this post was submitted on 15 Jul 2023
124 points (97.7% liked)

No Stupid Questions

36183 readers
803 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 2 years ago
MODERATORS
 

So with open source software more on my mind lately I was wondering - while I get the benefits of transparency and such, how safe is it? If the source code is available to all, isn't it easier to breach for people (like the recent cookies hack)? If I'd have an open source password manager, would it be easier for people to get my passwords somehow than if I use something not open source? Do I just not understand how software works in general?

And what are other benefits that may be not so obvious to someone not so knowledgable about this?

Edit: thank you all for really insightful answers! Among other things I also learned just how much I don't know :)

top 39 comments
sorted by: hot top controversial new old
[–] Zeth0s 69 points 1 year ago* (last edited 1 year ago) (1 children)

Short answer is no. Safety of a program is in its implementation, not in the visibility of the code.

Most of the internet runs on opensource code, most companies that require highest security rely on open source programs, while companies relying on proprietary software are victims of hackers, malwares, ransomware every second (I am not going to name names to avoid useless wars).

That said, not all open source code is safe to use, as no all closed source software is safe to use. Bigger projects, used by many and used by experts are usually safe, most often even safer than close source counterparts.

Smaller projects are as safe as any random software downloaded from internet, unless you are able to read the code yourself. Many are safe, many aren't, few are malevolent.

Be careful and research the program you are installing for security concerns.

If you want to download big stuff like debian, fedora, blender, gimp, krita, chromium, vscode, docker, k8s (I don't know what you are into) just be sure that you trust the source from were you download binaries. The same as for any closed source software

[–] Pieisawesome 6 points 1 year ago (3 children)

Technically, vscode isn't open source. It's in the same situation of chrome vs chromium.

Majority is the same, but Microsoft has some non-open source parts of vscode.

Vscode repo contains "code - oss"

[–] PantsOnHead 3 points 1 year ago

Except Chromium can still access the Chrome extension store. The VSCode extension store is not included with the OSS version, which seriously hampers the usefulness of the app.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

There is VSCodium that is released under MIT without the Microsoft proprietery stuff.

[–] Zeth0s 1 points 1 year ago

I know, but I didn't want to add too many details to the answer. Also because the core of vscode is open source and can be read by anyone

[–] [email protected] 41 points 1 year ago (3 children)

Open source is generally considered to be more secure because the large number of eyes on it are expected to catch the vulnerabilities. That’s the idea anyway.

I get where you’re coming from though. If anyone can see how it works it must be easier to break into right? But if something is only secure because you don’t know how it works, then it isn’t really secure at all.

[–] [email protected] 15 points 1 year ago* (last edited 1 year ago)

Right. The amount people with good intentions looking for vulnerabilities in open source software far outnumbers the amount of malicious actors looking for vulnerabilities. Chances are great that, by the time malicious actors find a vulnerability, someone with good intentions is working on a patch already.

[–] blackbelt352 7 points 1 year ago

But if something is only secure because you don’t know how it works, then it isn’t really secure at all.

For an IRL equivalence, just watch any Lock Picking Lawyer video featuring any Master lock. If watching how easily defeated those locks are plummets your confidence in those locks, well it's the same idea with digital security.

[–] [email protected] 24 points 1 year ago* (last edited 1 year ago) (1 children)

Security through obscurity is never a good thing, this has been proven many times over.

Basically, both models have been set to the test years after years, open source software always wins in regards of security over closed source solutions. Security holes are patched faster, and in most cases, way before they're even exploited.

Other benefits are... well, you can change it however you like... or pay someone to change it (not so uncommon as some might think).

[–] [email protected] 12 points 1 year ago (1 children)

Providing enterprise support for open source software ain’t much, but it’s honest work

[–] [email protected] 4 points 1 year ago

It still beats closed source solutions. We had SonicWall at work, it got breached 3 times. Now we have an OS solution, a company maintains it, we haven't had a single breach in years.

[–] CliveRosfield 22 points 1 year ago (1 children)

It’s more safe than closed source because it’s open for all to view and edit. Of course if nobody looks at it then it’s as good as being closed.

[–] Takumidesh 2 points 1 year ago (1 children)

I don't necessarily agree with this. Just because software is open doesn't mean it's actually getting audited and it also doesn't mean the people doing any auditing know what to look for.

On the other hand, closed source (or open source) software can be audited by reputable companies just the same.

The fact that it's open, in my opinion, can give people a false sense of security with the software.

The log4shell vulnerability existed in the code since 2013 and wasn't found until the end of 2021.

[–] IamtheMorgz 1 points 1 year ago

I don't think the real problem is that the vulnerabilities exist. It's a question of how many people are looking for those vulnerabilities and what those people's intentions are. With big open source projects, as someone else already pointed out, the number of good actors far exceeds the malicious ones, so when a vulnerability is identified it's more likely to be by someone who just wants to patch it, not exploit it for gain. In a closed source project, fewer good actors are looking - only the people allowed to work on the code - but the bad actors are probably pretty much the same. Of course, popularity of the program and what it's actually doing matter, too, in terms of how interested bad actors are going to be.

