July 27, 2004
Open Source/Trojan Horse?
Someone recently asserted that military defense systems built on open source projects are vulnerable to trojan horse attacks, because such projects can easily be infiltrated by a contributor whose purpose is to add trojan code. I'll accept that it is easier for a malicious coder to contribute to an open source project than to get a job at a software company with defense contracts. However, it seems to me that the integrity of the source is protected the same way in either case: peers review the code before it is released, and a review catches only what the reviewers actually look at, whether the reviewers are volunteers or employees. An important related question is whether closed source projects offer any benefit once malicious code has actually made it into a military defense system.
In the event that malicious code is introduced in spite of the review process, are we any better off with open or with closed source? For products manufactured for the government, vendors can claim exemption from liability under the government contractor defense. The gist is that if the government was responsible for the product specifications, and the defect occurred even though the product met those specifications, then the government is responsible rather than the vendor.
If this defense can be applied to software, the situation can be worse with closed source. If the government's specifications were not precise enough to rule out a system compromise by malicious code, not only will it be much harder to determine the nature of the problem, but the vendor won't bear any responsibility and will be the only party able to produce a fix. The situation can be improved somewhat by limited release of the source under something like an escrow agreement, but in any case open source will certainly allow more people to see the code sooner when such a compromise is discovered.
In the context of military defense systems, it seems to come down to this. With systems based on open source, we must trust the government to protect the systems from compromise by providing the technical resources that can ensure system integrity. With systems based on closed source, we must trust the government to ensure accountability in the event of compromise by providing the technical and legal resources that can produce bulletproof system specifications.
Posted by nickh at July 27, 2004 02:30 PM