agnos.is Forums

Why is open source software assumed to be secure?

Ask Lemmy
47 Posts 45 Posters 8 Views
  • D [email protected]

    I support free and open source software (FOSS) like VLC, Qbittorrent, LibreOffice, Gimp...

    But why do people say that it's as secure or more secure than closed source software?

    From what I understand, closed source software doesn't disclose its code.

    If you want to see the source code of Photoshop, you actually need to work for Adobe. Otherwise, you need to be some kind of freaking retro-engineering expert.

    But open source has their code available to the entire world on websites like Github or Gitlab.

    Isn't that actually also helping hackers?

    teamassimilation@infosec.pub
    #10

    It doesn’t literally mean that everyone that uses OSS will inspect the source code for vulnerabilities, most don’t even have the skill to do so.

    It’s more secure because access to source facilitates exploiting it, and patching it, faster, and because nerds that do have the skills and find something unusual will delve into the code to debug it. The XZ Utils back door was found by one such nerd doing beta testing; it didn’t even get to be distributed to general users.

    It’s a telling sign that malicious actors nowadays are surreptitiously trying to compromise OSS through supply chain attacks instead of directly finding zero days. For example: StarDict sends X11 clipboard to remote servers

    • L [email protected]

      The code being public helps with spotting issues or backdoors.

      In practice, "security by obscurity" doesn't really work. The code's security should hinge on the quality of the code itself, not on the amount of people that know it.

      [email protected]
      #11

      It also provides some assurance that the service/project/company is doing what they say they are, instead of "trust us".

      Meta has deployed code so criminal that everyone who knew about it should be serving hard jail time (if we didn't live in corporate dictatorships). If their code were public they couldn't pull shit like this anywhere near as easily.

      • D [email protected]

        [email protected]
        #12

        If you want to see the source code of Photoshop, you actually need to work for Adobe. Otherwise, you need to be some kind of freaking retro-engineering expert.

        What you're describing is known as "security through obscurity", the practice of attempting to increase security of a system by hiding the way the system works. This practice is highly discouraged, as it is known to not actually be effective at increasing the security of a system.

        Security by obscurity alone is discouraged and not recommended by standards bodies. The National Institute of Standards and Technology (NIST) in the United States recommends against this practice: "System security should not depend on the secrecy of the implementation or its components."

        https://en.wikipedia.org/wiki/Security_through_obscurity#Criticism

        Isn't that actually also helping hackers?

        No, by sharing the implementation details of the system, it helps those trying to keep it secure by allowing anyone to inspect, discover, and contribute fixes to security flaws.

        Open-source software is not perfect and is susceptible to security flaws and vulnerabilities, but it is better and more secure than closed-source software in every way. Every risk that applies to open-source software also applies to closed-source software, but worse.

        • D [email protected]

          [email protected]
          #13

          Because more eyes spot more bugs, supposedly. I believe it; running closed source software is truly insane.

          • D [email protected]

            [email protected]
            #14

            Per Eric S. Raymond, "many eyes make all bugs shallow".

            Basically it's not inherently more secure, but often it's assumed that enough smart people have looked at it.

            But yes, all software is going to have vulnerabilities.

            • D [email protected]

              mintiefresh@piefed.ca
              #15

              Ape alone... weak. Apes together... strong.

              • D [email protected]

                [email protected]
                #16

                The idea you're getting at is 'security by obscurity', which in general is not well regarded. Having secret code does not imply you have secure code.

                But I think you're right on a broader level, that people get too comfortable assuming that something is open source, therefore it's safe.

                In theory you can go look at the code for the foss you use. In practice, most of us assume someone has, and we just click download or tell the package manager to install. The old adage is "With enough eyes, all bugs are shallow". And I think that probably holds, but the problem is many of the eyes aren't looking at anything. Having the right to view the source code doesn't imply enough people are, or even meaningfully can. (And I'm as guilty of being lax and incapable as anyone, not looking down my nose here.)

                In practice, when security flaws are found in oss, word travels pretty fast. But I'm sure more are out there than we realize.

                • D [email protected]

                  [email protected]
                  #17

                  Your post is similar to one I saw some time ago. That old post has a reply of mine, and I’ll paste it here:

                  The problem you’re describing (open sourcing critical software) could both increase the capabilities of adversaries and also make it easier for adversaries to search for exploits. Open sourcing defeats security by obscurity.

                  Leaving security by obscurity aside could be seen as a loss, but it’s important to note what is gained in the process. Most security researchers today advocate against relying on security by obscurity, and instead focus on security by design and open security. Why?

                  Security by obscurity in the digital world is very easily defeated. It’s easy to copy and paste supposedly secure codes. It’s easy to smuggle supposedly secret code. “Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools.”

                  What's the alternative for the military? If you rely on security by design and open security for military equipment, it’s possible that adversaries will get a hold of the software, but they will get a hold of software that is more secure. A way to look at it is that all the doors are locked. On the other hand, insecure software leaves supposedly secret doors open. Those doors can be easily bashed by adversaries. So much for trying to get the upper hand.

                  The choice between (1) security by obscurity and (2) security by design and open security is ultimately the choice between (1) insecurity for all and (2) security for all. Security for all would be my choice, every time. I want my transit infrastructure to be safe. I want my phone to be safe. I want my election-related software to be safe. I want safe and reliable software. If someone is waging a war, they’re going to have to use methods that can actually create a technical asymmetry of power, and insecure software is not the way to gain the upper hand.

                  • C [email protected]

                    Zero day exploits, aka vulnerabilities that aren't publicly known, offer hackers the ability to essentially rob people blind.

