
If open source can't accommodate Android Lusers, it ultimately fails

TechRepublic member dcolbert asks the TR community, "What good is inherently better security through open source and 'many eyes' if manufacturers can effectively short-circuit the benefits in consumer applications?"

The Android platform has recently been subjected to increasing backlash among tech writers. There's a growing concern that carriers and manufacturers are hijacking the Android platform and perverting Google's intention of providing a consumer-oriented, friendly, and secure open-source mobile platform for phones and other personal electronic devices.

For 20 years, Linux advocates with a chip on their shoulder against Microsoft have talked about how open source empowers end users, administrators, and developers and frees them from the control of monopolistic, unresponsive corporations more concerned with profits than the security, safety, or stability of the platforms they sell to their customers.

For 20 years, they've talked about the freedom of installing OS platforms without the performance-sapping crapware that manufacturers pre-install on their hardware in lockstep with the Evil Empire of Redmond.


Yet, the largest commercial, consumer success of an open-source, Linux-based platform is Android - or at least it seems to be headed in this very direction - and the only difference this time around is that you'll be able to pick from any number of large corporations who will roll you like a bum. Sometimes it might not even be clear exactly which corporation is taking advantage of you. Is it HTC? Google? Verizon? T-Mobile? AT&T? Probably.

How can this be? Isn't open source supposed to route around this kind of behavior the way that TCP/IP handles damage from a nuclear strike? How is it that Motorola or Verizon can lock end users into their vision of an Android handset with limited features, custom markets, the inability to side-load apps, and flashable ROMs that are designed with a fuse that will brick the phone if you try to root it?

Android should be open-source's moment of self realization and fulfillment. It's their chance to run to the windows (no pun intended), throw them open, and yell to the world, "WE TOLD YOU SO."

However, and I admit I take a small amount of satisfaction in this, it looks more likely that it'll be the chance for the Windows users of the world to look at the Linux community and say, "Meet the new boss, same as the old boss."

In my recent post about Linux that came to a dubious conclusion - other than to establish that the vast majority of people involved in OS platform debates are on one side or the other for any reason but logic - much of the forum discussion focused on whether or not the open source "many eyes" security model was superior to the closed source "security through obscurity" security model.

Well, if the biggest commercial success of open source is co-opted by corporations, manufacturers, and carriers - and through control of hardware, networks, and ToS agreements they prevent users from fully realizing the benefits of open source - then it looks like, in practical application at the consumer level, "many eyes" may effectively be no different from closed source.


I can hear the uproar to this statement now, so let me elaborate. Open-source advocates will say, "The technically adept will be able to get around this." But in a consumer market, that doesn't matter. While 20 million iPhone users may have the ability to jailbreak their phones, a very small number of them actually ever do. It may be a geek ideal, but it isn't a practical reality for a popular electronic device aimed at average consumers.

Likewise, if Android has 88 serious flaws, you're at the mercy of Google, your handset manufacturer, and your carrier as to whether you'll ever see the fixes. The "open source, many eyes" model may already have identified the problems and provided solutions - but it simply isn't feasible for the vast majority of Android users to find those fixes on the web, via torrents or otherwise, and apply them to their devices themselves.


So, what good are open source and the many eyes security model in this situation, which is the largest commercial success open source and Linux have ever enjoyed? The kind of Linux open source arrogance that says, "Lusers who are too dumb to manage their own phones and devices deserve what they get," misses the point.

If those Lusers are the mass consumer market, and the choices are either to raise your technical skill or to be beholden to your device manufacturer and carrier, then open source ultimately fails to deliver on all of the "superiority" it has always claimed is inherent in its philosophy of openly shared code.

The user experience will be barely distinguishable from what they've always known. They'll have to wait for the large corporations to provide solutions - and we already know that manufacturers and carriers are slow to release fixes, and that many 1st-generation Android phones never received OS updates even though those updates were available.

Ultimately, the net result (which is what counts) is virtually indistinguishable from the detested Microsoft closed-source model. The only difference I can see is that the flaw is public knowledge, yet for all practical intents and purposes you still have to wait on a "monolithic" manufacturer to release the fix at its leisure. From a security standpoint that is arguably the worse position: a publicly documented flaw with no deliverable fix gives attackers the same information the defenders have, without the wait.

We'll hear all kinds of cop-outs, excuses, finger pointing, and blame. "You're attacking open source and the many-eyes model, when the Android platform you describe is nothing like the ideal." And that is the problem. The "ideal" doesn't work on a large scale, in particular with multi-billion-dollar, revenue-generating consumer electronics platforms. It is a flawed, broken concept - an ideology that only works in special niches with highly skilled technical users... actually, administrators.

But no one wants to be the administrator of their smartphone, tablet, or TV set. No one wants to go to SourceForge, verify a checksum, download source code, and then compile and install it on their personal electronic device - no one, that is, but hardcore Linux advocates.


However, if they're not doing that, and they're not getting it from a vendor, then they're putting their trust in the "many eyes" who have produced a "bootleg, unauthorized" patch or upgrade. For the average Android user especially, that's like downloading a Microsoft Service Pack from an unverified torrent. A checksum posted alongside such a patch proves only that the file arrived intact; it says nothing about who built it or what else they put in it. They're going to remain exposed to all the same risks and dangers they faced on closed-source platforms.

"This is not the failure of the open source, many eyes model - it's a failure of the users." But this is what the users ARE, it's who they are, and they are legion, they are the mob, they are massive consumer acceptance. If "open-source, many eyes" cannot accommodate them, then it's a failure. You can't ask users to accommodate it and then blame it on them if they can't do so.

One way or another, with the direction Android is heading - even though the platform is open source and protected by many eyes - the benefit becomes moot in practical application. Either it's too difficult for the target audience to leverage the benefits, or the delivery of those benefits in a consumer-friendly package is controlled by corporations whose business practices are virtually identical to those of closed-source vendors.

This is a disaster for the ideals of open source, many eyes superiority. What good is inherently better security through open source and many eyes if manufacturers can effectively short-circuit the benefits in consumer applications?

About

Donovan Colbert has over 16 years of experience in the IT Industry. He's worked in help-desk, enterprise software support, systems administration and engineering, IT management, and is a regular contributor for TechRepublic. Currently, his profession...

138 comments
apotheon

Is your understanding really this simplistic?

1. One of the benefits of open source software is that, if the current steward is doing a bad job, you can fork it and do it better.

2. One of the problems with the current Android situation is closed hardware. The PC as we currently understand it is a largely open architecture; cellphones, however, are not. The attempts to provide open smartphone platforms run up against governmental regulation that effectively makes it impossible for us to make use of an open architecture (see FCC).

3. You obviously know little or nothing about what knowledgeable open source advocates want to say. I don't think anyone was chomping at the bit here to say "technically proficient people can get around it".

4. Service providers are, in addition to the hardware problem, a major source of restriction. If you want a really open smartphone platform that is actually legal to use, get a Nokia N900, not an Android device. Of course, people don't get them, and it doesn't really take off, precisely because Nokia refuses to let service providers lock down the platform. Google does allow it.

5. It's interesting that the Android platform is still more open -- and provides some benefits as a result of that -- than Apple iOS and Win7 Mobile.

Elsewhere you linked to this, claiming that it was more tailored to discussion than previous attacks on open source development models and the people who use them. From what I see, though, you're still just trolling. The title sets the stage (again).

edit: pluralization oops

dcolbert

Although you started off poorly, I'm going to assume it is just in your nature to be rude, abusive and abrasive, and give you the benefit of the doubt this one time, and respond to your points.

> 1. One of the benefits of open source software is that, if the current steward is doing a bad job, you can fork it and do it better.

