One of the selling points many people like to tout when talking about Open Source is that it’s available for general perusal.
They’re correct—those who make such statements—but the assumption that goes with it is that this is inherently good.
The truth is, when you have access to the source code used to perform a given task, you can work to determine how to exploit it. That’s it! That’s the sum total of this blog entry.
Or at least it could be.
Having made the statement I just openly did, I want to take a moment to establish my credentials.
I wrote my first lines of code sometime around 1978 in a work experience program in Darwin, in the Northern Territory of Australia.
It doesn’t take a math major to recognize that’s more than forty years ago.
You’ve likely never heard of me (and frankly, you’ve likely seldom heard the name of a person with whom I’ve co-developed code). I’m not famous. I’m not rich. Frankly, I’m nowhere near the best developer out there. That should probably scare you.
I work for a fairly large company (I would guess, on the large side of medium sized, to be more specific).
I spend my days making things work as folks want them to. “This web page should do this when I click the Submit button, at present it does that.”
I mostly do web development these days.
It might surprise you to hear that many of the pages with which I work have potentially thousands of lines of code behind them.
At present, for example, I’m working on something that has probably five hundred-plus lines of just validation code attached to it (think, “This field is numeric,” or “This control must contain a valid date”).
If you think that’s in the least unusual, you need to be aware it’s not.
It seems like more modern applications are simpler. In reality though, that’s not the case.
Rather, the way things are done these days (and this has happened in the past, though it’s a little better managed now) is that people count on libraries and application programming interfaces (APIs for short) to simplify and “rapidize” coding.
Here’s the rub.
Say you’re using jQuery in your application. You may have a pretty good idea how it works, and that’s great.
That said, a person wanting to get access to some sensitive information might spend weeks or months poring over jQuery to find ways they might inject things into it that will expose vulnerabilities at some point along the process.
Don’t know what jQuery is? You’re one in a veritable sea of faces that count on it each day, with little to no knowledge of its existence.
Of course, that’s a single example of a point at which an exploit may be launched.
What I’m getting at is, there’s an untold number of people out there who spend their days working to crack or hack things upon which you count every day.
I was advised just today that a company I use has been hacked or cracked.
Those of us in the development field work very hard to keep people from getting access to information to which they have no right.
That said, each of us is subject to dealing with a situation similar to that company’s, all our work and training aside (and you may rest assured, many of us regularly train in cyber security of various types).
Years ago, I had a coworker (back in my days in military service) who said something in computer security training (referred to at the time as COMPUSEC), that has stuck with me to this day. Paraphrasing, their statement was, “If you want a secure computer, unplug it from the wall.”
You need to know that at that point they weren’t talking about the network cable; they were discussing the power cable.
In the facilities in which I worked at that point, standard AM and FM radios were not allowed. Instead, they were kept outside the facility. The speakers inside were connected through a fiber optic link. This was to keep people from using the signal over the wire to “listen in on” what was occurring inside.
Getting to the point, if you believe Open Source is some kind of “magic bullet” that will keep people from meddling with software, be assured, you’re sadly mistaken.
I’m not disparaging Open Source; after all, it’s been said that Andrew Tridgell “reverse engineered” Server Message Block (SMB) when he created Samba. I don’t know the status of Samba these days, but I believe it’s Open Source. SMB was proprietary.
Even so, Open Source is not the “complete answer to your question” if you’re looking at software security.
In fact, it’s not even close.
If there was one thing I would want to make as plain as I could, it’s that even most people who hang around the software industry and think they understand it are just plain mistaken.
With all my time in the industry (and I can claim quite a bit), I still learn things I didn’t know, more or less daily.
If you think a talking head who doesn’t spend their days wading through code does a better job of understanding things than someone like me, chances are good you’re deceived.
Remember earlier in this piece, when I indicated I was far from the best developer out there?
Want to bet some of those really talented folks are sitting behind a monitor, trying to get access to people’s bank accounts as I write this? If you wouldn’t take that wager, I’m sorry to tell you, you’re not thinking straight.
When I say things like, “Voting should be done and tabulated by hand, and monitored closely even then,” maybe now you’ll understand a little piece of the why.
Of course, there are other places where a “step backward” might make a lot of sense as well (the aforementioned banking comes to mind). They can be dealt with in much the same way as stop loss in supermarkets—by beefing up security, and dealing with fraud as it occurs.
When it’s all said and done though, don’t make the mistake of thinking Open Source will somehow magically save the day.