Monday, March 24, 2008

Security through Open Source

Topic for paper number two:

Write a “Short paper on a computing technology of your choosing introduced in the last 30 years that you believe has been used unethically. Include references and cite from the Codes of Ethics in Appendix A.”

There have been many new computing tools introduced in the last 30 years, some even earlier, that have been used unethically. Usually these tools have legitimate and legal reasons for being created, but often these tools can also be used for questionable or unethical behavior. The UNIX security scanner Nmap has many legitimate uses, and comes installed on almost all Linux systems. However, even a program this widespread can be used for black-hat purposes.

A more recent example (Nmap was created in 1997), came up in an article on Coding Horror entitled A Question of Programming Ethics. A program called G-Archiver was found to contain code that used a hard coded email and password to send an email containing every username and password that entered into the software back to the creator of the program. This was a huge breach of trust between the author of the program and it's users. Luckily, a good hearted programmer had looked into the source code and found this, and instead of abusing what he found, he deleted all of the emails in the account, changed the password, and sent a message to Google asking them to delete the account.

There is no way to know exactly how many people could have found this before the security flaw was exposed, and instead of doing what this person did, stayed quiet and used the stolen information for their own purposes. Since the source code was easily examined, this flaw was found, but imagine how long this could have occurred if the source was not accessible. This brings up the topic of security through openness.

By completely exposing what your program does, the end user has a way to ensure your program only does what you say it does. However, this also allows the end user to more easily find vulnerabilities in the software. Having an open source program forces the programmer to understand these risks, which also helps to avoid poor decisions such as using security through obscurity. This could be interpreted to apply directly to Principle 1.04 of The Software Engineering Code of Ethics: “Disclose to appropriate persons or authorities any actual or potential danger to the user, the public, or the environment, that they reasonably believe to be associated with software or related documents.” How can you disclose any more information about your software than releasing the full source code?

There will always be tools created for completely legitimate purposes that will be converted into tools for unethical uses. Something as simple as a match can be used for many ethical uses, but it could also be used to burn down a house. The only thing that you as a programmer can do, is make sure that you make ethical decisions; you don't get a choice of what your users will do.