this post was submitted on 15 Jan 2025
22 points (80.6% liked)


I recently learned that my company prefers closed-source tools for privacy and security.

I don't know whether the person who said that was just confused, but I am trying to come up with reasons to opt to closed-source for privacy.

top 27 comments
[–] TCB13 2 points 1 day ago (1 children)

Okay, here are a few thoughts:

  • Companies like to blame someone when things go wrong; if they chose open-source there isn't someone to sue then;
  • Buying proprietary stuff means you're outsourcing the risks of such product;
  • Corruption pushes for proprietary: they might be buying software that is made by someone that is close to the CTO, CEO or other decision maker in the company, an old friend, family or straight under-the-table corruption;
  • Most non-tech companies use services from consulting companies in order to get their software developed / running. Consulting companies often fall under the last point; besides that, they have large incentives from companies like Microsoft to push their proprietary services. E.g. Microsoft will easily provide all of a consulting company's employees with free Azure services, Office and other discounts if they enter into an exclusivity agreement to sell their tech stack. To make things worse, consulting companies live off cheap developers (like interns), and Microsoft and their platform make things easier for anyone to code and deploy;
  • Microsoft provides a cohesive ecosystem of products that integrate really well with each other and usually don't require much effort to get things going - open-source, however, usually requires custom development and a ton of work to work out the "sharp angles" between multiple solutions that aren't related and might not be easily compatible with each other;
  • Open-source requires a level of expertise that more than half of the developers and IT professionals simply don't have. This aspect reinforces the last point even more. Senior open-source experts are more expensive than simply buying proprietary solutions;
  • If we consider the price of a senior open-source expert + software costs (usually free), the cost of open-source is considerably lower than the cost of cheap developers + proprietary solutions; however, consider we are talking about companies. Companies will always prefer to hire more, less expensive and less proficient people because that means they're easier to replace and you'll pay less taxes;
  • Companies will prefer to hire services from other companies instead of employees, thus making proprietary vendors more compelling. This happens because from an accounting / investors perspective employees are bad and subscriptions are cool (less taxes, no responsibilities etc);
  • The companies who build proprietary solutions work really hard to get vendors to sell their software; they provide commissions, support and the promise that if anything goes wrong they'll be there. This increases the number of proprietary-only vendors, which reinforces everything above. If you're starting to sell software or networking services there's little incentive for you to go pure "open-source". With fewer companies, less visibility, fewer professionals (and more expensive), less margin and less positive market image: fewer customers and lesser profits.

Unfortunately things are really poised and rigged against open-source solutions and anyone who tries to push for them. The "experts" who work in consulting companies are part of this, as they usually don't even know how to do things without the proprietary solutions. Let me give you an example: once I had to work with E&Y, one of those big consulting companies, and I realized some awkward things while having conversations with both low-level employees and partners / middle management: they weren't aware that there are alternatives most of the time. A manager of a digital transformation and cloud solutions team, who started his career at E&Y, wasn't aware that there were open-source alternatives to Google Workplace and Microsoft 365 for e-mail. I probed a TON around that and the guy, a software engineer with a university degree, didn't even know what Postfix was or the history of email.

[–] [email protected] 1 points 14 hours ago (1 children)

I work in another big4 company, and I have a strong feeling that your claims apply to us as well.

It's funny though that before joining the company, employees are forced to sign some documents about anti-corruption policies.

[–] TCB13 2 points 11 hours ago (1 children)

I work in another big4 company, and I have a strong feeling that your claims apply to us as well.

That's sad, but it is the world we live in.

[–] [email protected] 2 points 8 hours ago

We trust our medical records to insurance companies, that hire big consulting firms, that don't know how to protect data or promote affiliate services. I love this world.

[–] [email protected] 5 points 1 day ago (1 children)

Some people believe open-source tools to be weaker since all the code is there for malicious actors to exploit.

[–] [email protected] 3 points 1 day ago

I don't understand this mindset.

In open source, both malicious actors and contributors will try to find problems.

In closed source, the development team is paid by hour (and probably don't care about the product quality) and the only motivated people to find real issues are malicious actors.

But people still consider closed source safer.

[–] [email protected] 3 points 1 day ago

idk, how secure are you by handing over your privacy to a product whose back-end you can veer into 🥲

[–] [email protected] 28 points 2 days ago* (last edited 2 days ago) (2 children)

In my experience the "privacy and security" argument is a smokescreen.

The real reason is that it makes someone else responsible for zero-days occurring, for the security of the tool, and for fixing security problems in the tool's code. With open source tools the responsibility shifts to your cybersecurity team to at least audit the code.

I don't know about your workplace, but there's no one qualified for that at my workplace.

A good analogy: If you build your house yourself, you're responsible for it meeting local building codes. If you pay someone else to build it, you can still have the same problems, but it's the builder's responsibility.

[–] TCB13 2 points 1 day ago

Yeah it's all about outsourcing the risk to someone.

