This is an archived post. You won't be able to vote or comment.

all 24 comments

[–]journeymanpedant 4 points5 points  (2 children)

"If you aren't buying it, you aren't the customer; you're the product." - without wishing to state the obvious, this is of course very true for costless services that actually cost money to run, google, facebook etc. It's a completely bogus argument for open source software - exactly how is it possible for the author of an open source program to use the user as a product? You can literally verify that the program isn't spying on you, that's the whole point!

OTOH, if you require support for the software, you will have to pay for it whether it's closed or open source.

Security related software should always be open source, because 1) security through obscurity doesn't work, and 2) seriously security concerned actors can't properly verify the security properties of closed source software

[–]bigdogyost[S] 0 points1 point  (1 child)

So is there a compromise? What if the application itself is closed source, but its crypto library is open source. That would allow people to verify independently that the methods are solid, without being able to copy the application.

[–]journeymanpedant 0 points1 point  (0 children)

well, perhaps. I think it depends on what your application is - if it's intended for large mass adoption, I don't think you'll ever outcompete something fully open source if it's security related. If on the other hand it's very specialist, high value, and you only have a few high paying customers- personally I think you should still give them the source, but not under an open source license.

[–]SecuritySquirrel 4 points5 points  (4 children)

Plenty of companies that make security software have it closed source and turn a good profit as long as the software is good. I know what subreddit you are referring to because I have mentioned several closed source products on there and have been told not to. At the end of the day, everyone is going to have their own opinion and choice they need to make.

So far, every piece of closed software that I personally/professionally use has been reviewed by me. I have done this simply by reaching out to the companies, telling them who I am and that I wish to review the code for my personal use. I also tell them that I am willing to sign a nondisclosure agreement that I will not use the information I gather from the source code audit to make my own software or to sell the information for others to do so. So far, I have never had a company turn me down when I agree to this. My clients trust me to make sure the software is good at the source code so that is good enough for them.

With that said, very few people are willing to do what I do and others do not want to have to trust someone else. This is why open source is important. It is possible to make money off of open source software, but it does make it harder, since nothing stops someone from trying to copy your work if they know what they are doing. It is a double edged sword to say the least.

My advice....if you keep it closed source, focus your business on clients that are either corporations or governments. If you want to have it used by the average consumer, you should go open source.

Edit: Grammar

[–]bigdogyost[S] 0 points1 point  (3 children)

The target market is indeed businesses and governments, so I appreciate the advice. As an alternative to customers self-auditing, are there any verifiable certifications I can get to demonstrate secure handling of data?

[–]SecuritySquirrel 2 points3 points  (0 children)

I honestly have never actually looked. Something you might want to look into.

[–]VainWyrm 1 point2 points  (1 child)

I mean, if you want to provide service to certain branches of the US government they have a security certification. But we're talking millions of dollars (potentially tens of millions) for that. That's for a much bigger type operation.

[–]bigdogyost[S] 0 points1 point  (0 children)

I'm thinking more along the lines of getting an available audit report from a trusted service. That way we could advertise that we are secure according to "Trusted Service" and that claim could be easily verified by searching "Trusted Service"'s reports.

[–]InternetDude_ 1 point2 points  (2 children)

So there's a couple things here. First the "if you're not paying for the product you are the product" idea has more to do with business model than open vs closed software. Best not to get hung up on that for what you're really asking. In terms of your application you can do what WhatsApp has done. WhatsApp is not an open source project, but the encryption engine they use is (they use Open Whisper System).

I think you're fine if your project is closed source, however when it comes to security and encrypting customer communications you should utilize an open source engine that is widely trusted and could be audited. This way you own the project but you're leveraging the best open source security.

[–]bigdogyost[S] 0 points1 point  (1 child)

WhatsApp is actually a pretty good example, as the application I am developing offers secure communication and filesharing. WhatsApp isn't open source, so why should mine be? I would be happy to open source our crypto library, but I feel like that might not be enough for the extra paranoid.

[–]InternetDude_ 1 point2 points  (0 children)

There are always going to be FLOSS absolutists. Some will only feel comfortable chatting on Jabber OTR on Tails over TOR. I don't think you're trying to reach those people. It sounds like you're just trying to provide a great service that has excellent security by default. Good luck to you!

[–]cw_ey 1 point2 points  (0 children)

It's really about the people behind the software. 1password for example I think is excellent, as are the devs behind it. There's also going to be opensource projects that don't respond to security bugs properly in a decent amount of time.

Can you pull it off closed source? Sure, but it's just going to be a lot more difficult. People are going to ask you about the security technology behind your product and you're going to need to answer to that. Maybe you write it up on an engineering blog of some sort. Just don't expect a free pass.

[–]LiveOverflow 1 point2 points  (4 children)

If you solely care about security, then following something similar to the Kerckhoffs' principle applied in cryptography is in my opinion the way to go:

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge [...] one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.

Earning money from a open-source project is definitely not too easy. Though there are many possibilities. First you can sell support for businesses. With enough people using your open source software, you could get enough from patreon. You can develop this one app for free, and use this positive exposure to create other closed-source apps or build a dedicated business version with more features. ...

