I don't get how open source is safe and secure

If the code is public, what is stopping someone from just reading it and using studying it to develop an exploit?

Idea is to make software so good that you can't find a flaw even if the code is open

That's exactly the point. But there are enough good people who help fix those to mitigate the bad people trying to exploit them.

In closed source software those good people aren't allowed to operate unless they work for the company.

the point is that everyone can improve upon it and people will spot possible security issues and fix them ... or you can just fix it yourself

whereas with proprietary software you simply don't know what's underneath and how it's ever going to get fixed, and you are at the mercy of the retards who own the source code

I have a question: If everything was open source can software devs still make money?

>I don't get how open source is safe and secure.
Because you're a braindead shit-troll who tries to refute crap nobody ever said.

>just reading it and using studying it to develop an exploit?
Most people aren't able to do that even if they wanted to

"Every secret creates a potential failure point. Secrecy, in other words, is a prime cause of brittleness—and therefore something likely to make a system prone to catastrophic collapse. Conversely, openness provides ductility."

Nobody makes money selling software anymore idiot.

Yes, except only the good ones would remain in the field and rest will be left jobless.

>it's safer because people point out the flaws
What was that thread about the 11 year old kernel vulnerability

There have been many exploits that have existed for 10+ years in open source software which have only recently been fixed.

Being open source does not mean more security or safety.

more people are interested in fixing the code and contributing than interested in exploiting it.

Even if the chances of exploits are higher, the chances of 0days are probably lower.

(i have no credible source but experience to base this claim on.)

I know an exploit in certain closed source software that existed for 23 years and hasn't been fixed yet.

Probably but not as much

>Being open source does not mean more security or safety.
It does though, it just doesn't mean it's 100% perfectly secure.

I found that one too. Is it [spoiler] Using CSRF or XSS to remotely privesc to root [/spoiler]

You have more chance of picking up a security issue with open source software since more people are combing through it.

The internet is rife with examples of benevolent developers and hackers that point out faults and flaws to enterprise and closed source software vendors only to be ignored or threatened with legal counsel.

Still op you and your father are long time cock smokers and your mother is a whore.. Have a great day.

That's a common misconception by information security laymen. If your code is only secure because it's secret, it is not secure.

en.wikipedia.org/wiki/Security_through_obscurity
>Security experts have rejected this view as far back as 1851

This is true in a practical sense for software, because if you're a talented reverse engineer looking for exploits, even compiled code is an open book to you. Security 101 says that your system must be secure, even to an attacker who knows everything about it.

>Being open source does not mean more security or safety.
Yeah, you can argue this, but it definitely doesn't mean _less_ security or safety. Every other week, Project Zero finds another longstanding security flaw in Windows. What's scary is that if Windows was open source, their job would probably be a bit easier, which means they'd probably find more. Just imagine how many undiscovered (by white hats) security flaws there are in Windows.

It's not the 90s anymore. If you wanna make money, don't sell software.

Nothing. But security through obscurity doesn't work either as there are other ways of detecting security flaws as well.

Sure. "Open source" doesn't mean the devs are doing it for free. Most work being done on any high-profile open source project is being done by people who are being paid to do so. Your company wants a feature that doesn't exist? It's much cheaper to pay someone to make (and maintain) a version of apache that has that feature than it is to develop your own web server from scratch. Bonus point: just because something is open source doesn't mean it has to be freely available. Open source/free software licenses only matter if you intend to distribute that software. You only have to share the source code with people who actually use the software.

Adobe, no?

Nah, I was quite hilariously surprised when someone mentioned their Photoshop subscription and I thought it was a joke

Companies and universities still buy licenses.

Most software developers are people hired to do a job.
Someone pays them for a while to develop a product or maintain a project or improve a project.
The people who make an application, sell it for $2 to a million customers is rare.

you can fuzz binaries
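The one-liner above is the whole point in miniature: a mutation fuzzer needs no source code, only a way to run the target and notice when it dies. The following is an added example, not code from this thread; the `opaque_parser` is a constructed stand-in for a compiled binary with a planted flaw, and the fuzzer and minimizer treat it as a black box.

```python
"""Black-box mutation fuzzing: find a crash without reading the target.
Added example; the 'parser' below is a constructed stand-in for a binary."""
import random


def opaque_parser(data: bytes) -> int:
    """Constructed target. Treat it as a compiled blob: the fuzzer below never
    looks at this source, it only observes crashes. Record layout is the
    magic b'LOGO', one length byte, then the payload."""
    if len(data) < 5 or data[:4] != b"LOGO":
        return -1                      # rejected input, no crash
    length = data[4]
    if length > 0x7F:                  # planted flaw: oversized length field
        raise MemoryError("buffer overrun")   # stands in for a segfault
    return len(data[5:5 + length])


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation: overwrite, insert or delete a byte."""
    buf = bytearray(data)
    if not buf:
        return bytes([rng.randrange(256)])
    op = rng.randrange(3)
    if op == 0:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seeds, iterations=5000, seed=1):
    """Mutate seed inputs and run the target; return (input, exception name)
    for every input that made it raise. No coverage feedback here; real
    fuzzers (AFL, libFuzzer) add that, but the black-box idea is the same."""
    rng = random.Random(seed)          # fixed seed: reproducible run
    corpus = list(seeds)
    crashes = []
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except Exception as exc:       # any uncaught exception counts as a crash
            crashes.append((candidate, type(exc).__name__))
    return crashes


def minimize(target, crashing: bytes) -> bytes:
    """Greedy delta-minimization: drop each byte whose removal still crashes."""
    data = crashing
    i = 0
    while i < len(data):
        trial = data[:i] + data[i + 1:]
        try:
            target(trial)
        except Exception:
            data = trial               # still crashes without byte i, keep the cut
            continue
        i += 1
    return data


if __name__ == "__main__":
    found = fuzz(opaque_parser, [b"LOGO\x10hello"])
    if found:
        raw, kind = found[0]
        print(f"{len(found)} crashing inputs; first: {raw!r} ({kind})")
        print("minimized:", minimize(opaque_parser, raw))
```

The seed input is a single valid record; single-byte mutations of it hit the oversized-length path within a few hundred iterations, and the minimizer strips the result down to the five bytes that actually matter. Nothing in the loop depends on having the source.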

look at some hash or checksum algorithms. most of them are completely open and everybody who wants to can learn how they work. But just because you know the code and how they work does not mean that you can generate the actual data from a hash/checksum. so it's absolutely possible to write open and safe code

> I don't get how 2 + 2 = 4
If you use mathematical algorithms you can generate complexity in such a way that it would take too long to crack it brute force.

As nothing is secure on an infinite time scale.

Literally anything enterprise makes so much money it's crazy. thousands of dollars for per user licenses or endpoint installs?!?!

Fuckin everyone sells endpoint software by the endpoint, so thousands of endpoints at anywhere from 200-4000 per endpoint, that's a shit ton of money.

>Try finding a job where you arent someones slave.

The NSA is constantly putting in bugs and exploits to make free software look bad so everyone will just use their shitty proprietary software that they also have backdoored.

>the point is that everyone can improve upon it and people will spot possible security issues and fix them

Are there really that many people who spend their free time reading code just to find security issues and report them?

One would think that the people who give a fuck about what the code says are the same people who want to exploit it.

>Are there really that many people who spend their free time reading code just to find security issues and report them?
for popular software, yes. how else would it get developed, if not by people reading it and working on it?

though it isn't necessarily free time

there are paid programmers working on a lot of FOSS projects all the time

It isn't.

Freetards on average take 10+ years to fix or find bugs, critical ones at that.

They also forget that the NSA literally wrote the security code on most Loonix distros (SELinux), I'm sure the NSA didn't leave any backdoors that freetards have yet to find.

Hello NSA

If an open source project is relevant enough, companies are dedicating developers to use it in their value chain. If they find a bug or a security issue, they either report it to the devs or fix it themselves; this way every company using said open source project benefits from the improvements. Developers fixing these issues don't necessarily have to be autists fixing bugs for free.

Think about it this way:

If the only thing that makes your system secure is that "how it works" is a secret, then "how it works" is a great vulnerability.

That's why in digital security all methods and techniques tend to be public.

And it's for this exact reason open source software tends to be more safe and secure: there are many people looking at the code and making sure it's safe and secure, and if an exploit shows up, anyone can submit a patch.
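The principle in this post (and in the earlier replies about open hash algorithms and brute-force cost) is Kerckhoffs's: the algorithm may be public as long as the key is not. Below is an added example, not code from the thread, contrasting a "secret sauce" token scheme whose only secret is a constant in the source with an HMAC scheme whose source can be published. All keys, user ids and the XOR constant are constructed for the demo.

```python
"""Open algorithm, secret key (Kerckhoffs) versus secret-algorithm tokens.
Added example with constructed keys and user ids; not code from the thread."""
import hashlib
import hmac
import secrets

# --- Scheme A: security by obscurity. The "key" is a constant in the source,
#     so the algorithm *is* the secret. Publishing or decompiling the code
#     hands every reader the forging capability.
_OBSCURE_CONST = b"s3cr3tsauce!"      # constructed; lives in the code itself


def obscure_token(user_id: str) -> bytes:
    """Token = user id XORed with a constant baked into the program."""
    data = user_id.encode()
    return bytes(b ^ _OBSCURE_CONST[i % len(_OBSCURE_CONST)]
                 for i, b in enumerate(data))


def obscure_verify(user_id: str, token: bytes) -> bool:
    return obscure_token(user_id) == token


def forge_obscure_token(victim: str) -> bytes:
    """An attacker who has read the source just runs the same function."""
    return obscure_token(victim)


# --- Scheme B: open algorithm (HMAC-SHA256), secret drawn at deploy time.
#     The whole source can be public; only the key must stay private.
def new_key(nbytes: int = 16) -> bytes:
    return secrets.token_bytes(nbytes)  # 128-bit key from the OS CSPRNG


def hmac_token(key: bytes, user_id: str) -> bytes:
    return hmac.new(key, user_id.encode(), hashlib.sha256).digest()


def hmac_verify(key: bytes, user_id: str, token: bytes) -> bool:
    # constant-time compare so a timing side channel doesn't leak the tag
    return hmac.compare_digest(hmac_token(key, user_id), token)


def brute_force_key(user_id: str, token: bytes, key_len: int, limit=None):
    """Attacker with the full source but not the key: exhaust all keys of
    key_len bytes (or only the first `limit` of them). Key or None."""
    for n in range(256 ** key_len if limit is None else limit):
        guess = n.to_bytes(key_len, "big")
        if hmac_verify(guess, user_id, token):
            return guess
    return None


def brute_force_years(key_bits: int, guesses_per_second: float) -> float:
    """Expected wall-clock years to hit a random key (half the keyspace)."""
    return 2 ** (key_bits - 1) / guesses_per_second / 31_557_600


if __name__ == "__main__":
    print("obscure token forged:",
          obscure_verify("alice", forge_obscure_token("alice")))
    key = new_key()
    tok = hmac_token(key, "alice")
    print("valid:", hmac_verify(key, "alice", tok),
          "wrong key:", hmac_verify(b"\0" * 16, "alice", tok))
    print("2-byte key recovered:",
          brute_force_key("alice", hmac_token(b"\x12\x34", "alice"), 2))
    print("128-bit key at 1e12 guesses/s: %.1e years"
          % brute_force_years(128, 1e12))
```

The 2-byte key falls to exhaustive search in a fraction of a second even though HMAC-SHA256 is a perfectly good public algorithm; the 128-bit key does not fall in the lifetime of the universe with the same public algorithm. What changed is the size of the secret, not whether the code was visible.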

I give a fuck and i report problems to the devs when i find them. I've also sent in a few patches myself.

>there are paid programmers working on a lot of FOSS projects all the time

there are also paid programmers working on proprietary software.

1. Expert releases book X on topic Y. Book has several mistakes. Potentially never a new print of the book to correct the mistakes. Thousands of people read and believe the mistake.

2. Non-expert/Expert submits paragraph A on topic B on Wikipedia. Paragraph has several mistakes. Person sees the mistake, presses the edit button and corrects it. Someone frauds? Another person will correct/restore it.

It's proven that Wiki had less mistakes than the Encyclopedia Britannica.

short answer - it's not safe and secure

the many eyes theory that they cling to is fundamentally flawed because it requires the people who audit the code to be competent

see

heartbleed
shellshock
drown

OpenSSL is proof that open source is not inherently more secure

I'd like to see irrefutable proof of that because considering how wikipedia actually works and how admins and powerusers use it to push their own agenda i'm very sceptical

I've not seen proof, but I could believe it as long as it simply compares the same topics from wiki/britannica to each other.

The English wikipedia tends to have very good articles for important topics, which a lot of people read and fix.
But there are also lots of ridiculously bad articles: these are, however, usually marked as having problems, and usually their topic is relatively niche.

Also, Wikipedia in different languages can be laughably bad. I sometimes read the one in Finnish just to laugh at how bad it can be.

heartbleed
>-DOPENSSL_NO_HEARTBEATS
shellshock
>environment variable for program interacting with the network
drown
>enabled SSLv2
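The three one-line mitigations above are each checkable on a host. The following is an added example, not code from the thread: a local audit that flags an OpenSSL build in the Heartbleed-affected range (1.0.1 through 1.0.1f), reports whether SSLv2 support is compiled into the TLS stack Python links against, builds a client context that refuses anything below TLS 1.2, and runs the classic Shellshock environment-variable probe against the local `bash`. Output strings and the `audit()` dictionary layout are this example's own choices.

```python
"""Local checks for the three mitigations listed above: OpenSSL version in
the Heartbleed range, SSLv2 compiled into the TLS stack (DROWN), and the
classic Shellshock environment-variable probe. Added example."""
import os
import ssl
import subprocess


def heartbleed_affected(version_info) -> bool:
    """CVE-2014-0160 affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it.
    `version_info` has the shape of ssl.OPENSSL_VERSION_INFO:
    (major, minor, fix, patch, status); patch 0 = no letter, 1 = 'a', 6 = 'f'.
    (The 1.0.2-beta1 pre-release was also affected; not covered here.)"""
    major, minor, fix, patch = version_info[:4]
    return (major, minor, fix) == (1, 0, 1) and patch <= 6


def sslv2_available() -> bool:
    """Python exposes ssl.PROTOCOL_SSLv2 only when the linked OpenSSL was
    built with SSLv2; a server can only be DROWN-able if that support exists."""
    return hasattr(ssl, "PROTOCOL_SSLv2")


def hardened_client_context() -> ssl.SSLContext:
    """Even on a stack that still carries old protocols, refuse anything below
    TLS 1.2 (the 'don't enable SSLv2' half of the DROWN mitigation)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_shellshock(bash: str = "bash") -> str:
    """CVE-2014-6271 probe: a function body in an environment variable with
    trailing commands. An unpatched bash runs the trailing command while
    importing the function; a patched one ignores it (with a warning)."""
    env = {"PATH": os.environ.get("PATH", os.defpath),
           "x": "() { :;}; echo vulnerable"}
    try:
        proc = subprocess.run([bash, "-c", "echo probe"], env=env,
                              capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return "bash not found"
    except subprocess.TimeoutExpired:
        return "timeout"
    return "vulnerable" if "vulnerable" in proc.stdout else "patched"


def audit() -> dict:
    """Gather the local findings in one place."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "heartbleed_range": heartbleed_affected(ssl.OPENSSL_VERSION_INFO),
        "sslv2_compiled_in": sslv2_available(),
        "shellshock": check_shellshock(),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

The version check is deliberately a pure function of the tuple so it can be pointed at any build string you have on file, not only the interpreter's own. The Shellshock probe passes the payload through `subprocess`'s `env` rather than the shell, so the test itself cannot be mangled by quoting.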

inherently? or initially? I think all initial security is best effort (and yes a corporation may throw more at this initial effort)

Android.

The cost is your privacy. Microsoft wants $$$ and your privacy; total pajeet move.

Same with closed source software. Google abandoned Windows because of its almost two-decade-old security hole. All software is prone to errors and exploits. FOSS doesn't mean security, it means freedom. You can see if the whole purpose of the software is malicious (ex. Windows 10).
What's stopping a Microsoft employee from not reporting a bug and exploiting it for personal gain? Nothing. There are plenty of cases where a bug was found in something critical, then the information about that bug was sold to the highest bidder or simply exploited by the person who found it. You just have to hope that people working on proprietary software are not immoral.
There are hundreds of security issues fixed on the windows kernel too, you just aren't notified about it in the news unless someone made a big deal about it.

Felt this was not clear.

Android's backend is Linux. Google may have this open source but sells all your information.

Microsoft will not only charge you for an OS, but they will also sell your privacy as well.

Consider the possibility a business might pay a developer to work on software because they want to use it, rather than sell it.

or what if they just didn't know? how bout dat

>Why not just edit the software and then upload it to the source control to turn it into malware?
>Other users would spot the malicious code and your update would get voted down.
>Not if I have a botnet to upvote my code.

Is this how it works IRL???

Your botnet must participate in multiple circlejerk discussions over irc channels and forums of every distribution to gain authority

Plenty of people do it to beef up resumes, answer some "greater calling," or because their employer pays them to.

Just because it's open source doesn't mean Intel, Oracle, Microsoft, etc. aren't dumping millions into development.

[insert systemd joke here]

What was that 17 year old Windows kernel bug that the fix for caused BSODs upon boot, and you had to use WinPE to uninstall the update?

Fuck off, Saranjeet.

a book is made to be read. a program isn't made to be read.

But how can they prevent one of their customers from releasing the source code

People will always find ways to make money. It isn't our responsibility to ensure they do, especially if they're doing it in a fucked up way.

Besides, even the big players don't sell software anymore and the new money is all built on foss (facebook, netflix, pretty much all)