We'll talk when someone DOES this, and it is such a success it presents a challenge that it gets Apple to seriously reconsider negotiations with Verizon. If something like that happens and the platform is *truly* delivering FOSS ideals, then I'll gladly say I was wrong. But you're talking about "what-ifs" and I am talking about "what is".

> 2. One of the problems with the current Android situation is closed hardware. The PC as we currently understand it is a largely open architecture; cellphones, however, are not. The attempts to provide open smartphone platforms run up against governmental regulation that effectively makes it impossible for us to make use of an open architecture (see FCC).

I've addressed this, both in the forum and in the original post. The *why* doesn't matter, when mobile devices are set to be the single largest way by which all facets of digital content consumers interface with technology. Again, why FOSS can be thwarted, by Corporations, by Government Regulators, or by anyone else, is immaterial. If FOSS cannot deliver on the promise of Free-as-in-Libre because it runs into insurmountable obstacles, then FOSS fails at a core ideal which it promises to deliver. I'm less interested in hearing the FOSS community whine like Han Solo about how "it's not fair", than in seeing how the FOSS community is going to get angry and overcome the evil empire despite having all the odds stacked against it. Does the FOSS community have a little Han Solo in it? Or is it just a whiny emo kid dressed in black complaining that society mocks him for wearing mascara?

> 3. You obviously know little or nothing about what knowledgeable open source advocates want to say. I don't think anyone was chomping at the bit here to say "technically proficient people can get around it".

Calling BS on this. We *all* know that lots of FOSS advocates constantly trot out the, "If you can't do it, you're too dumb to do it". As a matter of fact, it is kind of ironic that you started this off with, "You obviously know little or nothing about..." This is FOSS defense 101. If there were a Hogwarts of FOSS, it would be the first defensive spell Snape would teach 1st year *nix wizardlings. "Proclaimus Opponentus Idioticus".

> 4. Service providers are, in addition to the hardware problem, a major source of restriction. If you want a really open smartphone platform that is actually legal to use, get a Nokia N900, not an Android device. Of course, people don't get them, and it doesn't really take off, precisely because Nokia refuses to let service providers lock down the platform. Google does allow it.

I'm not so sure about that. The question of why people don't get Nokias is probably important, but also probably really open to subjective interpretation. Can you NOT get an open, unlocked Nokia on ANY domestic carrier? Or is it that it requires a certain level of technical inclination to do everything required to achieve this? Either way, I think there is probably a balance of reasons why people don't get Nokia phones. Accessibility (both natural and artificial - that is, how difficult it is to do and how difficult it is MADE to do), features, marketing and brand recognition. The Amiga was a "better" PC than the PCs of the era. There were lots of different reasons why it failed, not just ONE. But in the long term, the only thing that matters today is, it FAILED, and most people are using IA/86 Windows based PCs.

> 5. It's interesting that the Android platform is still more open -- and provides some benefits as a result of that -- than Apple iOS and Win7 Mobile.

I agree with you, and disagree with you. It offers some benefits, it also offers some pretty significant liabilities. We still haven't seen much of what Win7 Mobile can achieve, and it is a 1st generation release. Why not give it some time before we drag it into the fray? Either way, let's break this statement down two ways. The way you worded it is a little tricky. It's interesting that the Android platform is still more open -- and provides some benefits as a result of that ... Well, that doesn't say a WHOLE lot that way. "It is interesting that iOS and WinMo7 are far more closed, but still offer some benefits as a result of that." How about this: "and provides some benefits as a result of that -- than Apple iOS and Win7 Mobile." Well, that doesn't work at all. But if we put it together like THIS - "It is interesting that the Android platform is still more open than Apple iOS and Win7 Mobile, and provides some benefits as a result of that". It doesn't sound quite as impressive as the way you put it together as a whole. Ultimately, there probably are some benefits of being more open. There are probably some benefits to being more closed. I'm not sure that it has any impact one way or another on *this* topic.

I don't usually provide the titles. I've said that in many of my blogs. I'm not a "headline" kinda guy. Did I claim it was "more tailored to discussion"? I don't think I did. I think I said that the previous discussions had helped me refine or tailor my position to a sharper edge in this blog. Honestly, I felt the relative silence in this forum might have been the result of me getting the edge a little TOO sharp, where my traditional "adversaries" were hesitant to try and get a grip on it. I can understand why. Addressing the actual THESIS of this one is far more difficult than even the previous one. I'm actually pretty convinced that my points are nearly impossible to argue as I've crafted my position this time. I'm not trolling at all, by the way.

Trolling would imply that I'm making claims here that I don't believe in, simply to upset people. I honestly believe that what I've outlined here is the apex of my argument against the practical application of FOSS, against the possibility of FOSS achieving its most foundational goals. I've even provided and agree with many of the examples I've seen on how it *might* be avoided. I just don't think it *will* be. I think that market forces will always adjust to make the delivery of FOSS ideals a utopian ideal, not a practical reality. I wish you could come to grips with the fact that I'm not trolling, and see the *much* bigger picture I am talking about. You seem lost in the smaller arguments that don't matter to my overall claim. So, let me ask you, do you think that a pure FOSS will *ever* achieve the market traction of OS X, iOS or Android, let alone Microsoft platforms? I'm saying, with no hesitation, it is VERY unlikely, maybe impossible. Not to troll, but because I believe in that.

Neon Samurai

" I'm not so sure about that. The question of why people don't get Nokias is probably important, but also probably real open to subjective interpretation. Can you NOT get an open, unlocked Nokia on ANY domestic carrier? Or is it that it requires a certain level of technical inclination to do everything required to achieve this? Either way, I think there is probably a balance of reasons why people don't get Nokia phones. Accessibility (both natural and artificial - that is, how difficult it is to do and how difficult it is MADE to do), features, marketing and brand recognition. "

Since the topic is Linux and FOSS heathenism, I'll focus on the N900. The phone can be bought unlocked. Your only limitation for carriers is if they use one of the cell technologies the N900 hardware supports. If your carrier uses SIM cards: golden, pop it in and you're on. I'm not familiar with the non-SIM setup but it's not really relevant since one would need to set up any non-SIM unlocked phone; the OS is not applicable. There is no special technical level of knowledge required if you simply want to pop in the SIM and use the phone. There is barely any technical knowledge required if you want to install additional apps from the repository or Maemo.org. There is a little more technical knowledge if, after installing RootSH, you want to really get around the *nix behind the makeup. You'll need applicable knowledge if you are going to write your own software or muck about with the non-gui apps. The Nokia N900 was originally offered as an example of a real manufacturer providing an honest effort to deliver an open OS. I've actually discussed the N900's low sales numbers with others including staffers. In Europe, the phone has been quite popular; starving the US and Canada of shipments didn't help sales figures around these parts though. Still, if you can find one, you've probably got competition from other interested buyers.

