Freedom, Security and Privacy
Kyle Rankin is the Chief Security Officer at Purism and a Tech Editor and columnist at Linux Journal.
He is the author of Linux Hardening in Hostile Networks, DevOps Troubleshooting, The Official Ubuntu Server Book, Knoppix Hacks, Knoppix Pocket Reference, Linux Multimedia Hacks and Ubuntu Hacks, and also a contributor to a number of other O’Reilly books.
Rankin speaks frequently on security and open-source software including at FOSDEM, BsidesLV, O’Reilly Security Conference, OSCON, SCALE, CactusCon, Linux World Expo and Penguicon. You can follow him at @kylerankin.
So much about security revolves around secrecy. After all, you don't publish your passwords or GPG keys for the world to see. Some people go as far as applying the same arguments they make for why proprietary software is superior to FOSS to claim that it's also more secure. Unfortunately, proprietary software puts control in the hands of companies who you must then rely on and trust that their software is secure, free of backdoors, and has your interests at heart. In a modern age full of companies abusing your data and government-sponsored attacks using zero-day vulnerabilities and in some cases intentionally planted backdoors, people are starting to realize not only that this trust might have been misplaced but that it's also put their freedom and privacy at risk.
The same FOSS principles that give people freedom also ensure their security and privacy. The three virtues are interdependent--as one increases, the others improve and when one is taken away, it's at the expense of the others. When software is under your control, your security and privacy are also under your control. These principles not only give people the choice of who to trust, they also give them the ability to verify that trust and revoke it if necessary. Freedom is essential to security and privacy.
This talk will use specific examples to demonstrate how the application of FOSS principles results in a more secure solution and a more empowered user. Examples will include backdoors left in proprietary software (intentionally or otherwise) that helped vendors spy on customers; the security, privacy and freedom risks with proprietary security solutions such as the Intel Management Engine, UEFI Secure Boot, and cloud password managers along with efforts to provide FOSS alternatives. I'll also use the cryptography community's historical distrust of proprietary ciphers and the controversy with compromised ciphers NIST recommended at the behest of the NSA as an example of how crucial openness is for security. Finally, I'll discuss how the reproducible builds effort in projects like Debian promises even more transparency and security to the end user by taking advantage of the user's freedom to download and build software themselves to provide a method that proves binaries have not been tainted.
- 45 min
- LinuxFest Northwest 2019