this post was submitted on 05 Dec 2024
53 points (87.3% liked)

Privacy

32383 readers
210 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Nobody on my post asking for controversial privacy topics asked this question, but I feel I should cover it anyways. People sometimes assume that software is safe simply because it is open source. That is a misconception, and I would like to cover that in this post.

What does "open source" mean?

When software is "open source," it means that the developers have made the source code for the software public and allows anyone to help contribute to the code, or create their own versions of the software based on the source code. By contrast, proprietary software is software that has not made the source code visible to the public. There are similar terms to open source, such as "source-available," "open-core," and "libre," which I won't cover in this post. For the sake of simplicity, any source-available software will be called "open source," since the specifics don't quite matter for the majority of this post.

What are the benefits open source software?

Open source software provides many benefits over proprietary software:

Code auditing: Because anyone can inspect the code, anybody can look for vulnerabilities or invasive code to make sure that the software is safe. With proprietary software, the developers would have to hire a third party auditor to inspect the code. That means you have to trust the auditor, and you have no way to verify first-hand that the code is safe.

Bug reporting: While both open source and proprietary software have bug reporting systems, open source software tends to have more thorough and transparent bug reporting. Bug reports are generally on a public issue tracker such as GitHub, which can also help prevent duplicate bugs from being reported. Having these reports public also makes the next benefit easier:

Bug fixing: Anyone can contribute to open source software, which means the workload is distributed. Instead of a small team of developers being the only ones working on the software, anyone can look at the public issues and code their own fixes for the software.

Resurrecting projects: Both open source and proprietary software can one day stop being developed. Even big companies such as Spotify can retire software, which can lead to hardware devices becoming unusable or insecure. (The code for Car Thing has been reconstructed, by the way.) Open source projects that fall out of development can easily be forked and maintained by a new developer. It's rare to see proprietary software handed off to a new owner.

Accountability: Open source projects hold the developers directly accountable for any vulnerabilities or invasive code, meaning the developer's interests are aligned with its users and not malicious purposes. This also incentivizes creating code without paywalls, since anyone could release a version of the code with the paid features "unlocked".

However, even with all these benefits, open source software isn't perfect.

Why has proprietary software become so popular?

Since ads and paywalls can generally be removed from open source software, it doesn't make it a very appealing choice to for-profit organizations. Generally, these organizations want to monetize and control their software, which means injecting ads, paywalls, and other invasive elements. This is done most easily if the software is proprietary.

It's also rare to see open source software becoming so popular, because generally open source software receives its funding from donations and doesn't have the budget to advertise the software. There are exceptions, such as OBS Studio or Blender, which have mostly become the most popular software in their categories.

Is open source software safe?

There is another downside to open source software that many people don't talk about: it is much easier to exploit than proprietary software. Because all the source code is visible to the public, it makes it easy for malicious parties to craft vulnerabilities. Proprietary software is generally a stab in the dark until a vulnerability is found, since you can't see exactly how it was coded.

Software being open source does mean that it becomes more likely to find and fix vulnerabilities, but being open source doesn't automatically make software safe. Which device do you think would be more likely to obtain a virus, a device running (stock) Android or a device running iOS? You're most likely more inclined to say the device running (stock) Android is more likely. Android at its core is open source. While correlation is not causation, and there are other factors at play, it's much easier for someone to try to craft a malicious app for Android than for iOS because of its open nature.

Proprietary software isn't automatically safe, either. It can be just as vulnerable as any other software. However, open source software has the potential to become much more secure than proprietary software, simply because more people can find and fix vulnerabilities. That's probably why Apple open sourced their Private Cloud Compute code before launching a bounty program for it.

Anyone can code malicious open source software. It's riskier, since it's more likely to be noticed, but it's still possible. Microsoft could open source Windows one day, and it wouldn't make it any more safe until somebody identified and fixed the issues. Open source software doesn't automatically make something private or secure, but it does provide integrity, because the developer is showing that they will be accountable for any malicious or vulnerable code, and that anyone is free to look through the code.

Final notes

I hope this gives you a better idea of what it actually means if something is open source. Even unsafe proprietary software can be run safely under the right conditions. If your threat model requires you to use as much open source software as possible, I made my own list of open source software called Open Source Everything that you can look through. I hope you enjoyed reading this!

