Gunther Birznieks, eXtropia
Date: Friday, July 11
Time: 10:30am - 11:15am
Location: Salon A
In an integrated world, the whole is greater than the sum of the parts. But this sum can have uninvited additions--security problems caused by integration haste. Much of open source is written with Unix or the interaction of other open systems in mind. While it's possible to do ports that seem to work on a system such as Microsoft Windows, design differences in the systems can create gapping holes. Birznieks' session covers a variety of software from web applications to Unix server applications ported to Microsoft. Finally, solutions to these problems will be examined, including rules of thumb on how applications can be coded with other systems' security in mind.
Birznieks describes his involvement in this issue: "I have spent nine years producing open source programs at the end-user application level. One common thread with such projects is that they eventually find their way into environments that authors are not aware of or do not have daily access to. As such, many open source authors tend to write only with open systems in mind which leaves end-users trying to get the apps to work on proprietary systems.
"Over the years, I have seen that attempting to wedge programs into environments they weren't meant for can cause security problems. Usually an end-user will stop at just getting the program to 'functionally' work but lack the experience to know whether they've opened a security hole unintentionally. Even experienced development projects have a variety of holes that happen only on certain platforms. Even a widely used and developed project like Apache, for example, has had at least a few holes last year that were purely related to their port to Windows."
Birznieks' session "provides a forum to discuss open source projects and share ideas gathered over the years in one place for an OSS developer to understand how to develop software that can be open to porting to different environments without causing security glitches. It may be controversial in that developers of OSS like to think their software is secure. Usually, this is definitely the case. However, the achilles heel still lies in moving OSS to environments it wasn't originally programmed in. This talk attempts to mitigate this and help start to provide guidelines on what OSS developers should think about from the start.
"From a marketing perspective, improving the security of open source software is something that should help companies overall. Including companies that may specialize in SI (Systems Integration) of OSS into commercial/proprietary environments and what to look for."
Birznieks' prediction for how technology will affect us in the future? "While many users in the world are becoming technology savvy in terms of using word processors and spreadsheets and other tools, when it comes to security, they still have a very 'physical' sense of security. Most people keep tabs on their wallet or pocketbook if they are in a crowded area or make sure their credit card carbons are disposed of properly when they use a credit card.
"However, as criminals become more technology focused, the general public will undergo a like evolution in terms of security education beyond the physical and into the virtual world. In five to ten years, I would expect that if end-users do not know what such things as ATM skimming and identity theft are, they will. Technology will be improved to prevent such scams but this improvement of technologies will not be transparent--end users will become more educated about virtual security just as they are about physical security."