Thursday, 6 March 2014

How Open is Open?

If just the other week I stood here preaching the virtues of open source and how failures such as Apple’s now infamous “goto fail” could never happen there, this week I am standing here to eat the hat I was wearing. As reported in ArsTechnica (see here), an even bigger crypto failure has been found in Linux, a failure that pretty much allows anyone who knows how to see through encrypted stuff. And by anyone we are probably talking the likes of NSA, GCHQ, their Australian signalling-whatever-you-call-them counterparts & Co. Probably not criminals, though, otherwise I suspect the fault would have been traced earlier.
It’s the magnitude of the failure that’s impressive. It seems to have been there for the past ten years, but unlike Apple’s failure it was open to public scrutiny throughout. That public scrutiny, however, did not prevent another piece of awfully written, and even more poorly tested, code from sticking around.
Smells fishy? It does to me. For such a vulnerability to persist for so long, one of two things must be true. Either the pool of experts able to examine the code is surprisingly small, or that pool of experts is under the control of the powers that be. Neither option is particularly encouraging.
I can go on offering conspiracy theories and speculating how probable they are or aren’t, but one point seems clear. Linux is currently running the majority of this world’s servers. With such a huge vulnerability existing for such a long while, we can take it for granted that the US government knows most of what has been taking place on these servers. In other words, almost every piece of information about us is open for some elusive government organisation to read.
George Orwell is smiling in his grave.