Sunday, May 05, 2013

The case for open source software: no hidden bitcoin clients

It seems that an enterprising young man figured out how to make a little extra money on the side. How? By inserting Bitcoin mining code into proprietary software that is installed on computers belonging to the customers of the company he works for.

Users of the E-Sports Entertainment Association (ESEA) reported high GPU and CPU readings on their computers after installing the ESEA client software. The same users also reported that their antivirus was sounding alarms and that their computers were freezing or crashing. The cause of all this trouble was a hidden Bitcoin mining client that, while trying to stay out of sight, was using the machines' spare computing power to mine Bitcoins.

To understand what this means, we need to know what Bitcoin is and what it's for. Bitcoin is a computer-generated currency. The currency is generated by running calculations that place a heavy load on the CPU or GPU; that work is then credited as a fraction of a Bitcoin. Once mined, or minted, Bitcoins can be traded on the Bitcoin network as currency for goods and services.
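To show why mining pegs a CPU or GPU, here is an added example (not code from the post or from ESEA) of a simplified Bitcoin-style proof of work: hash a header twice with SHA-256 and keep changing a nonce until the result falls below a target. The header bytes and difficulty are constructed for illustration, not real block data.

```python
import hashlib
import struct
import time


def double_sha256(data: bytes) -> bytes:
    """Bitcoin hashes block headers with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def header_hash(header_prefix: bytes, nonce: int) -> bytes:
    """Hash of the constructed header with a 32-bit little-endian nonce appended."""
    return double_sha256(header_prefix + struct.pack("<I", nonce))


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A hash counts as a solution when, read as a big-endian integer, it is
    below the target 2**(256 - difficulty_bits), i.e. it starts with at least
    difficulty_bits zero bits. Each extra bit halves the odds per attempt."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def expected_hashes(difficulty_bits: int) -> int:
    """Average number of attempts before a solution appears."""
    return 1 << difficulty_bits


def mine(header_prefix: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force the nonce until the hash meets the target.
    Returns (nonce, digest, hashes_tried), or None if the nonce space runs out.
    There is no shortcut: the loop keeps a core fully busy until it succeeds,
    which is why a hidden miner shows up as high CPU/GPU load on an idle machine."""
    for nonce in range(max_nonce):
        digest = header_hash(header_prefix, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    return None


if __name__ == "__main__":
    # Constructed sample header; not real Bitcoin block data.
    prefix = b"constructed-block-header-example"
    bits = 18  # the real network's target is vastly harder than this
    start = time.perf_counter()
    nonce, digest, tried = mine(prefix, bits)
    elapsed = time.perf_counter() - start
    print(f"difficulty {bits} bits: nonce={nonce} after {tried} hashes "
          f"({tried / elapsed:,.0f} hashes/s), expected ~{expected_hashes(bits)}")
    print("hash:", digest.hex())
```

Raising `bits` by one roughly doubles the run time, which is the whole point: the only way to earn the fraction of a coin is to burn the cycles.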

It might surprise you that Bitcoins are now being accepted as currency by a few places, which you can find here. There is even a bar in New York that takes Bitcoins.

So what is the problem? Unless a proprietary software company exercises very strict quality control, it is possible for someone to slip Bitcoin mining code into the software you install on your computer. How would you feel if you installed software on your computer only to find that your antivirus is sounding the alarm, your computer crashes from time to time and your GPU is running near 90% while your computer is idle? That's what was happening in this example of Bitcoin subversion.

When all of the Bitcoin activity was finally stopped, the total value extracted by the mining software was $3715. Not bad for a couple of weeks of work. Of course, the source of the problem was discovered and removed. The company has apologized for the error and has pledged a matching sum to a charity.

This is just the start. It turns out that there is a new malware industry sprouting up to install Bitcoin mining software on computers without the user's knowledge. The virus or worm is the preferred vector of attack, and on Windows, most users will not be aware that anything is wrong.

The problem of secret Bitcoin code can now be seen in legitimate proprietary software and in malware. But you won't find this problem in open source software. With open source software, the source code is examined and checked frequently to ensure that it has not been tampered with. There is no place to hide Bitcoin miners in open source software.

The reason for this is peer review of the source code: many programmers are reviewing, modifying and improving it. Open source software licenses provide access to the source code, including any revisions made to it, when the binaries are distributed. How does that work? All software is written by programmers in text editors, as human-readable code with comments that describe what the code does. When the programmer wants to run that code, he must compile it using a compiler. The compiler converts the source code into machine language that the computer can understand and, in the process, strips out the comments.

Humans cannot easily read the machine language of software, but they can read the source code. If you don't have rights to access the source code for software you're running on your computer, it's not open source software. You don't get access to the source code of proprietary software like Windows, Microsoft Office or iOS. But you get the source code with Linux.

I think that the day will come soon when proprietary software vendors seek a legitimate source of revenue in the Bitcoin miner. Imagine this: as part of your license agreement to use proprietary software, you permit the vendor to run Bitcoin mining software on your computer. That sort of enterprise makes open source software that much more appealing.

Open source software is about having the freedom to decide what runs on your computer. It is also about knowing what is running on your computer. You'll never hear that from Microsoft or Apple.