- The 8232 Project

all 39 comments
sorted by: hot top controversial new old
[–] [email protected] 17 points 1 week ago* (last edited 1 week ago) (1 children)

The xz utils shenanigans is a great example of both why open source shouldn't be implicitly trusted and why open source allows for anyone to see the shenanigans and get the issues resolved/warn people.

If this was proprietary, it would have been near impossible and taken much longer to discover.

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago)

Finding? What about fixing? No one wants to admits anti-libre software bans us from fixing its source code.

'Open source' does not work, libre software does.

[–] [email protected] 13 points 1 week ago

The safety argument is wrong. Security through obscurity was debunked a century ago, and you're floating it again. In reality, it depends on the details, because of course it does.

[–] [email protected] 11 points 1 week ago (2 children)

Most of the "Is open source software safe?" section of this post seems to advocate for what's conventionally called Security Through Obscurity, which is widely considered very ineffective at preventing exploitation and at best a minor hurdle.

There are a lot of differences between Android and iOS in terms of security, attack surface, and exploitation, but attributing that to open vs closed-source completely misunderstands the entire subject. For just two of the countless reasons: Many of the worst vulnerabilities that affect Android devices are in closed-source proprietary Qualcomm firmware. A platform being open in the sense of allowing users to install any application they want to (like Windows and Android to a limited extent) or closed off to prevent installation of unapproved software (iOS, PlayStation, Toyota cars, TiVo, etc.) is completely separate from whether that platform is open-source or not. GPLv3 has license terms that try to tie the two concepts but I chose examples that don't use it at all. Also, iOS has public kernel source code.

[–] [email protected] -1 points 1 week ago

seems to advocate for what’s conventionally called Security Through Obscurity

I was trying to avoid making it sound like iOS was more secure in that because it's proprietary. The claim I was trying to make is that open source software isn't necessarily more secure than proprietary software and being open source can make it easier to craft an attack compared to if it were proprietary. I also mentioned that there are, of course, more variables at play, such as sideloading.

In my eyes, security via obscurity is a deterrent, not a solution. It can help prevent attacks or make attacks harder, but it doesn't fix the underlying issues.

Also, iOS has public kernel source code.

I actually didn't know this! Thank you, I learned something new today :)

[–] [email protected] 7 points 1 week ago (2 children)

Why does "free software (as in freedom) matter?

[–] [email protected] 3 points 1 week ago* (last edited 1 week ago) (1 children)

so, free software is a philosophy. software is judged to be free based on it's adherence to the philosophy based on what they call the four freedoms: freedom to use, read, modify and share the software without restriction. based on those freedoms are free software licenses that enforce this. the most famous one, the gpl, also says that any modification must adhere to the same freedoms. this is what makes "free software" distinct from "open source". (see also: "copyleft")

the gpl means that you are entitled to receive the source code of any company that runs modified GPL software upon request. note that this does not prevent them from making money on the software, only that you as a (potentially paying) user must be able to get the sources without jumping through extra hoops.

this matters because all improvements are shared as a matter of course, and all source code can be audited. in theory. in reality this does not always happen, of course, which is why the fsf and similar organizations exist to drive these cases through courts. it matters because it acts as a brake on large actors using community-developed software without reciprocating.

[–] [email protected] 3 points 1 week ago* (last edited 1 week ago)

tldr: it keeps us in control over our computing.

Want privacy? Throw away your control and see how that goes.

[–] [email protected] -3 points 1 week ago* (last edited 1 week ago) (1 children)

My humble opinion

Example

Locked in google services. DNS so google sees the sites you visit, tracks what you click, where you go, who you talk to, what you like, what services you use, where you spend your money, etc.

Freedom - no log encrypted DNS rolling your own DNS server/proxy, seeing the config, the source; no tracking, no surveillance and profiles stored that are gladly shared with whatever other company or gov dept that wants it. No blobs or beacons. The ability to see what is happening, to choose what to allow or disallow, to be able to edit, modify, clone, fork, etc based on your needs and wants.

Not the Almighty profit margin.

