That’s the neat part, you don’t!
I have doubt about the Linux kernel being properly audited.
compared to what?
Torvalds is doing it so he has more reasons to chain insults. “I SAID NO REGRESSIONS, YOU BUNCH OF %#$%%&#$@#$%#&%#!!!”
I mean, what’s a “proper audit”?
most audits my company does are a complete smoke and mirrors sham. But they do get certifications. Is that “proper”?
I’m pretty confident that the code-quality of linux is, on average, higher than that of the windows kernel. And that is because not only do other people read and review, the programmer also knows his shit is for everyone to see. So by and large they are more ashamed to submit some stringy mess that barely works
I just had a thought, and thought of sharing it. I prefer to be skeptical and until properly convinced, why should I blindly believe in something?
That said, I personally use Linux and BSD kernels, and I’m quite thankful for FOSS movement to exist in our reality.
A little scary to contemplate since some of the code comes from the NSA
I’m pretty sure the code submitted by the NSA has had more people look over it than any other snippet in there.
Probably there’s more to it. Who knows, maybe the active developers were contacted by secret services to add something kinky.
Code buddy neighbor turning out to be an NSA undercover op would make a great TV show
No, but someone knows how and does. If there’s something bad, there’ll be a big stink.
Lol that’s literally me. They get me every time. I have to learn how to audit
I don’t know how to audit code. But I can generally get through. For example, I use Aegis for 2FA OTP. How do we know it’s secure? Because I can see very clearly that it doesn’t have network access on Android and that it hasn’t tried to get network access.
“I don’t care about free speech because I have nothing to say.” Doofus.
Luckily there are people who do know, and we verify things for our own security and for the community as part of keeping Open Source projects healthy.
Open source software is safe because somebody knows how to audit it.
My very obvious rebuttal: Shellshock was introduced into bash in 1989, and found in 2014. It was incredibly trivial to exploit and if you had shell, you had root perms, which is insane.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
It’s safe because there’s always a loud nerd who will make sure everyone knows if it sucks. They will make it their life mission
Will that nerd be heard or be buried under the scrutiny?
I’ll listen to them because I love OSS drama. But you’re right that they may just get passed over at large
And to a large extent, there is automatic software that can audit things like dependencies. This software is also largely open source because hey, nobody’s perfect. But this only works when your source is available.
Except when people pull off shit like Heartbleed.
See my comment below for more of my thoughts on why I think heartbleed was an overwhelming success.
And you help make my point because openssl is a dependency which is easily discovered by software like dependabot and renovate. So when the next heartbleed happens, we can spread the fixes even more quickly.
Enterprise software inventory can unfortunately be quite chaotic, and understanding the exposure to this kind of vulnerability can take weeks if not longer.
Also because those people who can audit it don’t have a financial incentive to hide any flaws they find
Though one of the major issues is that people get comfortable with that idea and assume for every open source project there is some other good Samaritan auditing it
I would argue that even in that scenario it’s still better to have the source available than have it closed.
If nobody has bothered to audit it then the number of people affected by any flaws will likely be minimal anyway. And you can be proactive and audit it yourself or hire someone to before using it in anything critical.
If nobody can audit it that’s a whole different situation though. You pretty much have to assume it is compromised in that case because you have no way of knowing.
Oh definitely, I fully agree. It’s just a lot of people need to stop approaching open source with an immediate inherent level of trust that they wouldn’t normally give to closed source. It’s only really safer once you know it’s been audited.
Have you seen the dependency trees of projects in npm? I really doubt most packages are audited on a regular basis.
But eventually somebody will look and if they find something, they can just fork the code and remove anything malicious. Anyways, open source to me is not about security, but about the public “owning” the code. If code is public all can benefit from it and we don’t have to redo every single crappy little program until the end of time but can instead just use what is out there.
Especially if we are talking about software paid for by taxes. That stuff has to be out in the open (with exception for some high security stuff - I don’t expect them to open source the software used in a damn tank, a rocket or a fighter jet)
Fun fact*: the software in the most advanced dildos comes from old missile guidance systems the government isn’t using anymore.
*not a fact, but hopefully fun.
this was indeed fun
Thanks 😁
Maybe not a fact but I will still accept it as canon
No, missle.
Agreed.
Ahh the old motte and bailey doctrine.
FOSS is superior even for an end user like me. It only fails when corporations are allowed to “embrace, extend, and extinguish” them.
You guise look at the code?
Of course. I don’t understand any of it, but it can’t hurt to check for a stealData function.
That you formatted that appropriately means you still know more about code than the vast majority of people
Yes?
LGTM
Let’s go to Mars?
I don’t. But I trust you
Just learn the basics and you don’t need to trust. Like… everything science.
Now audit the linux kernel
No.
Fair enough
I don’t use the term “open source”. I say free software because giving someone else control over your computing is unjust. The proprietor of the program has absolute control over how the program works and you can not change it or use alternative versions of it
Open source software is safe because so few people use it, it’s not worth a hacker’s time to break into it (joking, but of course that doesn’t apply to server software)
Honestly, for some software this is the answer. The other one with hackers is that it’s usually easier to trick an employee into giving you the master password than finding an obscure exploit in their codebase, though it does still happen.
“Transparent and accountable government is a waste of time because I personally don’t have the time to audit every last decision.”
OP, you are paranoid beyond belief.
Here is my quick guide to audit code.
Step one. Google is the code safe.
Step two. Find out that the repo is actually by me. Step three. Consider it unsafe.
Third box: “yes, yes I do.”