I love the idea of open source software for exactly this reason. I see it as a reminder that most people are good.

[–] [email protected] 15 points 1 year ago* (last edited 1 year ago)

"Given enough eyeballs, all bugs are shallow." - Linus Torvalds

Open Source software is (caveat, qualifier) safer than proprietary software. (And I'll get to the caveats and qualifiers later.)

Software exploits are possible only because of mistakes, oversights, negligence, or mistaken assumptions on the part of the developer of user of the code. More eyes on the code help suss out those mistakes, oversights, negligence, and mistaken assumptions, creating a more secure (and bug-free) piece of software.

Besides that, companies that make proprietary software have incentives to put evil things into said proprietary software that endanger you to enrich them. (For instance, phone apps collecting personal data about you only to sell to advertising companies.) Companies that contribute to open source software also have incentives to put evil things into open source software, but when everyone has access to view the source code, it's a lot harder to get away with that. (Not to say it's never happened that purposeful vulnerabilities have gotten into open source software, but it's a lot easier to catch such vulnerabilities in open source software than proprietary software.)

As others have said, the way algorithms related to security are designed, the security doesn't depend on keeping the algorithm secret. (But rather, keeping a "key" -- a bit of data generated by the algorithm -- secret.)

Now, caveats.

I do believe there is some extent to which open source software is trusted to be safe even when the "chain of custody" is questionable. There are ways to ensure integrity, but there are repositories such as NPM that carry large amounts of open source software that is used by huge numbers of people on a regular basis that don't utilize sufficient integrity checking techniques. As a result, there have been a few cases where malicious code has sneaked into NPM and then into codebases.

There are also cases where governments have gotten malicious code into open source projects. (Though, I'd expect that's more of a problem with proprietary software, not less.)

[–] designated_fridge 8 points 1 year ago

I think one general benefit of open source is that in general - they are built for the user rather than for the stakeholders.

If Spotify was an open source app - you know for sure you would be able to hide podcasts for example (for people who don't care about podcasts and just want a music experience). However, since for Spotify The Business it's better to piss off X% of their users if Y% of their users turn into podcast users - they're not going care about the angry X%.

So in general - in open source apps you'll generally find features users actually want and very rarely the app will try to push new features on you because they're trying to make numbers look good on their quarterly report.

[–] [email protected] 6 points 1 year ago

It depends on the project. A server used by thousand of users and companies? Super secure. A random library with barely any usage or engagement? I wouldn't trust it without reading the source first.

[–] nachom97 5 points 1 year ago

To add, open source projects tend to give YOU more control over the data (if not the mainline version, some fork will probably exist. Its far more profitable to target a big company for a ransom than an average Joe. Obviously, as long as you don’t fall for one of the classic blunders.

[–] Koma52 4 points 1 year ago (5 children)

Neither closed or open software is safer than the other in my opinion. If someone wants to find a vulnerability they will find a vulnerability. The only advantage open source maybe has that it's harder to hide vulnerabilities for years and it's more obvious if they don't fix it. But personally I wouldn't use open source just for safety reasons.

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago) (1 children)

Wow. I couldn't possibly be any more your opposite in this regard. I try very hard not to run proprietary software. For safety reasons. And when I do run proprietary software, I do my best to sandbox it. I don't let my Nintendo Switch talk to my home network often. I hacked my robotic vacuum cleaner not to phone home. I do my (U.S.) taxes on stupid paper because there aren't pure-FOSS options for filing electronically.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Hello, me. I do all of these things as well. VLAN/Valetudo/vivisect Intuit.

[–] [email protected] 5 points 1 year ago

The software is as safe as it's maintainers. The Linux kernel runs the majority of the world's devices, open source software makes up just about every industry standard piece of software that runs the web. Linux tends to see a lot less major vulnerabilities than Windows, and fixes for those are released much faster because anyone can submit the fix, maybe even the person who found it in the first place.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

If someone wants to find a vulnerability they will find a vulnerability.

only if there is a vulnerability. Which is possible but not necessary.

The only advantage open source maybe has that it's harder to hide vulnerabilities for years

Vulnerabilitues should never be hidden but in stead eradicated. The true advantage of oss (regarding security) is that your implementations have to be secure. Security by obscurity is simply not an option

and it's more obvious if they don't fix it.

Security also means knowing about issues. When "they don't fix it" in OSS, you at least (can) know about that, in closed source it is harder to be sure that the code is secure.

[–] [email protected] 2 points 1 year ago (1 children)

What kind of safety reasons rule out OSS for you?

[–] [email protected] 2 points 1 year ago (2 children)

I think they mean any safety advantages on their own aren't enough to warrant a switch.

[–] [email protected] 1 points 1 year ago

I interpreted it the same way devexxis did, but on rereading, I think you're right.

[–] [email protected] 1 points 1 year ago

Aha. Understood. Thank you for the clarification

[–] cyberpunk007 1 points 1 year ago (1 children)

This is the right answer. Basically nothing is secure. That's the truth. There will always be a hole or a way to circumvent something. That said, a lot of open source software is very high quality and I use it where I can because it's free and some conglomerate is not push ads or siphoning info from me.

