Does source code availability mean a more secure product?
Short answer: not necessarily.
Does the company provide all the code needed to build the voice encryption product, whether the one I install on my own mobile phone or the one they ship in the firmware of the phone they provide? If the answer is no, how do I know that the code they hand me for review is the same code they used to produce the software installed on the phone? My understanding is that there is no way to verify that.
But even if the source code they provide for review is the same code they compiled their product from, can’t the security still be compromised by how the solution was integrated on the specific phone? Does it make sense to verify the encryption algorithm if I cannot make sure that the other components involved in securing my calls, including but not limited to voice decoding, key handling and interaction with the phone OS, are also secure and free of programming errors or back-doors?
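The first of these questions, whether the code handed over for review is the code that produced the shipped binary, has a concrete form as a check: rebuild from the published sources and compare the result byte for byte with what is installed. That only works when the build is reproducible, which is the part vendors rarely provide. The following is an added example, not code from this post or from any vendor it discusses; the "source tree" and the tar-based "build" are constructed stand-ins for a real toolchain, and the hypothetical `matches_shipped` check assumes the reviewer already holds the SHA-256 of the shipped artifact.

```python
"""Added example: does published source really produce the shipped artifact?

The comparison only means something if the build is reproducible, i.e. the same
sources built on two machines give byte-identical output. The "build" here is
packaging a constructed source tree into a tar archive, which is enough to show
the usual metadata leaks (mtime, ownership) that break reproducibility.
"""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed stand-in for a vendor's published sources (not any real product).
SAMPLE_SOURCES = {
    "Makefile": b"all: src/main.c src/cipher.c\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/cipher.c": b"/* placeholder for the voice cipher */\n",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def write_tree(root, files, mtime):
    """Materialise `files` under `root`, stamping every file and directory with
    `mtime` so two checkouts look like they were made at different times."""
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    for dirpath, _, _ in os.walk(root):  # directories last: writing files touched them
        os.utime(dirpath, (mtime, mtime))
    return root


def naive_build(root):
    """The way most people tar a tree: mtime, uid, gid and user name of the
    build host leak into the archive, so two honest builds never match."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(root, arcname="pkg")
    return buf.getvalue()


def reproducible_build(root, source_date_epoch=0):
    """Same inputs, host-independent bytes: sorted walk order, no directory
    entries, mtime clamped to SOURCE_DATE_EPOCH, ownership zeroed, fixed mode,
    and a fixed archive format so no PAX extension headers sneak in."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # walk order must not depend on the filesystem
        for name in filenames:
            paths.append(os.path.join(dirpath, name))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(paths):
            arcname = "pkg/" + os.path.relpath(path, root).replace(os.sep, "/")
            info = tar.gettarinfo(path, arcname=arcname)
            info.mtime = source_date_epoch
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()


def matches_shipped(built, shipped_sha256):
    """Hypothetical reviewer check: does my build equal the bytes the vendor
    installed? Only a byte-for-byte match answers the question."""
    return sha256_hex(built) == shipped_sha256


def build_on_two_machines(files=SAMPLE_SOURCES):
    """Simulate two reviewers checking out the same sources a minute apart and
    building them both ways; returns the digests for comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        a = write_tree(os.path.join(tmp, "machine_a"), files, 1_000_000)
        b = write_tree(os.path.join(tmp, "machine_b"), files, 1_000_060)
        return {
            "naive": (sha256_hex(naive_build(a)), sha256_hex(naive_build(b))),
            "repro": (sha256_hex(reproducible_build(a)),
                      sha256_hex(reproducible_build(b))),
        }


if __name__ == "__main__":
    digests = build_on_two_machines()
    print("naive builds identical:", digests["naive"][0] == digests["naive"][1])  # False
    print("reproducible builds identical:", digests["repro"][0] == digests["repro"][1])  # True
```

The point for a reviewer is the failure mode: with the naive build, a digest mismatch against the shipped binary proves nothing, because two honest builds of the same tree already differ. Only after the build is made reproducible does a mismatch become evidence that the published sources are not what the vendor compiled.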
And who is reviewing the code? Is there any incentive to do it? Are good and honest people investing their time in reviewing source code published by second-tier vendors? Probably not. That the code is available does not necessarily mean that it is reviewed.
The other day I stumbled upon the web site of a company selling voice encryption products, and I sadly read their conclusion about why other vendors may not be offering their source code for review. They state they can only assume that the other vendors have something to hide, or that they may be afraid of competition, or that they are trying to protect “so-called” “trade secrets.” How sad is that?
In relation to protecting their “trade secrets,” I hope that’s true. My understanding is that trade secret protection lasts for as long as the secret is kept confidential.
Also, what do they mean by “so-called trade secrets”? If it means they have a strong position against intellectual property protection, fine. But then the question would be why they are not simply releasing the software as open source. Could that impact their “so-called bottom line”?
On their web site they also state that they “have no (trade) secrets”. Really?
(written by uzimanu on 4/26/2007)