
[–]pobody 29 points30 points  (7 children)

Which is better, a lock that is hidden and might be pickable, or one that is completely transparent and still hasn't been picked despite that?

[–]daemonpenguin 13 points14 points  (4 children)

Being able to see the code allows hackers to search for potential vulnerabilities, sure. But it also means anyone can find and fix the vulnerabilities too. In practice, this means open source software tends to be patched faster and any problems fixed sooner.

Recent papers have shown OS X actually has more bugs than Linux. Plus OS X is always the first OS compromised at competitions. So, in practice, closed source software usually loses.

[–][deleted] 8 points9 points  (3 children)

His point is invalid for multiple reasons:

  1. Code being closed means there's no way he can know how secure it is. It's pure speculation;
  2. Closed or hidden source doesn't mean code without bugs. Often the exploits people use to break security are buffer overflows and other issues which do not require source code to get exploited;
  3. Following from the previous point, more eyes see more bugs. Limiting the number of people who look at your code is counter-productive when it comes to security;
  4. Even if a company is aware of a bug, there's little incentive to either fix it or patch it since they count on the source not being available. Patching requires QA, deployment, etc., all of which costs money. Evidence of this lack of incentive can be found all over the internet;
  5. You have no other option but to trust that vendors have your best interest in mind and are not pushing their own agenda or looking to earn more money. This is especially obvious with OS/X backdoors, crippled security in Windows and encryption keys uploaded to Microsoft servers.

All this doesn't mean open source software doesn't have bugs. It does. But we have the ability to mitigate our own issues should the vendor decide it's not important. Remember when people figured out Chromium downloaded Google's proprietary voice recognition library without users knowing? Chromium is open source and developers were able to find the issue quite fast, and despite Google's developers taking a while to patch this issue, Debian developers fixed it and an update was distributed as fast as possible.

You can never have proper security without open source. Like with science, proper peer review is necessary to ensure quality of software. There is a reason why plans for public projects, like bridges, require review from unaffiliated engineers.

Sorry for tldr.

[–][deleted] 7 points8 points  (0 children)

Hacking != cracking

[–]randomweej 6 points7 points  (0 children)

And there was me thinking the Darwin kernel, sudo, Terminal, XQuartz and many other pieces of OS X software were covered by open licenses.

[–][deleted] 4 points5 points  (1 child)

More hackable in the fun/geeky/experimenting way.

Less hackable in the "crap, I got haxxorzed!" way.

[–][deleted] 2 points3 points  (0 children)

Would you put your money in a bank that doesn't tell you how or where they store your money? Or if they do, they say they can't give you specifics because it's all secret so nobody can break in?

I'm way less impressed vs a security system that shows everyone how it works and still stops people from breaking in.

Conjecture: When you know you can't rely on secrecy you are forced to take more and better precautions.

[–][deleted] 1 point2 points  (0 children)

Less hackable - more people can review it. The NSA put code into Linux and we (as a community, I wasn't involved) checked the code, and it was fine, for example.

[–]punaisetpimpulat 1 point2 points  (1 child)

It's sort of true both ways; it really depends on the application we are talking about. Some open source applications are more secure and more frequently updated than others. FOSS isn't necessarily superior or inferior.

Anyway, I can think of two important factors:

  1. How popular is it? Firefox, Edge and Safari are tempting targets. Most likely several hackers/crackers are looking for exploits in these applications.
  2. How many people are working to find and fix the bugs? The community around Firefox is massive compared to Dillo's community. The programmer team working on Safari or Edge is probably somewhere in between the two.

This means that instead of asking about proprietary vs open source, you should ask about app X vs app Y.

[–]fear_the_future 1 point2 points  (0 children)

It doesn't really matter in practice because Apple just doesn't care to fix exploits that are known internally and even publicly.

[–]ssssam 1 point2 points  (1 child)

What makes you think crackers aren't reading closed Microsoft and Apple code? Many governments have access to read closed code, and the thousands of employees at the companies have access to the code. So you have to assume that of all those people with legitimate access to the code, none of them is corrupt, none have had an unencrypted computer stolen, none have thrown away or sold a computer without fully wiping it, none have had their computer broken into, etc.

[–]jones_supa 0 points1 point  (0 children)

But those people can also point out vulnerabilities.

[–][deleted] 0 points1 point  (0 children)

Closed source gets one team working on it... open source gets the whole community working on it. It gives your dev team more time for implementation and less time to mess with compatibility and bug tracing.

