Whose Software Can You Trust?
Ken Camp responded to a posting by Om Malik on Hamachi, a “mediated peer-to-peer VPN.” I’ve used this product myself and I like it. I’ve even helped set it up for a friend of mine.
Ken made a very valid point about why he won’t allow Hamachi in the corporate network:
While Hamachi is indeed a Canadian company, the technical side of this service establishes a VPN tunnel via a gateway server on Cocos Island. If you aren’t aware (I wasn’t), Cocos Island is a scuba diving haven in the Costa Rican National Park system.
While my technical testing and review indicates that the Hamachi folks are doing all the right and honorable things, if this service were to ever embrace port hopping technology like Skype uses, you’d have a peer to peer link established from your corporate network to foreign soil. This is problematic for many businesses.
I think this raises a bigger issue, which is how we can be sure the software we download, purchase, or use will, in fact, do what it’s supposed to and not have any undesirable side effects. Most software is closed-source, meaning the source code is not available for review. Even if the source code were available, very few people would take the time to read it and understand what it does. Even if you don’t have the source code, there are a number of things you can observe about the behavior of a program, such as where it connects, what ports it uses, and so on. Few people have the knowledge or skills required to do this. Even though I have the skills and knowledge necessary, I tend only to do this kind of research if things aren’t working or I suspect an issue.
The nice thing about software that communicates using open standards is that even if I can’t see the source code, I can understand what is going on by looking at the network traffic. If the traffic is unencrypted, then I can further analyze it to see exactly what it’s doing. Even if the traffic is encrypted, though, I can understand what is going on by following the traffic patterns.
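As an added illustration (not part of the original post), the sketch below profiles programs purely from connection metadata, which works whether or not the payload is encrypted: where each process connects, whether those destinations are approved, and whether it spreads traffic across many ports on one host. The process names, flow records, approved networks and threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not captured traffic): time, process, protocol,
# remote address, remote port, bytes sent. Addresses are documentation ranges.
SAMPLE_FLOWS = """\
10:00:01 vpnclient tcp 198.51.100.7 443 420
10:00:02 vpnclient udp 203.0.113.40 40000 88000
10:00:09 vpnclient udp 203.0.113.40 40000 91000
10:01:00 chatapp tcp 192.0.2.15 443 1200
10:01:05 chatapp tcp 192.0.2.15 80 900
10:01:09 chatapp udp 192.0.2.15 33012 700
10:01:14 chatapp udp 192.0.2.15 41877 650
10:02:00 mailer tcp 10.1.2.3 587 5000
"""

# Assumption: networks the organisation has approved for outbound traffic.
APPROVED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("198.51.100.0/24")]
HOP_THRESHOLD = 3  # assumption: this many distinct ports to one host is worth a look


def profile(flow_text, approved=APPROVED, hop_threshold=HOP_THRESHOLD):
    """Summarise, per process, where it connects and which ports it uses."""
    ports = defaultdict(lambda: defaultdict(set))   # process -> host -> {(proto, port)}
    sent = defaultdict(int)                         # process -> total bytes sent
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                                # skip malformed records
        _, proc, proto, host, port, nbytes = fields
        ports[proc][host].add((proto, int(port)))
        sent[proc] += int(nbytes)
    report = {}
    for proc, hosts in ports.items():
        report[proc] = {
            "hosts": sorted(hosts),
            "bytes": sent[proc],
            # Destinations that fall outside every approved network.
            "unapproved": sorted(h for h in hosts if not any(
                ipaddress.ip_address(h) in net for net in approved)),
            # Many distinct ports toward one host suggests port hopping.
            "hopping": sorted(h for h, p in hosts.items() if len(p) >= hop_threshold),
        }
    return report


if __name__ == "__main__":
    for proc, summary in profile(SAMPLE_FLOWS).items():
        print(proc, summary)
```

In the constructed sample, `vpnclient` sends most of its bytes to a peer outside the approved networks after a brief exchange with an approved server, and `chatapp` is flagged for using four protocol and port combinations against a single host.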
Skype and Hamachi are not open source, nor do they use standard protocols to communicate. Hamachi tends to be well behaved, though it exhibits some behaviour that, rightfully so, makes people like Ken Camp uncomfortable in a corporate setting. Hamachi does have some observable behaviour, but because the protocol is encrypted in some manner that we don’t know, we have no way of knowing if the traffic is secure or if it is somehow being decrypted along the way.
Skype is much worse. Not only is the protocol encrypted in a non-standard way and not documented, Skype works very hard to evade detection by firewalls and intrusion detection software. It acts very much like software with something to hide.
Let’s step back a bit and talk about the underlying OS: Microsoft Windows, Mac OS, Linux, and who knows what else. In the Windows case, only a select few have access to the source code. Portions of Mac OS have published source code. All of the Linux kernel and most of the other software used on Linux has available source. Whether the source is available or not, do you have any idea what any of it does? Do you know if that code is going to communicate in some way you don’t approve of? Or take an even further step back: who makes the computer you’re running? How can you be sure that it’s not doing anything nefarious? Quite simply, you can’t.
I seem to be painting a doom and gloom picture here. That is not my goal, but I do bring these issues up to raise a point: at some point, you have to make a decision about whether or not you use a piece of software and anything it relies on. There are ultimately some things you aren’t going to know about the software. It’s important to quantify that where it is relevant, particularly when you are evaluating the security of said software. And while I have concerns about Microsoft Windows, Skype, and several other programs, at the end of the day, I need the functionality they provide. I am taking a leap of faith in using those programs that something bad doesn’t happen.