do not read suspicious looking emails whilst online nor do I open dodgy attachments.

Of course, I am not suggesting that Netscape Mail 4.75 is inherently more secure than Outlook. In fact, I'm quite positive that there may be some sort of vulnerability in there (there's one from 1998 that should have been fixed by ver 4.7), but because so very few people use Netscape Mail, it isn't a popular target for virus writers. I may change my mind once the hordes of people out there read this article and decide to switch to Netscape Mail... ;)

Anyway, if you are looking for Netscape 4.75, I'm not sure you can so easily find the binaries for that anymore, and it has now been superseeded by Mozilla Thunderbird.
posted on Tuesday, November 04, 2003 - permalink
Comments: Post a Comment

Is Wi-Fi Bad for Your Health?

Some parents are suing their children's school because they use Wi-Fi and they don't want their kids to be inundated by evil Wi-Fi rays. Really. Honest.
posted on Tuesday, November 04, 2003 - permalink
Comments: Post a Comment