Why is open source software assumed to be secure?
-
wrote last edited by [email protected]
I support free and open source software (FOSS) like VLC, Qbittorrent, LibreOffice, Gimp...
But why do people say that it's as secure or more secure than closed source software?
From what I understand, closed source software don't disclose their code.
If you want to see the source code of Photoshop, you actually need to work for Adobe. Otherwise, you need to be some kind of freaking retro-engineering expert.
But open source has their code available to the entire world on websites like Github or Gitlab.
Isn't that actually also helping hackers?
-
Zero day exploits, aka vulnerabilities that aren't publicly known, offer hackers the ability to essentially rob people blind.
Open source code means you have the entire globe of developers collaborating to detect and repair those vulnerabilities. So while it's not inherently more secure, it is in practice.
Exploiting four zero-day flaws in the systems,[8] Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart.[3] Stuxnet's design and architecture are not domain-specific and it could be tailored as a platform for attacking modern SCADA and PLC systems (e.g., in factory assembly lines or power plants), most of which are in Europe, Japan and the United States.[9] Stuxnet reportedly destroyed almost one-fifth of Iran's nuclear centrifuges.[10] Targeting industrial control systems, the worm infected over 200,000 computers and caused 1,000 machines to physically degrade.
Stuxnet has three modules: a worm that executes all routines related to the main payload of the attack, a link file that automatically executes the propagated copies of the worm and a rootkit component responsible for hiding all malicious files and processes to prevent detection of Stuxnet.
-
The code being public helps with spotting issues or backdoors.
In practice, "security by obscurity" doesn't really work. The code's security should hinge on the quality of the code itself, not on the amount of people that know it.
-
It's because anyone can find and report vulnerabilities, while closed source could have some issue behind closed doors and not mention that data is at risk even if they knew.
-
Exactly. Open source means by design there are more people able to look at the code and therefore more emphasis for those interested in the code to want to make sure it works securely. You can be exploitative and try to keep your hack secret but there's also a chance that someone else will see the same thing you saw and then patch the code with a PR. Granted it depends on how much the original developer cares about the code to begin with to then accept or write in a patch/fix for the vulnerability that someone else brings up but the example software you listed are larger projects where lots of people have a vested interest in it working securely. For smaller projects or very niche software that have less eyes and interest, open source might not be the most secure.
On the closed source side, the people who are interested in looking for hacks are the ones who are much more motivated to actually exploit vulnerabilities for personal gain. The white hat hackers on the other hand for closed source software are fewer because not having the code available openly means they have to have more motivation (ie the company offering bounties/incentives because they care about security) to actually try to work out how the closed source software works.
-
Exploits in a lot of closed source software are from really stupid/simple things they’d get ridiculed for if the code were open.
In other words, I think being open creates “pressure” for code to be presentable and auditable. That, and there’s tons of opportunity and incentive for dysfunction with closed source stuff, like sitting on known exploits.
…That being said, it isn’t universal. Is a lone hero dev maintaining some open library going to be more effective at security coverage than a huge commercial team? Probably not.
Does the software for nuclear bomb security need to be public? Probably not.
-
The code being public helps with spotting issues or backdoors.
In practice, "security by obscurity" doesn't really work. The code's security should hinge on the quality of the code itself, not on the amount of people that know it.
Yuup. “security by obscurity” relies on the attacker not understanding how software works. Problem is, hackers usually know how software works so that barrier is almost non existent.
-
In addition to the other good points -
Open source software allows you to create reproducible builds, in theory: you can take the source code provided by the vendor (which you theoretically audit to ensure you are satisfied it takes no unexpected action, or whatever your concerns are) and compile it, and get something that can be validated as 100% identical to what you get if you buy the compiled version from the vendor directly.
Without this assurance, the vendor can tell you that this thing they sold you does XYZ, but unless you are looking for it in your network traffic for example you might not know it's uploading webcam pictures of you in the background to ihackedyourwebcam.com or collecting and transmitting telemetry you didn't agree to or etc. Or you don't realize that software you installed on your server has a hardcoded hidden administrator user with password 123456, etc etc etc.
Also, while Linux in particular is by no means perfect, as a Linux user I know I'm using software that is much more likely to be also used by people who WILL take the time to inspect the code themselves, or might take the time to audit what it does on their network, or any of a bunch of other things that bring hard to quantify additional layers of security to the ecosystem around FLOSS.
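As an added example (not code from this thread or from any project mentioned in it), the reproducible-build check the post above describes: build from the audited source yourself, then compare your artifact bit-for-bit with the vendor's. The compiler is a constructed stand-in (`toy_compile`) and the "source trees" are constructed byte strings; the three cases show a build that differs only by timestamp, a pinned build that matches, and a vendor binary built from source with an extra hidden account.

```python
import hashlib

# Constructed "source tree" that we have audited and are happy with.
AUDITED_SOURCE = b"def login(user, pw):\n    return check_db(user, pw)\n"

# Constructed "vendor-internal" source with an extra hidden account, the
# kind of thing the post above warns about. The vendor never shows you this.
TAMPERED_SOURCE = (
    b"def login(user, pw):\n"
    b"    if user == 'support' and pw == '123456':\n"  # constructed backdoor
    b"        return True\n"
    b"    return check_db(user, pw)\n"
)


def toy_compile(source: bytes, build_time: int) -> bytes:
    """Stand-in for a compiler (constructed). Real toolchains often embed
    the build time, paths or locale into their output; we model that with
    a header that carries the build time."""
    header = b"BUILD-TIME:%d\n" % build_time
    return header + hashlib.sha256(source).digest() + source


def digest(artifact: bytes) -> str:
    """SHA-256 of an artifact; what you would compare across two machines."""
    return hashlib.sha256(artifact).hexdigest()


def verify_reproducible(vendor_artifact: bytes, local_artifact: bytes) -> bool:
    """The actual check: the two artifacts must be bit-for-bit identical.
    Any difference, whether a backdoor or a timestamp, fails the check."""
    return digest(vendor_artifact) == digest(local_artifact)


def nondeterministic_case() -> bool:
    """Honest vendor, identical source, but the toolchain stamped the
    wall-clock time: two builds one second apart disagree. This is the
    "in theory" caveat from the post, and why projects pin build inputs."""
    vendor = toy_compile(AUDITED_SOURCE, build_time=1_700_000_000)
    mine = toy_compile(AUDITED_SOURCE, build_time=1_700_000_001)
    return verify_reproducible(vendor, mine)


def pinned_case() -> bool:
    """Same source, build time pinned (what SOURCE_DATE_EPOCH does for real
    toolchains): the builds match and the vendor's binary is validated."""
    epoch = 1_700_000_000
    vendor = toy_compile(AUDITED_SOURCE, build_time=epoch)
    mine = toy_compile(AUDITED_SOURCE, build_time=epoch)
    return verify_reproducible(vendor, mine)


def tampered_case() -> bool:
    """Pinned build time, but the shipped binary came from the tampered
    source: the check fails even though the published source is clean."""
    epoch = 1_700_000_000
    vendor = toy_compile(TAMPERED_SOURCE, build_time=epoch)
    mine = toy_compile(AUDITED_SOURCE, build_time=epoch)
    return verify_reproducible(vendor, mine)


if __name__ == "__main__":
    print("wall-clock builds match:", nondeterministic_case())  # False
    print("pinned builds match:    ", pinned_case())            # True
    print("tampered vendor matches:", tampered_case())          # False
```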
-
Otherwise, you need to be some kind of freaking retro-engineering expert.
And as it turns out, there is a ton of financial motivation for less than ethical people to develop those skills and use them to hack proprietary software. And there is some, but less, financial motivation for ethical people to do the same.
-
It doesn’t literally mean that everyone that uses OSS will inspect the source code for vulnerabilities, most don’t even have the skill to do so.
It’s more secure because access to source facilitates exploiting it, and patching it, faster, and because nerds that do have the skills and find something unusual will delve into the code to debug it. The XZ Utils back door was found by one of such nerds doing beta testing, it didn’t even get to be distributed to general users.
It’s a telling sign that malicious actors nowadays are surreptitiously trying to compromise OSS through supply chain attacks instead of directly finding zero days. For example: StarDict sends X11 clipboard to remote servers
-
The code being public helps with spotting issues or backdoors.
In practice, "security by obscurity" doesn't really work. The code's security should hinge on the quality of the code itself, not on the amount of people that know it.
It also provides some assurance that the service/project/company is doing what they say they are, instead of "trust us".
Meta has deployed code so criminal that everyone who knew about it should be serving hard jail time (if we didn't live in corporate dictatorships). If their code were public they couldn't pull shit like this anywhere near as easily.
-
If you want to see the source code of Photoshop, you actually need to work for Adobe. Otherwise, you need to be some kind of freaking retro-engineering expert.
What you're describing is known as "security through obscurity", the practice of attempting to increase security of a system by hiding the way the system works. This practice is highly discouraged, as it is known to not actually be effective at increasing the security of a system.
Security by obscurity alone is discouraged and not recommended by standards bodies. The National Institute of Standards and Technology (NIST) in the United States recommends against this practice: "System security should not depend on the secrecy of the implementation or its components."
https://en.wikipedia.org/wiki/Security_through_obscurity#Criticism
Isn't that actually also helping hackers?
No, by sharing the implementation details of the system, it helps those trying to keep it secure by allowing anyone to inspect, discover, and contribute fixes to security flaws.
Open-source software is not perfect and is susceptible to security flaws and vulnerabilities, but it is better and more secure than closed-source software in every way. Every risk that applies to open-source software also applies to closed-source software, but worse.
-
Because more eyes spot more bugs, supposedly. I believe it, running closed source software is truly insane
-
Per Eric S. Raymond "many eyes make all bugs shallow".
Basically it's not inherently more secure, but often it's assumed that enough smart people have looked at it.
But yes all software is going to have vulnerabilities
-
Ape alone... weak. Apes together... strong.
-
The idea you're getting at is 'security by obscurity', which in general is not well regarded. Having secret code does not imply you have secure code.
But I think you're right on a broader level, that people get too comfortable assuming that something is open source, therefore it's safe.
In theory you can go look at the code for the foss you use. In practice, most of us assume someone has, and we just click download or tell the package manager to install. The old adage is "With enough eyes, all bugs are shallow". And I think that probably holds, but the problem is many of the eyes aren't looking at anything. Having the right to view the source code doesn't imply enough people are, or even meaningfully can. (And I'm as guilty of being lax and incapable as anyone, not looking down my nose here.)
In practice, when security flaws are found in oss, word travels pretty fast. But I'm sure more are out there than we realize.
-
Your post is similar to one I saw some time ago. That old post has a reply of mine, and I’ll paste it here:
The problem you’re describing (open sourcing critical software) could both increase the capabilities of adversaries and also make it easier for adversaries to search for exploits. Open sourcing defeats security by obscurity.
Leaving security by obscurity aside could be seen as a loss, but it’s important to note what is gained in the process. Most security researchers today advocate against relying on security by obscurity, and instead focus on security by design and open security. Why?
Security by obscurity in the digital world is very easily defeated. It’s easy to copy and paste supposedly secure codes. It’s easy to smuggle supposedly secret code. “Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools.”
What's the alternative for the military? If you rely on security by design and open security for military equipment, it’s possible that adversaries will get a hold of the software, but they will get a hold of software that is more secure. A way to look at it is that all the doors are locked. On the other hand, insecure software leaves supposedly secret doors open. Those doors can be easily bashed by adversaries. So much for trying to get the upper hand.
The choice between (1) security by obscurity and (2) security by design and open security is ultimately the choice between (1) insecurity for all and (2) security for all. Security for all would be my choice, every time. I want my transit infrastructure to be safe. I want my phone to be safe. I want my election-related software to be safe. I want safe and reliable software. If someone is waging a war, they’re going to have to use methods that can actually create a technical asymmetry of power, and insecure software is not the way to gain the upper hand.
-
“Open source code means you have the entire globe of developers collaborating to detect and repair those vulnerabilities.”
Heartbleed has entered the chat
-
If Adobe-or-Whatever has an undisclosed vulnerability, a few hundred people could easily already know about it due to working there. It can be due to bugs, or intentional backdoors required by corporate HQ or government.
They will leak this information. Either by accident or for financial gain. Those people will re-sell it to other shady people.
Now you sit on software where an unknown number of third parties can hack your shit. And you don't know about the vulnerability, what is at risk, how to protect yourself, or who from.
You can mostly trust corpos to protect against general hackers to some extent, but backdoors by government or from their own needs they will just keep secret.
Sony's Rootkit fuckery is probably the biggest example I can give, but there are tons more. Anti-piracy software are historically frequent offenders.
-
It doesn’t literally mean that everyone that uses OSS will inspect the source code for vulnerabilities, most don’t even have the skill to do so.
It’s more secure because access to source facilitates exploiting it, and patching it, faster, and because nerds that do have the skills and find something unusual will delve into the code to debug it. The XZ Utils back door was found by one of such nerds doing beta testing, it didn’t even get to be distributed to general users.
It’s a telling sign that malicious actors nowadays are surreptitiously trying to compromise OSS through supply chain attacks instead of directly finding zero days. For example: StarDict sends X11 clipboard to remote servers
XZ is such a great example of how open source is more resilient, and how much "core open source" projects need a foundation supporting them.