Nokia also priced it pretty high to match the low volume shipments; it should have shipped at $400 or $500, they pushed it out at a little over $700. They also focused on the existing N## community so the N900 was targeted at the more geeky who quickly recognized what they could do with it or were looking for the next hardware/os after the N810. General public perception of any particular OS really had nothing to do with it. It remains as an example of a mobile device that accommodates both the common consumer sticking to factory defaults right on through to warranty-voiding nerd needs without the hardware vendor feeling threatened by losing control of a product they had already sold to customers.

tbmay

LOL OK. You guys have kicked this horse 2 weeks after the buzzards were finished with him. Why don't you argue about the allegation of an FBI backdoor in OpenBSD's ipsec implementation? That's new material.

apotheon

That's the article. Funny how Donovan calls that a balanced article while in other subthreads he calls the exact same arguments I made there unreasonable and unbalanced.

apotheon

> You lack in all meaningful measure, the abilities of common social grace. The fact I have no particular reason to share such social graces with you is not proof of their absence from my array of skills. Choosing to use a car to go grocery shopping does not mean I do not know how to ride my motorcycle; it just means that I selected the vehicle I thought best suited to the job at hand. Social graces might be more appropriate to dealing with you if my goals were to foster a friendship with you or otherwise ensure that you think well of me. At this point, that is not my goal. Brutal honesty suits my aim more perfectly in this case. > You *did* try to pull out of that nose dive, though. I see you made an effort to curb your venom. I assume it is probably difficult for you. Actually, in your case, any civility was largely prompted by editors' urging and the fact that I had simply decided to change tactics in dealing with you when I realized how much I was letting a troll bait me.

apotheon

> Told us about it IMMEDIATELY?!?

First of all, what I said was immediate was working on verifying the alleged problem. You're misrepresenting my words, here. Secondly, my reference was to transparency, and not to perfection in ability to recognize a problem with great alacrity. What happened here, in terms of a problem in the source code -- a problem that happens to have been intentionally created, if the problem is for real -- could happen to a software system regardless of whether the source is open or closed. The chances are, I believe, greater that this could happen with closed source software (all else being equal), especially given that government agencies have been directly involved in the development of Microsoft Windows as well as indirectly involved in the development of OpenBSD. The major difference is that, when the alleged problem is revealed a decade later, the OpenBSD project founder, Theo de Raadt, announced it publicly so that people could take steps to minimize their risk while others dove into the code to verify the state of that source code. Microsoft CEO Steve Ballmer would surely have kept it under wraps as long as possible in similar circumstances -- or may even have been complicit in the first place. You decided to ignore that though, dcolbert. Why do you ignore the majority of salient points made by those who disagree with your gloomy, highly negative, often insulting portrayal of the value of open source software development? I have never suggested that open source software projects are impervious to all error. In fact, I have said quite the opposite in response to you several times. Pointing out that it is not impervious to error -- even an error as potentially troublesome as this one -- does not disprove anyone's point about the "many eyes" effect improving the chances that problems will be discovered and fixed.

> That is a whole other tangent - but if this turns out to be factual and is confirmed, what does it say about the Many Eyes model and quick discovery and correction of issues?

It says the same thing it would say about anything else: there is no silver bullet. That is not the same as saying that there is nothing that can provide an advantage over its alternative, though.

> It wasn't peer review that exposed the issue - it was a whistleblower.

. . . who reported it to the OpenBSD project's equivalent of Bill Gates but, unlike anyone in the upper echelons of Microsoft would be likely to do, de Raadt decided to share the news with a public mailing list so that the problem can be addressed quickly, effectively, and transparently. You keep ignoring the salient fact that much of what separates open source and closed source software development models is the responses that are enabled and encouraged by those models.

> From my perspective - if this *is* true, we have to assume that there were similar operatives placed in similar positions in any other platforms distribution team whenever possible with the same goals.

We don't have to assume that -- but I have acted for years understanding the possibility that such unwelcome alterations to MS Windows, MacOS, Fedora Linux, Ubuntu Linux, FreeBSD, OpenBSD, and countless other OSes might well exist. Part of that was the belief that such changes are more likely to exist in closed source software than in open source software because:

1. It's easier to hide in closed source software, even from the core developers since they do not have the help of outsiders the same way the core developers of open source projects do.

2. It's more likely that the closed source software developers and distributors would actually be acting in collusion with government agencies to do this kind of thing, thus improving such opportunities for government agencies.

3. Even if enacted without the collusion of developers and distributors, and even if they discover it, the closed source developers and distributors are more likely to hush it up and perhaps do nothing to change it than their open source developer counterparts.

I still believe closed source software to be more susceptible than open source software. This revelation about OpenBSD, if it proves to be factual, does not prove that only OpenBSD was compromised. Rather, it suggests that -- since open source is probably less prone to this kind of problem -- the danger of this kind of problem is probably much greater than we might have suspected, and all that closed source software we use just became much more suspect than before. It's also worth revisiting the question of relatively recent fears that modern elliptic curve cryptography algorithm research at the NSA included intentional weaknesses that could be exploited by government spies. Maybe there's something to those concerns after all.

> In that case, a whistle-blower with any sense wouldn't go to Steve Ballmer - he would go to the news media or some other media outlet which would want to break such a scandal.

Maybe. Keep in mind, though, that in this case the whistleblower was blowing the whistle on an outside provider, and not the core project. Code could have been snuck into MS Windows by contractors, just as effectively happened with OpenBSD, without Ballmer's knowledge. If it's more likely that Microsoft would have been involved in the inclusion of such backdoor code in its flagship software, it's only more likely because the likelihood of it happening at all was increased by the addition of the likelihood of Microsoft executives being in on it -- and that the likelihood of it happening without such collusion remains constant even as the likelihood of it happening with such collusion increases.

Clarifying hypothetical example: If there's one chance in ten that something like this could happen to OpenBSD without the OpenBSD project leader's knowledge, and zero chance that it could happen with his knowledge; if there's twice as much chance it could happen to MS Windows with Ballmer's knowledge as there is that it could happen without his knowledge; I posit this would effectively mean that there is a total of a one in ten chance it could happen to the OpenBSD project, and still a one in ten chance it could happen to MS Windows without Ballmer's knowledge, but a two in ten chance it could happen with Ballmer's knowledge, resulting in a three in ten chance it could happen to MS Windows with or without Ballmer's knowledge. With odds like that, I'd rather take the one in ten chance than the three in ten chance. What about you?

> With FOSS, as a "lead designer" or "project head", the only solution with such a disclosure, for self preservation alone, is to come out "immediately". If you didn't disclose, and then it went public - it would ruin your reputation among the FOSS community.

Yes. That is a good thing. You have done a good job with this statement of explaining one of the benefits of open source software.

tbmay

I've noticed the same thing. Reality is just too boring.

Neon Samurai

" I simply think that finding out the truth isn't quite as cut and dry as you seemed to imply. "

I suggested two ways of investigating the allegations in order to "finding out the truth".. if you have other avenues of investigation then please, by all means, suggest them. (I take it you didn't bother with any of the links to information I offered)

dcolbert

Actually a really balanced, good article from my first skim. I'm busy as heck and will be travelling tomorrow. I'll probably be on the dark side of the moon for the next week. If I get time, I'd like to get involved in the discussion on that thread, as well as respond to several posts here. We'll see - but right now, I don't have the time.

dcolbert

I'm disinclined to believe the FBI would have an NDA that would allow folks to spill the beans on this kind of covert activity after 10 years. Best observation yet. I think it is probably another self-important nerd with delusions of grandeur making up James Bond/Ninja Assassin stories. Our industry seems to attract a LOT of people who left behind "Monte Carlo, Aston Martin" spy lifestyles to become "Honda Accord driving" IT guys developing code or supporting corporate desktops. Too many comic books when we were kids, I guess. I'm actually a crime-fighting vigilante in a black armored body suit by night. The balding middle aged IT manager gig is just my cover.

dcolbert

FOIA request 1; please provide a list of all documents which mention "OpenBSD", "IPSec" and "PF" (clarifying that you mean the firewall software). While your filter might help you narrow the field of which documents might be relevant to *you*, the Federal agency you are serving an FOIA request on still has to sort through all documents that contain any of those queries. One of the benefits of bureaucracy *to* the bureaucracy. They can tie it up for years. This is no different than any other FOIA request. I simply suggested the most relevant mechanism given that it would have been documented. (one of the benefits of bureaucracy) Your assumption here is that there *is* a paper trail. If it is for real, there very well may be. There may not be. Heck, a smart enough person might have decided early on not to document any common key words - so the documents may exist with no reference to OpenBSD, IPSec or PF. That is going to throw a monkey-wrench at any FOIA that doesn't have specific documents in mind. You'll be reading about a bunch of criminal investigations that involved systems built on FreeBSD and employed IPSec and PF... but you'll be missing *all* of the documents that contain any reference to inserting backdoor code *into* FreeBSD. Seriously. You don't see how easy that would be to accomplish by someone with the foresight to think, "I don't ever want these documents discovered by a FOIA inquiry"? Well, that is the question isn't it? Could the FBI infiltrate the BSD project and maintain a hidden back door while leaving the source out in plain view (as if that's something different from any other developer joining the project and earning upload access)? Yes.. let's all respond and react to rumor and speculation; don't let hassles like evidence get in the way of a good panic attack. Who said I'm in a panic? Are you? I simply think that finding out the truth isn't quite as cut and dry as you seemed to imply.

