Web Development

The problem is that I can just as easily generate my own checksum (most I've seen use MD5) for the "tainted" executable. That leaves only the code review, which again is only worth the effort if you're going to perform your own compile. Even if I were to provide a build module of any sort, the code for it must be reviewed as well.

Personally, I do use some open source software, and I did download the source. Although I didn't perform a complete code review or even compile the source myself, I went to the "main" site for the software, located one of their approved mirrors, downloaded the binaries and the checksum, then I visited *all* of the other mirror sites and downloaded their checksums (for the same version). If all of the checksums match, that provides me with some assurance that an individual programmer didn't inject malicious code. It still doesn't prevent the original author(s) from doing the same, but there's at least a level of reasonability.

This is not an issue of trusted code then, but of trusted URLs...and MS has no more protection against DNS poisoning and Phishing attacks than anyone else.

You're issue doesn't address trusted code at all, just trusted URL's.

Since the primary distribution method of Open Source software is via download, I perceive both issues as a greater threat to the validity of the Open Source software than to Microsoft software.

Microsoft's primary distribution is through retail outlets. The odds are in Microsoft's favor that the CD's in their packaging will not be replaced by a retail vendor. In fact, Microsoft's biggest threat comes from piracy, not the Open Source Community, and even the pirates aren't injecting malicious code into the products (yet).

Piracy is MS best ally. If all people who uses MS products really where required to pay, they would just go for alternatives or MS would already decreased their prices. Take away piracy, then market rules would force this change, leaving commercial products on a one-to-one with FOSS.

If you are paranoid about code, and your point stands on malicious intention and conspiracy theory, I have a question for you:

Couldn't it be all flaws that any product (OSS or Commercial) has and are found, are backdoors they left intentionally ??

If so, OSS at lease has a greater auditing base than commercial software. (Have you seen THE NET?)

I lived in Bolivia, SA for 3.5 years, and during the first two years, I noticed that EVERYONE was switching over to Microsoft products. Previously, you had mostly Word Perfect, Novell, etc...

Well, the reason for the switch was that Word Perfect and Novell were actively pursuing all software pirating there. Microsoft wasn't.

After gaining a large share of the pirating market, MS went in and started chasing down the piraters and going after all of the companies with the illegal copies of MS software.

At that time... retail prices of MS products were DOUBLE what the same software was selling for in the US. i.e. from my old spreadsheets MS Office Standard purchased from the US and shipped to Bolivia was $475 fob, purchased from MS Argentina (via MS Select) the price was $895 (not quite double, but close).

MS W2k Server, Bolivian Price $2143, US price, $1372.

This is in a country that is considered one of the poorest in the Western Hemisphere (average FAMILY monthly income = ~$100).

MS uses piracy to establish market share, then they come in and charge outrageous prices to gain significant profits.

Examine your own statements. Individuals and businesses in Bolivia switched (your word) from Word Perfect and Novell to Microsoft.

That means that they either purchased the Word Perfect / Novell software or, as you imply, they pirated it.

It stands to reason that Word Perfect and Novell were pursuing the pirates because they were losing money. Microsoft wasn't involved because they weren't the ones losing money.

Suddenly, the pirates realized that Word Perfect and Novell were getting "too close", so they switched to Microsoft products. Now Microsoft started losing money in the region and their own marketing people saw companies running Microsoft products that had been pirated. The Microsoft response? Start pursuing the pirates. Just like Word Perfect and Novell.

As for the price difference, I've seen Microsoft product prices vary that much from vendor to vender just here in the United States. That a foreign country has a high price tag is no surprise. Shop around or, better yet, contact Microsoft directly and work out a purchase/support/upgrade agreement.

If that's not to your liking, turn to Open Source Software (whew! I thought I'd never get this back on topic). There are OS's, complete office software, management utilities, collaboration tools, etc. available at little or no cost.

Don't know if this is covered somewhere else(haven't read all the posts), but are you saying that you distrust Open Source because you download it over the internet? Where you have to use checksum's to verify code and there can be DNS spoofing etc.

But because Windows comes in a box from a store its more reliable, e.g. hasn't been replaced with something malicious ...

Then instead of downloading linux from the internet. Why not buy one of the tested stable releases, burnt onto CD's and sold at stores. I know that you can buy Mandrake in that form at least.

I believe that before being added to a linux dist, all software is tested/audited not only by the organisations programmers but also by many independant programers - people cant just add in their code in a reliable distribution. So any programs/code being added is checked by multiple people.

As for someone actually at the organisation adding malicious code before the product ships, there is as much chance of that happening at MS as any other place.


cheers

james

I totally agree with james. If KaceyR's main complain about trustability of libre software is that it's primary method of distribution is download vs. pre-burned CD's or preinstalled copies, then his rant should also be directed to shareware, carityware, and even A LOT of proprietary software vendors who choose to force users to download their utilities directly from their main site once the user has paid.
Some of those software writers also have "trusted mirrors" or "bussiness partners mirrors" across the world... how can you say none of them will inject something into the program?? If I download something from tucows or download.com or anything, how can I rest sure a cracker hasn't broken into the site and replaced original version with a malicious one???
The key is: be it proprietary, OSS or "shared", you MUST compare and verify checksums and file sizes gotten directly from the main site of the project. If it's shareware, carityware or libreware, it's still your obligation as user not to candidly trust whomever says it's the original software the offered at their site until you verify that it sure is or the opposite.

Furthermore, speaking about hidden backdoors: just remember windows 3.11 had a secret function (revealed when decompiling the program, of corse) called _MS234_NSKey (or something like that) that never got explained, some say NSA forced microsoft to put a backdoor on their product just in case... acording to what i've read, that piece of code hasn't been found on 95/98, etc. But - do you really think it vanished?
I personally don't, me thinkest M$ guys just hide it better now...
And since its code is hidden, you can never really know...

Just a thought but how many of you bought a cd each time MS ran an upgrade - I know that I downloaded XP SP2!