[–] [email protected] 1 points 1 year ago

It is no all or nothing question. Some things are obviously more secure than others. Locking your door with a key won't guarantee that there will be no home invasion but having no lock at all will make it much easier for potential threats. And open source software has advantages in this regard.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

Most interactions in life are based on trust, so I don't think you can be totally safe. However, you can choose who you trust enough so you don't have to constantly worry. You might find this speech titled Reflections on Trusting Trust by Ken Thompson relevant.

Also see Linus' Law, which postulates that more people looking at code means bugs get noticed and fixed quicker, and large open source projects usually have a lot of people working on it.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

Like most things, it's about balance. All changes to open source software must be approved by the community managing it, and if that community is lazy or poorly managed or simply too busy then there's an opportunity for new vulnerabilities to be created, either accidentally or maliciously.

But for well managed software, as other people have said you can get more changes more frequently, more security as many people are evaluating the code base, and greater attention to what users want rather than what's profitable. Whereas with closed source software there is a greater focus on profitability, and sometimes that leaves vulnerabilities open when development is rushed and/or vulnerabilities are not seen as important enough to justify the cost to fix, but sometimes that tendancy towards profitability can also ensure the product stays a market leader. Steam may be a good example of a good closed source product.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

The idea is that having "many eyes" on the code, the vulnerabilities should be found and solved more readily. BUT... of course this is true only for big projects which actually do have many contributors.

Viceversa, while skilled (or high budget) attackers can still find vulnerabilities in proprietary software (think of how people still crack consoles and games), good-intentioned people cannot contribute to weed out these vulnerabilities.

But most important of all, it's trust. There is no way to be sure that a proprietary piece of software is actually as secure or respectful of privacy as it claims to be. Whatsapp claims to have end to end encryption, but you can't tell if it's truly secure or if it has a backdoor or some other spyware in it. For OSS instead you can always read the code yourself, or trust the many eyes that did.

Some months ago it came out that as soon as windows 11 is boot up for the first time, it starts contacting services like Amazon and steam (allowing for tracking) before even asking for license and privacy agreement. The same thing could not happen in Linux because the code is open.

Also, by using proprietary software from big corporations you give them power over your infrastructure and your work, and possibly on other people interacting with you. Which is definitely not poggers.

[–] [email protected] 1 points 1 year ago (1 children)

BUT… of course this is true only for big projects which actually do have many contributors.

It’s not always that easy. OpenSSL had the heartbleed vulnerability for two years before it was discovered and patched. Log4j also had log4shell unnoticed for a while. These two projects are both widely used.

On the other hand, we don’t know to the same extent which serious vulnerabilities have existed (or still exist) in closed software. Heartbleed and log4shell got huge attention because they impacted open source software. They would probably still be left unpatched if they were in closed source software.

[–] [email protected] 1 points 1 year ago

Vulnerabilities exist in every piece of complex software. Open source means that when a something is found, it'll be patched and pushed out quickly because there is no secrecy and everybody just wants it to get done. In commercial, closed source software, the infectives are different. Companies world rather spend their time on money making activities that supporting their old stuff. And they're scared of reputational damage, so they're more likely to sweep things under the rug. Generally, i trust open source software far more.

[–] [email protected] 3 points 1 year ago

There are good comments here already, but I thought I'd provide a practical breakdown of my experience using both in web development.

Open source software is generally better overall from a programming perspective. The "many eyes" dynamic can be extremely positive if the project has a strong developer community. Even smaller communities make great software.

On a security level, I'd say they're about on par - I've had about as many security issues with open source as I have with closed. It was what to do when that security problem arose that the real difference came into play. In open source, you either have to figure it out yourself, or wait for the community to fix it. In closed source, you're paying someone to fix it for you. On the balance, closed source security issues get fixed faster than open source in my experience, but it really depends on the strength of the community behind the open source project, versus the size of the closed source company - bigger companies move a lot slower than many of the smaller services I've used.

On a software evolution level, open source wipes the floor with closed source. There's simply no competing with the amount of creative minds behind open source development. Most closed source successes in the online world are built on the backs of open source developers - if not directly, than on the ideas that had their genesis in the open source space.

When it comes to consistency and stability, they're about neck and neck, with a slight advantage to closed source. Again, it's the difference between volunteers maintaining the code and someone you're paying.

On a personal level, how much do you want to be involved with running the software? If you want to have a greater level of control, build new features, and have the time to maintain it, go open source. If you just want it to work and you're willing to pay someone else to maintain it, go closed source.

Note in a corporate setting, it's often better to go with closed source, as then you have more plausible deniability and someone else to blame when it fails.

[–] [email protected] 1 points 1 year ago

If you know how to code and you audit the code and compile it yourself from the source code ? Then it is 100% safe.

If the program is from a well regarded community and the source code is easily accessible to the public and it has been regularly reviewed by experts ? Then it is pretty safe.

If the program is from an unknown source and the source code is difficult to access by the public or it is obfuscated and no reviews are available? It is probably better to give it a miss and keep looking for a program that is more trustworthy which suits your needs.

load more comments
view more: next ›