Not discrediting Open Source Software, but nothing is 100% safe.

@[email protected]
2142Y

Luckily there are people who do know, and we verify things for our own security and for the community as part of keeping Open Source projects healthy.

@[email protected]
122Y

Though one of the major issues is that people get comfortable with that idea and assume for every open source project there is some other good Samaritan auditing it.

I would argue that even in that scenario it’s still better to have the source available than have it closed.

If nobody has bothered to audit it then the number of people affected by any flaws will likely be minimal anyway. And you can be proactive and audit it yourself or hire someone to before using it in anything critical.

If nobody can audit it that’s a whole different situation though. You pretty much have to assume it is compromised in that case because you have no way of knowing.

@[email protected]
32Y

Oh definitely, I fully agree. It’s just a lot of people need to stop approaching open source with an immediate inherent level of trust that they wouldn’t normally give to closed source. It’s only really safer once you know it’s been audited.

@[email protected]
52Y

Have you seen the dependency trees of projects in npm? I really doubt most packages are audited on a regular basis.

@[email protected]
1012Y

Open source software is safe because somebody knows how to audit it.

@[email protected]
202Y

It’s safe because there’s always a loud nerd who will make sure everyone knows if it sucks. They will make it their life mission.

@[email protected]
52Y

Will that nerd be heard or be buried under the scrutiny?

@[email protected]
52Y

I’ll listen to them because I love OSS drama. But you’re right that they may just get passed over at large.

andrew
44
2Y

And to a large extent, there is automatic software that can audit things like dependencies. This software is also largely open source because hey, nobody’s perfect. But this only works when your source is available.

@[email protected]
62Y

Except when people pull off shit like Heartbleed.

andrew
112Y

See my comment below for more of my thoughts on why I think heartbleed was an overwhelming success.

And you help make my point because openssl is a dependency which is easily discovered by software like dependabot and renovate. So when the next heartbleed happens, we can spread the fixes even more quickly.
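Added example (not code from the thread, and not dependabot's or renovate's own code) of what the automatic dependency auditing described above boils down to: walk a nested, npm-style dependency tree (transitive packages included, as in the dependency trees mentioned earlier in the thread) and match every package against an advisory list. The package names, versions and advisory ids are constructed for the example.

```python
"""Minimal dependency-tree audit. All package names, versions and advisory
ids below are constructed sample data, not real packages or advisories."""
from typing import Iterator

# Constructed lock data in the shape of a trimmed package-lock.json "dependencies" map.
SAMPLE_LOCK = {
    "dependencies": {
        "web-framework": {
            "version": "4.2.0",
            "dependencies": {
                "tls-wrapper": {"version": "1.0.1"},  # transitive, two levels down
                "util-lib": {"version": "2.3.0", "dependencies": {
                    "tls-wrapper": {"version": "1.0.3"},  # same package, newer version
                }},
            },
        },
        "logger": {"version": "0.9.0"},
    }
}

# Constructed advisories: affected package and the first version no longer affected.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "tls-wrapper", "fixed_in": "1.0.2"},
    {"id": "EXAMPLE-0002", "package": "logger", "fixed_in": "1.0.0"},
]

def parse_version(v: str) -> tuple:
    """'1.10.2' -> (1, 10, 2), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def walk(deps: dict, path: tuple = ()) -> Iterator[tuple]:
    """Yield (name, version, path) for every node, including transitive ones."""
    for name, info in deps.items():
        here = path + (name,)
        yield name, info["version"], here
        yield from walk(info.get("dependencies", {}), here)

def audit(lock: dict, advisories: list) -> list:
    """Return one finding per (advisory, dependency path) that is still affected."""
    findings = []
    for name, version, path in walk(lock["dependencies"]):
        for adv in advisories:
            if adv["package"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({"id": adv["id"], "path": " > ".join(path), "version": version})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{f['id']}: {f['path']}@{f['version']}")
```

The same package can appear at several depths with different versions, which is why the report keys on the full path rather than the bare name.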

@[email protected]
32Y

Enterprise software inventory can unfortunately be quite chaotic, and understanding the exposure to this kind of vulnerability can take weeks if not longer.

@[email protected]
122Y

My very obvious rebuttal: Shellshock was introduced into bash in 1989, and found in 2014. It was incredibly trivial to exploit and if you had shell, you had root perms, which is insane.

```bash
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
```

@[email protected]
192Y

Also because those people who can audit it don’t have a financial incentive to hide any flaws they find.

Rob Bos
262Y

safe**R** not safe. Seriously how is this a hard concept.

@[email protected]
7
2Y

*cough* Heartbleed *cough*

@[email protected]
12Y

I came here looking for this comment.

andrew
29
2Y

Man we would have been so much better with plaintext communications everywhere, right?

You cite heartbleed as a negative but a) SSL would never have proliferated as it has without openssl and b) the fix was out in under a week and deployed widely even faster.

The alternative, proprietary crypto, would have all the same problems including the current laggards, but likely without everyone understanding what happened and how bad it was. In fact, it probably wouldn’t have been patched because some manager would’ve decided it wasn’t worth it vs new features.

@[email protected]
12Y

> the fix was out in under a week

I don’t disagree with this, but your point about automatic audits… It’s always a learning curve to prevent silly shit like heartbleed from getting into the system. But the idea that there was no check against this when it was first PR’d seems almost absurd. This is why sticking hard to API and design specs and building testing around them is so important.

I’m sure they learnt a valuable lesson there.

Muddybulldog
42Y

I think the point that’s more relevant to the original post is that while the speed with which fixes were rolled out was admirable, the flaw existed for years before anybody noticed it.

@[email protected]
32Y

It would have been way worse, because it would have been less discoverable in closed source software by someone somewhere.

Muddybulldog
1
2Y

Devil’s Advocate…

Codenomicon, the company who actually named the flaw, didn’t find the bug via the source code. They were building a security product, and testing that product against their own servers exposed the flaw. Open Source was not a factor in this discovery.

Google HAD discovered the flaw via the source code, exactly two days earlier.

In this case, the bug was 0.267379679% more discoverable due to being open source versus being closed.

@[email protected]
-192Y

Lol u mad

andrew
13
2Y

I’m not mad, just disappointed.

In all seriousness though, I just disagree and I think it’s important to note the inaccuracy of thinking that a bug, which is famous only because it was deliberately publicized and deliberately open source, is anything but a huge win compared to what would likely have played out had the most popular SSL library in the world been proprietary and closed.

@[email protected]
-32Y

What do you disagree with? Heartbleed was a vulnerability in OpenSSL. It affected millions of computers.

@[email protected]
22Y

That is a big problem. It was quickly fixed and I don’t see how it does proprietary software any favors…

@[email protected]
1
2Y

The only person in the whole thread talking about proprietary software is that guy.

This is a thread about how the accepted wisdom that many eyes make open source software more secure is based on the assumption that someone else is effectively auditing the code base which has been proven over and over again not to be true.

E: I just looked at this thread and now everyone is talking about proprietary software. It would be cool if the progression of time made fools of us all, but it looks like it’s just me this time.

@[email protected]
312Y

“Transparent and accountable government is a waste of time because I personally don’t have the time to audit every last decision.”

OP, you are paranoid beyond belief.

@[email protected]
6
7M

deleted by creator

@[email protected]
92Y

Even audited source code is not safe. Supply-chain attacks are possible. A lot of times, there’s nothing guaranteeing the audited code is the code that’s actually running.

@[email protected]
392Y

You shouldn’t automatically trust open source code just because it’s open source. There have been cases where something on github contains actual malicious code, but those are typically not very well known or don’t have very many eyes on it. But in general open source code has the potential to be more trustworthy, especially if it’s very popular and has a lot of eyes on it.

@[email protected]
22Y

It’s one reason I haven’t rushed to try out every lemmy app that has come out yet.

ѕєχυαℓ ρσℓутσρє
9
2Y

“I don’t care about free speech because I have nothing to say.” Doofus.

@[email protected]
412Y

No, but I know a bunch of passionate geeks are doing it.

@[email protected]
612Y

But eventually somebody will look and if they find something, they can just fork the code and remove anything malicious. Anyways, open source to me is not about security, but about the public “owning” the code. If code is public all can benefit from it and we don’t have to redo every single crappy little program until the end of time but can instead just use what is out there.
Especially if we are talking about software paid for by taxes. That stuff has to be out in the open (with exception for some high security stuff - I don’t expect them to open source the software used in a damn tank, a rocket or a fighter jet).

@[email protected]
212Y

Fun fact*: the software in the most advanced dildos comes from old missile guidance systems the government isn’t using anymore.

*not a fact, but hopefully fun.

@[email protected]
172Y

Maybe not a fact but I will still accept it as canon.

@[email protected]
112Y

No, missle.

@[email protected]
22Y

Agreed.

Yuumi
82Y

this was indeed fun

@[email protected]
22Y

Thanks 😁

@[email protected]
32Y

That’s the neat part, you don’t!

@[email protected]
42Y

I have doubt about the Linux kernel being properly audited.

@[email protected]
-22Y

A little scary to contemplate since some of the code comes from the NSA.

@[email protected]
19
2Y

I’m pretty sure the code submitted by the NSA has had more people look over it than any other snippet in there.

@[email protected]
32Y

Probably there’s more to it. Who knows, maybe the active developers were contacted by secret services to add something kinky.

@[email protected]
12Y

Code buddy neighbor turning out to be an NSA undercover op would make a great TV show.

Lvxferre
72Y

> I have doubt about the Linux kernel being properly audited.

Torvalds is doing it so he has more reasons to chain insults. “I SAID NO REGRESSIONS, YOU BUNCH OF %#$%%&#$@#$%#&%#!!!”

@[email protected]
10
2Y

I mean, what’s a “proper audit”?
Most audits my company does are a complete smoke and mirrors sham. But they do get certifications. Is that “proper”?

I’m pretty confident that the code quality of Linux is, on average, higher than that of the Windows kernel. And that is because not only do other people read and review, the programmer also knows his shit is for everyone to see. So by and large they are more ashamed to submit some stringy mess that barely works.

@[email protected]
1
2Y

I just had a thought, and thought of sharing it. I prefer to be skeptical and until properly convinced, why should I blindly believe in something?

That said, I personally use Linux and BSD kernels, and I’m quite thankful for the FOSS movement to exist in our reality.

@[email protected]
22Y

Compared to what?

@[email protected]
bot account
482Y

> Do you know how to audit the code?

Yes?

oscar_falke
312Y

I don’t. But I trust you.

@[email protected]
bot account
12Y

Just learn the basics and you don’t need to trust. Like… everything science.

@[email protected]
12Y

Now audit the Linux kernel.

@[email protected]
bot account
12Y

No.

@[email protected]
22Y

Fair enough.

@[email protected]
132Y

LGTM

@[email protected]
112Y

Let’s go to Mars?

Possibly linux
02Y

I don’t use the term “open source”. I say free software because giving someone else control over your computing is unjust. The proprietor of the program has absolute control over how the program works and you can not change it or use alternative versions of it.

@[email protected]
52Y

You guise look at the code?

@[email protected]
42Y

Of course. I don’t understand any of it, but it can’t hurt to check for a `stealData` function.

MinusPi (she/they)
52Y

That you formatted that appropriately means you still know more about code than the vast majority of people.

@[email protected]
112Y

I have never. But someone has.

@[email protected]
112Y

Everyone thinks this, so no one does it.

It’s like the bystander effect.

@[email protected]
62Y

Depends on the software, you can bet your ass people are auditing the Linux kernel every day.
