It is a fact, as Bruce Schneier also often says: security is about trust. We have to trust our hardware, software and cloud service vendors; we have to trust their security and privacy policies and, if we don't trust them, the only alternative is to quit the service or give up using that hardware or software: quite drastic!
In this scenario, free software is a winning mentality that can help us build trusted environments, starting from fine-grained control of the system by a worldwide community of professionals and amateurs alike.
With free software, anyone with programming skills can read the source code, search for vulnerabilities, correct them and release the improved program, with the obligation to release the new source code too, so that other developers can cross-check every patch.
Heartbleed is a major example: the worst vulnerability in the history of the Net was not found by the developer of the OpenSSL Heartbeat extension, but was found and immediately patched by external teams before the official changes.
What if OpenSSL had been ClosedSSL? Would we even be aware of Heartbleed? And what if Heartbleed had been deliberately put into the system as a backdoor? Maybe we would never become aware of the worst of the vulnerabilities affecting secure communications on the Internet.
So the publication of the source code has, in this case, saved us, slowing down or almost stopping the impact of the already catastrophic situation generated by this bug over the past two years.
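To make concrete what "reading the source code, searching for vulnerabilities" means in the Heartbleed case, here is an added example (not code from the article, and not OpenSSL's own code) of the bug class involved: a length-prefixed message whose claimed length must be checked against the bytes actually received before anything is copied back to the peer. The layout, constants and function names below are simplified and assumed for illustration; the only real detail is the shape of the missing check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed, simplified heartbeat-style message layout (after the record header):
 *   1 byte  type
 *   2 bytes payload_length, big-endian, claimed by the peer
 *   payload_length bytes of payload
 *   at least HB_MIN_PADDING bytes of padding
 */
#define HB_TYPE_REQUEST 1
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16

/* Validates a received record. Returns 0 and sets *payload_len when the claimed
 * length fits inside the record, -1 otherwise. The bounds check is the one a
 * reviewer would look for: without it, a peer can claim a payload far longer
 * than it sent, and a copy of `claimed` bytes would read past the record. */
int hb_validate(const uint8_t *rec, size_t rec_len, size_t *payload_len)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                          /* too short to hold a header and padding */
    if (rec[0] != HB_TYPE_REQUEST)
        return -1;                          /* not a request */

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The missing check: claimed length plus header and padding must not
     * exceed what was actually received. */
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len)
        return -1;

    *payload_len = claimed;
    return 0;
}

/* Builds the echo response from a validated record. Copies only bytes that
 * were really received, so the response can never leak adjacent memory. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t payload_len;
    if (hb_validate(rec, rec_len, &payload_len) != 0)
        return -1;
    if (out_cap < HB_HEADER_LEN + payload_len)
        return -1;                          /* caller's buffer too small */

    out[0] = 2;                             /* response type (assumed value) */
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    *out_len = HB_HEADER_LEN + payload_len;
    return 0;
}

/* Constructed sample: a well-formed request with a 4-byte payload. */
int demo_well_formed(void)
{
    uint8_t rec[HB_HEADER_LEN + 4 + HB_MIN_PADDING] = { HB_TYPE_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    size_t out_len = 0;
    return hb_build_response(rec, sizeof rec, out, sizeof out, &out_len);
}

/* Constructed sample: the same 23-byte record, but the peer claims 0xFFFF
 * payload bytes. A validator without the bounds check would happily copy
 * 65535 bytes; this one rejects the record. */
int demo_overclaimed(void)
{
    uint8_t rec[HB_HEADER_LEN + 4 + HB_MIN_PADDING] = { HB_TYPE_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    size_t out_len = 0;
    return hb_build_response(rec, sizeof rec, out, sizeof out, &out_len);
}

int main(void)
{
    printf("well-formed request:  %s\n", demo_well_formed() == 0 ? "accepted" : "rejected");
    printf("over-claimed request: %s\n", demo_overclaimed() == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the example is the single comparison in hb_validate: it is exactly the kind of line that anyone reading published source can look for, and that nobody outside the vendor can check when the source is closed.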
We can also imagine scenarios where software compiled by third parties is not trusted enough. In that case, free software can be recompiled by the system administrator after the planned analysis, while constantly watching the community for news about security flaws and applying emergency patches where needed. This is only possible in an Open Source or Free Software based system; otherwise the only option is to trust the providers.
Right now, the OpenBSD team is working on a fork of the OpenSSL library (LibreSSL), to be integrated into their operating system starting from version 5.6. This is good news, and this is why open source works. The OpenBSD team has a particularly strong development process, aiming at formal code correctness and putting all its effort into security, so LibreSSL may become a new, powerful project, usable in critical situations.
I have talked about the Free Software mentality (and the Open Source one too) because we need to apply freedom to all security components: software, hardware and services alike. Today we are going back to the era where a computer had its own hardware and its own ROM, forming a single block, and that is exactly the situation now with smartphones and smart devices in general. We cannot control them; we are bound to the vendor for both the hardware and the software, and, unlike the old Commodore-style computers, we can access only a minimal amount of information and technical specs. The next step is the cloud, where we know nothing about where our data lives, how it is used or how it is secured. From the perspective of a simple user, technical details don't matter, but out there are not only simple users! And simple users can count on a great number of experts and amateurs reading and patching the code on their behalf to improve security.
In this world where we are only blind users, we need to work the Free Software way and take back control over the infrastructures that own our lives: demanding transparency and researching freer alternatives, so that the whole world can participate in improving not only usability but security too.