> As far as I can tell, this prevents countries from demanding source code to a closed source product as a condition for selling into a country. Seems reasonable?

How could this possibly be reasonable? Being able to look at the source code is a huge part of regulating code in life-and-death applications. Medical devices, cars, planes, train systems, etc. all need to be held to safety standards, and not allowing regulators access to the source code significantly inhibits their ability to do their job.

> If you want to audit a closed-source program for bugs and backdoors, people have been able to do this successfully hundreds (of thousands?) of times with standard tools like debuggers, disassemblers, and automated program analysis tools. The fact that a program is closed source has not stopped anyone from researching how it works. Ask ANY security researcher if it suddenly becomes impossible.

First of all, there are cases where you're just flat wrong. The Gauss virus contains an encrypted payload which is encrypted with a few system strings, meaning that when it runs in that system it will execute the encrypted code. It's impossible to audit the encrypted code without knowing the properties of the system it's intended to run on. Admittedly this is currently an unusual case, but given the incentives, it's unlikely that this will remain unusual. Hiding proof of code like the code in the Volkswagen emissions scandal[2] presents a large barrier to regulation, and it's not hard to imagine cases where it would make proving wrongdoing outright impossible.

Even in cases where an encrypted payload is not used, you cannot in good faith argue that the capability of auditing a binary is equivalent to the capability of auditing the source code. Yes, it's possible in most cases, but obviously it's significantly harder to audit computer-generated, optimized, and decompiled assembly code than it is to audit code written in, say, C. The skill and time required to audit a binary is such that it's cost-prohibitive in most cases: in the Volkswagen case, they discovered the fraudulent code with a $50,000 study that white-box tested the code by driving the car.[3] My guess is that an audit of the C code could have revealed something like:

    if(car_is_being_emissions_tested()) {
        ...
    }

...and such an audit could have been done by a junior in college working at a $15/hour internship. As these ways to cheat regulation become more sophisticated, under-funded regulatory agencies will be unable to keep up. It may be mathematically possible to audit binaries effectively, but it's not monetarily or organizationally an effective way to do regulation.

In short, it's absolutely not reasonable to tie the hands of regulators by preventing them access to the source code. Doing so is equivalent to giving up on regulating a large fraction of possible anti-regulation behaviors.

And this is only talking about regulation, when the binary being audited is produced by a company trying to skirt regulation. Even more concerns arise when the binary being audited might be partially created by a government. The NSA has well-known capabilities in this area, and we have no reason to believe that China (where many devices in the US are manufactured) has similar capabilities or will in the near future.

[1] https://securelist.com/blog/incidents/33561/the-mystery-of-t...

[2] https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal

[3] https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal#U...