by Max Mehl from the Free Software Foundation Europe and we try to analyze the links between security and the fact of software being free. Thanks, excellent.

Yeah, thank you for having me here. My name is Max Mehl, as the introduction already said. I'm working for the Free Software Foundation Europe and yeah, today I will talk about the interplay between Free Software and IT security, and unlike many other talks at this conference, this will not be about any specific product or project but more about the whole environment where the security community and the Free Software community might match and interrelate. Especially we will talk a little bit about, or think a little bit about, how openness can contribute to security and how that works, because normally secrecy and security is something hidden, but Free Software is all in the open. So, but first of all a little bit about our work as the Free Software Foundation Europe. We are a bunch of really cool people and a charity that empowers users to control technology, especially in Europe. What do we mean by that? I mean, technology is everywhere. Everyone has at least one computer in their pocket, probably even more, and this technology is everywhere. It empowers our lives, but can we actually control it, or does it control us? This is the question, or this is the topic, that we have been working on since 2001, and yeah, we're doing this all over Europe, for example in political work, public awareness work, but also legal work. So, but now coming a little closer to the topic of today, but first: what is Free Software actually? I'm pretty sure that most of you, all of you hopefully, have heard this term since you're attending this conference, but a little refresher might be helpful still. So Free Software gives you four crucial, elemental freedoms. The first freedom is the freedom to use the software for any purpose. So there are no restrictions. Free Software gives you all permissions to use it.
So no matter whether for commercial interest, private interest and so on. The second freedom: you, or any friend that you ask, can study the software. So you can have a look at the source code, or ask someone else to have a look at the source code, and analyze how it works. The third freedom is the freedom to share the software. So you can give the software to friends, to colleagues inside of your company or inside of your university, and the price doesn't matter. So Free Software doesn't necessarily have to be gratis; there can also be a price tag on it. And the last freedom is the freedom to improve the software. So you or anyone else can improve the software, make it better, make it worse, and also share these modifications and give back to the community. It is really important to know that any software that has at least one restriction on one of these freedoms is not Free Software. Then we call it proprietary software or non-free software. And also important to note again is that people also give it other names. So some people prefer the terms open source, Libre Software, FOSS, FLOSS. These are different name tags, but for the same thing, for the four elemental freedoms. And we prefer the term Free Software because it has an emphasis on freedom. But if you have better reasons to use other words, you're welcome to do so. But now let's start with the actual topic. What is IT security? I'm pretty sure as well that you have your own definition or your own understanding, but I took a definition from this really great person. Who of you in the room knows the person in the picture? Ah, yes. Okay, that's the majority. Yeah, you guessed right. This is Bruce Schneier. He is an IT security expert, cryptographer, journalist and has also authored a few books. And in one of his books, Secrets and Lies, which was released in 2000, he writes: security is not a product, it's a process.
And I find this, this is simple, but I find this really, really clever, because he says, well, security is not something that you can just take from the shelf in the software market and say, well, this is now labeled secure, so it has been secure, is secure and will always be secure. Instead, security is an ongoing process. And it is really important to keep this "security as a process" thing in mind when thinking about how Free Software can contribute to security. So what are the parts of these processes of security? Well, there are the simple things, the obvious things. For example, you have code flaws, bugs that make your software, your product, insecure. That's pretty obvious. If you have a bug, a security-critical bug, then your software is not secure anymore. Or at least you know that it's not secure anymore. Also the question of encryption and algorithms, hashing, things like that. We had many of those examples during this conference already. These are also critical for security. Or also the question of who's actually fixing bugs. So people may report bugs and may know bugs, or you find some, but you have to actually fix them. So that is of course also a part of the whole security process. Then, at a second glance, there are other components of security. For example, libraries. I'm not speaking about those buildings with books in them, but actual libraries that you can take from someone else, somewhere else, some software components that you can include in your own software. Those are pretty neat because you don't have to reinvent the wheel. But, well, do you know that those libraries are secure? Did you check them? Do you trust the third party whom you got this library from? Then there is another factor, the human factor. Imagine you have a 100% secure software solution. Well, we all know that's not possible.
