Wednesday, November 5, 2003
Clive (in comments) carries on the debate about whether voting machines should be open-sourced. He says that Al-Qaeda or other bad guys could never insert malicious code into open-source software:
But the whole point behind open-source code is that anyone can look at it -- and anyone does. It's essentially impossible to insert secret code into an open-source project, because there will always be infinite monkeys ready to pounce on it. That's why Linux is so superbly crash-proof; no bugs can exist in it, because of the enormous marketplace-of-ideas geeks out there who want to win points for being the coolest by finding the flaws.
Linux is crash-proof?!@! Is that why Matthew Szulik, CEO of Red Hat, says users should stick with Windows? Linux has no vulnerabilities? Go to CERT and see for yourself! Linux never crashes? Type "Linux" and "Crash" into Google and see what you see.
OK, deep breath. First point: when these bad things happen -- as they will -- who do you call? Red Hat? Suse? Some programmer living in who knows where who does this for fun part time? It's all about accountability, as I mentioned earlier.
Second point: there's this myth that if you encounter a bug, you or your IT department should just open up the (open) source code and fix it. That's utter nonsense. The second your IT department changes the operating system or the application, they are now accountable for it. They own it. Do you really think that your IT department has the domain expertise to become responsible for every component of your OS and all your apps?
Third point (related to previous): modern operating systems and apps are complex things. Changing them is something that should be done only with the utmost care; it's often not obvious what the effects of a given change will be up front, which is why software vendors spend literally tens of billions of dollars testing the effects of code changes before releasing them to the public.
Final point: let's just say for a moment that some Bad Programmer (e.g. from a terrorist organization) did slip some code into the distribution. (Not that unrealistic: there are some very smart people out there who hate us.) Let's even say for the sake of argument that a Good Programmer somewhere along the line catches it. My question is, once word of that attempt gets out, would anybody ever trust a voting machine again? Would you?
Now, let me be clear: I don't condone the behavior of companies that sue individuals for pointing out security flaws in their code; quite the contrary. Moreover, I do agree with Clive that the government has the right, indeed the duty, to inspect and certify the code that powers voting machines, so critical to the functioning of our democracy.
But I do think they should get that code from a vendor who stands behind it, who is motivated to make it successful, and who will fix it if problems occur.