Earlier this year, I read and listened (through the linux.conf.au podcast) to what can only be described as a seminal and thought-provoking paper on medical software security by Karen Sandler, opening my eyes to an entire area of software security that one doesn’t normally think about. Karen’s talk at the 2012 Linux Conf in Australia, appropriately titled “Freedom in my heart”, struck a chord – I’ve been dealing with 8 years of CFS, so I have some idea of the constant nag at the back of one’s mind about one’s health. When that health is threatened because of software developed by the lowest-cost bidder, then we’re in for a bad time.
Considering that even simple medical devices now have upwards of 100,000 lines of code, and with a commercial industry standard of 1 bug per 1000 lines of code, issues can mount up very quickly. Of course, commercial companies are the first to stand up and raise their security-by-obscurity flag, but how can we trust our health to these companies when we know with certainty that their software is riddled with bugs? There is little or no recourse to action, unlike with Open Source Software, unless you can prove negligence implicitly – and considering the protection afforded to medical companies, this is unlikely.
Besides the security aspect of medical software, there are of course many other areas of critical importance that seem to be dominated by commercial companies with no apparent respect for the ‘client’ and an overriding passion, above all else, for profits. The attacks on core Iranian nuclear infrastructure over the last year via Flame, open access to confidential government information on New Zealand’s Work and Income public computer terminals, TD Bank’s missing unencrypted backup tapes, vulnerabilities in Sinapsi’s eSolar SCADA systems, the recent Shamoon virus attack that turned 30,000 Aramco workstations and servers into expensive paperweights, and the in-game exploit that managed to kill the majority of characters in some cities in World of Warcraft are just some of the issues that we’re facing every day. Exploits and security issues are no longer the purview of script kiddies and lazy coders – the motives are now profit and destruction, and the actors are governments and organised crime groups.
In the USA, for example, it’s estimated that over 80% of critical infrastructure is in the hands of commercial companies who have little incentive to fortify their networks against cyber attacks – that would involve cost and eat into shareholders’ profits. IOActive researcher Barnaby Jack has recently found flaws in the wireless transmitters of medical equipment that could result in death at a distance. The Economist’s article, “When code can kill or cure”, gives a startling perspective on the issues surrounding medical device security. The list is endless.
And my point is?
Open Source Software has proven itself equal to, and in many cases better than, commercial solutions. It’s used in every aspect of life, from computers to smartphones to cars and TVs. But there are certain areas where commercial companies are afforded protection, through action or inaction, while providing patently insecure solutions to critical areas. Besides the obvious security benefits of OSS solutions, there are also lower (or no) costs, rapid development, high-quality coding, open standards and best-in-class support.
The next time you’re thinking about purchasing some software, ask your commercial software vendor about their security track record. Or better yet, think about the OSS option. Either way, you may be surprised.