Down the rabbit hole, part 2: To ensure security and privacy, open source is required

Having access to the source code is an undeniable benefit in ensuring the security of a piece of software

I am currently embarking on a quest to make my entire life as private and secure as possible—while still having a good time and enjoying the fruits of the modern world. In this article, I won’t go into why I am doing this. For that, see my article introducing this endeavor.

What I’d like to talk about right now are some pretty high-level things—laying out the ground rules, if you will, for what I’m trying to accomplish.

First, let me start by saying none of this is about open source or free software. Licensing of software, while extremely important, is not the focus here. This is about privacy and security and absolutely nothing else.

That said…

If my goal is to secure all of my computing devices, I need access to the source code in order to do a complete and effective security appraisal of the software I am running.

It really is that simple. The need for open source software, in this case, has nothing to do with any ethical implications of software freedom—nor do the benefits of open source to software developers enter into this discussion. But having access to the source code is an undeniable benefit in ensuring the security of a piece of software.

To prove this point, let’s look at a hypothetical situation. 

Assume a bucket filled with milk that has been sitting in the sun for a week is directly above you. It’s curdled and funky and stinks to high heaven.

Two buttons are in front of you. Both are supposed to perform a simple, yet critical, function: to NOT dump the bucket of rotting terribleness on your head. Easy—but important.

Underneath the button on the left is the following message: “Proprietary, closed source code. Copyright 2016 SomeRandomCompany. All rights reserved. All requests for code will be ignored. But we totally swear we won’t dump the milk on your head. Pinky swear.”

The button on the right reads: “Open Source code available to all. Reviewed and contributed to by hundreds of developers from around the world. Feel free to review the code and speak with the programmers before pushing the button.” 

Which one do you press?

Easy answer, right? 

Now, in theory, one doesn’t need to press any button at all. This would seem to be the best way to ensure the what-was-once-milk stays safely inside the bucket (and not all over your head). Just don’t push a button, right? But this whole endeavor of mine is about living in the modern age. It’s about using modern computing devices and communicating digitally. I am obviously going to push one of the buttons. It’s just a matter of selecting the safest button to jab with my thumb.

Which leads me to my first critical decision in securing my life: 

I am going to use only open source (and, when possible, free software) on my computers, phones, tablets, servers and any other computing devices I have control over. 

Finding open source software for everything is harder than you think

This is both easier and harder than many people might think. 

On the one hand, running a completely open operating system, office suite, web browser and the like is astoundingly simple. Grab one of the (many) open source (and free software) operating systems (such as Linux), and you’re off and running. 

At least for your desktop and laptop computers. 

But when we start talking about something as simple as, say, choosing a platform for sending and receiving messages (text, voice and video), things get a bit more difficult. 

Let’s say, for example, I choose to use Signal for messaging. It’s encrypted (which is great) and provides a significant amount of source code under great licenses (also great). But their server also has a large amount of proprietary, closed source code (dealing with making voice calls) that I cannot currently get access to.

That gives me pause. It is, based on what little I have written here, already preferable over solutions such as Google Hangouts and other, far-more-closed services. But the existence of any code that cannot be vetted, tested and analyzed (publicly) by independent programmers raises a not-so-subtle red flag. 

So, decision made. Only open source (and/or free software)—at least when possible. And when it isn’t possible, steps should be taken to fully understand both the scope and the possible implications of having my data handled by source code whose actions I cannot 100 percent verify.

I still have a long, long way to go, including: 

  • The way I connect to the internet
  • How I handle all forms of communication (from email to phone calls to video chat)
  • Where I store data (and how I share it with others)
  • How I secure pieces of software from each other
  • How I handle maps and walking/driving directions

So many things. So many.

It’s almost overwhelming, but I shall persevere.

Copyright © 2016 IDG Communications, Inc.