                    Open source code means you have the entire globe of developers collaborating to detect and repair those vulnerabilities. So while it's not inherently more secure, it is in practice.

                    Exploiting four zero-day flaws in the systems,[8] Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart.[3] Stuxnet's design and architecture are not domain-specific and it could be tailored as a platform for attacking modern SCADA and PLC systems (e.g., in factory assembly lines or power plants), most of which are in Europe, Japan and the United States.[9] Stuxnet reportedly destroyed almost one-fifth of Iran's nuclear centrifuges.[10] Targeting industrial control systems, the worm infected over 200,000 computers and caused 1,000 machines to physically degrade.

                    Stuxnet has three modules: a worm that executes all routines related to the main payload of the attack, a link file that automatically executes the propagated copies of the worm and a rootkit component responsible for hiding all malicious files and processes to prevent detection of Stuxnet.

                    Wikipedia - Stuxnet Worm

                    [email protected]
                    #18

                    “Open source code means you have the entire globe of developers collaborating to detect and repair those vulnerabilities.”

                    Heartbleed has entered the chat

                    • D [email protected]

                      [email protected]
                      #19

                      If Adobe-or-Whatever has an undisclosed vulnerability, a few hundred people could easily already know about it due to working there. It can be due to bugs, or to intentional backdoors required by corporate HQ or government.

                      They will leak this information. Either by accident or for financial gain. Those people will re-sell it to other shady people.

                      Now you sit on software where an unknown number of third parties can hack your shit. And you don't know about the vulnerability, what is at risk, how to protect yourself, or who from.

                      You can mostly trust corpos to protect against general hackers to some extent, but backdoors by government or from their own needs they will just keep secret.

                      Sony's rootkit fuckery is probably the biggest example I can give, but there are tons more. Anti-piracy software is historically a frequent offender.

                        • teamassimilation@infosec.pub

                        [email protected]
                        #20

                        Xz is such a great example of how open source is more resilient, and of how much "core open source" projects need a foundation supporting them.

                        • E [email protected]

                          [email protected]
                          #21

                          It's also easier to share vulnerability fixes between different projects.

                          "Y" was using similar memory management to "T"; T was hacked due to whatever; people that use Y and T report to Y that a similar vulnerability might be exploitable.

                          Edit:
                          In closed source, this might happen if both projects are under the same company.
                          But users will never have the ability to tell Y that T was hacked in a way that might affect Y.

                          • D [email protected]

                            [email protected]
                            #22

                            Isn't that actually also helping hackers?

                            Evil hackers don't need help and don't want help.

                            On the other side, there have been cases where evil programmers have brought malicious code into open source software, and it got found out because that code is public, and it got repaired and reported publicly.

                            Shame on these hackers.

                              • mintiefresh@piefed.ca

                              Ape alone... weak. Apes together... strong.

                              magnetosphere@fedia.io
                              #23

                              Now I’ve got an image in my head of apes sitting around in the jungle using laptops.

                              • L [email protected]

                                [email protected]
                                #24

                                The code being public helps with spotting issues or backdoors.

                                A recent example of this is the lengths the TALOS group had to go to in order to reverse engineer Dell ControlVault, which impacts hundreds of models of Dell laptops. This blog post goes through all of the steps they had to take to reverse engineer things, and they note that fortunately there was some Linux support with publicly available shared objects with debug symbols, which helped them reverse the ecosystem. Dell has all this source code and could have identified these issues much more easily themselves, but didn't, and shipped an insecure product leaving the customers vulnerable.

                                  • magnetosphere@fedia.io

                                  Now I’ve got an image in my head of apes sitting around in the jungle using laptops

                                  mintiefresh@piefed.ca
                                  #25

                                  Fixing back door exploits multiple code repositories 😂

                                  • C [email protected]

                                    [email protected]
                                    #26

                                    The whole Stuxnet story is fascinating. A virus designed to spread to the whole Internet, and then activate inside a specific Iranian facility. Convinced me that we already live in a cyberpunk world.

                                    • D [email protected]

                                      [email protected]
                                      #27

                                      One thing to keep in mind is that NO CODE is believed to be secure, regardless of open source or closed source. The difference is that a lot of folk can audit open source, whereas we all have to take the word of private companies who are constantly reducing headcount and replacing devs with AI when it comes to closed source.

                                      • D [email protected]

                                        [email protected]
                                        #28

                                        It's not more secure or less secure, but it is easier to trust.

                                        • D [email protected]

                                          [email protected]
                                          #29

                                          Somewhat of a different take from what I've seen from the other comments. In my opinion, the main reason is this:
                                          XKCD comic showing other engineers proud of the reliability of their products and then software engineers freaking out about the concept of computerized voting, because they absolutely do not trust their entire field.

                                          Companies have basically two reasons to do safety/security: Brand image and legal regulations.
                                          And they have a reason to not do safety/security: Cost pressure.

                                          Now imagine a field where there's hardly any regulations and you don't really stand out when you do security badly. Then the cost pressure means you just won't do much security.

                                          That's the software engineering field.

                                          Now compare that to open-source. I'd argue a solid chunk of its good reputation is from hobby projects, where people have no cost pressure and can therefore take all the time to do security justice.
                                          In particular, you need to remember that most security vulnerabilities are just regular bugs that happen to be exploitable. I have significantly fewer bugs in my hobby projects than in the commercial projects I work on, because there's no pressure to meet deadlines.

                                          And frankly, the brand image applies even to open-source. I will write shitty code, if you pay me to. But if my name is published along with it, you need to pay me significantly more. So, even if it is a commercial project that happens to be published under an open-source license, I will not accept as many compromises to meet deadlines.
