“If you control the code, you control the world. This is the future that awaits us.” –Marc Goodman
In his TED Talk on the technological future of crime, former law enforcement officer and global security expert Marc Goodman discusses an often-overlooked dark side of the hyper-connected nature of our society: opportunities for more effective high-tech crime.
Listen, I’m not bringing this up to scare people. Instead, I mean to illustrate our current security predicament. The challenge is in our access to a plethora of open source tools. From spyware security and anti-virus software, to open source operating systems, anyone can go out and get the source code to discover exactly how a specific open source tool is constructed.
This presents an interesting paradox – while bad hackers can potentially identify and take advantage of security vulnerabilities, good hackers can also identify those same issues and resolve them quickly.
Closed vs. Open Source System Development
So what’s the best development method: attempting to secure systems with closed, inaccessible processes, or engaging the broader community through open source development?
Let me put it this way: What if we ALL control the code?
In the software development/hacker community, there’s this prevailing notion that you should always build open source software and tools. Each open source tool is built within a community setting, and all code is available to the public. If the tool becomes popular, you may go from two to five developers to hundreds or even thousands – all contributing to that code base.
Now while that may seem kind of complicated, what they’re really doing is taking the brainpower of 10,000 people and applying it to one thing. This is crowdsourcing – and it’s the beauty of open source: using a multitude of brainpower to fix the security holes, instead of a small proprietary team. It’s the many protecting us against the few.
Two Very Different Approaches
Let’s take on Microsoft vs. Apple. Microsoft has always taken a closed source method, meaning Microsoft source code is never released to anyone, except their internal developers. Conversely, Apple took the open source route when they released Mac OS X to run against Windows XP. OS X was built on an open source tool called Unix and developed by the community. (You can view Apple source code online, and at any time.)
The idea was a success. Hackers and developers were taking an in-depth look at the OS X source code, not to destroy the operating system, but to review and report security vulnerabilities.
So here you have a major strategic difference in terms of securing your operating system. Yet in the end, the vulnerabilities (more specifically, the security viruses and threats) that are built and available to attack Microsoft Windows number in the tens of thousands, while Apple users experience significantly fewer threats to operating system security.
So Microsoft’s intention in protecting their source code was to reduce security threats. However, by holding that intellectual property under lock and key, they lacked the advantage Apple gained by allowing the multitudes to uncover OS X weaknesses. Apple continues this open development process with each new source code release. Apple also experiences the added advantage of building the OS core on top of an open source tool, trusted through over twenty years of development.
Crowdsourcing for a Safer Future
There’s a good point here in trying to crowdsource some of our bigger security problems. There is always a missed opportunity when you fail to empower a larger use of community brainpower. While ultimately you may have one really amazing internal hacker working through those security threats, there’s simply no way that one person (despite their genius) is likely to outsmart 1,000 people working as one toward a common goal of security.
When 1,000 people are defending the fortress, the risk of penetration by just one bad seed is greatly reduced. Therefore, the more often we crowdsource, the safer the future of both open data and long-term data security.