Learning Library

← Back to Library

Open Source Security: Kerckhoffs vs Obscurity

9mUnknown ChannelsecuritytutorialintermediateWatch on YouTube ↗

Key Points

  • Even operational systems, including Linux, can be compromised and contain malware, but this doesn’t inherently make open‑source software insecure.
  • Proprietary software hides its source code (a “black box”), whereas open‑source software reveals the code, allowing anyone to inspect how it works.
  • Kerckhoffs’s principle states that a cryptographic system should remain secure even if everything except the secret key is publicly known, promoting transparency and broader review.
  • Relying on “security through obscurity” – keeping implementation details hidden to deter attackers – is considered a weak approach compared to open scrutiny.
  • Open‑source projects can achieve strong security when they embrace transparency, rigorous peer review, and avoid hidden mechanisms.

Sections

Full Transcript

# Open Source Security: Kerckhoffs vs Obscurity **Source:** [https://www.youtube.com/watch?v=HcV4u-nemNk](https://www.youtube.com/watch?v=HcV4u-nemNk) **Duration:** 00:09:56 ## Summary - Even operational systems, including Linux, can be compromised and contain malware, but this doesn’t inherently make open‑source software insecure. - Proprietary software hides its source code (a “black box”), whereas open‑source software reveals the code, allowing anyone to inspect how it works. - Kerckhoffs’s principle states that a cryptographic system should remain secure even if everything except the secret key is publicly known, promoting transparency and broader review. - Relying on “security through obscurity” – keeping implementation details hidden to deter attackers – is considered a weak approach compared to open scrutiny. - Open‑source projects can achieve strong security when they embrace transparency, rigorous peer review, and avoid hidden mechanisms. ## Sections - [00:00:00](https://www.youtube.com/watch?v=HcV4u-nemNk&t=0s) **Debating Malware in Open Source** - A speaker recounts a past debate about Linux malware, asserts that any operational system can be compromised, defines open‑source versus proprietary software, and outlines key considerations for ensuring the security of open‑source projects. ## Full Transcript
0:00about 20 years ago a colleague and I had 0:02a debate as to whether Linux could have 0:04malware in it he said no I said yes 0:08turns out I was right it turns out in 0:10fact any system if it's operational can 0:12be broken into it can be hacked it can 0:15have malware so it shouldn't come as a 0:17huge surprise but that's not to say that 0:19open source isn't secure in fact it can 0:22be very secure but let's take a look at 0:24what are some of the considerations I'm 0:26going to take a look at open source 0:28security in this video some of the 0:30things that we should be thinking about 0:32and then ultimately conclude with some 0:34guidance so that you can make sure your 0:35open source projects are in fact secure 0:38let's start with some definitions first 0:40of all what do I mean by open source 0:43well to talk about this let's first talk 0:46about proprietary proprietary is a 0:48system that's closed I can't see what's 0:50in it if we're talking about software I 0:53don't see the source code I just see the 0:54executable version so it's a black box 0:57to me an open-source project open Source 1:00software in these cases I can see inside 1:02the box I can see how it works I can see 1:05if it's an operating system well I can 1:08see the source code if it's an 1:10application again I can see the source 1:12code if it's uh going to be an AI model 1:16I can see the source code and yes AI is 1:19another example of something where we're 1:21going to be using open- Source models 1:23and then one of the classics is with 1:25cryptography so in this case what I want 1:28to be able to do is see how the crypto 1:31system works that leads us to our first 1:33point Kirk off's principle kirkoff had 1:36this idea that a crypto system should be 1:38secure even if everything except the key 1:41is public knowledge so kirkoff was 1:44telling us that basically if I have 1:47plain 1:48text that I'm going to encrypt I'm going 1:51to put that into my encryption system 1:53and then what comes out is going to be a 1:56bunch of gobbledygook that no one can 1:59understand understand this is the cipher 2:01text plain text Cipher text and the only 2:05thing that should be a secret about this 2:07system is the key this thing right here 2:11that key as it changes will change this 2:14plain text into a different Cipher text 2:16that's it there should be no secrets in 2:19this this should be publicly known and 2:22why is that because the more people that 2:24know it the more review we can do and 2:26the more problems we can tease out of 2:28the system before we put it into 2:30production and that's in fact how the 2:32the rules that we have followed when it 2:34comes to cryptography these days now the 2:37contrary to that is this notion of 2:40obscurity in particular security by 2:43obscurity and you know what security by 2:45obscurity is because you've seen 2:47examples of this imagine at your home 2:49you've got a key to the door now we're 2:51not talking crypto keys we're talking 2:53physical Keys you got a key to get you 2:55into the front door and where do you 2:57hide that so that nobody could ever 3:00figure out where it is well right here 3:02under the welcome mat no one's ever 3:04going to think of that right well of 3:06course that's the idea of security by 3:08obscurity I can't see the key because 3:11it's under the mat so therefore it's 3:12secure yeah not so secure because the 3:15problem is secrecy doesn't end up being 3:18a very good way to ensure security 3:20because Secrets ultimately become known 3:24let's take a look at the Thousand eyes 3:26principle this basically says that if I 3:29have enough people all inspecting open- 3:32source code that they are going to find 3:34the vulnerability and the idea is really 3:38sound the principle Works however think 3:41about looking at a complex system