[–] [email protected] 6 points 2 days ago (3 children)

That smokescreen argument makes a lot of sense. Both the company and our clients tend to opt for ready out-of-the-box proprietary solutions, instead of taking responsibility for the maintenance.

It doesn't matter how bad or limiting that proprietary option is. As long as it somewhat fits our scenario and requires less code, it's fine.

[–] [email protected] 5 points 1 day ago

That smokescreen argument makes a lot of sense.

I don't think it does. Remember the Crowdstrike blunder? Remember how many people blamed Windows?

People don't know or care who is managing your security.

[–] [email protected] 7 points 2 days ago

instead of taking responsibility

This is why they prefer to shift the blame in case it hits the fan. That's all, that's it.
They don't care about code quality, maintainability or whatever.

[–] serenissi 1 points 2 days ago

It doesn't matter if the code is open here. Depending on what your company does, it might be cheaper to buy ready-to-use products from some vendor than paying software/sysadmin guys to review, deploy and maintain. It can even be required by law. Needless to say there are many software vendors selling contracts for open software, either hosted or fully deployed and supported. Still, in many fields like medical, due to vendor lock-ins there isn't much feature-complete open software, and you need the programs to be reliable, usable by non-technical people and virtually unchanged over a long time. To provide these guarantees without depending on proprietary vendors means making your own software company (and perhaps opening up your work so as not to become just another closed software vendor), and nobody does that.

Security works kinda the same. But in these contexts if someone uses privacy and security together like this it's probably just bs.

[–] [email protected] 30 points 2 days ago (1 children)

I recently learned that my company prefers closed-source tools for privacy and security.

I will suggest that same logic to my banker too: a vault whose key they won't own, but I will. Don't worry, all your money will be safe with me, it's a promise 😇

[–] [email protected] 7 points 2 days ago

Pinky promise

[–] [email protected] 13 points 2 days ago (1 children)

Security through obscurity isn't security.

The classic example:

I have a website with no authentication which displays data that really should be locked down. But it's OK because I never told anyone else the URL so no one will find it.

[–] s38b35M5 3 points 2 days ago

I never told anyone else the URL so no one will find it.

Who wants to tell them about DNS records and web crawlers?

[–] [email protected] 13 points 2 days ago

Best reason: nobody sees how bad your code is 🤷‍♂️

[–] [email protected] 8 points 2 days ago* (last edited 2 days ago)

Closed source does for privacy and security what sweeping problems under the rug does: it mitigates them, a bit, but then when they inevitably do hit, they hit hard.

[–] s38b35M5 4 points 2 days ago* (last edited 2 days ago) (1 children)

My past employers have said the same, until I showed them they were already using Apache, nginx, PostgreSQL, MariaDB, and OpenWRT among other things.

A lot of shops think that using proprietary tools means they can demand fixes for critical vulnerabilities, but in my experience, even proprietary dev teams just reply that the code maintainers are aware and working on a fix.

Apache vuln? Here's the link to their acknowledgment of that CVE and exactly what modules are affected.

That may show that the flaw is in an unused module, like node.js, but even when it is applicable, they just wait for the code maintainers to address it. They take no responsibility themselves.

[–] autonomoususer 4 points 2 days ago

Anti-libre software bans us from fixing it, bans us from control.

[–] UnfortunateShort 5 points 2 days ago (1 children)

You can make an argument for confidentiality making it harder to find exploits in your code. If nobody cares enough to report them to you, or if you don't have the resources to fix them, open-sourcing your code just exposes them.

This is pretty much only an argument if you use stuff that would be irresponsible to use in the first place tho

[–] JubilantJaguar 2 points 2 days ago

If nobody cares enough to report them to you, or if you don’t have the resources to fix them

To be fair, this scenario does feel worryingly like it might be common.

[–] [email protected] 4 points 2 days ago (1 children)

There is some logic here: having a business relationship with a party that now has a contractual duty to you is a stronger guarantee than an open source project.

For instance, Windows is source available to many businesses, so in one sense it's open source, and in the other sense it's closed source. From a business perspective that's a reasonable trade-off sometimes.

[–] [email protected] 2 points 2 days ago* (last edited 2 days ago) (1 children)

Tin-foil hat on. So, with CCP/GSP, secret agencies are free to find backdoors on the system.

I didn't know about those programs. I thought the Windows source code is kept secret from everyone.

Edit: https://www.youtube.com/watch?v=MyvwacFNPxc

[–] autonomoususer 3 points 2 days ago* (last edited 2 days ago)

We are banned from fixing backdoors. Conspiracy? Derailment strategy.

[–] autonomoususer -2 points 2 days ago* (last edited 2 days ago)

A very common strategy to divert blame away from yourself is, using fake security as a cover story, infecting yourself with anti-libre software, so you are banned from fixing its source code. Also, saying 'open source' is a strategy to derail libre software.