|Subject: [NYLXS - HANGOUT] open everything
The coming push for open source everything
By Paul Venezia
Created 2013-07-22 03:00AM
Frankly, I can't say I was surprised when I read that RIM's BlackBerry
10 transmits user email account credentials to RIM servers , which
then log into the account. Obviously someone at RIM thought this would
be a good idea, but anyone who does anything that requires keeping email
private -- say, an executive discussing sensitive negotiation strategies
with colleagues, or a doctor or other health care worker, or, well, just
about everyone -- should be appalled that RIM covertly collects their
username and password, then logs into the account.
With the news about PRISM and other clandestine data-vacuuming
operations in place all over the world, it's clear there's a problem.
It's not just about hoovering up information from millions of people --
it's the vast number of devices that can no longer be trusted for use in
business and government. When the code running anywhere along a data
path is not open source, there's a chance it's doing something you can't
know about and potentially transmitting data to someone who shouldn't
have it. That possibility should serve to upset even nontechnical
executives, to say nothing about governments all over the world.
[ Also on InfoWorld: The firewall threat you don't know  | The
perfect Trojan horse  | Keep up with key security issues with
InfoWorld's Security Adviser blog  and Security Central newsletter
Last year I wrote about how easy it is to place backdoors within
corporate networks  using Swiss Army knife-type tools, but those
still require someone to physically place them within a building or at
least to be hooked up to a network jack. Wouldn't it be easier for the
spies to make sure the network devices you purchase, such as routers and
firewalls, are already backdoored ?
This goes well beyond the software or firmware layer. This goes straight
into the chips themselves. The code on proprietary commercial firewall
chips is unlikely to be accessible to security admins; even if it were,
it's unlikely they would be able or allowed to perform rigorous code
I'm sure some extraordinarily sensitive organizations do this or take
similar action for extraordinarily sensitive deployments, but you can
bet that the costs explode. Vendors like Cisco aren't going to let just
anyone sniff around their IP unless it's a huge contract. Even then, the
vigilance must be maintained to ensure that every single device is
running the very same code. All of this has to be done all the way up
the stack, across every device that will touch the network.
Open source closes the backdoors
With open source, the veil is already lifted, and an army of developers
inspects the code all the time. The potential for hidden backdoors is
dramatically reduced. But that doesn't really matter if you go deep
Sure, you can install pfSense on a server and know it's not backdoored,
but what about the hardware within the server itself? What about the TCP
offloading code in the NICs? Or the BIOS? It could contain a nefarious
element that you simply can't trust -- unless, of course, all that code
were open source as well.
Options for open source
At some point in the near future, concerns over this type of corporate
and governmental espionage may force larger organizations to make hard
decisions. There would seem to be three options.
Companies could increase their IT budgets dramatically to counter
this threat by validating every since piece of commercial code in use
anywhere on the network.
They could start building their own hardware and writing their own
software, from desktop OS through to the ICs in their routers.
They could turn to open source solutions the whole way around.
The first two options are not possible for the vast majority of
organizations, but the last one certainly is. If significant dollars
start flowing in that direction, there will be a bumper crop of
companies that will mold and develop open source solutions and sell the
hardware and support for them, while giving away the code for free.
Detractors will say that this will potentially open up security threats
in the form of bugs and unintentional exploits, but that's always been
the case with software of any flavor, open source or otherwise. At least
with open source solutions, when a compromise is discovered, it's
usually made public and patched quickly.
As far as cloud computing goes, that's outside of the hands of the
business and can't be completely trusted. However, the use of open
source encryption can mediate that threat to a degree. But make no
mistake -- these concerns are only going to make the argument for cloud
computing more difficult. As an example, think of how trivial it is to
capture data flowing into and out of a cloud server instance at the
hypervisor level, straight down into encryption instructions delivered
to the virtual CPU.
If we're at a point where no piece of commercial hardware or software
can be trusted, then the only reasonable option is to rely on large
communities of like-minded people to develop, extend, and inspect freely
available code on a continuous basis. Essentially, we may need to open
This story, "The coming push for open source everything," was originally
published at InfoWorld.com . Read more of Paul Venezia's The Deep End
blog  at InfoWorld.com. For the latest business technology news,
follow InfoWorld.com on Twitter .
Source URL (retrieved on 2013-07-22 10:14PM):