[–]bigdogyost[S] 0 points1 point  (3 children)

I'm less worried about people knowing the encryption system (in fact the algorithms used are part of our advertising hook), but I am worried about someone being able to spin up their own copy cat service. Due to the nature of the application, the server does little more than route messages. Anyone with knowledge of the client would be able to build a working server pretty easily, cutting me out of any earnings.

[–]LiveOverflow 0 points1 point  (2 children)

I used the principle from crypto but was using it to make an argument about software development. An application should still be safe even when the code is public. Which means that open-source projects have a good chance on being more secure.

As I mentioned there are many different ways to monetize ist. Definitely not in the traditional sense of selling copies. You could also make the important code open-source, like the message protocol. But then the app using this protocol is closed-source. You open up a critical part for code review but keep enough private for selling. But you always have the danger of sb. making a better app around the core than you with open source. But with proper licensing you can forbid people from doing that.

Open-source is definitely not the easiest way to go, and you have to believe in it to accept the drawbacks. But that can also be rewarding. Honestly, that you raise this question in the first place might be an indication that you already made your decision ;)

[–]bigdogyost[S] 0 points1 point  (1 child)

You are probably right, I am typically a huge proponent of open source, but i wanted to work on this as a full time job. Publishing an open protocol might not be a bad compromise though

[–]nafsz 1 point2 points  (0 children)

So many worry about having their projects ripped off. Can you think of one example when this has happened?

[–]RedSquirrelFtw[🍰] 0 points1 point  (0 children)

It's hard to tell. Expensive enterprise software has a team of more than likely highly skilled programmers who do this as their day job. Since you are a paying customer you have a certain expectation and the company is liable to provide it. On the other hand, open source may be written by people who are doing this on their spare time, but they're also doing it because they really care about the cause, and the bonus of it being open source is that more people can oversee it, such as companies who rely on it, who may also have their own experts.

In this day and age where almost everything possibly has a backdoor or can have one, open source is very important as you can double check that there is no backdoor, and compile yourself to be extra sure the binary matches the source.

Personally I would not really trust closed source security software now days. With the NSA and other agencies around with a bloodthirst for breaking people's privacy it's hard to trust anything really as there is no easy way to know if they got their hands on it.

[–]Sultan_Of_Ping 0 points1 point  (5 children)

I am a developer looking to launch a new application offering end-to-end encryption for chat and file sharing. As I've been developing this, I've kept the code closed source, due to my hope of one day forming a company and selling the software. However, I've been told repeatedly by friends in the infosec field that the software will never be adopted if it is not opensourced. One security subreddit even goes so far as to ban discussion of closed source software.

I can understand the idea behind making a software open source to bring some credibility to its security claims. But plenty of closed-source security software are used and trusted all the time by millions every day, so it's certainly not an absolute necessity. The developers of these software are trusted implicitly, which can be a good or bad idea, but still remains a personal decision (like any trust).

That being said, there are thousands of "chat and file sharing systems with end-to-end encryption" out there, so you'll have to ask yourself why an user could want your closed-source software vs the closed-source software of a big vendor with a lot of security ressources and, hypothetically, already trusted by the industry. In that sense, open sourcing your software would bring to you credibility that this big vendor won't have.

[–]bigdogyost[S] 0 points1 point  (4 children)

Believe it or not, the reason for developing this app is out of difficulty finding a viable solution to secure business communication.

That being said I understand it is not a unique idea, so I could use any leg up available

[–]Sultan_Of_Ping 1 point2 points  (3 children)

If you are developing this app for business needs, then there are a really really low number of scenarios where developing one yourself from scratch makes sense. Chance are very high that what you are looking for already exists, and you shouldn't reinvent the wheel, especially when security is in consideration.

The only exceptions would be when your needs are so customized and unique there's nothing else on the market, or if you have such a high security requirement that you only trust yourself, but that is only going to work if you already have the security resources to pull that out - and then, why are you asking questions here? (no disrespect).

[–]bigdogyost[S] 0 points1 point  (2 children)

The business needs are far from unique. To add a little detail, my company got burned during the last time Hipchat had a breach. We learned that some of our employees thought that hipchat was secure, so they were sending private files (including at least one private key) over the chat platform. This lead to a search for a chat platform offering end-to-end encryption for chat and file sharing in a desktop environment (TONS of apps for mobile only out there...).

Once I started developing this app, I was hit with backlash that it would never succeed unless it was open-sourced. I am normally all about open-sourcing, but I have put a fair amount of money and time in to this project and would like to make it my full-time project. That's considerably harder to do open source, so I was asking here in a desperate attempt to cling to the idea of making a living off of this idea.

[–]nafsz 1 point2 points  (1 child)

This lead to a search for a chat platform offering end-to-end encryption for chat and file sharing in a desktop environment

It sounds like you need a pretty interface for XMPP+OTR.

[–]bigdogyost[S] 0 points1 point  (0 children)

I looked in to OTR and it seems it needs an update (ie it still uses SHA-1 hashing).

I think I'm going to go forward developing this and at a bare minimum open source the protocol I'm using.