Frankly, I can't say I was surprised when I read that RIM's BlackBerry 10 transmits user email account credentials to RIM servers, which then log into the account. Obviously someone at RIM thought this would be a good idea, but anyone who does anything that requires keeping email private -- say, an executive discussing sensitive negotiation strategies with colleagues, or a doctor or other health care worker, or, well, just about everyone -- should be appalled that RIM covertly collects their username and password, then logs into the account.
With the news about PRISM and other clandestine data-vacuuming operations in place all over the world, it's clear there's a problem. It's not just about hoovering up information from millions of people -- it's the vast number of devices that can no longer be trusted for use in business and government. When the code running anywhere along a data path is not open source, there's a chance it's doing something you can't know about and potentially transmitting data to someone who shouldn't have it. That possibility should serve to upset even nontechnical executives, to say nothing about governments all over the world.
[ Also on InfoWorld: The firewall threat you don't know | The perfect Trojan horse | Keep up with key security issues with InfoWorld's Security Adviser blog and Security Central newsletter. ]
Last year I wrote about how easy it is to place backdoors within corporate networks using Swiss Army knife-type tools, but those still require someone to physically place them within a building or at least to be hooked up to a network jack. Wouldn't it be easier for the spies to make sure the network devices you purchase, such as routers and firewalls, are already backdoored?
This goes well beyond the software or firmware layer. This goes straight into the chips themselves. The code on proprietary commercial firewall chips is unlikely to be accessible to security admins; even if it were, it's unlikely they would be able or allowed to perform rigorous code audits.
I'm sure some extraordinarily sensitive organizations do this or take similar action for extraordinarily sensitive deployments, but you can bet that the costs explode. Vendors like Cisco aren't going to let just anyone sniff around their IP unless it's a huge contract. Even then, the vigilance must be maintained to ensure that every single device is running the very same code. All of this has to be done all the way up the stack, across every device that will touch the network.
Open source closes the backdoors
With open source, the veil is already lifted, and an army of developers inspects the code all the time. The potential for hidden backdoors is dramatically reduced. But that doesn't really matter if you go deep enough.
Sure, you can install pfSense on a server and know it's not backdoored, but what about the hardware within the server itself? What about the TCP offloading code in the NICs? Or the BIOS? It could contain a nefarious element that you simply can't trust -- unless, of course, all that code were open source as well.