"Just file an FOIA request and we'll get to the bottom of this". The things you are suggesting aren't trivial. The responses I've posted aren't "oh Lord, Seriously" implausible. As repeating it prior to any evidence is designed to do; cause fear leading to uncertainty and doubt. I'd be equally skeptical of the rumour about any other product be it open or closed source though. It's not development model specific where your thesis was. This is ABSOLUTELY a case where FUD can be a very effective tool in achieving a goal. Denying that doesn't make it not true. I'm not saying that it *isn't* FUD, or at the least a great way to generate FUD. Stop assuming that this is an attack supporting the creation of FUD to further the impact of that FUD. It is an analysis of how it works, and how difficult it is to fix it - regardless of if it is FUD *or* a legitimate situation. Why does a legitimate analysis of how the situation is most likely going to play out irritate FOSS advocates so much? OpenBSD is in a horrible situation all around here. If it is true, it is *really* bad, even if it isn't true - the FUD may be bad enough to deal with, anyhow. Neither you nor I have the qualifications on which to base trust in regard to OpenBSD. I trust neither of us which is why I continue to suggest waiting for conclusive investigation. I'm just nutty that way though. This isn't about legitimacy or qualification of placing trust in regard to OpenBSD. It is about how systems like these work. It is about how you can create communication systems that do not set off flags or alerts but are still effective at documenting plans, processes and projects in cases where discretion or plausible deniability is desired. It is about how perception is frequently as powerful as reality in conditioning responses or desired situational outcome. Stop worrying about defending OpenBSD or projecting what I describe as *my* position.
You know, the best way to prepare for an assault is to try and figure out what your opponent's next move will be. Unless you brainstorm and think about what course of action that might be, you're just sticking your head in the sand and hoping he goes away. I often come back to this in discussions with FOSS advocates. I frequently feel as if I'm talking to people who are covering their eyes and ears while yelling, "Nyah Nyah Nyah, I can't HEAR you!!!" whenever I describe a direction that they don't like. Why is denial so desirable?

Neon Samurai

The Internet hype machine goes into full swing and now we call that "legitimate news stories".. wow.. journalism just coughed up blood and rolled onto its other side.. kick it again, kick it again!! Do you reverse this criticism also? Wouldn't it be more possible for Microsoft to hide a back door and more plausible for them to do so given the greater popularity and habit of hiding source behind compiled binaries? Actually, you know what.. I was not present when you wrote this article. I did not stand over your shoulder as you typed or discuss every grammatical string with you. It's possible that not a word of it is true. It's even plausible that you were paid to feed the fires of doubt. Based on your position, I should take this possibility as gospel and discount anything you say. I'm going to do exactly what I've been suggesting be done with FOSS and the OpenBSD rumor; I'm going to wait for evidence before leaping to conclusions. " My counterpoint would be that a commercial, for profit entity has far more to risk by a disclosure of this nature. " You need to go understand how a gifting society and meritocracies work including the role that reputations play before you come back to this point. If you think only commercial interests have great risk of loss then you may want to give your head a shake. At minimum, read Eric Raymond's relevant essays. Even if you don't agree, they won't take you long and may give you a better understanding. http://www.catb.org/~esr/writings/cathedral-bazaar/ You may find some further interesting stuff up a level in /writings/. " If a disclosure of this sort was released about OS X or Windows, it would be implicit that the highest levels of the corporation were complicit with the authorities not just to allow this to happen, but to most likely *enable* and assist it. There would be no blaming it on a couple of rogue developers in charge of a specific part of the kernel. It would have organization-wide, damning repercussions. 
I also think that the FOSS community in particular, would be out with torches and pitchforks at the very suggestion, not "waiting for the truth to come out with an open mind". " Yeah.. cause Apache would have nothing to lose right? No impact there if a backdoor was found coded into the main source tree. A backdoor coded into the Debian Stable source tree wouldn't affect the entire Debian organization.. just a few of its little neck-bearded developers right? " You think out of the millions of lines of code that make up a Debian base distro that the development and overall management process would necessarily discover a few hundred lines, even a couple thousand lines, of code embedded in a larger routine or class, even if that code wasn't causing any problems and was commented out to intentionally distract attention? " I think the management processes and developer overlap do their utmost to mitigate a "malicious developer" attack. A FOSS developer found putting malicious code into any distribution would instantly become a pariah whose only recourse would be to fork their own distribution for lack of upload access to any other reputable distribution. The affected distribution itself would lose reputation and respect too so it's in the individual's and organization's best interest to maintain a secure source tree. Consider Gentoo's reputation drop for not properly checking hash values before blindly including source code. Notice that they were the only distribution which included and was affected. A developer's reputation may not mean much in a monetary economy but in the FOSS gifting economy, reputation is the developer. You don't get access to upload for a distro like Debian without earning that access in major part by developing your reputation with Debian and in greater FOSSdom. 
The beauty of FOSS is that it would essentially be just another bug in the source fixed promptly and a proof of concept that something in the distribution's management process needed to be changed. We're dealing with engineers after all, they fix the problem and move on to the next. " If I trust that people are brilliant enough to design such amazing code and review it and find and fix flaws quickly, and that there are people so brilliant that they can discover and EXPLOIT flaws with equal speed... " Sure, and the entire process is out in the open not behind closed doors. You can actually go do the research to build a list of cases where malicious developers have attacked their own distributions. The OpenBSD rumor was not hidden because it was potentially embarrassing; it was publicly posted for peer review. Gentoo's error was seriously embarrassing; again, handled promptly and publicly. We don't need to play "what-if" with FOSS in terms of possibility of malicious developers. Go on.. document the extensive cases of insider security breaches within FOSS projects and distributions. You're the one suggesting rampant opportunity for insider attack so the burden of substantiation is on you. Could make for an interesting future article. " One thing that anyone who works in IT for any length of time should know for certain is, "No matter how good you are, there is always someone else that makes you look like a noob and can do things you didn't even think were possible". " Exactly why I like the infosec field and pentesting specifically; the puzzle only ever gets more complicated. Pilots have a similar saying; The moment you think you're a great pilot beyond error, you crash. Hence, as always; trust but verify.

