We have to trust them. We have no other choice. We can't see their code, and we can't independently verify that they are on the up-and-up. We have to take their word that the service or software they provide is not only secure, but that they haven't purposefully allowed unknown third parties to gain backdoor access to our network through their products. Until recently, this was the turf of conspiracy theorists. Though we all knew it was possible, we never thought it was actually occurring. Now we know better.
Now we know that we can't trust any commercial, closed source software any more -- none of it. Not a single piece of hardware or software is currently trustworthy, and they'll forevermore be suspect. This has changed the game, altering the security landscape permanently and horrifically. There's absolutely no way for any commercial, closed source vendor to regain that trust, no matter how much or how often they claim otherwise. The big one, of course, was the fact that RSA accepted millions to allow the NSA backdoor access to its security products. How anyone can continue to do business with RSA baffles me.
It's not just RSA. It's also certificate authorities and other failed guardians of Internet security. With more revelations coming out in a steady stream, it seems more likely than not that any major technology company has been compromised in one way or another. The NSA's list of exploits is extensive, and there are even embedded backdoors in commercial products like Dell PowerEdge servers. But hey, Dell apologizes for the inconvenience. The full list includes companies such as Apple, HP, Cisco, Huawei, Juniper Networks, Microsoft, Maxtor, Seagate, Samsung, and Western Digital, along with products ranging from network hardware to servers to hard drives.
If you run Dell servers, you have no way of knowing what the BIOS on those servers could be doing. You bought them, brought them into your data center, and placed sensitive and mission-critical data on them -- because you trusted Dell. The same goes for the disks in your servers and storage arrays, not to mention your routers and firewalls. You can't trust them.
There's that word again: Trust. As I've beaten to death in this piece, that's gone, and nothing will replace it unless and until we open-source everything in the stack, from the absolute top to the absolute bottom. If we get there, then we may once again find ourselves requiring network security. Lacking that level of clarity and openness, however, there's no point. It's an impossible task when your tools are designed to work against you.
This story, "RIP, information security, done in by backdoors and secret deals," was originally published at InfoWorld.com. Read more of Paul Venezia's The Deep End blog at InfoWorld.com.