But even if you had one, it would be worth nothing if your coworker or anyone else who has access to it just gives out the data of all customers, or the secret keys that encrypt the data, or whatever. So this is also important to know, that this is also part of the process. Or customization. You are a software company and the client asks, well, I like your software, but make a small modification for me. And then a second and a third customer comes with the same request. So do you add or decrease security by doing those customizations? Do you keep track of it? Do you maintain it? That's also quite tricky. And then there are the really nasty details. Business strategy, for example. A real-life example is one router manufacturer whose software supported a quite old and, well, insecure file sharing protocol. And the developers said, well, let's get rid of it. It's replaced by another nice protocol and this one is more secure. But management said, or other people planning the product said, no, we cannot get rid of it because otherwise we will lose clients, customers, buyers who still depend on this old protocol. So well, from the developer perspective this is stupid, but considering the business strategy, it might be worth supporting older protocols or older features to not lose any customers. There's no perfect solution, but it's part of the debate around security. Then, of course, support cycles. How long do you support your old versions, and how do you notify your customers? Or liability. You made a mistake in your code, or someone else did, and it caused some serious trouble, some serious damage. Who is liable for that? Do you want to be liable? Well, that's a question. So all of these are components of security, and just a small subset. Now, how does Free Software come into play here? Does it work like in this picture?
You just take one of those Free Software licenses, the GPL family or other OSI- or FSF-approved licenses, and in some mysterious way it then makes your product safer? Probably not, right? So how then can Free Software benefit the security of any software? This is also, again, a small subset, but here are four examples of which we think that they contribute to security. First of all, transparency. It's the inherent nature of Free Software to be transparent, and transparency increases trust. As a customer, as a user of a software, I have a better feeling knowing, well, I or anyone else that I ask and who knows their stuff can inspect the code, can inspect the software. I'm not getting any black box, but, well, people play with open cards. And it's also increasing trust internally, because you don't have to spend so much work, so much energy on hiding the source code, but yeah, you can concentrate on actually making your product more secure. It also adds some outside pressure. I had this so many times when speaking with developers and asking them, well, you're having a great software project, but unfortunately it's proprietary. So why not release it as Free Software? And they come and say, yeah, you know, Free Software, it's great and I would love to do it, but there are some really nasty things inside of my code, I cannot release it. It would be a shame to me. What? Sorry, then why do you even release your software? If you're certain that it contains bugs and nasty details and you're not certain about what's inside of your code, you shouldn't release it anyway. So if you're really serious about releasing your software as Free Software, as a single developer or also as a big company, then you have a second or even a third look at the code and try to get rid of bugs and inspect it another time. So this outside pressure, it's a little bit negative, but it's for the better. Then you have sharing synergies.
That's especially visible in projects where multiple partners are working on one software, on one solution. For example, we have it in the public administration field, where one city is starting a software project to solve a certain issue and, surprisingly, other cities come and take up the software and start using it and also giving back to it. And this even across country and continent borders. So if you have other people who share interest, who take interest in the software and become part of the community, that's an awesome thing, because they have a different point of view that can contribute to the security but also to extending the software. But of course this is not automatic. So just because you release the software as Free Software, it does not magically create a community around it. But it has the potential of doing that. And you have the factor of independence. So if you know that the software you're using is insecure, has an issue, has a bug, you can fix it on your own. You don't have to wait for the vendor, for the manufacturer, to fix the problem, but you can do it yourself. Or ask someone else to do it, perhaps as a paid job. And if things get really bad, then you can even fork it. There are really good examples of where this happened and it was for the better of the whole software community, of the whole community of the project around it, that people just made a fork of it. So all of these are components and potentials. And that's why we say Free Software is a necessary, but not sufficient, component of IT security. What do we mean by that? Well, it's necessary. Because we're certain that if you really strive for 100% security of a software, even if that's not possible, but that's the goal, then you have to make it Free Software.
