The enemy in the software



This text was automatically translated from Italian. If you appreciate our work and like reading it in your language, consider a donation so that we can keep doing it and improving it.

The articles of Cassandra Crossing are licensed under CC BY-SA 4.0 | Cassandra Crossing is a column created by Marco Calamari under the nom de plume Cassandra, born in 2005.

Cassandra on free software and open source (but not only).

This article was written by Cassandra on June 5, 2024.

Cassandra Crossing 585/ The enemy in the software

Do we simply have to get used to considering software unreliable "a priori", or is the issue even more complex than that?

I can't see the forest, because there are all those trees in the middle

With this famous quote, Cassandra can sum up the typical reaction of those who listen, perhaps with interest and attention, to the news about software security and the disasters that keep happening, particularly attacks on software supply chains.

And in fact this summary captures both important aspects of the problem at once: the first is the intrinsic reliability of the software, commercial and free alike, and the second is the interests of those behind it.

Cassandra is not talking about Facebook or the gangs that spread ransomware; those operate with the explicit consent of the users, or thanks to social engineering, and neither is a software problem.

We are talking about conflict, about war. Against a high threat model, software in general, free software included, can give no guarantee of security or reliability. Cassandra has already shown you some demonstrations of this.

This is due to the ways in which software is produced and distributed or marketed. None of them is designed for reliability or security, only for convenience, whether virtuous or vicious.

In the case of commercial software, as everyone who has worked on it knows, it is sold as soon as it is functional, and the reports from customers/beta testers are then only partially acted upon, according to the producer's convenience, while the producer shields itself from financial risk with insurance policies and crowds of lobbyists and help desks.

In the case of free software, not even a complete scrutiny of the sources, a titanic undertaking if extended to the software's entire execution environment, can give absolute guarantees, given the level of sophistication shown by those who professionally produce malicious software or carry out hostile actions using information technology.

Free software, and open source software too, live instead in the perennial bazaar, theorized back in the last millennium, and will never be able to leave it. On average it will be well and carefully written software, but it will never be reliable against high-profile attackers.

To summarize again in a more “technical” way:

  • The software currently in use and the related development models, both commercial and open, are neither reliable nor modifiable to become so.
  • Therefore, for high-risk uses, or for uses in the context of asymmetric conflict, no "reliable software", no "a priori" defense will ever exist. Asymmetric wars will be trench wars, where whoever causes the most deaths wins.
  • Coexistence with great risks due to software is inevitable and unavoidable, like that with the Bomb or with so-called "industrial disasters".
  • Mitigation, not a solution, can only come from diplomacy, treaties and alliances.

Of course, technology will never be able to offer us a solution.

We already live today with unreliable software, which can be used by "others" as a weapon, and we will have to live with it in the foreseeable future. Your favorite prophetess guarantees it.

All that is left to us is the hard work of coming to terms with it.

Marco Calamari
