Blogs

RSS FeedBlogs
RSS FeedSubscribe to this blog
About Author
Glyn Moody

Glyn Moody's look at all levels of the enterprise open source stack. The blog will look at the organisations that are embracing open source, old and new alike (start-ups welcome), and the communities of users and developers that have formed around them (or not, as the case may be).

Another Reason to Use Open Source: Auditability

Article comments

The Norwegian Ministry of Finance seems to be taking a bit of stick at the moment. It wants all the existing cash registers in the country thrown out and replaced with new ones, as the Norwegian site E24 <a href=http://e24.no/lov-og-rett/alle-kasseapparater-maa-byttes-ut/20320484>reports (via <a href=https://twitter.com/ThAOSteen>Thomas Steen and <a href=http://translate.google.com/translate?sl=no&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fe24.no%2Flov-og-rett%2Falle-kasseapparater-maa-byttes-ut%2F20320484>Google Translate)

The plan is to be adopted by Parliament before Easter and all bank systems need to be upgraded / replaced by next summer.

NHO is now calling for a thorough review before the rules change for the country’s 80,000 businesses that will be affected.

No existing disposal systems meet the technical requirements one has thought to ask. Directorate’s own analysis shows that up to 90 000 systems must be renewed, while Accounting Association believes the figure could be much higher, said attorney Halvor E. Sigurdsen the Technical Review.

Not surprisingly, this massive upgrade is not popular. But it is apparently being pushed through in an attempt to prevent cash registers' figures being massaged downwards in use so as to reduce tax. Here are the main requirements for the new systems:

suppliers must be able to prove that the system can integrate with external software that allows changing the online journal.

It shall not be possible to change the entries in retrospect or change preset text on goods and services at registration.

It shall not be possible to record sales without a receipt is printed.

It shall not be possible to drive out more than one copy of the receipt.

It shall not be possible to mark some groups so that they are included in the reports.

Of course, the big problem is how do you prove all these things? Simply showing that your cash register stops you doing them is not enough: there might be hidden functionality that allows it to be switched into fraudulent mode when people aren’t looking, perhaps using some weird keypress combination.

The article in E24 quotes the Norwegian association of tax auditors, which has an eminently sensible suggestion for solving this problem:

The source code must be opened

Without source code it is not possible to determine whether or “hidden” functionality exists or not. Just knowing that the tax authorities have access to the source code of the application, will reduce the effort to implement hidden functionality in the software

Although this is a very particular case, it raises crucially important issues that are likely to crop increasingly frequently. Essentially, any electronic device that has built-in digital capabilities is a fully-fledged computer these days. That means – potentially – code that allows forbidden behaviour might be shipped with it. The only sure way to catch this problem is to insist upon the source code being made available – and for inspectors to check that it really is the code being run in units in the wild.

This makes the advantages of using open source software for these kind of devices even more compelling. Open source is already taking over the world of embedded software because it is cheaper, more secure, more compact and more customisable than comparable closed-source code. To that can be added that it is also more easily audited, because it is open for everyone, all the time – not just for inspectors when they make their visits.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Share:

Send to a friend

Email this article to a friend or colleague:


PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.


We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

ComputerworldUK Knowledge Vault

ComputerworldUK
Share
x
Open