Which sites/programs do you boycott?

[Roman]

"closed source" means you have to trust the creators and nobody else

And can you trust these creators?

and "open source" means you have to trust the creators (which can include "volunteers" working for the NSA) plus everyone that came in contact with the source and tools and binaries anywhere between the creators and you

At least, open source software can be reviewed by the public.

[embryo2]

Essentially; "closed source" means you have to trust the creators and nobody else; and "open source" means you have to trust the creators (which can include "volunteers" working for the NSA) plus everyone that came in contact with the source and tools and binaries anywhere between the creators and you.

If you need to trust the creators of "closed source" then in fact you trust everyone, just because you don't know anything about creator's kitchen.

So, the only way to trust software is to keep it open source and to establish some overseeing rules and freely participated committee, that govern distribution and update of the source and resulted binaries. Only cooperative efforts can do it for you, but no amount of boycotts can help. And all we are guilty for the lack of cooperative efforts. It's a death of democracy when cooperation decay, also it is applicable to the security.

[glauxosdev]

Hi,

Just take sourceforge as an example. They delivered malware, it was discovered by the community, they got blamed.

Programmers' Hardware Database // SF user: xenos1984; OS project: XeNOS

I'm really sorry for you. I moved my projects easily to GitLab.


Regards,
glauxosdev

[Brendan]

Hi,

"closed source" means you have to trust the creators and nobody else

And can you trust these creators?

No; but a large company that provides commercial software is accountable (to their customers, their shareholders and the legal system) while most open source projects are not.

and "open source" means you have to trust the creators (which can include "volunteers" working for the NSA) plus everyone that came in contact with the source and tools and binaries anywhere between the creators and you

At least, open source software can be reviewed by the public.

"Can be reviewed by the public" is irrelevant when the public can't understand the source code in the first place, and if they could they've got better things to do than waste several years verifying a version of something when a new version is released each month.

Now; read this and think about it for a while. I dare you look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc it uses; and prove to me that the executable doesn't contain something that was never in the source code.


Cheers,

Brendan

[Combuster]

No; but a large company that provides commercial software is accountable to (...) the legal system

And that's actually a problem instead of being a good thing. America has been proven to force security issues into software. China has been proven to force security issues into software. That leaves the remaining two thirds of the world open to extrapolation.

I dare you look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc it uses; and prove to me that the executable doesn't contain something that was never in the source code.

That's easy, I built all of it myself

[Rusky]

"Can be reviewed by the public" is irrelevant when the public can't understand the source code in the first place, and if they could they've got better things to do than waste several years verifying a version of something when a new version is released each month.

Replace "the public" with "a vastly larger group of security professionals, from all the companies that rely on the software rather than just the one that produced it." Keeping the software independent of any one country is also important.

Now; read this and think about it for a while.

That's never been a real threat. It's a very useful thought experiment, but there's no way something as heavily relied-upon and code-reviewed as GCC, or Clang, or the Linux kernel, etc. is going to gain the capability to recognize and modify its own source code on the fly without someone noticing.

The argument that most users won't read or understand the source, and the argument that most users just download binaries anyway, are straw man arguments, not really why open source is important. The important thing is that major projects like kernels, encryption libraries, etc. have several groups supporting and relying on them that don't necessarily trust each other. This creates much stronger incentives for security than Random Corporation A that can just cave to governments with no good way for outside entities to find out.

This is not to say proprietary software is evil. It is harder to bootstrap open source software when you're not getting paid or when it's not something that really fits into this model. People do need to be paid for their work somehow. But security does push things toward and open source model- even Apple releases their source and it does get looked at by outsiders (although there's much less guarantee that the source matches the binary here).

[iansjack]

I dare you look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc it uses; and prove to me that the executable doesn't contain something that was never in the source code.

That's easy, I built all of it myself

I'll bet 100 of my euros to 1 of yours that at some stage in the chain you used pre-built binaries to (eventually) produce your current software. Unless you can prove that those binaries contained nothing malicious the rest of the chain falls like a pack of dominoes.

[xenos]

I'm really sorry for you. I moved my projects easily to GitLab.

Well, I'm not using it for distributing my software anyway, I only used the SVN repository, and I'm also moving from SVN to Git. So this incident didn't really affect me at all. But still it serves as a nice example.

[Roman]

I dare you look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc it uses; and prove to me that the executable doesn't contain something that was never in the source code.

That's easy, I built all of it myself

I'll bet 100 of my euros to 1 of yours that at some stage in the chain you used pre-built binaries to (eventually) produce your current software. Unless you can prove that those binaries contained nothing malicious the rest of the chain falls like a pack of dominoes.

If such a virus, which could infect compilers, ever existed, it would be detected by some kind of software anyway. It would be unlikely to stay stealthy unless it's a so advanced malware, that it could be compared to an AI. KTH is an interesting theory, but nothing else.

Edit: Anyway, we all seem to be sure in our opinions. This debate won't produce any profit for anyone of us.

[iansjack]

Anyway, we all seem to be sure in our opinions. This debate won't produce any profit for anyone of us.

That's true. This discussion is based on paranoia. The only thing to discuss is the degree of that paranoia.

Personally, I don't believe that open-source software has been compromised any more than I believe that everything I type into Microsoft Office, or Visual Studio, goes straight to the NSA (or GCHQ in my country). If they are monitoring what I do on my computer they must, by now, be suffering from terminal (pun not intended) boredom.

One can worry about all sorts of things in life. The concept that companies such as Microsoft have some evil master plan that extends beyond simply trying to sell their software (in which case it behoves them not to do anything to it that would give people cause for concern) is clearly the product of a disturbed mind. All that bothers me is if they make good software or bad software. To boycott their software for reasons other than that makes no sense to me. So, I guess, I boycott Windows Vista, but I don't boycott Windows 7. Similarly, I boycott Ubuntu Linux, but not Gentoo Linux. In other words, I like some software, I don't much care for other software - freedom of choice.

[piranha]

If such a virus, which could infect compilers, ever existed

http://c2.com/cgi/wiki?TheKenThompsonHack

[Roman]

If such a virus, which could infect compilers, ever existed

http://c2.com/cgi/wiki?TheKenThompsonHack

Yes, there are examples in the wild, but they are not that dreadful and are completely unrelated to the topic.

[iansjack]

Well that example seems 100% relevant to me as it is exactly what I was talking about. At some stage you use a binary to produce your programs. If that binary is compromised - and I'm happy to believe Ken Thompson when he says this can be done - then everything down the line is also compromised.

At some stage you have to trust somebody. Whether you trust a corporation - who have the world to lose by being found out with funny business - or an individual - who has nothing to lose - comes back to your freedom of choice. Do I trust all individuals on the Internet? Silly question.

[Combuster]

you trust a corporation - who have the world to lose by being found out with funny business

They have PR machinery for that. Somewhat tuned to blame their issues on the government. As long as a sufficient number of people buy it, it works, and the status quo is that it does.

an individual - who has nothing to lose

And that's pretty much an even more bogus assumption.

Basically you're calling the same shade of grey both black and white in the same sentence.

[iansjack]

I can only assume that you have never worked for a large corpoation in a decision-making role. Whatever the tinfoil hats may imagine, it just does not make business sense to "do evil". And in a corporation of any size you cannot keep secrets - there is always a potential whistle blower with a sense of moral purpose. It's easy for an individual to do evil and keep that secret; it is almost impossible for a multinational to do the same.

The world is not a James Bond novel with evil masterminds reigning vast private empires of nefarious henchmen. There are certainly evil governments and a host of hackers with various levels of ability. Microsoft is not the enemy.