Freedom to choose poison or antidote.

Another eg.

Nothing to hide may be true for now.

But what you believe need not be hidden, may, by some future government (or dictator), be deemed a crime, or worthy of retribution.

Allowing an unaccountable, unverifiable, monolith or shady actor is asking for problems.

The less data you share (or is unknowingly siphoned off) the less data you have to worry about being leaked /breached.

Knowing what is happening, being able to audit, being able to verify, freedom to choose vs blind trust.

If someone you don't know knocks on your door, do you let them in and make themselves at home?

[–] [email protected] 2 points 1 week ago (1 children)

that's not what free software is.

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago) (2 children)

Maybe the people at the heart of Foss can make it more clear.

Gnu.org

The free software movement campaigns to win for the users of computing the freedom that comes from free software. Free software puts its users in control of their own computing. Nonfree software puts its users under the power of the software's developer


Free software means the users have the freedom to run, copy, distribute, study, change and improve the software.

Free software is a matter of liberty, not price. To understand the concept, you should think of “free” as in “free speech,” not as in “free beer.”

More precisely, free software means users of a program have the four essential freedoms:

The freedom to run the program as you wish, for any purpose (freedom 0). The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this. The freedom to redistribute copies so you can help others (freedom 2). The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

[–] [email protected] 1 points 1 week ago (1 children)

so, what your first post describes is open source. this quote from the fsf also describes open source, but the important stuff is in the nuances of the wording. open source allows you to share your changes. free software forces it through legal means. sorry for being so curt at first, i elaborated in my other reply.

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago) (1 children)

Isn't that clear where I mentioned ability to fork, clone, modify, etc?

Besides that they asked why, not what.

I gave my opinion and examples.

[–] [email protected] 1 points 1 week ago

well the important distinction is who is bound, right? your examples are all true of open source as well. the main difference between the two concepts is that if i withhold my changes to gpl-licensed code from you, you can sue me for breaching the license. if the software is mit, i am in my full right to deny you access. that's not what i got from your wording.

[–] [email protected] -2 points 1 week ago* (last edited 1 week ago) (1 children)

This is free software, libre software. These quotes never say 'open source', only FS, never FOSS. gnu.org/philosophy/open-source-misses-the-point.en.html

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago) (1 children)

From itsfoss

It's foss

https://itsfoss.com/what-is-foss/

Because GNU is Foss because Foss is gnu. Because the guy that started the fsf movement is Richard stallman who wrote that.

https://www.gnu.org/philosophy/free-sw.html

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago) (1 children)

gnu.org/philosophy/open-source-misses-the-point.en.html

Edit: They are trolling. Don't feed. Wait for mods.

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago) (1 children)

You said what I posted was not Foss.

It came from the very essence of Foss.

It gave the very definition of Foss.

From the people who started Foss movement .

On the site run by the people who continue to promote and advocate for Foss.

And explains the distinction between Foss and open source.

What about that is unclear?

Post something else about open souce, please.

Tell me again how that is not what Foss is.

Please, guide me.

(What you cleverly replied with is in the link I posted ffs)

[–] [email protected] -1 points 1 week ago* (last edited 1 week ago) (1 children)

Wrong, read your own source.

[–] [email protected] 0 points 1 week ago (1 children)

Really? Lol. You replied with a link from the same site which is linked within the page I posted. Look at the screenshot.

Jfc, I'm done with you.

[–] [email protected] -1 points 1 week ago (1 children)

You cannot see the last paragraph on your own screenshot?

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago) (1 children)

And I fucking quote myself in my comment above

distinction between foss and open source.

You said the comment in which I gave the fucking definition of Foss as written by the people who wrote the very definition of Foss was not foss.

You just gave me a link within the link that gives the definition of Foss about what Foss isn't.

It isn't me that needs to read better.

Go away.

[–] [email protected] -2 points 1 week ago (1 children)

They are trolling, don't feed.

[–] [email protected] 1 points 1 week ago

Yeah, reported.