Neon Samurai

" You've got to *know* the specific document exists to file a FOIA act. You can't just say, "If you put a backdoor into OpenBSD, I want you to release any documents you might have that pertain to that". " " Said another way, if you don't know what you're asking for, how do you know what you got is what you wanted? " FOIA request 1; please provide a list of all documents which mention "OpenBSD", "IPSec" and "PF" (clarifying that you mean the firewall software). FOIA request 2; please provide documents identified on the following list of documents from our previous request. Document included with requested documents highlighted. This is no different than any other FOIA request. I simply suggested the most relevant mechanism given that it would have been documented. (one of the benefits of bureaucracy) One does not need an engineering degree to figure this out but for anyone interested, thanks to FOSS's parent Hackerdom, one can even learn how to make their own FOIA requests here (among many other places): http://www.thelasthope.org/media/audio/64kbps/A_Hackers_View_of_the_Freedom_of_Information_Act.mp3 A Hacker's View of the Freedom of Information Act (FOIA) - Phil Lapsley " Second: If the FBI could infiltrate and inject backdoor code into a high profile open source OS (or any other OS, for that matter) and keep it quiet for a decade, do you think you can trust any "completed code review"? " Well, that is the question isn't it? Could the FBI infiltrate the BSD project and maintain a hidden back door while leaving the source out in plain view (as if that's something different from any other developer joining the project and earning upload access)? Yes.. let's all respond and react to rumor and speculation; don't let hassles like evidence get in the way of a good panic attack. " Like any conspiracy theory, it is brilliant because it is as impossible to prove as to disprove. 
The very suggestion injects an element of doubt that can be more powerful than the truth or untruth of the claim. " As repeating it prior to any evidence is designed to do; cause fear leading to uncertainty and doubt. I'd be equally skeptical of the rumour about any other product be it open or closed source though. It's not development model specific where your thesis was. " Come on... we're talking about the power of manipulating people's perception regardless of truth. Who you gonna trust on a matter like *that*?!? Yourself? Or ME. " Neither you or I have the qualifications on which to base trust in regard to OpenBSD. I trust neither of us which is why I continue to suggest waiting for conclusive investigation. I'm just nutty that way though.

tbmay

...reasonable doubt cast on the entire thing. This thing was viral before anyone even knew if the person alleged to have sent Theo the mail was actually the one who did send it. I'm inclined to believe Scott Lowe never worked for the FBI. I'm inclined to believe Jason Wright's denial...and call for apology. I'm disinclined to believe the FBI would have an NDA that would allow folks to spill the beans on this kind of covert activity after 10 years. That probably is the biggest stretch of all for me. I haven't a clue what this person's motivation might be. But I don't know why some people write malware either. Headfuls of bad wiring is all I can guess in some instances.

Neon Samurai

If I claim that I know a guy who slipped a back door into Windows, do we all start jumping up and down decrying Windows or do we wait for evidence? Sure, it's possible my friend Eve the developer did, but how probable is it to have happened? " That mere possibility took 10 years to be *discovered* and for them to start to address, and only then when the person who claims to have inserted this code came forward and disclosed it. " Anything is possible. A 200 pound upward draft could possibly give me the ability to temporarily fly. What is the probability of that event actually happening? " That is a whole other tangent - but if this turns out to be factual and is confirmed, what does it say about the Many Eyes model and quick discovery and correction of issues? It wasn't peer review that exposed the issue - it was a whistleblower. " If it is confirmed, the question will indeed be "how was it possible to implement and why was it not found" along with "do other distributions share the same practices that led to the OpenBSD vuln?" Additionally; How fast was it validated and corrected? What changes ensure this does not happen in the future? So far it's rumor and cherry-picking fodder for opportunistic cheerleaders. Fear mongering doesn't automatically invalidate the "many eyes" approach to development. I mean, if it's proven to be a true claim then you can bet I'll be right beside you asking how future FOSS development works around the currently alleged damaged process.

dcolbert

This is "Look! When the mere possibility of a reputation-damaging problem with open source software security arose, they told us about it and immediately set out to verify the threat!" That mere possibility took 10 years to be *discovered* and for them to start to address, and only then when the person who claims to have inserted this code came forward and disclosed it. That is a whole other tangent - but if this turns out to be factual and is confirmed, what does it say about the Many Eyes model and quick discovery and correction of issues? It wasn't peer review that exposed the issue - it was a whistleblower. From my perspective - if this *is* true, we have to assume that there were similar operatives placed in similar positions in any other platform's distribution team whenever possible with the same goals. The commercial, closed source platforms (and perhaps even the commercial, open source platforms) were likely complicit in this process (if it in fact took place). They wouldn't come forward and make a public disclosure in the same situation - because they were in on it from the start. In that case, a whistle-blower with any sense wouldn't go to Steve Ballmer - he would go to the news media or some other media outlet which would want to break such a scandal. With FOSS, as a "lead designer" or "project head", the only solution with such a disclosure, for self preservation alone, is to come out "immediately". If you didn't disclose, and then it went public - it would ruin your reputation among the FOSS community. The reasons why a large corporate entity like Microsoft or Apple would be complicit with a program like this to insert backdoors into encryption routines are obvious. There is a corporate incentive to work with a Federal Government who can engage your organization in all kinds of distasteful investigations and accusations. There is an incentive to have some good will between your organization and an outside organization with this kind of power. 
There is perhaps, from a certain perspective - even a moral justification in engaging in such cooperation. "We allowed the Federal Government to put the backdoors in because we believe in protecting children, we believe in protecting liberty from terrorist elements, we believe in giving authorities the tools to fight crime". Many in our democratic representative republic are OK with giving up certain liberties in exchange for such implied securities. Obviously, among the more libertarian audience that is attracted to FOSS and *nix, such a direct approach would only result in a PR disaster. I'm not endorsing *any* of this, if it happened or is happening, with one opinion or the other. I'm simply presenting what is the most likely scenario that something like this would come to pass, if it did - from the perspective of a realist. Again, I think it is unlikely. I think that even if it is true, it is unlikely we'll ever hear the *true* story. A government powerful enough to inject an operative into a FOSS development team to insert backdoors that went undiscovered for 10 years until that agent disclosed the information... Is powerful enough to cover up the damage from that agent blowing the whistle. I don't think we'll ever really *know*.

dcolbert

I just recently watched The Voyage of the Dawn Treader, and was reminded of a singularly unpleasant character described in that book which I had forgotten as part of the story. In that light, while I may share some of the character flaws of an early Edmund Pevensie, you are clearly a boy who could be improved by spending some time in the body of a dragon. You lack, in all meaningful measure, the abilities of common social grace. This is, not without coincidence, one of the larger liabilities of the FOSS community - taken as a whole. You *did* try to pull out of that nose dive, though. I see you made an effort to curb your venom. I assume it is probably difficult for you. As for the details of your claims, there are enough mouth-pieces of the FOSS community promoting the hypothetical and unrealized dreams of FOSS solutions. It is refreshing to find an outlet that is willing to entertain contrary opinion. Hopefully Tech Republic will continue to present alternate viewpoints to the voice of FOSS rhetoric in the future.

apotheon

The unreasonable open source advocates claim that open source software provides guarantees of perfect security. The unreasonable closed source advocates use that, and every little vulnerability found, as guarantees of perfect fallibility. Neon Samurai and I fall into neither extremist camp. We both refer to tendencies toward greater security under certain conditions, greater opportunity for security under certain conditions, the value of transparency as a way to improve the odds of honesty in what you receive, and similar probabilities. None of them are guarantees, except that in many cases it is guaranteed that the opportunity for benefit exists. If anything, when trying to argue against the reasonable advocates for open source software development, this case of the OpenBSD project's current snafu works against closed source advocates like you (and, whatever you may pretend to be, your commentary has essentially advocated for closed source software). It does so because it shows some of the benefits of open source software development actually coming into play, where the same situation in a closed source context would not produce the same positive responses. This is not "Look! Open source software is insecure!" This is "Look! When the mere possibility of a reputation-damaging problem with open source software security arose, they told us about it and immediately set out to verify the threat!" If you're reading this as a bloody nose for the "theory" of the actual beneficial effects of open source software development, you must be looking at it while standing on your head, because that take on the matter is upside down.

apotheon

> I came in here expecting the title to be misleading...
>
> And an insult to be contained in the body.
>
> So color me surprised, as well.

