I recently confronted the maintainers of bitcoin software as to the "source" of their source code. They replied "it's open source!". This is a problem. Being able to inspect a codebase is not the same as knowing where it came from and, more importantly, who it came from, because authorship is what tells you about intent, purpose and capability.
Linux is a good example of this. We all know that Linux came from one Linus Torvalds. He is a notable figure in his own right; we understand and can empathize with his motivations, we can trace the early fragilities of Linux back to him, and we can even sense in the code the expression of his ego and of what he was trying to accomplish.
But we should be extremely wary of open source that has no such provenance, that comes out of nowhere or is delivered by shadowy figures and left on our doorstep, as if we only had to inspect the code to see its benign nature.
Certain kinds of software, cryptographic software especially, are only written by certain people for certain purposes, and when such software is spread via peer-to-peer networks and becomes self-sustaining it must be regarded with the utmost suspicion.
The number of people cooperating in the Bitcoin network is in the thousands. The number of people who actually understand bitcoin is a handful of those. The number of people who know where the code came from and what its true purpose is is exactly zero.
This is a major cause for concern given the amount of public computing power currently dedicated, ostensibly, to Bitcoin mining: a brute-force search for block headers whose double SHA-256 hash falls below a difficulty target. (Note that mining is not an attack on public/private keys; SHA-256 is a hash function, not a key scheme, and what miners search for is a partial hash preimage, not a key.)
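To make concrete what that computing power is actually doing, here is an added example (my own code, not code from the original post or from the Bitcoin project) of the proof-of-work search. The header fields are constructed, not taken from a real block, and the difficulty uses a toy "bits" value of 0x1f00ffff so that the search finishes in a fraction of a second; Bitcoin's genesis block used 0x1d00ffff, which is about four billion times harder. The header layout (80 bytes: version, previous block hash, merkle root, timestamp, bits, nonce) and the double SHA-256 are as in Bitcoin.

```python
import hashlib
import struct

# Constructed example header fields (not a real Bitcoin block).
VERSION = 1
PREV_BLOCK = bytes(32)  # all-zero previous hash, as a genesis-style block would have
MERKLE_ROOT = hashlib.sha256(b"constructed coinbase transaction").digest()
TIMESTAMP = 1231006505
# Toy difficulty: roughly one header in 65,537 satisfies it.
# The real genesis block used 0x1d00ffff (about 2**32 times harder).
BITS = 0x1F00FFFF


def bits_to_target(bits: int) -> int:
    """Expand Bitcoin's compact 'bits' field into the 256-bit target."""
    exponent = bits >> 24
    mantissa = bits & 0xFFFFFF
    return mantissa * (1 << (8 * (exponent - 3)))


def serialize_header(version: int, prev_block: bytes, merkle_root: bytes,
                     timestamp: int, bits: int, nonce: int) -> bytes:
    """The fixed 80-byte block header, all integer fields little-endian."""
    return (struct.pack("<I", version)
            + prev_block
            + merkle_root
            + struct.pack("<III", timestamp, bits, nonce))


def header_hash(header: bytes) -> int:
    """Proof-of-work hash: SHA-256 applied twice, read as a little-endian integer.
    Comparing this integer against the target is equivalent to comparing the
    byte-reversed hex that block explorers display."""
    digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return int.from_bytes(digest, "little")


def mine(version: int, prev_block: bytes, merkle_root: bytes,
         timestamp: int, bits: int, max_nonce: int = 2 ** 32):
    """Try nonces in order until the header hash is below the target.

    This is a partial preimage search over one fixed input structure: every
    hash the network computes is SHA-256d of an 80-byte header in which only
    a few fields (here just the nonce) vary. Returns (nonce, hash) or None."""
    target = bits_to_target(bits)
    for nonce in range(max_nonce):
        header = serialize_header(version, prev_block, merkle_root,
                                  timestamp, bits, nonce)
        h = header_hash(header)
        if h < target:
            return nonce, h
    return None


def verify(version: int, prev_block: bytes, merkle_root: bytes,
           timestamp: int, bits: int, nonce: int) -> bool:
    """Checking a claimed solution costs exactly one double hash."""
    header = serialize_header(version, prev_block, merkle_root,
                              timestamp, bits, nonce)
    return header_hash(header) < bits_to_target(bits)


if __name__ == "__main__":
    result = mine(VERSION, PREV_BLOCK, MERKLE_ROOT, TIMESTAMP, BITS)
    nonce, h = result
    print(f"found nonce {nonce}, hash {h:064x}")
    print("verifies:", verify(VERSION, PREV_BLOCK, MERKLE_ROOT, TIMESTAMP, BITS, nonce))
```

The design point worth noticing is the asymmetry: finding a solution takes on average about 65,000 double hashes at this toy difficulty (and on the order of 2**70 or more at real network difficulty), while verifying one takes a single double hash. Nothing in the loop takes a key, a ciphertext or any input other than the header bytes.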
Given that this is being done in the open, completely without restraint, and with incentives that reward unbounded expansion of this capability, one has to ask: if one's goal were to use such a network for brute-force attacks on encryption, how hard would it be to pose the problem in the form of Bitcoin transactions or blocks so that this peer-to-peer network does the work for you? (One caveat a practitioner would raise: the work miners perform is fixed-function, double SHA-256 over an 80-byte block header, and mining hardware implements exactly that circuit, so any such repurposing would have to be expressible as that specific computation.)
The answer could be any of: 1) it is not possible, 2) it is very easy, or 3) there is no work to do at all because this is the design of bitcoin.
I believe we are looking at option 3.
If option 3 were reality, would it not be rational to conclude that merely inspecting source code is no panacea for understanding the real-world consequences of a piece of software?
For example, what if all malware and viruses were open source? Would that make them good? Would you, or even an expert, know what the code did just by looking at it? Would the code tell you what its ultimate consequence could be upon execution? Absolutely not.
So in the case of bitcoin we have a serious disconnect: not only do we have no idea where the code came from, we also do not know its ultimate purpose and therefore its consequence. Caveat emptor.