If cancer can be open sourced, why can’t security?
I’m a huge fan of TED Talks. The value I get out of watching them is unmatched by other series of media. One in particular has been on my mind a lot lately. You may have seen it mentioned on CNN: Salvatore Iaconesi is a 39-year-old TED fellow and the artist and technologist behind Art is Open Source. He has recently been diagnosed with brain cancer. Yeah, brain cancer! This is not a good diagnosis.
I don’t know Mr. Iaconesi, but I can only imagine he went through a period of time where he panicked. However, instead of staying in that panicked state or falling into a depression, he decided to take action. In a recent talk, he discusses how he open sourced his medical records in an attempt to gather data and ultimately form a strategy for treating his cancer. So, this got me thinking: why don’t we open source more problems in life when trying to find a solution? Do we already do this with security? The answer is, kind of.
The holy wars of open vs. closed have been raging since the beginning of systems and software. Mr. Iaconesi chose open vs. closed (i.e. just relying on his doctors). This doesn’t suggest that closed is bad in any way, but that Mr. Iaconesi felt there may be additional value in being open. Those of us responsible for security do use open source in similar ways today, whether that is gathering data by searching the Google or posting to mailing lists. Maybe we use back channels (i.e. Twitter DMs) to discuss issues with trusted comrades. But all kidding aside, Mr. Iaconesi took it web-scale.
So the question to ask then is, “did the benefits of open sourcing his medical records pan out?” Mr. Iaconesi has some very interesting numbers. At the time of his TED talk, over 200,000 people unknown to him had read his medical reports and submitted 50,000 different suggestions for treating his cancer – everything from medicine to magic. Two hundred people have helped categorize the suggestions. Sixty doctors have contacted him (as he says, real doctors with white coats). Forty of those doctors have received over 500 reviews (the network effect can be seen here). Mr. Iaconesi received valuable information, provided by experienced people. With all of this data, he has been able to organize a single strategy for treating his cancer.
As individuals that are responsible for diagnosing and treating security vulnerabilities, can we relate to Mr. Iaconesi? Once we have diagnosed a “cancer” in the form of a security vulnerability, can we open source our records and gather data to form a single treatment? The question becomes: what does that look like and is it safe? Is it possible that we’ll receive 500 reviews of 40 solutions like Mr. Iaconesi? Can Mr. Iaconesi’s example really be applied to security? The answer is, yes.
Mr. Iaconesi has proven that a very sensitive issue with a lot at stake can benefit from being open sourced. Admittedly, there may be less to gain from exploiting Mr. Iaconesi’s cancer than from exploiting a network security vulnerability. However, with some proper obfuscation up front, I believe open sourcing security can have the same success as Mr. Iaconesi’s open sourcing of his medical records.
In future posts, I’ll cover some examples of how security vulnerabilities have benefited greatly by being open sourced – by allowing passionate & experienced people to contribute data and form a strategy and a solution, much like in the example of Mr. Iaconesi.