I have looked for new podcasts to subscribe to lately, and one of the new ones that I’ve just begun listening to is Security Now! on TWiT. The link is to the mp3 feed.The show features security researcher Steve Gibson of Gibson Research Corporation. Listening to their latest #282 podcast (48,8MB) on my cellphone on the way to work this morning, I was so annoyed I actually decided to do something about it. To let the world hear about these atrocities! To blog!
If you head to 1:25:00 in the mp3 file, they are talking about question #7 from some guy in Utah mentioning disk encryption and the quote unquote bad guys who encrypt a victim’s data for a ransom by using full disk encryption. This is called ransom-ware. And apparently it’s making a come-back using public key encryption.
First of all, there is no such thing as bad guys. The notion of bad guys goes back to kindergarten, where one would hope it remained. Especially if you’re a security expert, understanding the motivation of possible attackers is a major part of the game. There are criminals, however, but criminals are motivated by cash or politics or something else; and what makes a hero in one country could be the devil in the next. I suppose this sort of anal grammar nazi inspection wasn’t expected by the show host nor Gibson, who were both probably answering the tone of the e-mail. But nobody expects the anal grammar nazi! The terminology is still childish and annoying, and we are responsible for the world we portray.
Second, Gibson is ranting on the Open Source way of security in a way that makes himself and his closed-source company look relatively bad. Here’s a transcript of what Steve Gibson’s saying:
«Think Truecrypt. Truecrypt is whole-drive encryption. It is for example, what the ransom-ware people might use, AND it’s open source. So here you’ve got an industrial strength, I mean […] so bad guys – insofar as I know they did, I have no knowledge of that but – they’ve got Truecrypt out there and they’ve solved all the problems for you, why not just take it [and use it]?
[..Gibson’s detailed answer to the listener..]
.. And we know how strong Truecrypt is. You know, governments have pounded on it trying to decrypt the contents of bad guys’ hard drives. And unfortunately, in that case, they’ve been unable to. And it really is the case that even a known plain text attack against the hard drive is ineffective if the encryption is done correctly and with Truecrypt we have an open source model of how to do it correctly.»
This sort of thing really rubs my tits the wrong way.
Is it only me or does Gibson’s argument only amount to: bad guys can use open source therefore open source is bad? From this he seems to be having a go at the quote unquote open source model (of security) on the expense of Truecrypt. I want to show you, Gibson and everyone who are under the impression that open source is bad for security that this is really what we call logical abduction, as opposed to logical deduction.
Let’s consider the counter argument from a parallel universe:
a) Let there be an Open Source Truecrypt ‘ot’ and a Closed Source Truecrypt ‘ct’
b) ot and ct contain the exact same code
c) For the heck of it, let’s say they both suck
d) ot being open source, the source code is readily available
Gibson’s argument, joining the choir of many proprietary software vendors, is that ct is more secure by virtue of being closed source software. I don’t agree with this argument. On the contrary, I think it’s exactly like saying that the North Koreans are a lot safer with Kim Jong Il than Greece is with their democratic leaders.
In 2002 The New York Times’ website really sucked. Fortunately, it was closed source, so nobody knew about it! Enter grey-hat cracker Adrian Lamo and a caffeinated autistic nerd can play around with one of the Western world’s leading news content providers’ headlines. Whops! I think ‘security through obscurity’ often ends in ‘I don’t remember what I was supposed to fix’.
I’m not sure whether Gibson is tired here and just trying to answer the question as quickly as possible, but history show us time and time again how Open Source is more secure; more eyes looking at the source code, more bugs reported, faster response times. And it doesn’t really pertain to software alone. It goes along way describing our democracy too. You see, they all come back to and stem from this one little thing called Transparency.
With the closed source Truecrypt I must rely on the company providing it to release bug fixes and "do encryption correctly". In the alternate universe of ours, the company would perhaps opt to – as Gibson suggests – purposefully create back doors and/or decryption alternatives so that the quote unquote good guys could unlock the secrets of the quote unquote bad guys. This is the same thing Gibson himself caught Microsoft doing with regards to a WMF vulnerability in 2006 in the real universe. Back then it was a bad thing.
The virtuous gun maker aims toward making the perfect gun. Gibson aims toward making the gun that works in the hands of good guys and fails in the hands of bad guys. Following Aristotle’s ethics, Gibson is not a virtuous programmer. With our kindergarten notion of good and bad guys long gone, just imagine Gibson in 1940 Germany, working for "the good guys"..
This post has very little to do with Steve Gibson, I’m afraid. I think he must be pretty clever and intelligent to achieve the things he have. And I’m not saying he is Evil or a Nazi. But he voices an insubstantial opinion that transcends the pragmatics of programming and enters the realm of ethics, without really having the tools to distinguish the one from the other. This particular confusion of ideas is very common in the perpetual debates regarding open source and IT security. But however common it is, it is one I must reject and despise.
I think I can take no more Security Now! for the time being. Maybe I’ll just put on some music instead. This rant is over. Have a nice weekend!