By now you’ve been sufficiently terrorized by the Heartbleed bug in OpenSSL; a rotten bounds checking error in the C code for that security library that secured about 40% of the Internet. If you have not checked your servers, you should do so now here. I’m rocking mostly IIS in my private cloud so I’m mostly worry free.
The amazing thing about this bug is that even though it basically implies that there is a chance that almost everyone’s bank accounts, email accounts, and so on; are compromised (the bug is 2 years old; exploits have been in the wild since at least November 2013), the outcry has been pretty sedate. Not the media, nay that has been adequate. The outcry. You’ll understand this if you go back to say the outbreak of the Nimda worm (exploit in IIS). The hue and cry was just cacophonic.
It’s almost as if because it was an open source issue, the finger pointers are more restrained. Bruce Schneier, who I admire and respect was this astonishing mix of measure calm and alarm. I could imagine a much different posture if the exploit had been found in code in closed source software.
Part of this is tribal. By now it is received wisdom that open source is NOT bad for security. The latent ability to openly audit code, the reasoning goes, is good for rapidly fixing things as they emerge. And the ‘many eyes’ theory takes care of the velocity of emergence and subsequence fixing in the first place. There are reasoned arguments why this is not always true, but the feeling persists in the software engineering community. So imagine my surprise when I asked an ordinary citizen what they thought and they said, more or less “maybe open source is a bad way to do security.”
You have to understand, that this is near heretical at this stage in hacker culture. Open source is too big to be smeared so cavalierly. But I thought about it for a second: what if we’re exiting an age when depending on the many arguments for better open source security is no longer sufficient? Consider:
- Reputation – anyone can join an open source software. A ditch digger in rural Idaho who taught himself programming or an agent of the NSA posing as a harmless student. There are no real checks on who contributes. This means that open source code bases are susceptible to social engineering if the contributor has malicious intent.
- Device proliferation – open source is the go to foundation of the Internet of things – a trendy new word for what we used to call embedded software (it hardly matters that the things we’re embedding into are getting smaller). The problem with the IOT is that once it’s in the field, there are very diffuse responsibilities and incentives to update the software running on these devices. So there is an expanding risk of vulnerable and exploitable software even when security patches exist. Think your fridge, your router, your wristband, etc.
- The Cloud – we live in very different times from 5 years ago. At that time, most consumer data lived on laptops, desktops and such. Yes, the security was shitty, but the pipes to get to their data could be tiny; the computer could be turned off – basically it sometimes wasn’t worth it. Well imagine if you got everyone to take all their gold bricks from under their mattresses and put it in a bank with just a rent a cop to watch it? Yes you could burgle a few homes expertly before, but now you just show up at the bank, know off the rent a cop and make off with an entire nation’s wealth in one smooth fell move. Well that is the potential security situation we are in with a bunch of consumer and corporate data moving into the cloud. Successful digital heists are that much more spectacular. See Target.
- Human apathy and capability – the one thing I always thought was inane about the open source security trope was the “many eyes” theory. The fact is many FOSS projects can barely attract contributions when moderately popular. OpenSSL is very valuable piece of FOSS and yet the Heartbleed bug persisted for 2 years. How many of this kind of bugs are out there right now even when we fix Heartbleed? Suddenly “many eyes” doesn’t sound as comforting.
- Human avarice – as FOSS underlies more and more of the economy, both state actors and gangsters have an incentive to mount an arms race on finding 0-day flaws. There are already million dollar companies who make it their mission to do this. Most flaws in a prior age were found by benign security researchers doing a public good with a certain kind of skill and toolset. Now all bets are off. I can bet there are people poring over key parts of internet software infrastructure in the public domain to find exploits. Why not?, they’re being paid handsomely for it. You can literally take all the FOSS in the world, rank it by criticality to internet safety and employ a team to go to town and read every line of code for exploits.
This is not to say that closed source is better security, although in this particular case I feel good about my decision to use IIS (had nothing to do with security at the time). It’s to say that open source security orthodoxy is bad. And every once in a while, the geek community has to look around at the world we live in, not the world we made our assumptions in; and adjust to that reality.