In honor of #opencybermonday, it seems to be a good moment to point out that security-minded folks tend to also be open source advocates. To sum up the problem: commercial product manufacturers rely on “Trade Secrets” to protect the IP of their lock design, and this takes the place of actually making better locks. Companies that hide their code can be more easily pressured into installing back doors. They may conceal vulnerabilities to avoid bad PR. The Open Source Initiative has posted a nice nontechnical primer with a bank-safe analogy.
When designing a secure system, every secret that must be kept provides a point of weakness. Bruce Schneier makes that point well, and pretty much every article on this topic quotes him. Let’s go straight to the source:
- The Non-Security of Secrecy
- Secrecy, Security, and Obscurity, from Crypto-Gram May 15, 2002
- Open Source and Security, from Crypto-Gram September 15, 1999
David Wheeler has maintained a website dedicated to teaching programmers how to write more securely since 1999. He comes down on the side of open source while acknowledging the issues. The Heartbleed bug scared many people off, but for the wrong reasons. Weaknesses in open source projects arise because the people who use the code aren’t participating in maintenance, even though there are good reasons to. Even if you don’t feel comfortable contributing code yourself, support the foundations that run big projects (via Hack-a-Day). If you’re in the market to buy a product, check to see if the company about to get your money supports the cause.
Don’t only require open source from your desktop operating system. Reach out to companies like car manufacturers with the reasons open source would be better for their products, and why that’s a shopping criterion for you. If you are a manufacturer, consider using a platform like IoTivity to underlie your products. The Open Source Hardware Association has recently started a certification process. You can use Crowd Supply to fund it. There are several open source laptop projects. This open source hardware philosophy can be pushed down to the silicon.
To learn more, go ahead and check out #opencybermonday on twitter.
[updated] to add reference to Crowd Supply via BoingBoing in last paragraph.