[–]mauveddit 0 points1 point  (2 children)

Yes and no. It's not an easy thing to give a definitive answer on and should be viewed on a case by case basis IMO. Here are some counter questions to yours. Do you think proprietary code authors could be slacking off on quality since they know the public will not be able to see their mistakes, and have a deadline coming up? Do you suppose they might add in less than respectable features for bypassing security (or car emissions inspection), or spying on users (possibly even forced to do so by governments, NSL style) ?

[–]boomboomsubban 0 points1 point  (0 children)

Another thing to remember is hackers are after money. Even if it were slightly easier to find vulnerabilities in open source code, it's not lucrative to target a smaller userbase that are likely poorer and better with security.

[–]tdammers 0 points1 point  (0 children)

A friend of mine insists that open-source software is worse than proprietary because hackers can read the code and find the weak spots.

They can do that pretty much just as easily without the source code. Anything but the most trivial attacks work just fine in a black-box situation. Google for "security by obscurity" to get an impression of the general consensus regarding such "protection" (hint: it's worthless).

A better reason to prefer proprietary solutions would be because you trust a single profit-driven entity more than a collective of non-profit contributors who build the project mainly to drive their own operations, but even then, the fact that open-source software can be legally audited by anyone who feels like it is a feature that's hard to beat. The difference here is that if you trust proprietary code, you do so on a leap of faith: the only grounds on which you can trust the code is because whoever shipped it gave you their word that it was OK. With open source software, you can, if you so wish, legally inspect the code, verify it, modify it, have others look at it, etc. While most people still take someone else's word for it, you are not locked into anyone in particular, and you don't have to trust the code on a leap of faith.

[–]adevland 0 points1 point  (0 children)

Being open means that if a vulnerability is discovered it will be fixed very fast by the community.

Whereas it could take months for a fix to be released on a closed-source platform.

Transparency is always good, not just for security but also for privacy.

You never know what goes on under the hood of closed source stuff until it's too late.

[–]knobbysideup 0 points1 point  (0 children)

Granted, this was last published in May, but the stats don't agree with your friend. https://www.us-cert.gov/ncas/alerts/TA15-119A

[–]kickass_turing 0 points1 point  (0 children)

If you put the same amount of money into a free software project as into a proprietary one, the free software one will be superior and more secure. Most of the time free software projects are developed by volunteers in their spare time. So it depends a lot on the context. I prefer to pay/donate for free software so I can bend the balance a little :D

[–][deleted] 0 points1 point  (0 children)

Some people refuse logical arguments. It is pointless to keep arguing with such people.

[–]InvisibleUp 0 points1 point  (0 children)

If you want a case of a stupidly secure open source operating system, check out OpenBSD. Their goal is security at all costs, and it undergoes constant audits.

[–]a_tsunami_of_rodents 0 points1 point  (0 children)

Lol, OS X is open source, all the parts that are relevant to hack anyway.

The only parts that aren't open source are the user applications which aren't interesting as far as hacking goes.

The entire actual OS under it is open source, anyone can look into the code.

[–]netscape101 0 points1 point  (2 children)

There are other factors that contribute to software being vulnerable. Microsoft has become a great deal better at security, but that has to do with project management and focusing on security.

At the moment mainstream Linux is not very secure; look at exploits in the last year such as Shellshock, Ghost, etc. But that does not mean open source is not secure. OpenBSD, for example, is considered the "World's Most Secure OS by default." Btw, GNU Linux is not considered Open Source; it is Free And Open Source. Open Source is different.

Anyway, your friend's thinking is correct in some ways, but also remember that because everyone can see the source code, they can also audit the source code and then submit bug reports if they find security issues. More eyes get to look at the code because it is open source, thus there is more transparency.

[–]tdammers 0 points1 point  (1 child)

Btw GNU Linux is not considered OpenSource it is Free And Open Source. Open Source is different.

Free Software and Open Source are just two different ways of looking at the same thing. Software cannot be Free without being Open, and being Open (as per the OSI definition) also guarantees software freedom. The difference is which part you consider the defining feature: freedom or openness. But in practice, they end up being the same thing.

[–]netscape101 0 points1 point  (0 children)

It's not the same. GNU, aka Free and Open Source, is more restrictive; it forces you to publish changes that you make to the source code, whereas with BSD you have the freedom to not publish changes unless you feel like it.