The superior security narrative of unauditable software

27th March 2018

Which news headline looks better for a company:

  1. University graduates point out serious security flaw in ExampleSoft!

or

  2. Cyber-criminals stealing people's data - but ExampleCorp has released a patch to protect you!

These two headlines could both be triggered by the same security flaw in ExampleCorp's product.

In the first instance, the vulnerability was found by independent "good guys" before it started to be exploited. This was a good thing, as the public and ExampleCorp became aware of it at the same time any "bad guys" did, allowing all possible mitigations to be deployed as soon as possible.

In the second example, the first people to discover the security vulnerability were "bad guys", who were able to begin surreptitiously exploiting the vulnerability for identity theft before anyone knew about it. ExampleCorp didn't even start writing a patch until it was already too late.

The first instance is surely better, but it's much more embarrassing for ExampleCorp, as the blame falls on them. In the latter example, blame falls on the easy target, the "bad guys". Example 1 makes ExampleCorp look incompetent and example 2 makes them look like heroes.

What should ExampleCorp do?

ExampleCorp wants to protect their reputation, so clearly they should do everything they can to stop "good guys" studying the code. Perhaps make the software proprietary and forbid reverse-engineering in the Licence Agreement? This means the software cannot be legally studied. Indeed, in the real world most proprietary software does this.

So, assuming "good guys" obey the law, bad guys are the only people who can study the code, allowing ExampleCorp to look like heroes at all times!

Well done ExampleCorp!

Addendum

Free Software is software that respects our rights as computer users. Reject the contrary security narrative of the corporate world and use Free Software!