Because otherwise the disadvantages of having it proprietary do not outweigh the advantages of making it Free Software: that you have these community effects, that you have this trust and this independence. But on the other hand, it's not a sufficient component. So just making it Free Software, or even just making it perfectly fine Free Software with building up a community and having other parties take interest in your software, it's not sufficient. So it does not make your software magically secure, but you also have to keep these other components in mind. So you decided to make your software Free Software now. That's great. But still there are a few considerations to take and a few things that perhaps are even a little bit more complicated when making it Free Software. So again, a few examples. What about responsibilities? Especially in shared projects, like the one I mentioned with those cities and public administrations. Who's responsible for it? Are you responsible? Is it the partner? Is everyone responsible for auditing the code and making it more secure and keeping that in mind? And how to deal with external libraries that you take into your project? Well, again, no simple answer, but this has to be done and this has to be thought of. Then the degree of reuse. Free Software is great because you don't have to reinvent the wheel. You can take existing software, existing components, and make your own software on top of that. Imagine a web application. You take one web server, a database, then another web framework, and on top of that your own software. That's great. You don't have to invent a web server from scratch. On the other hand, you're taking on a lot of external risks as well, but also a lot of external knowledge. On the other hand, you could say, well, I'm just making everything custom. Like, I write my web server from scratch and everything else. Then I know what's inside of it.
I tailor it to the needs that I actually have and I reduce the risk of having code that I don't understand and that I cannot check. This is, again, a consideration to make. Then there's often the argument about national security, especially when you talk with politicians and people from politics, who say, well, if we release some software as Free Software, it might infringe our national security. Yes and no. I think for most software we know and have ever seen the code of, we cannot say that it would endanger national security if this source code was public. But on the other hand, yes, there might be software, especially in the military area, where I think, personally, well, we would be better off if this software was not published to some groups, or to the public, or to some other states. This is a consideration to take. I have never had to make this consideration and never had to say I'm not releasing the software I'm working on as Free Software because it has so much risk for everyone. But still, it's a consideration to make. And, of course, there are other components of security. For example, again, take your software that is 100% secure. Well, it's not really worth it if the underlying hardware is insecure and has a lot of backdoors. Take, for example, the Management Engine or other things. So this is where free hardware would be awesome. Or reproducible builds, so that you can check that the binaries that you got and that you have running on your devices are actually matching the source code that you and others analyzed. And, of course, all those other security processes which we partly already touched on. So, again, Free Software is a component that has a huge potential for security, but it's not sufficient to make a software secure and your whole infrastructure secure. Now, we have told those arguments so many times to other people in so many areas, and we've heard a lot of counter-arguments, and most of them are not true.
So let's have a look at the top four of the counter-arguments. Here's my personal favorite. Well, Free Software is awesome, but please only for non-critical things, because otherwise, well, things might break. I think it's exactly the opposite. Especially critical services and critical public services, in which all of us as a society have an interest, have to be Free Software, because we want to have trust in them. We want to trust them. It's important that as many eyes as possible can have a look into that and as many interests as possible can contribute to that and take part in that. So it is even more important to make it Free Software if it's about critical things. Or, also often heard, I guess you have heard the same: well, if you open your source code, then that's a potential risk, because then other people can look for backdoors, not for backdoors, for code flaws, and, well, exploit them; if you just hide it away, then nobody can have a look into that and then you're secure. This is the security by obscurity argument, and this has been proven wrong so many times. In the last two to three days we've seen so many examples where researchers got binary data and got things that are obfuscated and still found security-critical bugs and found out, well, actually the source code of a program, of a software. Instead, we should apply Kerckhoffs's principle: that you open up the algorithm, the software, how it works, but you concentrate on keeping secret the key and the data. So having this distinction helps you to concentrate on what's really important. Also often heard is the argument that Free Software is made only by and for hobbyists. We just have to take a look at the Linux kernel nowadays. How many contributors, 17,000, and from so many companies, and also companies doing a lot of proprietary work as well. But again, this is not unprofessional. This is highly professional.
