Thread: Glass panels: what OS?
View Single Post
  #54  
Old June 26th 04, 07:48 AM
Greg Copeland
external usenet poster
  
Posts: n/a
Default
On Fri, 25 Jun 2004 23:00:14 -0700, Peter Duniho wrote:

"Teacherjh" wrote in message
...
People don't mind using mechanics or A&Ps because we're told it's
necessary.

The difference is, anybody with a nearby library can learn how to fix a
car or
an airplane. This is not true of Windows, or any closed source software.
The
innards of windows are a secret. You cannot be sure of what the operating
system (or any commercial program) is =really= doing.

There is no such thing as "closed source software", not as you describe it.

I disagree.


The operating system is only mysterious to people who don't take the time to
look at the software. 100% of the operating system is delivered to every
person who installs it, and it is right there for anyone to look at.
Deciphering what the operating system does is orders of magnitude harder
than reverse engineering an airplane engine (for example), but it is not
impossible by any means. How do you think independent third parties
discover vulnerabilities in any operating system?


That's a different issue.

You can be every bit as sure of what the operating system is really doing as
you like. You need only invest the time and effort to do so.

The difference is one of practicality and man hours. With even the source
code, it would take man-years to review NT's code, for example. It would
probably take several orders of magnitude more man-years if it all had to
be done as the machine language level. Ack!


Open source
is somewhat easier to review,

Somewhat? Try, practicle versus nonpractical. Now, consider the number
of C and C++ programmers. Now, consider the number of even semi-decent
assembler and/or machine language programmers around these days. Starting
to see a resource problem?

but the truth is, if you aren't looking at the
compiled machine code that is actually running on your computer, you don't
really know what the software is doing.

This is, of course, a valid point. Just the same, a *mostly* moot point
given the openess of today's open source compilers. GNU's compilers, for
example, are self hosting. That means it compiles a compiler, which
it then uses to compile a new compiler. Then, the new compiler is used to
compile another compiler to compare with the previous compiler, to ensure
that everything is built properly. So, about the only way you're going to
get a surprise there is **if**, your current compiler is trojaned AND it's
smart enough to pass the trojan on to the new compiler. That means it
would have to know when it's compiling a new compiler.

Aside from that, compiler bugs are really the only issue to worry about.
Which means, for the vast, vast, vast majority of the cases, source code
is king!

The high-level C/C++ (or whatever)
code is very useful for giving you a good idea, but only the actual compiled
result can be considered to be a 100% certain description of what the
computer is doing.

Basically, short of a hidden compiler trojan, the source is still the
preferred reference, by anyone's measure. The compiled code is only
checked to ensure proper optimizations or to validate unexpected behavior
which may seem to not coincide with the source (compiler bug, for example).

Long story short, there is a world of difference between open source and
closed source software. The biggest being, it's completley unpractical to
even aspire to audit a closed source OS or application of any significant
scope without the source. Chances are, it would be much easier to write
your own software solution rather than attempt to audit a closed source
solution at the machine language level.


Greg