October 15, 2013
Logic fairly screams that open-source is the antithesis of privacy. But that's not the way Eli Dourado, a research fellow with the technology policy program at the Mercatus Center at George Mason University, sees it. In his piece in The New York Times, Dourado makes the case that backdoor vulnerabilities, such as those created by the NSA in conjunction with big tech companies like Google, Apple, Microsoft, AT&T and Verizon, could be slammed shut, or at least made harder to pry open in the first place, if more independent high-tech experts were involved.
In the wake of the disclosures about the National Security Agency’s surveillance programs, considerable attention has been focused on the agency’s collaboration with companies like Microsoft, Apple and Google, which according to leaked documents appear to have programmed “back door” encryption weaknesses into popular consumer products and services like Hotmail, iPhones and Android phones.
But while such vulnerabilities are worrisome, equally important — and because of their technical nature, far less widely understood — are the weaknesses that the N.S.A. seems to have built into the very infrastructure of the Internet. The agency’s “upstream collection” capabilities, programs with names like Fairview and Blarney, monitor Internet traffic as it passes through the guts of the system: the cables and routers and switches.
The concern is that even if consumer software companies like Microsoft and telecommunications companies like AT&T and Verizon stop cooperating with the N.S.A., your online security will remain compromised as long as the agency can still take advantage of weaknesses in the Internet itself.
Fortunately, there is something we can do: encourage the development of an “open hardware” movement — an extension of the open-source movement that has led to software products like the Mozilla browser and the Linux operating system.
The open-source movement champions an approach to product development in which there is universal access to a blueprint, as well as universal ability to modify and redistribute the blueprint. Wikipedia is perhaps the best-known example of a product inspired by the movement. Open-source advocates typically emphasize two kinds of freedom that their products afford: they are available free of charge, and they can be used and manipulated free of restrictions.
But there is a third kind of freedom inherent in open-source systems: the freedom to audit. With open-source software, independent security experts can scrutinize the code for vulnerabilities — whether accidentally or intentionally introduced. The more auditing by the programming masses, the better the security. As the open-source software advocate Eric S. Raymond has put it, “given enough eyeballs, all bugs are shallow.”
Perhaps the greatest open-source success story is the Internet itself — at least its “soft” parts. The Internet’s communications protocols and the software that implements them are collaboratively engineered by loose networks of programmers working outside the control of any single person, company or government. The Internet Engineering Task Force, which develops core Internet protocols, does not even have formal membership and seeks contributions from developers all over the world.
But the problem is that the physical layer of the Internet’s infrastructure — the hardware that transmits, directs and relays traffic online, as well as its closely knit software (or “firmware”) — is not open-source. It is made by commercial computing companies like Cisco, Hewlett-Packard and Juniper Networks according to proprietary designs, and then sold to governments, universities, private companies and anyone else who wants to set up a network.
There is reason to be skeptical about the security of these networking products. The hardware firms that make them often compete for contracts with the United States military and presumably face considerable pressure to maintain good relations with the government. It stands to reason that such pressure might lead companies to collaborate with the government on surveillance-related requests.
Because these hardware designs are closed to public scrutiny, it is relatively easy for surveillance at the Internet’s infrastructural level to go undetected. To make the Internet less susceptible to mass surveillance, we need to recreate the physical layer of its infrastructure on the basis of open-source principles.
At the moment, the open hardware movement is limited mostly to hobbyists — engineers who use the Internet to collaboratively build “open” devices like the RepRap 3D printer. But the Internet community, through a concerted effort like the one that currently sustains the Internet’s software architecture, could also develop open-source, Internet-grade hardware. Governments like Brazil’s that have forsworn further involvement with American Internet companies could adopt such nonproprietary equipment designs and have them manufactured locally, free from any N.S.A. interference.
The result would be Internet infrastructure, both hardware and software, that was 100 percent open and auditable. But never, of course, 100 percent secure. The N.S.A. could still try to exploit the Internet’s open hardware. And of course, open hardware would do little to prevent the government from reading e-mail if it still had the cooperation of companies like Microsoft or Google. Open hardware is not a panacea.
Still, open hardware would at a minimum make the N.S.A.’s Internet surveillance efforts more difficult and less effective. And it would increase the difficulty of surveillance not just for the N.S.A. but also for foreign governments that might otherwise piggyback on N.S.A.-introduced security vulnerabilities.
A 100 percent open-infrastructure Internet — a trustworthy Internet — would be an important step in the empowerment of individuals against their governments the world over.
Posted by Dan Rampe