Here's your insult: You're surprised because you come into these discussions not only expecting people who disagree with you to be bad and unreasonable, but trying to make them bad and unreasonable by front-loading your commentary. That, at least, is certainly how it looks. If that's not what you are trying to do, then you are achieving it despite your efforts, because what you say is exactly the kind of thing someone trying to do so would say. edit: That's not really an insult. It's an honest assessment based on your antics. I realize it might well be taken as an insult, however.

> Just because we disagree doesn't mean that either of us hold an *unreasonable* position. When we start calling the other person unreasonable, that is when it deteriorates into a zero-sum game.

Unfortunately, your claims that you just want reasonable discussion appear wholly unreasonable after reading one of your articles. Seriously.

> I play rough, I disagree with a LOT of what you say, and I use somewhat mean-spirited but humorous, exaggerated examples *frequently*.

Translation: You use insults, misdirection, and blatant dishonesty to try to make points. I find the idea of screwing with people's understanding of facts with such tactics highly offensive. You are, in short, the very embodiment of one of my pet peeves -- and you have a soapbox with the TR logo on it, which makes it kinda personal.

> Those examples are VERY rarely aimed at an actual individual - but instead apply to my "*nix user stereotype".

. . . which you aim at individuals. Even now, you use misdirection to distract from the truth of the matter to try to make points in an underhanded manner.

> I think if we could bridge that gap, we might have more productive conversations.

As long as you keep taking the classic sophist's approach (not the Classical sophist's approach, necessarily), that gap will never be bridged. "Win at any cost, regardless of the falsehood generated" is not something with which I can simply sit around and enjoy company.

> Somewhere in my subconscious I've got a gnawing feeling that is probably the most unfortunate result of all of this.

My impression of the most unfortunate result of it is that people's biases being fed by your balderdash may actually armor them against reason.

apotheon

I don't think Selena got around to reading it yet, and she obviously wouldn't still be at work at this point.

tbmay

...that doesn't help its image in the eyes of FOSS advocates. I suspect even you would suspect the closed source vendors are possibly complicit with authorities on back doors...and we KNOW they would like to eliminate competition. I use OpenBSD...a lot. I really hope this isn't true and, frankly, I doubt it is. Nevertheless, it is possible. Cryptography is a particularly complicated thing to begin with so if someone were going to hide a back door, that would be the place to do it. Unfortunately that's exactly where someone wanting to spy on you would want it. At the end of the day though, I'm not going to put server08 firewalls in a business. There is STILL no comparison between openbsd's security track record and ANYONE ELSE'S. I would hope nobody thinks FOSS is perfect. I'll agree we migrate to our comfort levels. I'll agree it is all but impossible for any team of coders to sufficiently review all the code they use, even if everyone including MS and Apple open-sourced their code. But Theo DID post the mail. Named technologists have given their side of the story. A lot of developer time will be auditing the ipsec stack now. If they find something, they'll fix it. If they don't...that doesn't mean something wasn't missed...but it does get us closer.

dcolbert

In seeing what your take on this issue will be. When I read it, I didn't go, "I've got a great BLOG" about this... Which is usually an indication I don't have a REAL strong opinion on the issue. I was sure it would create good discussion in these threads - but it didn't give me enough (at this point) to sit down and write 1300 words dedicated just to it.

dcolbert

A couple of observations: You've got to *know* the specific document exists to file a FOIA act. You can't just say, "If you put a backdoor into OpenBSD, I want you to release any documents you might have that pertain to that". So, for example, UFO nuts file FOIA reports on specific, well known cases. "We want Air-Force Radar logs from the evening of 12-22-2007 for Russert Nevada between 3 AM and 6:30 AM." Because they've done this, and never gotten a document that really confirms any reasonable explanation for UFO sightings, do you think that there aren't any legitimate UFO sightings? Or is it possible that the Government is smart enough not to disclose or record any enlightening discussions about legitimate UFO sightings in any documents that might be discovered through a FOIA petition? Said another way, if you don't know what you're asking for, how do you know what you got is what you wanted? Second: If the FBI could infiltrate and inject backdoor code into a high profile open source OS (or any other OS, for that matter) and keep it quiet for a decade, do you think you can trust any "completed code review"? Like any conspiracy theory, it is brilliant because it is as impossible to prove as to disprove. The very suggestion injects an element of doubt that can be more powerful than the truth or untruth of the claim. Come on... we're talking about the power of manipulating people's perception regardless of truth. Who you gonna trust on a matter like *that*?!? Yourself? Or ME. ;) And here you guys thought I was an MS-Shill.

dcolbert

Ask Julian Assange. Publishing could potentially have more drastic implications than embarrassment if it pisses the U.S. federal government off. As far as "proof positive" of my theory - my theory is that you can't *trust* any software (that you didn't write yourself or review and understand line by line), open source or not, to be free from back-doors or other intentional methods of compromising your security. I never expected to see confirmation of that theory to the extent that a rumor is generating legitimate news stories. But TRUST is just what you must do, at some point. Neither you nor Apotheon nor any other FOSS user has personally reviewed every line of code from every application that runs on their systems with complete comprehension of what each line is doing. It is practically impossible. Ultimately, you're putting your *faith* in the software. The argument has been that with Free and Open Source Software you have these built in assurances. But the fact that a rumor like this can be taken even somewhat seriously shows that it is still ultimately a matter of faith. It is PLAUSIBLE that something like this *could* have happened and could have been overlooked and undiscovered. My counterpoint would be that a commercial, for profit entity has far more to risk by a disclosure of this nature. Even if this rumor proves to be true, the argument will be that trusted members of the FOSS community exploited their position to compromise the values of FOSS - but that it isn't a reflection on the overall goals and ideals of FOSS. If a disclosure of this sort was released about OS X or Windows, it would be implicit that the highest levels of the corporation were complicit with the authorities not just to allow this to happen, but to most likely *enable* and assist it. There would be no blaming it on a couple of rogue developers in charge of a specific part of the kernel. It would have organization-wide, damning repercussions. 
I also think that the FOSS community in particular, would be out with torches and pitchforks at the very suggestion, not "waiting for the truth to come out with an open mind". "An intentional backdoor in Debian is not very plausible given an understanding of its development process and overall management." You think out of the millions of lines of code that make up a Debian base distro that the development and overall management process would necessarily discover a few hundred lines, even a couple thousand lines, of code embedded in a larger routine or class, even if that code wasn't causing any problems and was commented out to intentionally distract attention? If the comments in the code made it sound pretty boring and there were no problems that were traced back to what that code claimed to do, how frequently do you think that code would be dusted off and examined and analyzed in depth by groups that weren't working specifically on that code? With what I understand about development, the development process, and overall human nature, I think there is probably a great deal of code in any platform that hasn't really been examined and understood by anyone for a long time. A long term developer is probably aware of where those "dusty corners" of the code are. Write your routine and hide it in the super-stable, haven't been changed for years, are rarely used, but generally have to be included "serial port interface" code. Hardly anybody ever goes down THAT hallway anymore - and no one is trying to figure out how the construction of that hall *works*. I might be off base there, I am *not* a developer. But I think I know enough that it seems plausible that a scenario like that could exist, and be exploited. I don't trust, on this one, by the way. I'm highly skeptical. I'd be *completely* shocked if this turns out to be true. But if it doesn't, I still won't trust that it *isn't* true, and that even a careful review missed the back-door. 
If I trust that people are brilliant enough to design such amazing code and review it and find and fix flaws quickly, and that there are people so brilliant that they can discover and EXPLOIT flaws with equal speed... Then why would I dismiss the possibility that even more *brilliant* guys could figure out how to inject routines that defy detection? One thing that anyone who works in IT for any length of time should know for certain is, "No matter how good you are, there is always someone else that makes you look like a noob and can do things you didn't even think were possible".

