Closed Source — Who Dares Call It Treason?
<p>The cat is out of the bag. During <a href="http://www.eweek.com/article/0,3658,s%253D701%2526a%253D26875,00.asp">testimony<br />
before a federal judge</a>, Microsoft executive Jim Allchin has<br />
admitted that some code critical to the security of Microsoft products<br />
is so flawed it could not be safely disclosed to other developers or<br />
the public.</p>
<p>Allchin was arguing against efforts by nine states and the District of<br />
Columbia to impose antitrust remedies that would require Microsoft to<br />
disclose its code. He constructed dire scenarios of U.S. national<br />
security and the war against terrorism being compromised if such<br />
disclosure were required.</p>
<p>Now turn this around. Allchin has testified under oath in a Federal<br />
court that software Microsoft knows to be fatally flawed is deployed<br />
where it may cost American lives. We’d better hope that Allchin is<br />
lying, invoking a “national security” threat he doesn’t actually<br />
believe in to stave off a disclosure requirement. That would merely<br />
be perjury, a familiar crime for Microsoft.</p>
<p>If Allchin is not committing perjury, matters are far worse — because<br />
it means Microsoft has knowingly chosen to compromise national<br />
security rather than alert users in the military to the danger its own<br />
incompetence has created. Implied is that Microsoft has chosen not to<br />
deploy a repaired version of the software before the tragedy Allchin<br />
is predicting actually strikes. These acts would be willful<br />
endangerment of our country’s front-line soldiers in wartime. That<br />
is called treason, and carries the death penalty.</p>
<p>Perjury, or treason? Which is it, Mr. Allchin?</p>
<p>There is another message here: that security bugs, like cockroaches,<br />
flourish in darkness. Experience shows that developers knowing their<br />
code would be open to third-party scrutiny program more carefully,<br />
reducing the odds of security bugs. And had Microsoft’s source code<br />
been exposed from the beginning, any vulnerabilities could have been<br />
spotted and corrected before the software that they compromised became<br />
so widely deployed that Allchin says they may now actually threaten<br />
American lives.</p>
<p>Thus Mr. Allchin’s testimony is not merely a self-indictment of<br />
Microsoft but of all non-open-source development for security-critical<br />
software. As with many other issues, the legacy of 9/11 is to raise<br />
the stakes and sharpen the questions. Dare we tolerate less than the<br />
most effective software development practices when thousands more<br />
lives might be at stake?</p>
<p>Closed source. Who dares call it treason?</p>