Have a look at companies like Red Hat, at foundations like Apache, Microsoft, or also at those whole areas of virtualization things on the server, web servers, content management systems. This is where Free Software is leading the industry, and we are not these hobbyists anymore, these hackers that are sitting in their basement and doing stuff in their free time. It's a highly professional thing and we should appreciate that, and we should see that, well, Free Software often is even more professional than proprietary alternative software. And last but not least on this top four: business secrets. If you talk to CEOs and tell them about the benefits of Free Software, they say, well, that's nice, but it would invalidate my whole business model. This is like, source code is my business secret. And there's no clear answer. In most cases, it is fair to say that there are a lot of business models that are compatible with Free Software. So you can conduct your business, perhaps with a few modifications, and still open up any software that you ever wrote in your company. But of course there might be a few edge cases where you could also say, well, if I release this software, that's really everything my company has. And that's a consideration to take, but markets also evolve quite quickly. But still, that's one counter-argument where you can say, well, yes and no at the same time. So to conclude, I would like to speak about one concrete example, and this is the example of Huawei. It's a Chinese company which is creating a lot of consumer devices, smartphones and so on, and a leading force in 5G infrastructure, network infrastructure. So 5G is the next mobile communication standard: much faster, much lower latency and much more secure, of course, so everything bundled into one technology.
And now the thing is, it's a Chinese company, and there have been allegations, especially from the US side, saying, well, this company spies for the Chinese state and for intelligence services. And so many states and governments thought about, well, okay, now we are deploying, or we are planning to deploy, 5G infrastructure. So a lot of devices, a lot of network things that drive large parts of our society. So then in the future, in 5, 10 or 15 years, everyone is communicating over 5G, there are emergency services, large parts of the industry are going over 5G. So can we really put trust in one company? And what about the competitors? For example, Cisco, Ericsson, can we trust them actually? And I think that's a really nice example where states and governments recognize the importance of controlling technology. So we at the FSFE sat down and thought about, well, how can we, from the Free Software perspective, try to solve this issue? And we think that by opening up the whole 5G stack, the software, we could solve a lot of the issues that arise and a lot of the questions. So what are the typical advantages of Free Software? Most of them I've already mentioned. Free Software increases trust and establishes trust. 5G is critical public infrastructure. So we should have trust in it, we as the users who are using it and also the states which rely on it. Free Software makes independent security audits possible. Of course, we don't have to trust the good will and the good word of Huawei, Cisco and any other company that gives us the code and says, well, we do not spy on you, it's secure. And also quite beneficial: agencies, so the national agencies which do some security checks and perhaps even have access to some parts of the source code, could share their work if everything was Free Software.
So the French, the German, the Italian, the US agencies could just share the results and the work when analyzing the security or the trustworthiness of such critical infrastructure. And a nice thing we also thought about was, well, the competition, the competing companies could also have a look at each other's code, or they would naturally do so. How tempting would it be for any competitor to find a backdoor in the software of Huawei? That would be awesome, right? And they have a lot of resources and would invest them in checking their competitors and finding bugs, finding backdoors. So that's again something where a state could outsource a lot of work by just requiring that such software, such drivers of critical infrastructure, be opened up as Free Software. But of course, again, Free Software would only be one component. Especially in the network area, it would be important to have free software so that the chips which everything runs on can also be checked for security issues, or reproducibility, so that the binaries and the programs running on the ground, like for the network operators, can also be checked for whether they match the actual source code that has been assessed by other parties. Now you may think, well, that's completely unrealistic. And perhaps you're right. Perhaps you're right when we're speaking about 5G and Huawei in this case. But I think in the medium term, in the long term, this is perfectly realistic, because states and governments start to recognize that independence is important and that they're depending on a lot of third-party software which they cannot trust. And yet again, there's more and more technology which our societies rely on. So it's important that we as users and citizens, but also as a society, as states, can have trust in that, can have a certain degree of independence.
