Web Development

General discussion


Open Source software vs. Proprietary software

By KaceyR ·
In keeping up with the Open Source software movement, I've come across a single, basic flaw.

The only way to ensure that your executable is as it should be, is to perform a comprehensive review the source code and to recompile it yourself.

I can, very easily, set up a distribution web site that contains both the source code and compiled executables, complete with my own hooks in the executables that will do whatever I want them to. The typical user will download the executables, maybe even the source, but will never perform a compile, and I certainly won't have my hooks in the source that they can review.

Without a complete review of the source code and an independent compile yourself, you have absolutely no assurance that the code you are running matches the source code that it's supposed to. Should that code damage or otherwise compromise your system, what's your recourse? Rebuild your system.

In addition, if you have the time and intellect to review and completely understand the source code, why are you wasting your time downloading someone else's product when you can make your own with the same level of effort?

By example, let's say you download a copy of Firefox, and it's been tweaked with a hack that allows an external user into your system. You're browsing around the internet and everything is great, then one you realize that you've lost all of your data. During a post-mortem, you discover that Firefox was the culprit, so you go after the developers at Mozilla. Oops! The signature of the executable doesn't match ANYTHING the original developers have ever released. They're not responsible. Time to rebuild your system.

Now let's say that you're running proprietary software and the same thing happens. During the post mortem you discover the culprit is the ABC product from XYZ company. The file signatures are compared and, sure enough, they match. XYZ company is clearly responsible, so they will be inclined to assist you in determing the exact cause and fixing the problem, as well as you (possibly) having a legal recourse against XYZ company.

This is both a level of protection and a level of assurance that the program will perform as expected.

Companies today are very paranoid (and rightly so) about system intruders and industrial espionage. With this in mind, why would you turn to Open Source software?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Check sums before installing

by gralfus In reply to Open Source software vs. ...

Most open source code comes with checksums to begin with, and if downloaded from a legitimate site should be hack-free. Check the hash prior to installing. A bit of responsibility outweighs potential legal hassles later.

The high cost of proprietary software is driving people to seek alternatives, and those so driven often find that there is some pretty great software out there for little to no cost. Used with the proper precautions (checksums, reviews, backups) open source can leave proprietary in the dust. Great help can often be found in forums dedicated to such software, though sometimes it is hit and miss. But you won't be generally charged for support, unlike some companies, unless it is used in a business.

Collapse -

Valid checksums

by KaceyR In reply to Check sums before install ...

The problem is that I can just as easily generate my own checksum (most I've seen use MD5) for the "tainted" executable. That leaves only the code review, which again is only worth the effort if you're going to perform your own compile. Even if I were to provide a build module of any sort, the code for it must be reviewed as well.

Personally, I do use some open source software, and I did download the source. Although I didn't perform a complete code review or even compile the source myself, I went to the "main" site for the software, located one of their approved mirrors, downloaded the binaries and the checksum, then I visited *all* of the other mirror sites and downloaded their checksums (for the same version). If all of the checksums match, that provides me with some assurance that an individual programmer didn't inject malicious code. It still doesn't prevent the original author(s) from doing the same, but there's at least a level of reasonability.

Collapse -

Not the same issue

by BDWolfman In reply to Valid checksums

This is not an issue of trusted code then, but of trusted URLs...and MS has no more protection against DNS poisoning and Phishing attacks than anyone else.

Collapse -

You just raised another issue

by KaceyR In reply to Not the same issue

You're issue doesn't address trusted code at all, just trusted URL's.

Since the primary distribution method of Open Source software is via download, I perceive both issues as a greater threat to the validity of the Open Source software than to Microsoft software.

Microsoft's primary distribution is through retail outlets. The odds are in Microsoft's favor that the CD's in their packaging will not be replaced by a retail vendor. In fact, Microsoft's biggest threat comes from piracy, not the Open Source Community, and even the pirates aren't injecting malicious code into the products (yet).

Collapse -

Trusted code, think twice...

by romeroGT In reply to You just raised another i ...

Piracy is MS best ally. If all people who uses MS products really where required to pay, they would just go for alternatives or MS would already decreased their prices. Take away piracy, then market rules would force this change, leaving commercial products on a one-to-one with FOSS.

If you are paranoid about code, and your point stands on malicious intention and conspiracy theory, I have a question for you:

Couldn't it be all flaws that any product (OSS or Commercial) has and are found, are backdoors they left intentionally ??

If so, OSS at lease has a greater auditing base than commercial software. (Have you seen THE NET?)

Collapse -

Actually, MS uses piracy to increase market share

by awfernald In reply to Trusted code, think twice ...