Neon Samurai

Well, that's the question isn't it. An intentional backdoor in Debian is not very plausible given an understanding of its development process and overall management. OpenBSD's reputation makes it less plausible but I don't know its internal developer processes and overall management to point at specifics. On the other hand; you wouldn't have heard of this ever if it'd been an email sent to Steve Ballmer claiming the FBI brokered a deal to have a backdoor in place. With an open source project like OpenBSD; the freaking head of the project, the "Steve Ballmer" of the OpenBSD project, posted the received email in the developer's forum. Calling it proof positive of your theory is a little premature. As always though with such rumors; trust but verify. Let's wait for some facts to come out of the OpenBSD folks. Thanks to open source ideals, they'll publish even if it is embarrassing.

Neon Samurai

Make a FOIA request. The claim is that it's nearly a ten year old intentional vulnerability introduced by the FBI. They'll have documented it. FOIA the relevant documentation. Additionally, or alternately, wait for the code review to be completed verifying the lack of vulnerability or confirm its patch release to fix it. Until either of those outcomes; it's just rumor.

dcolbert

And an insult to be contained in the body. So color me surprised, as well. Ultimately, the closed source is just as likely to be doing this, and probably more unlikely to get CAUGHT doing it. I can't reasonably defend against not acknowledging something that is as evident as this. I'd point to the AT&T SF subsystem scandal, and Whistleblowing (for all the good it did), as a great example of a "Closed source" violation of the public trust being exposed. The outcome of that? Bush and Obama pushed for immunity for telcos when they violate our civil rights. Just because we disagree doesn't mean that either of us hold an *unreasonable* position. When we start calling the other person unreasonable, that is when it deteriorates into a zero-sum game. I play rough, I disagree with a LOT of what you say, and I use somewhat mean-spirited but humorous, exaggerated examples *frequently*. Those examples are VERY rarely aimed at an actual individual - but instead apply to my "*nix user stereotype". I think of him as like "Not Me" in the Family Circus (except for fat, bearded, and with skin problems). I think if we could bridge that gap, we might have more productive conversations. But generally, when we're *almost* repairing relations in one conversation, we're both busy destroying whatever good-will we might build up in some OTHER post on the site. Somewhere in my subconscious I've got a gnawing feeling that is probably the most unfortunate result of all of this.

apotheon

I just submitted an article about that subject to the IT Security column. I'm going to see if I can get Selena to publish it sooner rather than later.

tbmay

...because it looks like snopes material. Jason Wright... http://marc.info/?l=openbsd-tech&m=129244045916861&w=2 Scott Lowe also denies any involvement. But I couldn't resist because of the timeliness. Obviously I hope there's nothing to it. I do occasionally use ipsec. OpenVPN has taken its place for me for road warriors but the s2s setups with ipsec are slick and quick. The thing is, Donovan has a good point and it applies to ALL solutions. The government wants in your business. They would outlaw cryptography completely if they could.

apotheon

You made a good point: > Ultimately, the closed source is just as likely to be doing this, and probably more unlikely to get CAUGHT doing it This requires some further consideration, though: > a whistleblower is a whistleblower, inside or out. It only takes one person with a motive or a conscience In theory, yes. Whistleblowers need some things to go their way, though: 1. The whistleblower needs evidence, else it's easy to dismiss the person as a crank. Evidence is always available to anyone who wants it in public open source projects. Verification is a trivial exercise. 2. The whistleblower needs an audience that cares to open its collective eyes. That's a lot easier to find in the open source community than amongst the general run of MS Windows users, for instance. 3. The whistleblower needs a way to get the word out without the "powers that be" shutting down the venue for sharing information. Mailing lists in the open source community tend to be more effective for this than, say, CNN. 4. The whistleblower needs to be someone with both access to the "secret" and the conscience to do something about it. When the "secret" is published for all the world to see, as in the case of open source software, that set of conditions is much more likely. This all adds up to the first quote I pulled from your comment, so the second is kind of redundant, and means the opposite of what you seem to be trying to imply by preceding the second statement I quoted with the word "although". Anyway . . . thanks for making a reasonable point.

dcolbert

I hope it isn't true. I hope if it is true, the code can easily be discovered and removed. Whatever comes of it, though, I'm not going to know the truth first hand. I'm going to know what someone else told me was the truth of the matter. Like 99.9999999...% of the rest of the population. I'm sure I'll be incorporating it in discussions, though. I'm not sure where I am on blogging about it. Still have to find more and chew on my thoughts for awhile.

dcolbert

That is JUST what brought me back here today. http://www.networkworld.com/news/2010/121510-former-contractor-says-fbi-put.html THOSE are the good MANY eyes of security? It couldn't be more timely, could it? Ultimately, the closed source is just as likely to be doing this, and probably more unlikely to get CAUGHT doing it (although a whistleblower is a whistleblower, inside or out. It only takes one person with a motive or a conscience). Which at *best*, to me, leads one to the conclusion that it is all about as worthwhile as an argument over the Left versus the Right, Republicans versus the Democrats. It is all in who you are more comfortable getting felt-up by - but in the end result, you've still been taken advantage of. I've argued *this* for a long time, too - that for most of us, even those of us who are pretty good with technology - there is very little opportunity for us to KNOW what is going on. More likely, we're trusting (in blind faith), depending on what our gut tells us, where our comfort zone lies. This is a *very* timely article. It doesn't even matter if it is true or not. It matters that it is plausible.

tbmay

...at this point it's just an allegation. As I said on another board....there's no reason to believe this any more than there is for me to believe I have $15 million coming to me if I just send my bank account number to my internet friend. Or to believe if you enter your cc number antivirusxyz2011 will make your computer safe. Theo posted an e-mail he got from someone making lots of claims about folks working for the FBI (who deny it) and cloak-and-dagger spies on the development team. Theo isn't really Mr. Popular and a lot of folks don't like him and like to try to push his buttons. Until I hear otherwise, that's all I make of this. It would be fun to watch Chad and Donovan argue about it though. ;)

tbmay

I've been waiting all morning. :)

Neon Samurai

I was going to message a link to that story over to Apoth in case he wasn't already writing the article. I got bogged down in this though, so you get first mention. But I hope it's just rumours though. The most hardened BSD with an intentional vulnerability written in; man.. that would be news.. actually, both Donovan and Chad should be all over that one with throbbing.. er.. finger.. finger from typing feverishly on the keyboards.. ;)

RockerGeek!

Open source is open source. People will take it and make awesome stuff from it, or they will make crap. It's there for those who know how to use it, or want to learn more. The time open source anything is "the same" (and I say "the same" lightly, here) as closed source is when it's in the hands of a user who has no idea how to use it to its full capabilities. And that is the vast majority of PC and phone users. I don't know how to mod open source stuff, but I'd like to learn. I am, however, pretty tech savvy. I work on the tech support team at my university doing your normal IT support stuff. But until I acquire the necessary skills to do the wonderful open-sourcey things on open source OS's, a Droid-based phone in my hands has just as many opportunities as in my sister's hands. Which is using it as-is, right from the box. And the most modification that happens is changing wallpaper, ringtone, and downloading apps.