in the 3:45case of Linux there's on the order of 27 3:48million lines of code that's a lot of 3:50stuff and I'm going to find the 3:51vulnerability that's right there okay 3:55even with a thousand eyes looking at 27 3:57million lines of code that's a problem 3:59of scale are we going to be able to 4:02scale the inspection of individuals in 4:06order to find all of the vulnerabilities 4:08and who ultimately feels responsible to 4:10do this a lot of people use open source 4:13but not everyone contributes to open 4:15source and not everyone is looking for 4:16vulnerabilities in open source so it's a 4:19subset of that community that actually 4:21is trained and understands what to be 4:23looking for in the first place and feels 4:25a personal responsibility to go off and 4:27do that level of inspection and then 4:30support if we do find who is going to 4:33fix it who's going to verify that the 4:35fix that somebody wants to suggest okay 4:37we have processes for doing all of this 4:40but the the point is it's not as simple 4:42as just saying we put it out there and 4:44the community finds all the problems and 4:46everything works perfectly it doesn't 4:49now having said that we've had some big 4:51successes so this General principle does 4:55in fact work and I'll give you some 4:57examples two really classic ones and I 5:00just mentioned one of them is Linux 5:02operating system very solid operating 5:05system and it has the ability that you 5:07can configure it to be very secure it's 5:10withstood the test of time for decades 5:13about three decades now and again very 5:16solid operating system we can do some 5:18great stuff with this another example 5:21borrowing from the world of cryptography 5:24the standard that we all use for 5:26symmetric cryptography these days is 5:28called the advanced encryption standard 5:30AES and it was developed in an open- 5:32Source model in other words the 5:34algorithms were submitted everyone had 5:37an opportunity to look at the algorithms 5:39and understand how they work and try to 5:41F figure out if there's a way that they 5:43can break them and so far no one has 5:45found a way to break AES that's anything 5:48faster than Brute Force so that's a 5:51success now so we've had some of those 5:54but how about some of these well we've 5:57had some of those as well uh one of the 5:59most not notable is a vulnerability to a 6:02component called log 4J which is 6:04open-source software that was included 6:06it's logging software that logs 6:08activities included as part of Apache 6:11and it was included in tons and tons of 6:15products in tons of projects that people 6:17worked on individually and in large 6:20groups and we found a few years ago that 6:24there was a vulnerability a very serious 6:26vulnerability in this even though it had 6:28been available for people review for 6:30years there was a serious vulnerability 6:33that gave an attacker potentially 6:34complete control over the system so in 6:37that case the Thousand eyes didn't find 6:39the problem and and ultimately we found 6:42it and now there's a fix but not 6:45everything gets caught is the point some 6:47other things that we found IDC uh 6:49reported in 2023 that there was a 6:5324% increase in software supply chain 6:58vulnerabilities that's a big number 7:01looking at open source and saying we're 7:03using all of this code and that the 7:05number of vulnerabilities is increasing 7:08astronomically and they went further on 7:10to say that it affected roughly 64% of 7:15organizations so it's not like just a 7:17few people are getting hit by this it's 7:19affecting lots and lots of people so as 7:22software grows as these open source 7:24projects grow we're needing to grow our 7:28responsibility our support our skill 7:30level and our ability to to Really 7:33analyze all of these things effectively 7:35now another uh bit of information that 7:37we had from one report 7:39was a problem is that coders will 7:43sometimes encode Secrets directly into 7:46their source code what kind of Secrets 7:47do I mean I'm talking about passwords 7:50I'm talking about crypto keys and things 7:52like that they found that in analyzing 7:55code that there were 7:574,000 secrets embedded directly into 8:01source code that's a lot and if because 8:04it's source code means anyone could look 8:06at it and see what it was and therefore 8:08anyone could take advantage of it and 8:10those 4,000 Secrets unique Secrets 8:12embedded in open- source 8:15code affected 8:17450,000 projects these again are 8:20alarming numbers so we shouldn't be 8:22doing that but it's not like just a few 8:25people did it it happened on at least 8:274,000 occasions that this occurred so so 8:29we've got to do a better job we have our 8:31successes but we also have some failures 8:34okay what can we do to avoid some of the 8:36failures that I just mentioned it turns 8:38out there is some good guidance out 8:40there and resources you can take 8:41advantage of there's a group called The 8:43open software security Foundation ossf 8:47their website you can see ossf dorg 8:51includes a lot of good educational 8:53materials so you can learn more about 8:55what you need to do to make this stuff 8:57not fail in addition they have some 9:00guides in particular they focus on open 9:03source development what are secure 9:05coding practices and things like that 9:07that you should follow project 9:09management and project considerations 9:11for running an open source project and 9:13also industry best practices the things 9:16that we've learned that are the time- 9:17tested principles that we know work and 9:21help us avoid that and achieve more of 9:23that so what about that debate is open 9:25source more secure or not I'm going to 9:28say it's not more secure it's more 9:32secure and that's what makes the 9:34difference in other words I have the 9:36ability to leverage the Thousand eyes I 9:40have the ability to leverage Kirk off's 9:42principle and not rely on security by 9:44obscurity so that I can achieve these 9:46successes so open source can be more 9:49securable and that is the goal that 9:52we're ultimately after