-
Mar 28th, 2025, 08:38 PM
#41
Re: Open Source and Security
I can certainly see that there might be a lot of those types looking at the code, but they will not be the only ones.
A lot of commercial software uses open source encryption libs these days, so there will be a considerable number of professional cryptography experts looking at and maintaining them as well. Also, finding and fixing flaws in these libraries is a good way for people to get recognition in this very specialised area - so there are selfish reasons for people to do the "right thing" as well as people just wanting to fix problems.
Most standard encryption libraries are heavily used and effectively battle tested; problems are not likely to remain hidden for long. Proprietary ones on the other hand could definitely have hidden flaws that are never publicly spotted or fixed.
-
Mar 29th, 2025, 04:32 AM
#42
Re: Open Source and Security
I guess it comes down to which you think is more likely:-
1. that a good actor finds a flaw and fixes it (or reports it and gets it fixed)
2. that a bad actor finds a flaw and exploits it
I would say that the chances are roughly equal but option 2 also needs to rely on option 1 to fail. For the bad actor to succeed requires that no good actor spot the exploit and that probably diminishes as the overall volume of actors increases. If any good actor spots the exploit then the bad actor fails. On that basis an Open Source project with a massive number of participants is likely to be secure, I think, though it would be an interesting puzzle to game out.
Personally, my indifference to Open Source comes from bad experiences trying to integrate OS elements into commercial products. I found they tended to be poorly documented, often with multiple different branches whose purposes were opaque and often updating to get a desired change introduced a whole bunch of other unexpected and undesirable changes. None of those things are intrinsic to the Open Source model but I did find them prevalent. I think what happens is that everyone wants to get involved in the fun bit: code; but nobody wants to do the boring but necessary stuff: admin, documentation and management. Whenever I found myself struggling the failure wasn't in the principle, it always seemed to be in the human element.
Which neatly dovetails into:-
the environments these things are used in
Yeah, that. I don't think there's anything intrinsically wrong with Signal as a platform. But it hadn't been approved (in fact, advice had been issued not to use it), they used it on unsecure devices, they used it in unsecure locations and they didn't follow any sort of protocol to secure the group. This is the equivalent of posting your banking password on Social Media and then blaming the bank when your money disappears. We all know that, in security, it's the human element that is the weakest link.
I'm going to pre-empt Shaggy's inevitable pun about the overall volume of actors and just say: Brian Blessed.
The best argument against democracy is a five minute conversation with the average voter - Winston Churchill
Hadoop actually sounds more like the way they greet each other in Yorkshire - Inferrd
-
Mar 29th, 2025, 06:10 AM
#43
Re: Open Source and Security
 Originally Posted by Elroy
The Politico is funded to produce liberal propaganda. No one with a lick of sense should be reading that trash except to be aware of the garbage narratives being pushed in the present.
I wouldn't be angry about anything I read there if I were you. That article has nothing to do with the viability of open-source applications where security is paramount. All that article is designed to do is undermine the Trump administration, nothing more. If the exact same thing happened under Kamala Harris or Joe Biden, that article would have taken a completely opposite position.
-
Mar 29th, 2025, 06:42 AM
#44
Re: Open Source and Security
 Originally Posted by FunkyDexter
Personally, my indifference to Open Source comes from bad experiences trying to integrate OS elements into commercial products. I found they tended to be poorly documented, often with multiple different branches whose purposes were opaque and often updating to get a desired change introduced a whole bunch of other unexpected and undesirable changes. None of those things are intrinsic to the Open Source model but I did find them prevalent. I think what happens is that everyone wants to get involved in the fun bit: code; but nobody wants to do the boring but necessary stuff: admin, documentation and management. Whenever I found myself struggling the failure wasn't in the principle, it always seemed to be in the human element.
I think that sums up the issue with open source quite nicely - depending on the project in question it can be a massive help or a major pain. Well supported and widely used projects can work really well, however far too often open source projects are written to fill an individual need; if your problem isn't perfectly aligned then integrating them can be more trouble than it is worth.
Cryptography, however, needs to be open IMHO; without lots of visibility and proper testing (and cryptography testing is a whole other level of testing), how can anyone have faith in a proprietary method?
 Originally Posted by FunkyDexter
Which neatly dovetails into:-
Yeah, that. I don't think there's anything intrinsically wrong with Signal as a platform. But it hadn't been approved (in fact, advice had been issued not to use it), they used it on unsecure devices, they used it in unsecure locations and they didn't follow any sort of protocol to secure the group. This is the equivalent of posting your banking password on Social Media and then blaming the bank when your money disappears. We all know that, in security, it's the human element that is the weakest link.
The Signal protocol is a very heavily used and tested protocol; it has become almost a de-facto standard, and the chances of severe security flaws are pretty slim. The issue is using unapproved software for the type of communication, on unsecured devices, on possibly unsecure networks, and inviting the wrong person into the chat.
-
Mar 29th, 2025, 06:44 AM
#45
Re: Open Source and Security
 Originally Posted by Niya
The Politico is funded to produce liberal propaganda. No one with a lick of sense should be reading that trash except to be aware of the garbage narratives being pushed in the present.
I wouldn't be angry about anything I read there if I were you. That article has nothing to do with the viability of open-source applications where security is paramount. All that article is designed to do is undermine the Trump administration, nothing more. If the exact same thing happened under Kamala Harris or Joe Biden, that article would have taken a completely opposite position.
https://mediabiasfactcheck.com/politico/ I am assuming anything that isn't Twitter is assumed to be far left propaganda...
-
Mar 29th, 2025, 08:27 AM
#46
Re: Open Source and Security
Ask a crook about the reputation of a crook?
-
Mar 29th, 2025, 08:46 AM
#47
Re: Open Source and Security
 Originally Posted by dilettante
Ask a crook about the reputation of a crook?
So I should ask Trump?
-
Mar 29th, 2025, 10:08 AM
#48
Re: Open Source and Security
 Originally Posted by dilettante
Ask a crook about the reputation of a crook?
It's worse than that. Imagine wanting to be told what colour the sky is instead of wanting to see for yourself.
-
Mar 29th, 2025, 10:13 AM
#49
Re: Open Source and Security
 Originally Posted by PlausiblyDamp
The Signal protocol is a very heavily used and tested protocol; it has become almost a de-facto standard, and the chances of severe security flaws are pretty slim. The issue is using unapproved software for the type of communication, on unsecured devices, on possibly unsecure networks, and inviting the wrong person into the chat.
Btw, the internet is an unsecure network. The Signal protocol is designed to be secure over unsecure networks. The Signal protocol's security is scrutinized and accepted by cryptographers to be one of the best in class for messenger applications.
Unsecure devices and human stupidity are insurmountable problems though.
cheers,
</wqw>
-
Mar 29th, 2025, 10:30 AM
#50
Re: Open Source and Security
 Originally Posted by wqweto
Btw, the internet is an unsecure network. The Signal protocol is designed to be secure over unsecure networks. The Signal protocol's security is scrutinized and accepted by cryptographers to be one of the best in class for messenger applications.
Unsecure devices and human stupidity are insurmountable problems though.
cheers,
</wqw>
Completely agree with you, if you are using a typical messenger application then the Signal protocol is about as good as it gets. WhatsApp, Google RCS, some Facebook Messenger, and some Skype messages use it.
Signal, or open source, isn't the issue here and attempting to blame (unfounded) shortcomings in an application that should never have been used in this situation is trying to deflect blame from all of the people involved.
-
Mar 29th, 2025, 10:52 AM
#51
Re: Open Source and Security
 Originally Posted by wqweto
Unsecure devices and human stupidity are unsurmountable problems though.
I've heard someone here (Shaggy maybe) call users meatbags (just double checked, it was Shaggy) and I've taken that approach in programming ever since.
Basically, I try to program to the lowest common denominator and make it as idiot proof as possible. Even then, I'm still constantly surprised at how easily users can break stuff.
In short:
-
Mar 29th, 2025, 12:48 PM
#52
Re: Open Source and Security
 Originally Posted by Niya
It's worse than that. Imagine wanting to be told what colour the sky is instead of wanting to see for yourself.
How do you propose that we do that, in this case?
It's a significant issue, these days. Ultimately, you simply don't have enough time in your life to "see for yourself" in all cases. You MUST take some things as they stand. You don't have to put much faith in them, but if you decide that anything that you haven't seen for yourself must be fake...you've got problems.
My usual boring signature: Nothing
-
Mar 29th, 2025, 12:53 PM
#53
Re: Open Source and Security
 Originally Posted by dday9
I've heard someone here (Shaggy maybe) call users meatbags (just double checked, it was Shaggy) and I've taken that approach in programming ever since.
Basically, I try to program to the lowest common denominator and make it as idiot proof as possible. Even then, I'm still constantly surprised at how easily users can break stuff.
I didn't originate that, though I don't remember where I saw it. I learned it almost thirty years ago. I wrote a program that I was able to test in a leisurely fashion over a fair amount of time...though I'd also have to say that in retrospect, I wasn't GOOD at testing software, but I didn't know that at the time. I deployed it at work...and somebody managed to crash it in about two seconds. In that two seconds, they had just been pressing buttons at random. There were very few buttons, but they didn't take the time to read the word or two of text on the ones they pressed. The bottom line was that my well tested program had crashed almost immediately, and through random usage.
Once I got looking at it, I realized that there was a sequence of buttons that COULD be pressed, but which I had assumed that nobody would ever press because it would be irrational if the user read the button captions. They did not, and happened to hit on the irrational sequence. That taught me that people will try, not just the reasonable things, but ANYTHING.
My usual boring signature: Nothing
-
Mar 29th, 2025, 02:17 PM
#54
Re: Open Source and Security
I guess it comes down to which you think is more likely:-
1. that a good actor finds a flaw and fixes it (or reports it and gets it fixed)
2. that a bad actor finds a flaw and exploits it
I would say that the chances are roughly equal but option 2 also needs to rely on option 1 to fail. For the bad actor to succeed requires that no good actor spot the exploit and that probably diminishes as the overall volume of actors increases. If any good actor spots the exploit then the bad actor fails. On that basis an Open Source project with a massive number of participants is likely to be secure, I think, though it would be an interesting puzzle to game out.
That sounds reasonable to me. I would add one thing. The bad actor only has to find one thing the reviewers didn't notice to make the software insecure.
Don't take that as I'm against open source. I'm not qualified to say, it's just a thought.
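The "puzzle to game out" from #42, plus the point in #54 that the attacker only needs one flaw the reviewers missed, can be made concrete with a small race model. This is an added example, not code from anyone in the thread; the model itself (each person looking for a flaw finds it after an exponentially distributed time, a fix lands some fixed delay after the first good discovery, flaws are independent) is an assumption chosen for illustration.

```python
import math
import random

# Assumed model (not from the thread): every actor searching for a given flaw
# finds it after an Exp(rate) time. Good actors search at RATE_GOOD each, bad
# actors at RATE_BAD each. A flaw is "lost" if a bad actor finds it before the
# fix lands, i.e. before (first good discovery time + fix_delay).

def p_bad_wins(n_good, n_bad, fix_delay=0.0, rate_good=1.0, rate_bad=1.0):
    """Closed form. First good finder ~ Exp(a), a = n_good*rate_good;
    first bad finder ~ Exp(b), b = n_bad*rate_bad.
    P(bad finds it before the fix) = 1 - a/(a+b) * exp(-b*fix_delay)."""
    a = n_good * rate_good
    b = n_bad * rate_bad
    if b == 0:
        return 0.0
    if a == 0:
        return 1.0
    return 1.0 - (a / (a + b)) * math.exp(-b * fix_delay)

def p_any_flaw_lost(n_flaws, p_single):
    """#54's point: with n independent flaws the attacker needs only one of
    them to go his way, so the risk compounds as 1 - (1 - p)^n."""
    return 1.0 - (1.0 - p_single) ** n_flaws

def simulate(n_good, n_bad, fix_delay=0.0, rate_good=1.0, rate_bad=1.0,
             trials=20000, seed=1):
    """Monte Carlo check of p_bad_wins on the same model (n_good, n_bad >= 1)."""
    rng = random.Random(seed)
    bad_wins = 0
    for _ in range(trials):
        t_good = min(rng.expovariate(rate_good) for _ in range(n_good))
        t_bad = min(rng.expovariate(rate_bad) for _ in range(n_bad))
        if t_bad < t_good + fix_delay:
            bad_wins += 1
    return bad_wins / trials

if __name__ == "__main__":
    # Equal per-person skill; vary how many people look and how fast a fix ships.
    for n_good, n_bad, delay in [(1, 1, 0.0), (9, 1, 0.0), (99, 1, 0.0), (99, 1, 0.5)]:
        print(f"good={n_good:3d} bad={n_bad} fix_delay={delay}: "
              f"P(bad first)={p_bad_wins(n_good, n_bad, delay):.3f} "
              f"sim={simulate(n_good, n_bad, delay):.3f}")
    print("10 flaws, 99 good vs 1 bad, no delay:",
          round(p_any_flaw_lost(10, p_bad_wins(99, 1)), 3))
```

Two things the numbers show that the prose alone does not: the "volume of actors" effect is real but only as strong as the ratio of good to bad searchers, and a slow fix window (or many unreviewed flaws) erodes it quickly.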
-
Apr 1st, 2025, 09:41 AM
#55
Re: Open Source and Security
Funky's comment regarding risks of open source:
 Originally Posted by FunkyDexter
I guess it comes down to which you think is more likely:-
1. that a good actor finds a flaw and fixes it (or reports it and gets it fixed)
2. that a bad actor finds a flaw and exploits it
Personally, I chalk that up as a strength of open source (even if #1 and #2 are 50/50). Particularly for widely used closed source applications (even those from Microsoft, Apple, and others), I think the chances of that closed source code being leaked are relatively high. But, probably, in many of those cases, we never know it's been leaked because the "leakers" or people getting their hands on it don't want to be sued.
And, if they've got it, they're "bad actors" almost by definition.
So, if we assume (admittedly arguable) that all source code is either "leaked" or "open source", wouldn't we rather have the eyeballs of good actors on it? And this will only happen in the open source case.
IDK, I tend to believe that software like Windows and Office haven't been leaked, but would we ever know? Back in the day, I got my hands on the full source code of MS-DOS that was somehow leaked. And I'll die thinking that Bill Gates got his hands on the source code to CP/M to write MS-DOS (which became the foundation for Windows).
And then we can turn to the open source of Unix/Linux, which is the most stable OS out there.
Last edited by Elroy; Apr 2nd, 2025 at 09:09 AM.
Any software I post in these forums written by me is provided "AS IS" without warranty of any kind, expressed or implied, and permission is hereby granted, free of charge and without restriction, to any person obtaining a copy. To all, peace and happiness.
-
Apr 1st, 2025, 11:30 AM
#56
Re: Open Source and Security
I lean that way, as well. If the sense of safety rests on the assumption that no bad actor has seen the code, that's a pretty dubious footing.
My usual boring signature: Nothing
-
Apr 1st, 2025, 12:26 PM
#57
Re: Open Source and Security
And I'll die thinking that Bill Gates got his hands on the source code to CP/M to write MS-DOS (which became the foundation for Windows).
Microsoft (and later, Bill Gates) didn't develop the original version of DOS; instead, they purchased the rights to 86-DOS, developed by Tim Paterson at Seattle Computer Products, which was then rebranded as MS-DOS.
They paid $50k for it. That worked out pretty good.