[Cryptography] Would open source solve current security issues? (was "Re: EFF amicus brief in support of Apple")

Kevin W. Wall kevin.w.wall at gmail.com
Sun Mar 6 22:51:25 EST 2016


[Sorry if I'm taking these a bit out-of-order, but it just seemed to make
a bit more sense this way to me.]

On Sun, Mar 6, 2016 at 11:28 AM, Jerry Leichter <leichter at lrw.com> wrote:
> On Sun, Mar 6, 2016 at 10:33 AM, Perry E. Metzger <perry at piermont.com> wrote:
>> The tenor of such comments is always "there's a silver bullet here,
>> and it is open systems". Well, no, sadly, there are no silver
>> bullets. Security is hard, and remains (sadly) a set of trade-offs
>> between alternatives that are often quite mediocre. Regardless,
>> forcing your 80 year old grandfather who used to be a chef to audit a
>> few million lines of source code, compile them, and load them onto
>> his phone before he can make a phone call isn't going to help
>> anything at all.
> Beyond that ... the most damaging recent bug is the DNS resolver bug in glibc,
> code which has been open and available for inspection from the day it was
> written - and the (rather obvious, once you see it) bug managed to survive for
> 8 years.
>
> It's time we stopped believing that there's something magic about open source
> software.  There's good software and there's bad software, and even the best
> software has bugs.  And beyond bugs, all software can be deliberately
> subverted.  There are no silver bullets, just tons of continuing hard work.

When Eric S. Raymond originally published his epic the "Cathedral and
the Bazaar" in 1997, his whole premise of:

    Given enough eyeballs, all bugs are shallow.

sounded quite plausible and many thought it was almost a guaranteed certainty.

Since that time, almost everyone believes that there was at least one underlying
fallacious assumption in that premise, namely that if source was open and
available for examination, then it would in fact have "enough eyeballs"
viewing it to make a difference in software quality. In the almost 19 years
since Raymond first published CatB, we have come to realize that there just
aren't that many people actually LOOKING at the source code. So, no eyeballs
means that open source generally is actually worse than closed source, because
in most open source projects, there is no *separate* QA team to write and
perform integration and system level testing.

Add on top of that the fact that most developers who look at source code
are not really adequately trained in application security well enough to
spot some of the more obvious potential security vulnerabilities such
as integer and buffer overflows, heap corruption, etc., much less the
much more subtle ones that are related to cryptographic flaws. Which
means we have even fewer qualified eyeballs able to spot security
vulnerabilities.

Where open source seems to shine (well, usually) is that once a security
vulnerability is announced, you have all sorts of people who will be quick
to offer up a patch and they generally only can do that because it is open
source. So usually the open source community is quicker with time to make
patches available. (Whether or not they are actually applied is a different
story.)

On Sat, Mar 5, 2016 at 3:23 PM, grarpamp <grarpamp at gmail.com> wrote:
>> No amount of technology, per se, can prevent this particular
>> MITM attack.  We're now going to have to have multiple keys
>> from multiple "trusted" sources prior to accepting a firmware
>> update.  Forget visiting Switzerland or the Cayman Islands
>> for access to $$$; you may now have to physically go there to
>> get your iPhone securely updated.
>
> See this is a problem. All this trust in single entities,
> singular and closed systems you keep needing to place.
> Why in the fuck do you keep doing this?
>
> You compute hardware should be completely open.
> You compute software should be completely open.
> You should fuse your own keys into your own hardware
> for software builds you reproducibly build sign and install
> yourself from distributed opensource software.
>
> Open designs, open fabs, open products, open source.
> You are NOT going to solve these problems without it.

I'm not sure how open source alone is going to solve these MITM attacks
on trusted updates by itself unless it still has multiple trusted
organizations doing the signing. How is that any more trustworthy
than what we have today with say, like Mozilla Firefox or Google Chrome
browsers? (I picked them because both load trusted root CA certs.) But
Peter Gutmann has pointed out similar things with Google's Android.
And Android being open source hasn't seemed to help Google deliver
Android OS in any manner that is more secure than Apple's iOS. If anything,
I would say that Android is less secure overall than iOS, although I think
a large part of that is because of how the whole Android ecosystem handles
bug fixes in the OS. (I.e., Google issues patch, which _might_ be picked up by
the smart phone OEMs, which then is passed to the mobile service providers
to finally distribute to end users.) Not only do all those intermediate
steps slow down getting patches to the user, but they also cause OEMs
and/or mobile service providers to sometimes decide not to include OS
patches because they both have a vested interest in seeing you buy a whole
new phone upgrade rather than just patching your OS. I think we have enough
evidence from the past 5 years or so to show that that whole ecosystem
makes security worse, not better. And it is not clear to me how this would
improve if the OEMs were to suddenly make their designs, circuitry, firmware,
fabrication, etc. all open. In fact, it might even serve to further fragment
the market and make things worse rather than better (in terms of overall
security). And if Raymond's "many eyes" hypothesis really doesn't hold for
source code, do we really think it will make a difference with circuit board
designs, fabrication, firmware, etc.? I can't see how because there are probably
even fewer people skilled at those things than there are who have software skills.

Lastly, I think there were some attempts at more open production of smart
phones. Did not Ubuntu produce a phone that had at least some of its hardware
aspects open? IIRC, last I heard, I think they were doing worse than
BlackBerry.

I don't have an answer. *Defensive* security is hard. (In contrast, offensive
security is like shooting fish in a barrel and I've done both for quite
some time, although I specialize more on the defensive side because I find
it so much more challenging.) Everyone has to trust someone and from chips
to firmware to software, the entire stack is so complex and comes from so
many contributors, that while you think you may only be trusting Google or
Apple, in reality you are trusting everyone in that supply chain, whether
they are visible or not. What we need is transparency and accountability.
Perhaps open source is one way out of that pickle, but is unlikely to be
the only way out. E.g., that might start with holding for-profit companies
liable for security vulnerabilities that they produce more than just the
replacement cost of one's device.  But that's a discussion for another
mailing list as it would take us even further off-topic than we already are.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
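The arrangement the thread circles around, several independent trusted organizations each signing an update and the device accepting it only when enough of them agree, as an added example in Go; this is not code from the original post or from any of the thread's participants. The signer names ("vendor", "oem", "auditor"), the threshold of 2, and the firmware bytes are constructed for illustration, and the key pairs are generated in-process so the example runs offline (in practice each party would hold its own key).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is one trusted party that may sign an update. Names are constructed
// for this example (e.g. the vendor, the OEM, an outside auditor).
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
}

// UpdateSig is one signature shipped alongside the update package.
type UpdateSig struct {
	SignerName string
	Sig        []byte
}

// newSigner generates an independent Ed25519 key pair for a named signer.
// Each real party would generate and guard its own key; the example makes
// them here so it runs stand-alone.
func newSigner(name string) (Signer, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, Pub: pub}, priv
}

// updateDigest is what every party signs: a SHA-256 hash of the update image.
func updateDigest(update []byte) []byte {
	d := sha256.Sum256(update)
	return d[:]
}

// signUpdate produces one party's signature over the update digest.
func signUpdate(priv ed25519.PrivateKey, name string, update []byte) UpdateSig {
	return UpdateSig{SignerName: name, Sig: ed25519.Sign(priv, updateDigest(update))}
}

// verifyThreshold returns the names of distinct trusted signers whose
// signature over this exact image verifies, and whether at least k of them
// did. Unknown signers and repeated signatures from the same signer do not
// count, so a single compromised key cannot satisfy the threshold by itself.
func verifyThreshold(trusted []Signer, update []byte, sigs []UpdateSig, k int) ([]string, bool) {
	if k < 1 || k > len(trusted) {
		return nil, false // unsatisfiable or trivially satisfied threshold: treat as misconfiguration
	}
	byName := make(map[string]ed25519.PublicKey, len(trusted))
	for _, s := range trusted {
		byName[s.Name] = s.Pub
	}
	digest := updateDigest(update)
	seen := make(map[string]bool)
	var verified []string
	for _, s := range sigs {
		pub, known := byName[s.SignerName]
		if !known || seen[s.SignerName] {
			continue
		}
		if ed25519.Verify(pub, digest, s.Sig) {
			seen[s.SignerName] = true
			verified = append(verified, s.SignerName)
		}
	}
	return verified, len(verified) >= k
}

func main() {
	vendor, vendorKey := newSigner("vendor")
	oem, _ := newSigner("oem")
	auditor, auditorKey := newSigner("auditor")
	trusted := []Signer{vendor, oem, auditor}

	update := []byte("constructed firmware image v1.2.3") // stand-in for the real image bytes

	// Two of three parties signed; with k = 2 the device accepts.
	sigs := []UpdateSig{
		signUpdate(vendorKey, "vendor", update),
		signUpdate(auditorKey, "auditor", update),
	}
	who, ok := verifyThreshold(trusted, update, sigs, 2)
	fmt.Printf("signers verified: %v, accepted: %v\n", who, ok)

	// A tampered image fails every signature and is rejected outright.
	_, ok = verifyThreshold(trusted, append([]byte("x"), update...), sigs, 2)
	fmt.Printf("tampered image accepted: %v\n", ok)
}
```

The point of keying the count on distinct *trusted* signers is that the threshold only adds anything if the signers are genuinely independent; two signatures from one organization, or from a party the device never enrolled, are counted as zero, which is what makes this different from a single root of trust with extra steps.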

