Security

Free Software and its Security Advantages

Everyone loves free software, but not all free software is Free. With software there is a substantial difference between “free”, “Free”, and “open source”.

For an end user, Free Software can in some cases offer advantages over closed and proprietary software, especially in the case of software that is relied on for security.

The Definition of Free

The Free Software Foundation defines Free Software as “software that respects users’ freedom and community. Roughly, the users have the freedom to run, copy, distribute, study, change and improve the software. With these freedoms, the users (both individually and collectively) control the program and what it does for them.”

Free Software is not about price, but about protecting users' freedom to use, modify and distribute software. The four fundamental freedoms that apply to Free Software are:

  • The freedom to run the program, for any purpose (freedom 0). Does the software do what it purports to do? Does the software only do what it purports to do, free from any nefarious other uses or intentional back doors that are unknown to you? Is the software secure from attackers?
  • The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1);
  • The freedom to redistribute copies so you can help your neighbour (freedom 2);
  • The freedom to distribute copies of your modified versions to others (freedom 3). Access to the source code of the software is a precondition for the practical exercise of these freedoms. This access is the largest difference between proprietary software and Free Software.

Free Software, and its accompanying freedoms, should not be equated or confused with software that does not have a price; it is possible for a company to charge a price for Free Software, just as it is possible for a company to give away its own proprietary software at no cost. Also, just because software is Free, does not necessarily mean it is not subject to copyright; one method used to protect Free Software is to make it subject to a “copyleft” license, such as the GNU GPL License, which requires modifications to the software to be distributed under the same license, preventing persons from modifying Free Software and re-releasing it as proprietary code.

Free Software is about liberty, not price. As the FSF puts it, “[t]o understand the concept, you should think of ‘free’ as in ‘free speech,’ not as in ‘free beer’.”

The term “open source software” is often incorrectly used interchangeably with the term “Free Software”. With open source software you can usually view and modify source code, but open source software does not necessarily grant all the freedoms associated with Free Software.

Security Advantages Offered by Free Software

When selecting software to use there are often various programs available, some proprietary and others Free Software. When using any software it is essential to be able to ensure that:

  • the software indeed does what it says it does;
  • the software does not do anything malicious or contain “back doors”; and
  • the software does not contain any exploitable bugs or security flaws.

These concerns are amplified if the software is being used to perform a critical function, to protect systems, or to store and safeguard confidential information.

Proprietary software is developed in a closed fashion by a limited development team. Nobody outside that team has the right or the ability to examine the source code. This means that you are putting your trust in the software's development team. Unfortunately, trust can be placed in the wrong people.

How certain can you be that your encryption software does indeed encrypt your data using the algorithm that it says it does? Does the encryption program implement the algorithm correctly? Does your software phone home or otherwise send requests or information to an unknown server? Does your software contain intentional back doors to allow third parties or law enforcement to circumvent security? Is your software free from security vulnerabilities that can be exploited?

These concerns are addressed by Free Software.

First, with Free Software you can be certain that the software does indeed do what it purports to do. The source code is available and users are able to examine exactly what the software does and how it aims to do it.
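One concrete way to act on that access, using the encryption example from above: once you can read and run the implementation, you can check it against the algorithm's published test vectors instead of taking the label on trust. The following is an added example, not code from the original post. It runs a SHA-256 implementation against vectors from FIPS 180-4 and an HMAC-SHA-256 implementation against RFC 4231 test case 1; the `reference_*` callables wrap Python's own hashlib/hmac, and `faulty_sha256` is a constructed stand-in for a mislabelled implementation. An implementation under review would be passed in place of these callables.

```python
"""Known-answer tests (KATs) for a hash and a MAC implementation.

Added example (not part of the original post). It answers the question
"does this program implement the algorithm it claims to?" by running the
implementation against published test vectors and reporting mismatches.
"""
import hashlib
import hmac
from typing import Callable, List, Tuple

# Published vectors: SHA-256 from FIPS 180-4 examples, HMAC-SHA-256 from
# RFC 4231 test case 1. Expected values are hex digests.
SHA256_KATS: List[Tuple[bytes, str]] = [
    (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    (b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
     "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1"),
]
HMAC_SHA256_KATS: List[Tuple[bytes, bytes, str]] = [
    (b"\x0b" * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def run_sha256_kats(impl: Callable[[bytes], str]) -> List[str]:
    """Run every SHA-256 vector through `impl`; return a list of failure
    descriptions (an empty list means every vector matched)."""
    failures = []
    for msg, expected in SHA256_KATS:
        got = impl(msg)
        if got.lower() != expected:
            failures.append(f"SHA-256({msg!r}): expected {expected}, got {got}")
    return failures


def run_hmac_sha256_kats(impl: Callable[[bytes, bytes], str]) -> List[str]:
    """Same as above for an HMAC-SHA-256 implementation taking (key, msg)."""
    failures = []
    for key, msg, expected in HMAC_SHA256_KATS:
        got = impl(key, msg)
        if got.lower() != expected:
            failures.append(f"HMAC-SHA-256(key={key!r}, {msg!r}): expected {expected}, got {got}")
    return failures


def reference_sha256(msg: bytes) -> str:
    """Assumed-correct implementation: Python's hashlib."""
    return hashlib.sha256(msg).hexdigest()


def reference_hmac_sha256(key: bytes, msg: bytes) -> str:
    """Assumed-correct implementation: Python's hmac over hashlib.sha256."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def faulty_sha256(msg: bytes) -> str:
    """Constructed faulty implementation for illustration only: it feeds the
    message bytes to SHA-256 in reverse order. It passes the empty-message
    vector and fails the others, which is why more than one vector is used."""
    return hashlib.sha256(msg[::-1]).hexdigest()


if __name__ == "__main__":
    for name, impl in [("hashlib reference", reference_sha256),
                       ("constructed faulty implementation", faulty_sha256)]:
        failures = run_sha256_kats(impl)
        print(f"SHA-256 [{name}]: {'PASS' if not failures else 'FAIL'}")
        for line in failures:
            print("   ", line)
    mac_failures = run_hmac_sha256_kats(reference_hmac_sha256)
    print(f"HMAC-SHA-256 [hashlib reference]: {'PASS' if not mac_failures else 'FAIL'}")
```

A passing KAT run does not prove the implementation is free of flaws (timing side channels and key handling are not exercised by test vectors), but a failing one is decisive: the program is not computing the algorithm it claims to, and with the source in hand you can find out why.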

Secondly, because users are able to examine the source code, any intentional back doors built into the software can be more easily discerned, and anything malicious in the software can be identified.

Thirdly, serious security flaws can be quickly identified and addressed. Linus's Law, named in honour of Linus Torvalds, is "given enough eyeballs, all bugs are shallow". Free Software is often developed by extremely large groups of people; for example, the latest Linux report states that more than ten thousand people have contributed to the Free operating system. Arguably, the large number of people actively combing through, improving and adding to the software source code weeds out many of the exploitable bugs and security flaws.

Some opponents of Free Software argue that having code open for inspection makes software less secure, because it allows people to look at the code, find flaws and exploit them. This is an argument in favour of "security through obscurity", the argument that a security flaw in code is acceptable as long as it is hidden and nobody can easily see it. Security through obscurity is never a good idea, as it works off the premise that would-be attackers are not looking for the vulnerabilities that exist in the proprietary software.

Unfortunately no software can ever provide a guarantee that it is one hundred percent secure, but it should not be necessary to place your trust in a group of developers who may not have your best interests in mind. With Free Software you don’t have to trust so blindly.

Edit: A fascinating perspective on the topic of trusting code is given in this speech by Ken Thompson, published in Communications of the ACM, August 1984, Volume 27, Number 8, entitled "Reflections on Trusting Trust: To what extent should one trust a statement that a program is free from Trojan horses? Perhaps it's more important to trust the people who wrote the software".

“The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect …”

This work by Clinton Pavlovic is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.