So I think that this factor of Free Software, this factor of independence, especially for infrastructure, becomes more and more important and that people are starting to recognize it. So I would like to invite you to keep this in mind, and when reading the media and reading something about security incidents, which pop up regularly, that you think about: how could Free Software have contributed to this? What would have been the benefits? Would it have made any difference to you? So think about that, and if you have any interesting findings, please let us know, drop us an email. I would be happy to discuss that with you. And until then, I would like to thank you for your attention and of course all FSFE supporters who enable our work. Thank you.

Thanks. Is there any question?

In the meantime, do you think that today the Free Software Foundation has some leverage over situations like 5G, or in the case of China, do the Free Software incentives work? I mean, there is more and more hardware and software coming from China. Are they free or not in the usual case?

Oh, that's a lot of questions packed into one. In general, yes, especially 5G raised a lot of questions, also from ministries for example. So we have been invited to a few meetings where we presented our thoughts on the Huawei case in the press release, and there has been a lot of contact with ministries and political decision makers about that. And also companies start to think about that. Huawei especially, well, it's a different topic, but the relationship with Google on their Android basis: we are depending on Google, so what could be our solution? What could be our take when the trade war goes even further? So there are a lot more companies alone in this small bubble thinking about it, and a lot more political actors which also think about it. Regarding China, I cannot say that much.
Personally, I think that there might still be occasions where Chinese companies don't really get Free Software yet, but there are a lot of other examples in Europe and the US as well and other parts of the world. So we have to educate about that, and perhaps also, as a Free Software community, extend our outreach and communication to China and to Asia in general, but also other emerging markets, to educate them about Free Software and the importance of Free Software licenses: that it is not just grabbing software but also giving back, or at least giving freedoms to its users. So there's still something to do on this side. I hope that helps you.

So you talk about the public advocacy work that you do, and something that is interesting, for example at the European level, is that some people understand that they need to send some funding towards Free Software projects that are part of a common infrastructure. So we had a talk from a VLC developer that mentioned that yesterday, and I think that we also need funding not just for maintaining what exists but for trying to provide incentives to develop new solutions that are more secure than what exists in the infrastructure we use today. And some places are a bit open to that, so Germany has a Prototype Fund initiative, for example, which is quite nice. So in your experience, the FSFE's experience talking to politicians, is it something they understand the need for, or is it something they are interested in doing something about?
Yeah, definitely. So you already mentioned a few examples, like FOSSA, which financed the security audit of VLC, also the Prototype Fund. But it's a bit of both, basically. So in the European Commission, and also in the Parliament, and in the last Parliament, there have been quite a few people who understand our issues, or the issues of the whole Free Software community, and do funding. But of course there are also counter-examples, and many of them. So there are still a lot of politicians, decision makers and also people in public administrations who don't understand Free Software yet, and who don't even understand, I would say, modern development of software. So many who just think that, well, we just ask a company to program a software, and well, on the actual deadline the software is there and then everything works magically. So they never heard about beta status, test rollouts and things like that. So there is still a lot of stuff to do, but I would say the number of people, the amount of knowledge about Free Software, increases. Well, without being too arrogant, I would say this is thanks to the Free Software community, who also thought, well, let's spread the knowledge and let's spread the word about Free Software and talk to those people, even if they don't understand us at first. But many are interested in that, and especially because those topics like 5G become so prominent and everyone has to think about it. And in so many other areas as well. Take, for example, city councils: even smaller cities see the need of becoming more independent, or see the dangers of vendor lock-in, where they have to pay millions and billions just for licenses for software. I won't name the manufacturer of such software, but still they think about what the alternatives are and how they can solve that. So I think the number of people and the amount of knowledge about Free Software increases, but I especially hope that the European Union will be a driver here, and there is still a lot to do.
Definitely. OK, thanks again.