[–] LemoineFairclough 5 points 1 week ago* (last edited 1 week ago) (1 children)

I believe these are relevant: https://www.gnu.org/philosophy/open-source-misses-the-point.html https://www.gnu.org/philosophy/categories.html

Of particular relevance is "Resurrecting projects": if you have access to "open source software" but are denied access to install or run modified versions of the software, the access is not particularly useful.

[–] [email protected] 2 points 1 week ago (2 children)

Isn't that technically Source-Available ?

[–] LemoineFairclough 3 points 1 week ago

You might be referring to "Nonfree open source" ("source code that is open source but not free") described at https://www.gnu.org/philosophy/categories.html

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago)

Too easy to scam with vague phrases like 'open source' but very hard with libre software.

[–] [email protected] 3 points 1 week ago* (last edited 1 week ago) (1 children)

'Open source' never works. Libre software does.

[–] Chais 2 points 1 week ago (1 children)

"Open source" is still commonly used to mean FOSS. Source available software isn't common enough to have made its way into the broader vocabulary.

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago)

Too easy to scam with vague phrases like 'open source' but very hard with libre software.

[–] [email protected] -2 points 1 week ago (2 children)

I always recieve negative votes, posting that it is absoluye wrong to think that OpenSource is synonym of privacy and security. There a lot of people wich confuse it. OpenSource is very important in a free internet and for developing new software, but for the user is way more important the intentions of the dev, the ethics and PP of the product. That it has an active community and devs, absolte risky to use outdated and abandoned FOSS.

OpenSource is preferable whenever possible, but as in anything else, fanaticism is harmful when a good proprietary soft offers a better solution

Yes, OpenSource permits to see the Source, but this is only interesting for devs, but not for an user normal whose programming skills no reach even to Hello World level, less in complex app with thousends of lines and extern references.

The most important for a normal user, read well TOS and PP, because they are legal documents and mandatory for both parties and that they are up to date, regardless of whether it is (F)OSS or Proprietary.

[–] [email protected] 4 points 1 week ago* (last edited 1 week ago) (1 children)

ToS never work. Libre software does.

[–] [email protected] -1 points 1 week ago (1 children)

ToS always work, it is a legally binding document, a contract which, if not respected, can be reported in court. These can be just as abusive in FOSS, even more so, than in FOSS. In terms of security and privacy, FOSS is no guarantee, it depends solely on the dev and his ethics regarding the user, not on anything else. Proprietary products from small companies or private developers may have better conditions and privacy than others that are OpenSource.

Example

https://www.ssuitesoft.com/privacypolicy.htm

On OpenSource it depends on the license it has ( a lot diferent ones) and the one of third party API's they use. https://opensource.org/licenses

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago) (1 children)

Get a fork or go to court, hard choice. /s

Anti-libre software guarantees we not control it.

[–] [email protected] 1 points 1 week ago (1 children)

You can and it is also done as in any fraudulent contract. This is independent if it is FOSS or not. Do you trust FOSS made by Google or M$ (a huge part of the catalogue) respect privacy? They aren't private, but they especific in their Tos exactly what they do with your data, not their fault if you don't read it. Same with FOSS which use APIs from these data hogs (also a lot). FOSS is more secure and private as proprietary is often correct, but you have to take it with a grain of salt, it's not a synonym and also often wrong.

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago)

Trust is a scam. Libre software puts us in control.

[–] LemoineFairclough 3 points 1 week ago

OpenSource is preferable whenever possible, but as in anything else, fanaticism is harmful when a good proprietary soft offers a better solution

I think an engineering perspective is useful: we want to solve problems, but different people have different problems, and each person cares about each of their problems to a different extent. If one person thinks their problem is that a relevant amount of their income depends on proprietary software, then the solution is substituting free software to replace proprietary software they depend upon. If another person doesn't depend on proprietary software for their income, but thinks it's a problem that their thermostat runs proprietary software, then the solution is still to substitute free software to replace proprietary software (or to replace the thermostat entirely). However, if someone wants to increase their income tenfold and using proprietary software will accomplish that (and using free software will not), then the solution is to use proprietary software.

It's probably better to help people learn and understand how to use free software than to encourage them to use proprietary software, since free software is probably easier to maintain as someone's situation changes, but there might be some situations where the best solution for someone involves using proprietary software.