Deadly Ernest

I limit myself to changing the wallpaper and the ringtone as I don't care about the rest. A mobile phone is so I can make or receive calls while away from the house - END OF STORY.

dcolbert

It is a Linux based personal consumer digital consumption and creation device - it just happens to make phone calls, too. :) I hardly *EVER* make phone calls, anymore.

Deadly Ernest

It's kind of like saying I want a car to go to work every day, but it would be neat for it to be a mobile home with a large carry tray - so you make a large Winnebago with a bloody great big pick-up tray at the back, and now say this is the perfect vehicle. The Android started life as a mobile phone, and they've warped it into something else. I find I get several times the battery life out of my current mobile phone than others do, simply because I use it only as a phone. Anyway, that's a different discussion to the current one.

dcolbert

But I could jailbreak my iPad just as quick, and I *did* run a custom ROM on my WinMo 6.1 phone. Before that I hacked my dumb-phones with BitPIM. So Open Source, it either *makes a difference*. Or it *doesn't*. If you have to be a hacker to free your system, then it isn't FREE. If your system comes to you without restrictions, then it is free. If Android requires a HACKER to get to the free (free as in, use it how you want to, not how you're told you have to use it - not free as in free beer) of it, then open-source is in no way "inherently superior" to closed source. In fact, if that is the case, it is "inherently undifferent". In particular as it relates to massive consumer acceptance and the "benefits" that the "inherently superior" Linux FOSS platform should allegedly bring to them should they abandon closed-source paradigms and adopt Open-source.

RockerGeek!

my point was missed. Just a bit. I was meaning to be light-hearted in my response to the original post. Just b/c you root/jailbreak your Droid/iPad/iPhone doesn't mean it's b/c you're a hacker. I know a couple ppl who had to go online to jailbreak their iPhone (one of whom faced the consequences when it later broke and he learned he'd voided the warranty). The biggest point was that, unless you normally use Linux, or at least know how it works, then you aren't going to be buying an Android based phone to root it and use it in the full, unadulterated glory of open sourced fun. I bet most people aren't aware of the fact that it's Linux-based.

An underlying point in my original post was that I would like to learn how to root a Droid. Or use Linux in all the glory that Linux is meant to be used. I would want to learn, just for the sake of knowing. In that same light, a lot of people get a Droid just b/c it's the "latest and greatest!" Most people feel that Android based phones are superior just b/c it's an Android. (Holy crap it's got cool nicknames too! Mine has Froyo, wut aboot you?) I honestly think that there are ppl out there who think a phone is superior just b/c it has a touch screen. Then there are ppl who are "loyalists": the ones who will ONLY ever buy a phone produced by a certain manufacturer. (commence the eye rolling)

As far as the "inherently superior" phrase. Sadly, there are ppl who think phones w/touch screens are superior, just b/c of the touch screen. Superiority is in the eye of the user. Someone could, for example, try and talk me out of using a Motorola Droid 2 Global and get an HTC Incredible b/c "it has a better UI"; well, maybe I think Motorola looks better? Also I like a physical keyboard. I can not STAND to text on a virtual keyboard. I really hate it. But I know ppl who think it's better b/c there's less hardware to break. While the interface is the breaking point on "superiority" to one person, hardware is more important to someone else. (at the risk of sounding like I'm ranting, I'm not. I'm just trying to clear up my thoughts and thought processes, which make sense to me in my head, but sometimes aren't all that snazzy in text, so sorry if I offend anyone)

RockerGeek!

Who needs politics? People are far too easily offended now, hence my jumping out and saying "just FYI, I'm not being a b**** on purpose"... haha And it's rather sad that developers will make a device w/a logic bomb like that.... Scare tactics are scare tactics. Android Roulette is all the rage!! All the phone makers are playing!! *epic sarcasm* Right now I'm stuck w/my family's plan on Cincinnati Bell. So until I get a better paying job, I'm not getting a Droid anything from anyone. It'll be a while till I can delight in the glory of Android (sad, sad face)

royalheart

the choice only to cellular carriers. It was intended to encompass ALL devices that have an in-built restriction, of whatever form, on how they can be used. And very likely, Apple would be the maker of our PCs.

CharlieSpencer

"One would think that users being able to mod the device, use whatever software/hardware they want with their devices ... would INCREASE sales of those same devices." Remember who's selling the devices. It's not the manufacturers, it's the cellular providers. Their money is in keeping people on the reservation, especially away from VOIP apps that might cut into telephone profits or apps that might stress their bandwidth. "If IBM had NOT released the COMPLETE specifications to the (original) IBM PC ... what would the PC we know and use today be like?" Apple.

royalheart

...before I posted above (1.3.1.1). As I stated there, and you above, it's the HARDWARE manufacturers locking out those users who wish to use their devices as they wish, and not be limited by how the manufacturer ALLOWS the user to use their hardware. It's ridiculous. One would think that users being able to mod the device, use whatever software/hardware they want with their devices (within the capabilities and electrical and physical limits of said devices) would INCREASE sales of those same devices. Yet the makers seem to be shooting themselves in their collective feet by including lock-out and/or disabling "features" in their hardware. Counterproductive, it would seem. Ask yourself this question (not THAT one! THIS one!): If IBM had NOT released the COMPLETE specifications to the (original) IBM PC (back in the 1980s), and had locked in their hardware (where only IBM software would run on it), what would the PC we know and use today be like? Thank you, IBM, for giving us the choice. The choice to pick, choose, and use the offspring of your creation. However we see fit to use it.

dcolbert

"(at the risk of sounding like I'm ranting, I'm not. I'm just trying to clear up my thoughts and thought processes, which make sense to me in my head, but sometimes aren't all that snazzy in text, so sorry if I offend anyone)"

I do both of these things so much, it is sometimes hard to tell where my rants end and "me in the process of trying to flesh out my thoughts" begins. If you're going to do either, the forums attached to my blogs are a great place to start. Just have a thick skin - the forums my posts generate are not always the most polite or politic on Tech Republic.

I don't want to discourage people from exploring the limits of their personal electronics. In fact, I think it is a great trait for anyone interested in a career in technology. The "Cracking Open" series are what originally brought me to Tech Republic. I would say be careful and do your research - because it seems like our government is still trying to figure out what they want to allow and what they don't when it comes to any unauthorized modifications to your own electronic devices (iPhone jailbreak = OK. XBox 360 modding = only safe if you're facing incompetent prosecuting attorneys).

To me, the most troubling issue as it relates to this discussion is Motorola including a "fuse" that can brick your Droid X if you try and root it. They haven't enabled this feature and assure us they won't, but why even include it? It is like they're holding a loaded gun to your head and saying, "we're just doing this to see what it is like, don't worry, we won't pull the trigger". Activated or not, it is a clear threat against the ideals of the open-source ideology on which Android is built. It may be the clearest threat. I'm assuming that the Linux kernel on which Android is built is based on a kernel covered by the GNU license.

To me, it seems like the GNU license should be updated to reflect two things:

1. This software cannot be included, sold or installed on any device with any hardware designed to disable or destroy the device if the owner decides to exercise their right to leverage their guarantees and liberties under the GNU license terms.
2. This software cannot be included, sold or installed on any device sold by any service provider who has ToS (Terms of Service) that prevent the user from exercising their GNU license rights as above.

Of course, I think what would happen is that Google, the handset manufacturers, and the wireless carriers would simply find a kernel that wasn't covered by the GNU license - and go with that one instead - even if it meant throwing the Android baby out with the bath-water.