I lived in Bolivia, SA for 3.5 years, and during the first two years, I noticed that EVERYONE was switching over to Microsoft products. Previously, you had mostly Word Perfect, Novell, etc...

Well, the reason for the switch was that Word Perfect and Novell were actively pursuing all software pirating there. Microsoft wasn't.

After gaining a large share of the pirating market, MS went in and started chasing down the piraters and going after all of the companies with the illegal copies of MS software.

At that time... retail prices of MS products were DOUBLE what the same software was selling for in the US. i.e. from my old spreadsheets MS Office Standard purchased from the US and shipped to Bolivia was $475 fob, purchased from MS Argentina (via MS Select) the price was $895 (not quite double, but close).

MS W2k Server, Bolivian Price $2143, US price, $1372.

This is in a country that is considered one of the poorest in the Western Hemisphere (average FAMILY monthly income = ~$100).

MS uses piracy to establish market share, then they come in and charge outrageous prices to gain significant profits.

Collapse -

You're way off base, and off topic.

by KaceyR In reply to Actually, MS uses piracy ...

Examine your own statements. Individuals and businesses in Bolivia switched (your word) from Word Perfect and Novell to Microsoft.

That means that they either purchased the Word Perfect / Novell software or, as you imply, they pirated it.

It stands to reason that Word Perfect and Novell were pursuing the pirates because they were losing money. Microsoft wasn't involved because they weren't the ones losing money.

Suddenly, the pirates realized that Word Perfect and Novell were getting "too close", so they switched to Microsoft products. Now Microsoft started losing money in the region and their own marketing people saw companies running Microsoft products that had been pirated. The Microsoft response? Start pursuing the pirates. Just like Word Perfect and Novell.

As for the price difference, I've seen Microsoft product prices vary that much from vendor to vender just here in the United States. That a foreign country has a high price tag is no surprise. Shop around or, better yet, contact Microsoft directly and work out a purchase/support/upgrade agreement.

If that's not to your liking, turn to Open Source Software (whew! I thought I'd never get this back on topic). There are OS's, complete office software, management utilities, collaboration tools, etc. available at little or no cost.

Collapse -

CD's vs Internet

by scsAdmin In reply to You just raised another i ...

Don't know if this is covered somewhere else(haven't read all the posts), but are you saying that you distrust Open Source because you download it over the internet? Where you have to use checksum's to verify code and there can be DNS spoofing etc.

But because Windows comes in a box from a store its more reliable, e.g. hasn't been replaced with something malicious ...

Then instead of downloading linux from the internet. Why not buy one of the tested stable releases, burnt onto CD's and sold at stores. I know that you can buy Mandrake in that form at least.

I believe that before being added to a linux dist, all software is tested/audited not only by the organisations programmers but also by many independant programers - people cant just add in their code in a reliable distribution. So any programs/code being added is checked by multiple people.

As for someone actually at the organisation adding malicious code before the product ships, there is as much chance of that happening at MS as any other place.



Collapse -

Then it's not OSS vs proprietary

by Joe McTroll In reply to CD's vs Internet

I totally agree with james. If KaceyR's main complain about trustability of libre software is that it's primary method of distribution is download vs. pre-burned CD's or preinstalled copies, then his rant should also be directed to shareware, carityware, and even A LOT of proprietary software vendors who choose to force users to download their utilities directly from their main site once the user has paid.
Some of those software writers also have "trusted mirrors" or "bussiness partners mirrors" across the world... how can you say none of them will inject something into the program?? If I download something from tucows or download.com or anything, how can I rest sure a cracker hasn't broken into the site and replaced original version with a malicious one???
The key is: be it proprietary, OSS or "shared", you MUST compare and verify checksums and file sizes gotten directly from the main site of the project. If it's shareware, carityware or libreware, it's still your obligation as user not to candidly trust whomever says it's the original software the offered at their site until you verify that it sure is or the opposite.

Furthermore, speaking about hidden backdoors: just remember windows 3.11 had a secret function (revealed when decompiling the program, of corse) called _MS234_NSKey (or something like that) that never got explained, some say NSA forced microsoft to put a backdoor on their product just in case... acording to what i've read, that piece of code hasn't been found on 95/98, etc. But - do you really think it vanished?
I personally don't, me thinkest M$ guys just hide it better now...
And since its code is hidden, you can never really know...

Collapse -

Bug fix cycle

by Peter_es_uk In reply to Then it's not OSS vs prop ...

Just a thought but how many of you bought a cd each time MS ran an upgrade - I know that I downloaded XP SP2!

Related Discussions

Related Forums