Trust and open source
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2006-03-07, The Ghost In The Machine spake thusly: Great post! I remember...
We hear it all the time from the winvocates, "You need to trust someone," and then they go on to try to equate trusting a Debian or a Red Hat with trusting a Microsoft, as if there were no difference.
A phrase that I've coined, and believe, is this:
"Trust without verification is not trust, it is faith, and faith is not the basis of sound decisions."
There are many levels of trust. There is direct trust, where you have direct experience with the integrity of an entity. This is the strongest trust, though obviously not perfect, because it is only as good as your ability to validate. An example of this is advice from your most trusted friend.
Then there is trust by proxy: this is using agents that you trust to evaluate the integrity of a third party. You trust your agents to be trustworthy and to provide good information. This method of trust can be a better source of trust than direct trust, because your agents may have a better ability to evaluate than you do, but you must be sure that your agents have your best interest as their motivation. An example of this is RSA or Thawte signatures on web sites.
Another form of "trust by proxy" is the notion that "they can't all be lying"; this is in essence how most of us come to most of our trust in the world around us. It does not require that we trust any specific agent, but that we trust that not all agents could be lying about the same thing. An example of this is the daily news: surely not all news channels will lie about the same events? Right?
The "they can't all be lying" paradigm doesn't work with large multi-national corporations or government agencies who can buy all the advertising they want and sponsor whole programs to promote their view, especially when the agents involved either do not understand the subject matter, are not motivated to discover the real facts, or are themselves corrupted. They will accept the information given to them as fact regardless of truthfulness, and report in kind.
When it comes to computer security, the "they can't all be lying" paradigm works for Open Source. There are many agencies and individuals who can inspect and test open source unconstrained. This multitude makes it unlikely that any one, or any group of agencies, can lie effectively.
Closed source companies like Microsoft, on the other hand, do not allow unconstrained inspection and testing of their code. Furthermore, since independent agents cannot inspect the code, we must assume *all* reports about the trustworthiness of the products are suspect or corrupt. Even further, those who have access to the code are almost always constrained by NDA as to what they can or cannot say, and are further threatened by economic damage if they rely on the technology for revenue, which is reasonable to assume if they have access to proprietary code. If they offend the company by honestly critiquing the code, the company may take punitive measures by limiting access to information or raising prices on OEM versions of software.
In the end, there is no method by which one can verify any trust in proprietary closed source; one has to have faith that the maker is telling the truth. In the case of someone like Microsoft, that faith would clearly be unwarranted based on prior behavior.