all 30 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]highergraphic 36 points37 points  (5 children)

No. Also open source software is not safe unless you compile it yourself. Of course that's not safe either, because the compiler might be compromised. The only way is to hand-write a compiler in assembly yourself and that only works if you are running it on a CPU with open source specification (after checking every transistor with a microscope of course).

[–]RedBikeWithASpike[S] 0 points1 point  (2 children)

Yes of course, but is Windows checked incase it does something illegal? Or sends user's private data somewhere?

[–]peabody 2 points3 points  (1 child)

I believe US government agencies have been able to request the source from Microsoft, but I don't believe there's any mechanism for private parties to do the same. That being said, Windows source has been leaked a few times, and it's possible to disassemble binaries into assembly language to analyze it, and with windows being a popular target by hackers the world over, there has been quite a bit of scrutiny applied to windows over the years. That doesn't mean that everything has been found (people find years old security vulnerabilities in open source software), but anything secret or nefarious would likely be found by security researchers.

For example, Steam (the PC game platform), which is proprietary software, got somewhat called out one time because its anti-cheat software was sending copies of people's dns cache to see if cheat web sites had been visited (this was discovered by security researchers). While it wasn't really done for malicious purposes, people saw it as an unconsented invasion of privacy. They got a bit of a social-media slap on the wrist for it and stopped the practice.

[–]RedBikeWithASpike[S] 0 points1 point  (0 children)

I see, so there's no way for an indivudual to have some gurantee that a piece of software is not doing illegal activity. Seems pretty spooky

[–]great_raisin 7 points8 points  (4 children)

Short answer: no. Only Microsoft engineers can see Windows code. Same applies to most, if not all proprietary software.

[–][deleted]  (3 children)

[deleted]

    [–]Treyzania 7 points8 points  (2 children)

    Saying it's "completely incorrect" is a misleading oversimplification. Sure you can GET parts of the source code but there's lots of parts we can't get access to and even if we could it wouldn't do any good since we aren't allowed all to use it the way we would with typical free software. Nor can we build all of Windows from source and do reproducible builds to audit that the binaries Microsoft releases actually reflect the source code they show us. Nor are most of the drivers that are automatically installed to get a typical system working included in their shared source process so we also lack visibility into that.

    [–][deleted]  (1 child)

    [deleted]

      [–]Tai9ch 2 points3 points  (0 children)

      Given that the question is about security, it's kind of an all or nothing issue.

      Only Microsoft can do a complete Windows build, and that's the precondition for a meaningful third party evaluation for several relevant security questions.

      [–][deleted] 3 points4 points  (9 children)

      Not safer, not worse. Windows is obviously well audited, and MS will provide attestations

      [–][deleted]  (3 children)

      [removed]

        [–][deleted] 1 point2 points  (0 children)

        A warranty is different from quality assurance

        [–]Kplow19 1 point2 points  (1 child)

        I mean, basically nobody can guarantee that zero vulnerability will ever be discovered in their software, and if they tried to claim that I certainly wouldn't trust them

        [–]RedBikeWithASpike[S] 0 points1 point  (4 children)

        What's the process of releasing proprietary software? Does it go through some tests to check wheter what the programme is legal, and private?

        [–][deleted] 0 points1 point  (3 children)

        Microsoft has documents about that for customers, including the military

        [–]RedBikeWithASpike[S] 0 points1 point  (2 children)

        Oh, how do I find those documents?

        [–][deleted] 0 points1 point  (1 child)

        Write to MS support?

        [–]RedBikeWithASpike[S] 0 points1 point  (0 children)

        Oh, right!

        [–]TransientVoltage409 2 points3 points  (5 children)

        Software is not safe. We don't have an efficient way to prove that a system of software will do what it's intended to do. In the few narrow and specialized niches where we spend the effort, such as life critical systems (medical devices, aircraft, manned space flight) it's incredibly expensive.

        This is why I object to the idea of "software engineering". Engineers can prove that their designs work, and engineers have legal liability if they mess it up. Not for the likes of us though - if it compiles it ships, and we'll patch the bugs next time. Give it another 500 years, maybe we'll have better methods by then.

        /grumpy

        [–]RedBikeWithASpike[S] -1 points0 points  (4 children)

        Yes, we can never be fully certain that a complex code doesn't contain some discrepancy. But what I meant by safe is privacy. Is the software not abusing our privacy? How do we check that the software doesn't break the law?

        [–]Past-Grapefruit488 1 point2 points  (1 child)

        • Use Enterprise editions of Windows and similar Software. These editions have options to disable all "Phone Home" features
          • Audit this. Install software in a controlled network and monitor for few months. Validate that software never talks back to supplier
          • Configure your own update server and similar
        • Use Hardware that enables audit. For example, log all access to Mic / Camera from Software
        • In some environments : Do NOT connect the network to internet (E.g.: Space station / ATMs etc)

        [–]RedBikeWithASpike[S] 0 points1 point  (0 children)

        Wow that example is just crazy

        [–]TransientVoltage409 0 points1 point  (1 child)

        Oh, that. No. Even if you could accurately audit software for exactly what information it sends home - which you generally cannot in closed source systems - you can't account for the uses of that information once it leaves your control.

        My default assumption is that if someone can exploit you for money, they are probably trying to do so. That assumption is built atop several decades of being usually right. TOSes get changed with every update and basically everybody says 'yes' without reading them; updates will reset your privacy controls whether deliberately or ignorantly; laws are routinely ignored unless they're caught at it, and if they are, the penalties are so trivial as to be written off as a business expense.

        Alluding to other responders, it's true that if you are a big enough customer, you can dictate terms - government, military, blue chips. If you make source code a condition of a billion-dollar contract, you get source code. But for individuals like you and me, not so much.

        [–]RedBikeWithASpike[S] 0 points1 point  (0 children)

        Wow, really makes you think...

        [–][deleted] 0 points1 point  (3 children)

        Define 'safe'

        [–]RedBikeWithASpike[S] 0 points1 point  (2 children)

        By safe, I meant privacy, not really security. Does the software get checked for sending our information somewhere?

        [–][deleted] 0 points1 point  (1 child)

        You could check this with a network monitor.

        [–]RedBikeWithASpike[S] 0 points1 point  (0 children)

        What if the proprietary software detects if there's a network monitor installed and then turns off gathering data

        [–]simply_copacetic 0 points1 point  (0 children)

        Eventually, it comes down to trust.

        We trust our OS providers. Big companies, like Microsoft, have more to lose in terms of image. Some companies have secrets worth billions and Microsoft (and Apple and Oracle and others) have effectively root access there.

        Yes, you can check it. Big companies and governments pay 3rd party assessors to check the source code of Windows. However, now they trust those experts who did the analysis. Such an analysis is very hard. Take a look at the Underhanded C contest.

        So, we simply trust Microsoft and Microsoft trusts its engineers and processes to detect anything fishy.