Thread: Open Source and Security

  1. #1

    Thread Starter
    PowerPoster Elroy's Avatar
    Join Date
    Jun 2014
    Location
    Near Nashville TN
    Posts
    10,794

    Open Source and Security

    This Politico article is infuriating to me:

    https://www.politico.com/news/2025/0...246881?cid=apn

    They twice make the argument that open source is a horrible way to transmit confidential information.

    Personally, I am on the complete opposite side of the fence than that. That's like saying we shouldn't use the alphabet for our confidential communications because it's clearly open source. One might argue that the alphabet gets encrypted. But, does it matter whether or not the encryption source code is open source? Just because we know how to multiply extremely large prime numbers doesn't mean we can easily factor them.

    This article's position just wholeheartedly fails to understand the distinction between programs and data.

    In fact, I would argue that open source is possibly MORE secure than closed source, primarily because it'll have 1000s of eyeballs on it looking for potential holes, recommending ways to plug them. Whereas, if closed source gets leaked (which it frequently does), nobody will know if vulnerabilities were found. Furthermore, closed source allows lackey government contractors to write sloppy code with very little oversight, whereas the world gets to critique open source.

    Anyway, if Politico had allowed comments, I would have torn that article to shreds as another talking head opinion writer talking out of his arse. But, you guys are all I've got.

    Elroy
    Any software I post in these forums written by me is provided "AS IS" without warranty of any kind, expressed or implied, and permission is hereby granted, free of charge and without restriction, to any person obtaining a copy. To all, peace and happiness.

  2. #2
    Super Moderator FunkyDexter's Avatar
    Join Date
    Apr 2005
    Location
    An obscure body in the SK system. The inhabitants call it Earth
    Posts
    7,939

    Re: Open Source and Security

    This article's position just wholeheartedly fails to understand the distinction between programs and data.
    I think that's the crux, yes. There's nothing about Signal as a software platform that makes it unsuitable for high security communication.

    That said, the misunderstanding doesn't make it a suitable platform for communicating classified government information of the nature that's being reported. There's a reason that the US maintains a wholly separate network for that and has policed levels of security access. The failing in this case was not in the choice to use Signal. It was the choice to use Signal on a public network, using personal devices and while failing to follow security protocols that should have prevented the wrong person from being added to the conversation.

    Honestly, WhatsApp would be just fine for the comms if it were used on a closed network using secured devices and while following proper security protocols. But, to be fair, Politico is a political, not a technical, publication. I doubt many members of the public would understand the nuance and I'm damn sure most politicians wouldn't.
    The best argument against democracy is a five minute conversation with the average voter - Winston Churchill

    Hadoop actually sounds more like the way they greet each other in Yorkshire - Inferrd

  3. #3
    PowerPoster
    Join Date
    Sep 2005
    Location
    Modesto, Ca.
    Posts
    5,386

    Re: Open Source and Security

    The Signal conversation included “precise information about weapons packages, targets, and timing,” Goldberg said, describing the use of the open-source app to map out military strikes as “shocking recklessness.”
    The fact that Signal is "open-source" isn't really listed as a reason it shouldn't be used. That quote is the only place it is even mentioned. Certainly wasn't the focus of the article. I don't understand why you're upset over that term being used.

  4. #4

    Thread Starter
    PowerPoster Elroy's Avatar
    Join Date
    Jun 2014
    Location
    Near Nashville TN
    Posts
    10,794

    Re: Open Source and Security

    Quote Originally Posted by wes4dbt View Post
    ... That quote is the only place it is even mentioned. ...
    You're right, but the article's author also states this:

    Regardless of the security of the app itself, communicating the military plans of the U.S. government in a non-classified space opens a massive security gap.
    Which, to the casual reader further condemns open source.

    @Funky: Yes, I basically agree with your comment as well. And I'm no big fan of "Signal", but just because the government hasn't "sanctioned" it, doesn't mean it's not secure.

    It just seems that the biggest mistake was including a journalist on the CC list when sending out the communications. That's not on Signal. That's on the bozos who kept going back and forth on the message chain to not check the CC list.

    I suppose I need to calm down. I'm just a big advocate for open source, and I get my hackles up anytime someone suggests that there's something wrong with open source, even for security purposes.

  5. #5
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    39,824

    Re: Open Source and Security

    Has the article been updated? I see only one mention of it being open source, and just as a description, not as a value statement. It seems pretty positive on the security of the app itself, just that it was used inappropriately.
    My usual boring signature: Nothing

  6. #6
    PowerPoster
    Join Date
    Sep 2005
    Location
    Modesto, Ca.
    Posts
    5,386

    Re: Open Source and Security

    Regardless of the security of the app itself, communicating the military plans of the U.S. government in a non-classified space opens a massive security gap.
    Which, to the casual reader further condemns open source.
    Don't see it, never crossed my mind. It just condemns using a "non-classified space". It's interesting how you view it.

  7. #7
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    39,824

    Re: Open Source and Security

    Quote Originally Posted by Elroy View Post

    I suppose I need to calm down. I'm just a big advocate for open source, and I get my hackles up anytime someone suggests that there's something wrong with open source, even for security purposes.
    I think you're being a bit oversensitive about this. You quoted the bit about communicating in a non-classified space. While I can see how you are reading that as talking about open source, I don't see it that way. That sounds like insider speak, to me. The article points out that the people involved had people on staff to set up secure communications, but they clearly went around that and used personal phones to simply step outside the established rules.

    Frankly, I think this should drive security conscious people nuts, and not because of anything to do with Signal. This is not the first time this has happened. There was the whole thing about Hillary Clinton's server. The simple fact is that there are a lot of people at the tops of the government who find security to be a nuisance that gets in their way and is to be circumvented.

  8. #8
    PowerPoster
    Join Date
    Nov 2017
    Posts
    3,512

    Re: Open Source and Security

    Throwing in my two cents here while staying apolitical.

    I worked in IT security for many, many years. I left when I was convinced that "IT security" is, by definition, an oxymoron.

    I think that the argument that open source is better, because there is so much scrutiny on the code that the big security bugs will get fixed quicker, is overstated.

    For large scale open-source software projects, the vast, vast majority of eyeballs on the code are going to be nation state actors, both foreign and domestic, combing through code trying to find their way "in". And they obviously have zero interest in alerting the developer of these vulnerabilities.

    And for closed-source software projects, these same government interests, both foreign and domestic, have assets that get hired as developers that introduce massive security holes into products with seemingly innocent looking bugs, i.e. "goto fail".

    And if you're reading this thinking I'm just some conspiracy nut, I envy you. I wish I had taken the blue pill.

  9. #9

    Thread Starter
    PowerPoster Elroy's Avatar
    Join Date
    Jun 2014
    Location
    Near Nashville TN
    Posts
    10,794

    Re: Open Source and Security

    Quote Originally Posted by Shaggy Hiker View Post
    Has the article been updated? I see only one mention of it being open source, and just as a description, not as a value statement. It seems pretty positive on the security of the app itself, just that it was used inappropriately.
    My wife may have biased my opinion. She read the article first, and started telling me how they were using open source software to talk about government secrets. And then, I piped up to her saying that the article was full of crap if they thought that was bad ... and it snowballed from there.

    But, I do think the open source vs security debate is worthwhile.

  10. #10
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    39,824

    Re: Open Source and Security

    It's the meat bag at the keyboard that is the biggest security hole.

  11. #11
    PowerPoster yereverluvinuncleber's Avatar
    Join Date
    Feb 2014
    Location
    Norfolk UK (inbred)
    Posts
    2,987

    Re: Open Source and Security

    There's a meat bag in the office of president in the US that is the biggest security ahole.
    https://github.com/yereverluvinunclebert

    Skillset: VMS,DOS,Windows Sysadmin from 1985, fault-tolerance, VaxCluster, Alpha,Sparc. DCL,QB,VBDOS- VB6,.NET, PHP,NODE.JS, Graphic Design, Project Manager, CMS, Quad Electronics. classic cars & m'bikes. Artist in water & oils. Historian.

    By the power invested in me, all the threads I start are battle free zones - no arguing about the benefits of VB6 over .NET here please. Happiness must reign.

  12. #12
    PowerPoster dilettante's Avatar
    Join Date
    Feb 2006
    Posts
    24,480

    Re: Open Source and Security

    This was yet another op, the timing of mass publication about it makes that clear if nothing else does. The real question is why Goldberg chose to stay quiet, gather information, and then attempt to undermine national security and the Administration with it. An unlocked door is not a license for burglary.

    The desperation is palpable as Trump's approval soars and confidence we are going in the right direction gets more positive each day.

  13. #13
    Wall Poster TysonLPrice's Avatar
    Join Date
    Sep 2002
    Location
    Columbus, Ohio
    Posts
    3,960

    Re: Open Source and Security

    Quote Originally Posted by dilettante View Post
    This was yet another op, the timing of mass publication about it makes that clear if nothing else does. The real question is why Goldberg chose to stay quiet, gather information, and then attempt to undermine national security and the Administration with it. An unlocked door is not a license for burglary.

    The desperation is palpable as Trump's approval soars and confidence we are going in the right direction gets more positive each day.
    He wasn't sure it was real and got off when he was convinced. He has relayed little of it even though the Trump administration said clearly and absolutely none of it was classified. I wish he would release the rest, since it is not classified, to embarrass the Trump clown car. His group seems to be the ones "undermining national security".

    And how does the Trump administration respond? Deny, attack the source, and lie about all of it.
    Please remember next time...elections matter!

  14. #14
    Super Moderator FunkyDexter's Avatar
    Join Date
    Apr 2005
    Location
    An obscure body in the SK system. The inhabitants call it Earth
    Posts
    7,939

    Re: Open Source and Security

    I think there's two separate conversations going on here.

    One is the technical question of whether Open Source encryption is somehow inherently insecure and a wider question about the merits of open vs closed source. Personally I'm pretty ambivalent toward open source - don't love it, don't hate it. I don't see any obvious reason it's insecure for encryption though. It's not the secrecy of an algorithm that makes for secure encryption (which is all someone examining the code would be able to see), it's the secrecy and complexity of the key.

    The other conversation is a political one around the incompetence on the Trump team who clearly have no concept of the importance of National Security.



    Edit> I rowed back my suggestion to separate the convos when I realised that the political discussion hadn't surfaced in the other thread (it's a slightly different convo) and I was, in fact, being an idiot.
    Last edited by FunkyDexter; Mar 26th, 2025 at 03:56 AM.

  15. #15
    Super Moderator FunkyDexter's Avatar
    Join Date
    Apr 2005
    Location
    An obscure body in the SK system. The inhabitants call it Earth
    Posts
    7,939

    Re: Open Source and Security

    the timing of mass publication about it
    What mass publication? It was published by one outlet, the Atlantic. Other outlets subsequently jumped on it because, well, it's a damned juicy story given both the apparent incompetence and the hypocrisy. That's how news works.

    An unlocked door is not a license for burglary.
    ...but an invitation is a licence to attend the party.

  16. #16
    Fanatic Member Peter Porter's Avatar
    Join Date
    Jul 2013
    Location
    Germany
    Posts
    567

    Re: Open Source and Security

    Quote Originally Posted by dilettante View Post
    The real question is why Goldberg chose to stay quiet, gather information, and then attempt to undermine national security and the Administration with it.
    So if Goldberg had chosen not to stay quiet before the military had a chance to act, he wouldn’t have undermined national security and the administration?


    Quote Originally Posted by dilettante View Post
    An unlocked door is not a license for burglary.
    An invitation equates to a break-in? Guess I better uninvite myself from my governor's dinner this weekend. Wouldn't want to be accused of stealing silverware.

    Also, my son could really use your help with some school papers. Don’t want him getting another "A." That has to be bad, right?
    Last edited by Peter Porter; Mar 26th, 2025 at 05:51 AM.

  17. #17
    PowerPoster PlausiblyDamp's Avatar
    Join Date
    Dec 2016
    Location
    Pontypool, Wales
    Posts
    2,855

    Re: Open Source and Security

    Quote Originally Posted by dilettante View Post
    This was yet another op, the timing of mass publication about it makes that clear if nothing else does. The real question is why Goldberg chose to stay quiet, gather information, and then attempt to undermine national security and the Administration with it. An unlocked door is not a license for burglary.

    The desperation is palpable as Trump's approval soars and confidence we are going in the right direction gets more positive each day.
    https://www.realclearpolling.com/pol...pproval-rating Wow, he really is soaring!

  18. #18
    Wall Poster TysonLPrice's Avatar
    Join Date
    Sep 2002
    Location
    Columbus, Ohio
    Posts
    3,960

    Re: Open Source and Security

    It is egg on the Trump administration's face time...the "Atlantic" is publishing the text. Except for the CIA operative's name. I'll bet Trump doubles down on doubling down on lies.

    This is just the first big hiccup from Trump and we have heard nothing but lies and denials. That is what America can count on every step of the way for every crisis.
    Last edited by TysonLPrice; Mar 26th, 2025 at 07:58 AM.

  19. #19
    Super Moderator dday9's Avatar
    Join Date
    Mar 2011
    Location
    South Louisiana
    Posts
    12,086

    Re: Open Source and Security

    I wasn't even aware of what had happened until I listened to Dave Smith's last podcast. The points he made were:
    1. How incompetent is everyone in the chat that they didn't realize they had an anti-Trump reporter on there? It wasn't like it was a huge group to begin with.
    2. The only dissenter was JD Vance, and his argument wasn't for the morality of the situation, it was that he didn't want to bail Europe out to address the shipping lanes issue.
    3. Holy crap did Hegseth just admit that they have no idea who make up the Houthis but wanted to bomb the place anyways?!
    4. Look for Trump commentators who shilled for the administration by only repeating the talking points discussed in the group chat:
      1. Biden weak
      2. Iran bad


    Is this more or less the picture? I'm not paying to access behind the Atlantic paywall.
    "Code is like humor. When you have to explain it, it is bad." - Cory House
    VbLessons | Code Tags | Sword of Fury - Jameram

  20. #20

    Thread Starter
    PowerPoster Elroy's Avatar
    Join Date
    Jun 2014
    Location
    Near Nashville TN
    Posts
    10,794

    Re: Open Source and Security

    Yeah, since I started this thread, I'll ask that the political rhetoric be toned down a bit. For me, it really was a technical/security issue that got my hackles up.

    Regarding the politics, I suppose I will say that .... I voted Democratic (and have for many years). But, I'm not entirely opposed to everything Trump et al. are doing.

    I often wonder where the USA party is that represents social liberal and economically conservative folks. And, just to be clear, I'm not a "big corporation" guy. In fact, I think they're a big part of our problems. I often call myself an "entrepreneurial capitalist". I believe in individuals who do well on a level playing field. I do also recognize that certain economies of scale are needed for some things though, but mergers among our largest corporations aren't doing anything but creating market monopolies.

    So, I suppose I've violated my own request, and may spark further political discussions on the points I've made. Oh well, hey ho.

    And Dilettante, it's good to see a post from you. I hope you're doing well. I hardly ever see you anymore in the VB6 forum.

  21. #21
    Super Moderator FunkyDexter's Avatar
    Join Date
    Apr 2005
    Location
    An obscure body in the SK system. The inhabitants call it Earth
    Posts
    7,939

    Re: Open Source and Security

    I often wonder where the USA party is that represents social liberal and economically conservative folks.
    I think that probably describes my politics pretty well. Over here we've got a Liberal Democratic party that roughly aligns with that description and I've mostly voted for them since my 20s. But they've been a distant third place all that time and often fourth. It doesn't seem to be a very popular position.

  22. #22
    Wall Poster TysonLPrice's Avatar
    Join Date
    Sep 2002
    Location
    Columbus, Ohio
    Posts
    3,960

    Re: Open Source and Security

    Yeah, since I started this thread, I'll ask that the political rhetoric be toned down a bit. For me, it really was a technical/security issue that got my hackles up.
    I appreciate your sentiment but this is Chit Chat. Now that national news is involved in the thread, because of the "misuse" of the software, it has shifted. And I don't think the "biggest mistake" was including the editor. It is what they were doing with national security information in the first place and the lies they doubled down on after the news broke. It was an accident we found out and it is what they apparently do as a matter of practice. It is the absolute lying by republicans that bothers me, but look who they work for.
    Last edited by TysonLPrice; Mar 26th, 2025 at 09:35 AM.

  23. #23
    PowerPoster dilettante's Avatar
    Join Date
    Feb 2006
    Posts
    24,480

    Re: Open Source and Security

    Quote Originally Posted by Elroy View Post
    And Dilettante, it's good to see a post from you. I hope you're doing well. I hardly ever see you anymore in the VB6 forum.
    I think I lost interest when some FidFuddBasic or something began turning nearly every thread into an advertisement. For VB6 programming issues I'm most active on an intranet forum run by two of my larger consulting clients. There is a rating system there for assistance and solutions that can produce cash rewards. Access requires a physical security token device to get to their VPN server, so I won't bother mentioning it.

    My only gripes with "open source" software are that people often chant the words mindlessly like a mantra and I think most of the large projects are corporate-funded as a way to evade taxation and exploit free labor for the grunt work.

    I can't see why open encryption software would be less secure.
    Last edited by dilettante; Mar 26th, 2025 at 09:49 AM.

  24. #24
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    39,824

    Re: Open Source and Security

    There was a whole lot more chanting back in the 90s. "Open source" was the shiny new thing with something of a cult-like following. That has toned down as people have begun to recognize the nuances of the situation. I don't see people taking the more hyperbolic positions about it. Some software makes a whole lot of sense as open source, some does not, but in no case is it the clearly best solution to the problem.

    When it comes to cryptography, I do think that open source is somewhat better for one reason: One should always assume that your enemies have the source code from day 1. If the encryption can be cracked by knowing the algorithm, then it isn't good enough. If they also know the password, then you're hosed, but just knowing the algorithm shouldn't be good enough. For that reason, open source keeps people from falling into the belief that their "secret, proprietary, code" is a viable type of security.
    My usual boring signature: Nothing
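
The point made in posts #14 and #24 (assume the other side has the source code; security has to rest on the secrecy and complexity of the key), as an added example that is not code from any poster in this thread. The function names, the hidden constant, the sample message and the 4-digit-PIN key are constructed for illustration, and the keyed scheme is a standard-library stand-in for a vetted AEAD such as AES-GCM, not a cipher to deploy.

```python
"""Added illustration: secret algorithm with no key vs. public algorithm with a secret key."""
import hashlib
import hmac
import secrets

# --- Scheme A: "secret, proprietary" encoding. There is no key at all; the
# only secret is this source code (constant and steps are constructed).
_HIDDEN_CONSTANT = 0x5A


def obscure_encode(plaintext: bytes) -> bytes:
    return bytes(((b ^ _HIDDEN_CONSTANT) + i) % 256 for i, b in enumerate(plaintext))


def obscure_decode(blob: bytes) -> bytes:
    # Anyone who obtains the source can run this; nothing else is required.
    return bytes(((c - i) % 256) ^ _HIDDEN_CONSTANT for i, c in enumerate(blob))


# --- Scheme B: the algorithm is fully public, the key is the only secret.
# Encrypt-then-MAC built from HMAC-SHA256 so the demo needs no third-party package.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def keyed_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def keyed_decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")  # wrong key or tampered data
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def key_from_pin(pin: str) -> bytes:
    # A low-complexity key: only 10,000 possible values for a 4-digit PIN.
    return hashlib.sha256(pin.encode()).digest()


def guess_keys(blob: bytes, candidate_keys):
    """Model someone holding the source and the ciphertext but not the key."""
    for key in candidate_keys:
        try:
            return keyed_decrypt(key, blob)
        except ValueError:
            continue
    return None


def demo() -> dict:
    msg = b"constructed sample message"
    strong = keyed_encrypt(secrets.token_bytes(32), msg)
    weak = keyed_encrypt(key_from_pin("4821"), msg)
    return {
        # Source code alone is enough to read scheme A.
        "scheme_a_read_with_source": obscure_decode(obscure_encode(msg)) == msg,
        # Source code plus 10,000 guesses at a random 256-bit key gets nothing.
        "scheme_b_random_key": guess_keys(
            strong, (secrets.token_bytes(32) for _ in range(10_000))),
        # Same public algorithm, but the key space is tiny, so it is searched in full.
        "scheme_b_pin_key": guess_keys(
            weak, (key_from_pin(f"{n:04d}") for n in range(10_000))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```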

  25. #25
    PowerPoster
    Join Date
    Sep 2005
    Location
    Modesto, Ca.
    Posts
    5,386

    Re: Open Source and Security

    Regarding the politics, I suppose I will say that .... I voted Democratic (and have for many years). But, I'm not entirely opposed to everything Trump et. al. are doing.
    I can relate to this, sort of.

    I think there is an immigration problem. I think there is waste in our government agencies. I think the US has been providing a disproportional amount of the funding in many of the worldwide causes it's involved in (though I have never researched that). But let's work on fixing the problem and not just eliminating the entire system.

    But you have to remember that we have Trump and Musk in charge of solving these problems. They are world class morally bankrupt con men, so they have no concept of economic and social responsibility.

  26. #26
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,846

    Re: Open Source and Security

    Quote Originally Posted by dilettante View Post
    This was yet another op, the timing of mass publication about it makes that clear if nothing else does. The real question is why Goldberg chose to stay quiet, gather information, and then attempt to undermine national security and the Administration with it. An unlocked door is not a license for burglary.
    Btw, he actually left on his own when it became clear the group is real which I did not expect to happen but probably was advised by attorneys to do so.

    If you receive an invitation for a group named "TOPSECRET. Will Drop Bombs" by Donald Rumsfeld, do you leave immediately with your tail between your legs, or does curiosity prevail and you bravely accept the invitation and try to dismantle the scammers playing with you?

    I would have remained in the group, recorded everything, making fun of the scammers with my buddies and finally trolled everyone after a day or two. Why not, they are the fools inviting me to witness them breaking the law.

    cheers,
    </wqw>

  27. #27
    Wall Poster TysonLPrice's Avatar
    Join Date
    Sep 2002
    Location
    Columbus, Ohio
    Posts
    3,960

    Re: Open Source and Security

    Forget about that...watch this shiny ball:

    Live Updates: Trump Announces 25 Percent Tariffs on Imported Cars

    https://www.nytimes.com/live/2025/03...iffs-auto-cars

    That is going to make America billions in revenue

  28. #28
    Wall Poster TysonLPrice's Avatar
    Join Date
    Sep 2002
    Location
    Columbus, Ohio
    Posts
    3,960

    Re: Open Source and Security

    In just a day Trump has said:

    It was a hoax. The information wasn’t classified. Somehow the journalist got “sucked into” the Signal chat, either deliberately or through some kind of technical glitch. The Atlantic’s article was a “witch hunt” and called the journalist a “total sleazebag.” “I think Signal could be defective, to be honest with you."

  29. #29
    PowerPoster dilettante's Avatar
    Join Date
    Feb 2006
    Posts
    24,480

    Re: Open Source and Security

    Quote Originally Posted by TysonLPrice View Post
    That is going to make America billions in revenue
    Well it has worried the unelected Canadian WEF shill enough to get him stammering and muttering in his broken Quebecois French.

    No telling when elections might be or what outcome they might produce. There must be a shortage of Monopoly boards, Twister mats, and Bingo cards to overcome because they haven't chosen a random date to hold them yet. Helluva "system" they use for "elections" where they still bend the knee to tyrants.

  30. #30
    Super Moderator dday9's Avatar
    Join Date
    Mar 2011
    Location
    South Louisiana
    Posts
    12,086

    Re: Open Source and Security

    After watching some clips from corporate media outlets, it seems like from the left they are pointing to the fact that they used Signal and from the right they are trying to play the conspiracy angle of how did this reporter get on? And yet, nobody seems to be talking about why in the hell are we bombing the poorest country in the middle east.

    Tom Woods has a quote: No matter who you vote for, you get John McCain.

    The quote is referring to foreign policy. It doesn't matter if you vote for the Nobel Peace Prize winner, Barack Obama, doddering ole Uncle Joe, or "America First" Donald Trump, every one of their administrations backed Al-Qaeda forces to help the Saudi-led Yemeni government fight against the Houthis.

    The only difference this time is that we got to see how the sausage is made and their blasé attitude towards dropping bombs. Dil, I hate to tell you, but this is 100% on Trump too. Mike Waltz served in the Bush administration as a defense policy director in the Pentagon and as counterterrorism advisor to Vice President Dick Cheney (straight from wiki), how can Trump get rid of the swamp by hiring it? Was he "tricked" again?

  31. #31
    Super Moderator FunkyDexter's Avatar
    Join Date
    Apr 2005
    Location
    An obscure body in the SK system. The inhabitants call it Earth
    Posts
    7,939

    Re: Open Source and Security

    why in the hell are we bombing the poorest country in the middle east.
    The declared reason was that the Houthis were attacking international shipping. The undeclared reason was: optics. They wanted to be seen to do something.

    I actually do think some sort of military intervention was justified given the Houthis' actions but the indiscriminate manner of this action was pretty troubling. They collapsed occupied apartment buildings, killed innocent women and children and then sent each other fist bump emojis.

  32. #32
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    39,824

    Re: Open Source and Security

    Bombing is the response of least involvement. It's showy, rarely costs the lives of US servicemembers, and accomplishes something that only Hollywood could love. Buildings get destroyed, whoever is in them gets killed or wounded, and nothing gets accomplished. Israel has bombed Gaza into rubble without being able to stop Hamas from firing rockets.

    You bomb when you want to appear to be doing something while not actually doing something....you also have to not care about civilians, but who ever does?

  33. #33
    PowerPoster
    Join Date
    Sep 2005
    Location
    Modesto, Ca.
    Posts
    5,386

    Re: Open Source and Security

    Quote Originally Posted by TysonLPrice View Post
    In just a day Trump has said:

    It was a hoax. The information wasn’t classified. Somehow the journalist got “sucked into” the Signal chat, either deliberately or through some kind of technical glitch. The Atlantic’s article was a “witch hunt” and called the journalist a “total sleazebag.” “I think Signal could be defective, to be honest with you."
    There is the saying "If you can't dazzle them with your brilliance, then baffle them with your B*** S***". My guess is, it was a politician that developed that strategy.

  34. #34
    PowerPoster
    Join Date
    Aug 2010
    Location
    Canada
    Posts
    2,728

    Re: Open Source and Security

    Quote Originally Posted by dilettante View Post
    For VB6 programming issues I'm most active on an intranet forum run by two of my larger consulting clients....Access requires a physical security token device to get to their VPN server, so I won't bother mentioning it.
    If only the US government had access to such an advanced and secure communications system.

  35. #35
    Super Moderator FunkyDexter's Avatar
    Join Date
    Apr 2005
    Location
    An obscure body in the SK system. The inhabitants call it Earth
    Posts
    7,939

    Re: Open Source and Security

    You bomb when you want to appear to be doing something while not actually doing something
    Yup, that. And it's not a political position for me; all sides do it.

    I am keenly aware that we've essentially denied Elroy the technical discussion he wanted. Is it worth us spinning off a separate thread for the politics?

  36. #36
    Wall Poster TysonLPrice's Avatar
    Join Date
    Sep 2002
    Location
    Columbus, Ohio
    Posts
    3,960

    Re: Open Source and Security

    Quote Originally Posted by FunkyDexter View Post
    Yup, that. And it's not a political position for me; all sides do it.

    I am keenly aware that we've essentially denied Elroy the technical discussion he wanted. Is it worth us spinning off a separate thread for the politics?
    I think no matter what your intentions are when posting, Chit Chat goes where it does. If we switched to new topics every time the subject goes off topic who knows how many threads would be generated. More than one of my posts have been hijacked by people with their own agenda. Are we sappy about hurting feelings here? I know a few that aren't...

    If the Trump administration admitted the software was a security risk, no matter what the commercial safeguards or reliability of algorithms are, this would be a "no story". They lied, obfuscated, and made false claims about the basics of the type of software that is the subject of the post, and basically treated Americans like they are idiots.

    I think it belongs in this thread...
    Last edited by TysonLPrice; Mar 28th, 2025 at 01:45 PM.
    Please remember next time...elections matter!

  37. #37
    PowerPoster
    Join Date
    Sep 2005
    Location
    Modesto, Ca.
    Posts
    5,386

    Re: Open Source and Security

    If the Trump administration admitted the software was a security risk, no matter what the commercial safeguards or reliability of algorithms are, this would be a "no story". They lied, obfuscated, made false claims about the software that is the subject of the post, and basically treated Americans like they are idiots.
    It would still be a story. The opposing party (in this case the Dems) and their media supporters wouldn't let an opportunity to point out the failures. Though I think it would have passed quickly. The response from the Reps seems pretty standard for modern politics in this country.

    Right now it seems to be working for the Reps.

  38. #38
    Wall Poster TysonLPrice's Avatar
    Join Date
    Sep 2002
    Location
    Columbus, Ohio
    Posts
    3,960

    Re: Open Source and Security

    Quote Originally Posted by wes4dbt View Post
    It would still be a story. The opposing party (in this case the Dems) and their media supporters wouldn't let an opportunity to point out the failures. Though I think it would have passed quickly. The response from the Reps seems pretty standard for modern politics in this country.

    Right now it seems to be working for the Reps.
    And they are bringing up the Hillary "Server" issue. That had traction for a while. The shoe is on the other foot. The media does then and now cuts on how outraged they were with Hillary and OK with it now.

  39. #39
    PowerPoster PlausiblyDamp's Avatar
    Join Date
    Dec 2016
    Location
    Pontypool, Wales
    Posts
    2,855

    Re: Open Source and Security

    I have seen a couple of posts online that have said Signal has been used in the past as a means to notify the relevant people that there is a secure message / conversation they need to be aware of; this would then result in the notified person using a properly secured and approved system for the actual messages. That would make perfect sense as presumably Signal is a lot easier to use and involves less effort than a properly secured system.

    I have had managers in work send me a text / WhatsApp message to let me know there are important emails I need to deal with, depending on where I am picking up work e-mail can be a pain (need to use work laptop, MFA, possibly VPN depending on location) so I tend not to check emails frequently during the day - I don't typically work in an environment that deals with highly confidential data, this is just regular work confidential stuff.

    Going back to the original post - I think a lot of non-technical people (and quite frankly, far too many technical ones as well) don't understand encryption and cryptography enough to have a valid opinion. Closed source encryption is definitely not any more secure than open source, it all depends on the strength of the algorithms in use. It has already been said here that open source is much less likely to have hidden backdoors, it is also less likely to have flaws as they will be picked up by the various professionals working / studying the code base.

    A far bigger issue in a lot of cases is the environments these things are used in, which is why these kinds of communication should only be done on secured devices that enforce good practices and run in a limited environment. Personal phones / laptops etc. are often not secure as people install all sorts of apps on them, any one of which could either be malicious or just simply cause other security issues.

    Then again, no level of encryption can protect against the mind numbing stupidity of inviting the wrong people to be part of the conversation!

  40. #40
    PowerPoster
    Join Date
    Sep 2005
    Location
    Modesto, Ca.
    Posts
    5,386

    Re: Open Source and Security

    As a complete outsider to open source software and developing high security software, I have nothing professional to add.

    As an observer I found this to be a strong point.

    From OP1,
    I think that the argument that open source is better, because there is so much scrutiny on the code that the big security bugs will get fixed quicker, is overstated.

    For large scale open-source software projects, the vast, vast majority of eyeballs on the code are going to be nation state actors, both foreign and domestic, combing through code trying to find their way "in". And they obviously have zero interest in alerting the developer of these vulnerabilities.
    I haven't seen anyone really address that point.
