Security in a post-Snowden world

Open source software is more resistant to backdoor attempts by anyone, even a US government agency, to spy or steal information, says Sven Lesicnik, MD of LSD.


Johannesburg, 10 Feb 2014

Many organisations are rightly concerned at the wave of revelations since mid-2013 that US agencies are spying on just about all forms of global communications. Since whistleblower Edward Snowden went public with details of the US National Security Agency's eavesdropping programmes on Internet and cellphone traffic last June, there have been almost weekly updates on just how intrusive these programmes are.

The NSA has paid security vendors to put backdoors in their products, listened in on the cellphones of global leaders, subverted the privacy of the customers of major companies such as Google and Microsoft, and even diverted and opened private postal shipments so as to insert covert spy devices into new PCs and routers before forwarding the packages on to their destinations.

"For years, paranoid security experts have been warning us all that the NSA is collecting everything and spying on everything," says Sven Lesicnik, MD of local open source software specialist LSD. "Now, thanks to the leaks provided by Edward Snowden, we know that they were telling the truth. It's no great secret that countries spy on each other - they always have and they always will - but the level to which the global Internet has been compromised by the NSA has come as a shock to most people."

Lesicnik says the main casualty in the technology market has been trust.

"When you purchase hardware or software from a vendor, you have to trust that it's not spying on you behind your back or sending out your private information. Unfortunately, we know now that certain products do exactly this and that in at least one case, the NSA paid the manufacturer to deliberately cripple them. As a result, businesses are looking for solutions that can be guaranteed to have no hidden backdoor surprises."

He says open source software is far more resistant to backdoor attempts by anyone, even a US government agency.

"Because the code is in the open, it can be inspected by anyone. And because large projects have rigorous auditing processes, any attempts to put in backdoors are quickly thwarted. An attempt to subvert the Linux kernel in 2003 was picked up immediately and rejected. With proprietary software, there is no way for a business user to know that the encryption it uses has been deliberately weakened, for example. With open source, all the code can be independently checked."

There is a perception that open source is developed by hobbyists around the world. But for the large critical projects, such as the Linux kernel, the Apache Web server and the JBoss middleware framework, Lesicnik says nothing could be further from the truth.

"These are written and added to by a combination of large technology vendors and users with a vested interest in seeing the software improved upon."

LSD Information Technology (Pty) Ltd

As IT Ninjas, we want to impact the world by doing IT differently. It's for this reason that we go out of our way to open our clients' worlds by offering a wide choice of open source vendor-neutral solutions that provide a superior and technologically-advanced model for collaboration and working. We pride ourselves on our "funnalism" - our ability to fuse being fun and professional. In addition, there's no charge for awesomeness, so you can always rest assured of amazing service, followed up by incredible quality & on-time delivery.

In order to be seen as an employer of choice, we put time, effort & energy into our culture, so that we attract the rock stars of the open source world - people who are committed, excited and passionate about open source, and have been for their entire lives. We are committed to giving back to the communities that have supported us, and work hard to be an active part of building a stable and professional open source community in South Africa. - www.lsd.co.za

Editorial contacts

Mia Andric
Exposure
mia@exposureunlimited.net