Subject: Re: anti/Law
From: kragen@pobox.com (Kragen Sitaker)
Date: Wed, 14 Apr 1999 11:54:58 -0400 (EDT)

Ian Taylor writes [although he says he doesn't believe these arguments]:
> Free software has the potential bad effect which has been cited by
> sources as diverse as Microsoft and Larry McVoy: because free software
> makes it possible to easily change the source code, it becomes easy to
> introduce interoperability problems in network protocols and file
> formats.  To put it another way, in some cases centralized control is
> desirable; free software removes that control, reducing it to a sort
> of honor system.

That's an interesting argument.

Empirically, it has not been borne out, and it is not likely to be
borne out.  Here's why.

Interoperability benefits the users of the software.  Interoperability
problems (possibly) benefit the makers of the software at the expense
of the users.  Free software gives the users of the software control
over what's in their software; proprietary software gives the makers of
the software that control.

The users will generally try to eliminate interoperability problems,
because interoperability problems cause problems for them every day.
So free software will have fewer and smaller interoperability problems.
This is not just a special case of free software having fewer and
smaller problems in general, but a separate phenomenon.

> A variant of this is using free software in safety critical systems.
> It becomes possible for the end user to modify the software, and thus,
> through some sort of misunderstanding, inadvertently introduce bugs.
> Admittedly, this is just a subset of the general case of using a
> safety critical system in some inappropriate way.

Using free software in safety-critical systems also means that it
becomes possible for the end-user to certify the software as safe, to
make it safer (which in many situations will require a recertification
before being used), to find safety problems in ways other than
observing failed tests (a notoriously poor method of finding bugs), and
to alert other potential end-users of flaws.

Indeed, much safety-critical software is developed in-house today for
exactly these reasons.  [I have Cced a couple of folks I know who have
worked on such software recently so they can comment.]

> Another reason that distributing source code can be bad is that it
> magnifies insecurities.  Genuinely secure software is secure whether
> or not you distribute source code.  For insecure software, on the
> other hand, much as we all scoff at security by obscurity, it is quite
> a bit better than no security at all.  Distributing the source code
> eliminates the obscurity.

Probably true.  Certainly insecure free software will get safer faster
than insecure proprietary software.

I tend to think, though, that the incidence of vulnerability discovery
has more to do with the amount of effort directed at finding
vulnerabilities than with the availability or non-availability of
source code.  Recent years have seen quite a number of vulnerabilities
discovered that were far from obvious, with or without source code.

Of course, once a vulnerability is found and published, it is no longer
obscure.  :)

> Similarly, distributing source simplifies third party deceptions, in
> which a third party modifies the source code to introduce a security
> hole, and then replaces the original code with the modified source
> code.  As I recall, this actually happened once.  This sort of attack
> is easier with the source code, because it is easier to introduce the
> security hole.

There are thousands of people who have made a hobby of modifying
proprietary software without access to source, to cheat at games and
defeat copy-protection, for instance.  The recent Happy99 virus
included a binary patch to the socket DLL to intercept outgoing SMTP
connections.

I tend to think that backdooring software is not too difficult, with or
without source.  But with source, the backdoor is likely to be
discovered quickly; in the recent cases, it was discovered within
hours.  Without source, it may remain undiscovered for years.  Ken
Thompson's "Reflections on Trusting Trust" binary-only backdoor
apparently remained undiscovered for several years, despite thousands
of brilliant people using the backdoored software daily, and indeed was
never discovered at all, but rather announced by its inventor.

(Of course, not everyone is Ken Thompson.  But there are surely dozens
of people capable of doing a similar thing scattered among the NSAs and
MI5s and Mossads of the world.)

-- 
<kragen@pobox.com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
This is exactly how the World Wide Web works: the HTML files are the pithy 
description on the paper tape, and your Web browser is Ronald Reagan. 
  -- Neal Stephenson, at http://www.cryptonomicon.com/beginning_print.html