Trust in Software
Published by James Gallagher.
Part of the reason that I decided to switch my password manager was trust. It is difficult for me to trust a large corporation that is accountable to its shareholders. I have had positive experiences with security software in the past, but I have my reservations. What if the software company on which I rely shuts down? What if there is a security breach?
To use many of the services in the so-called “cloud,” you need to place a lot of trust in an external party. When I used Dropbox, I implicitly trusted that they would keep my data safe and secure. It was not a conscious act at the time. I was not thinking about alternatives. I admit that I chose to use Dropbox because they offered a lot of bells-and-whistles. File synchronization? Yes, please!
I read an article in WIRED about how a technology journalist was hacked. What shocked me about the story was that nobody used any phishing attacks or brute-force tools. They used social engineering. The attackers managed to get the last four digits of the journalist’s credit card by impersonating him to an Amazon support representative. It turns out that all Apple needed at the time to verify your identity was your billing address and the last four digits of the credit card on file. The attacker reset the journalist’s Apple ID account, and you can guess what happened after that.
The point of this story, as I see it, is that technology companies may say that they have our best interests in mind. That does not mean it is true. Such a simple attack required no technical exploitation whatsoever. It was just gaming the system: the pieces of information one company treated as public were the same pieces another company treated as proof of identity. How can I be sure that the information I give away to companies cannot be used in this way? I have almost no idea about the password reset mechanisms that the tech companies on which I depend use.
I have been losing faith in technology companies for a while. That is why I am starting to embrace more open source software. My most recent venture into this world was KeePassXC. I have not quite got the hang of its browser extension. Aside from that, I have had a very positive experience using the software. It is a bit technical, but it provides what I need. I feel a lot more confident about my password security.
What I have come to love about open source software is that it is dependable. There is a community of people behind KeePassXC who keep it maintained. If there is a vulnerability in the software, contributors will fix it because they are devoted to the project. This is a level of dependability that I cannot, and do not, expect from technology companies. How many tech companies have shut down in the past and left their customers hanging?
Dependability matters because I like to have a workflow. I have tools that I use, and I get good at using those tools. I am not at the point where I am a maestro of KeePassXC yet. It will take time. I am willing to put some faith in the process because not all software is intuitive. That’s part of the trade-off that you see with some, but not all, pieces of open source software: the user experience may be less fluid. It is a small price to pay for security.
I am starting to run more software locally. KeePassXC does not require access to the internet. I am weaning myself off online services that I do not use. I guess this is reversion to the mean. History is repeating itself. In the early days of computing, everything was on your computer. A spreadsheet on a website? That was outlandish. We are now in the world of web applications: full-scale apps that run in your browser. Do I really need these tools to run in my browser? In most cases, no. I’d much prefer a native, on-platform experience that is tailored to my operating system.
I know that when I run software locally it will be dependable. I am making conscious decisions now about the platforms I use. When I am deciding what software to use, I am starting to ask questions like: Does this software require me to give up personal information? What security and privacy options can I expect? Is this software going to be with me for the long haul? I’ve noticed that when I pick a tool I stick with it for a long time unless something is wrong. Something has been wrong with many of the tools I have been using: they have not been as secure or efficient as other alternatives. Some window shopping was needed to see what other tools I could use.
A Developer’s World
Most of what I can imagine I would need to do with a computer can already be done through open source software. There are open source email clients. I am using Apple Mail, which I now realize could be a mistake. It is part of the Apple ecosystem. I believe I disabled iCloud backups for everything, but I am not sure whether I should be using Apple Mail. I know, I have a Mac. There’s only so far I can take this. (I am considering an operating system change.) It is worth thinking about whether a better experience could be offered by another tool. What about Mozilla’s Thunderbird client?
Individual developers who work on open source projects have earned my trust by the fact that they are willing to show their code to the world. The more people who contribute to a piece of software, the more trust I have that its quality will be high. I want to feel this way about every piece of software I use. I want to know that when I use a tool my privacy will be respected at all times. I want to know that it is not dependent on a cloud to run.
Modern tools developed by technology companies are all too often dependent on the cloud and on the longevity of the business to operate. I expect that not every company will do what Netscape did when it was being hammered by Microsoft. (Netscape, for context, open sourced its code when it was feeling the heat, which led to the start of Mozilla Firefox.) Most technology companies will let their tech die if they fail. This does not have to be a concern if I pick the right software.