Which sites/programs do you boycott?

Roman
Member
Posts: 568
Joined: Thu Mar 27, 2014 3:57 am
Location: Moscow, Russia

Re: Which sites/programs do you boycott?

Post by Roman »

Brendan wrote:"closed source" means you have to trust the creators and nobody else
And can you trust these creators?
Brendan wrote:and "open source" means you have to trust the creators (which can include "volunteers" working for the NSA) plus everyone that came in contact with the source and tools and binaries anywhere between the creators and you
At least, open source software can be reviewed by the public.
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
- Alan Kay
embryo2
Member
Posts: 397
Joined: Wed Jun 03, 2015 5:03 am

Re: Which sites/programs do you boycott?

Post by embryo2 »

Brendan wrote:Essentially; "closed source" means you have to trust the creators and nobody else; and "open source" means you have to trust the creators (which can include "volunteers" working for the NSA) plus everyone that came in contact with the source and tools and binaries anywhere between the creators and you.
If you need to trust the creators of "closed source" then in fact you trust everyone, just because you don't know anything about creator's kitchen.

So, the only way to trust software is to keep it open source and to establish some overseeing rules and a freely participated-in committee that governs distribution and updates of the source and the resulting binaries. Only cooperative efforts can do it for you, but no amount of boycotts can help. And we are all guilty for the lack of cooperative efforts. It's the death of democracy when cooperation decays, and it is also applicable to security.
My previous account (embryo) was accidentally deleted, so I have no choice but to use something new. But maybe it was a good lesson about software reliability :)
glauxosdev
Member
Posts: 119
Joined: Tue Jan 20, 2015 9:01 am
Libera.chat IRC: glauxosdever

Re: Which sites/programs do you boycott?

Post by glauxosdev »

Hi,
XenOS wrote:Just take sourceforge as an example. They delivered malware, it was discovered by the community, they got blamed.
XenOS' signature wrote:Programmers' Hardware Database // SF user: xenos1984; OS project: XeNOS
I'm really sorry for you. I moved my projects easily to GitLab.


Regards,
glauxosdev
Brendan
Member
Posts: 8561
Joined: Sat Jan 15, 2005 12:00 am
Location: At his keyboard!

Re: Which sites/programs do you boycott?

Post by Brendan »

Hi,
Roman wrote:
Brendan wrote:"closed source" means you have to trust the creators and nobody else
And can you trust these creators?
No; but a large company that provides commercial software is accountable (to their customers, their shareholders and the legal system) while most open source projects are not.
Roman wrote:
Brendan wrote:and "open source" means you have to trust the creators (which can include "volunteers" working for the NSA) plus everyone that came in contact with the source and tools and binaries anywhere between the creators and you
At least, open source software can be reviewed by the public.
"Can be reviewed by the public" is irrelevant when the public can't understand the source code in the first place, and if they could they've got better things to do than waste several years verifying a version of something when a new version is released each month.

Now; read this and think about it for a while. I dare you look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc it uses; and prove to me that the executable doesn't contain something that was never in the source code.


Cheers,

Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
Combuster
Member
Posts: 9301
Joined: Wed Oct 18, 2006 3:45 am
Libera.chat IRC: [com]buster
Location: On the balcony, where I can actually keep 1½m distance

Re: Which sites/programs do you boycott?

Post by Combuster »

Brendan wrote:No; but a large company that provides commercial software is accountable to (...) the legal system
And that's actually a problem instead of being a good thing. America has been proven to force security issues into software. China has been proven to force security issues into software. That leaves the remaining two thirds of the world open to extrapolation.
I dare you look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc it uses; and prove to me that the executable doesn't contain something that was never in the source code.
That's easy, I built all of it myself ;)
"Certainly avoid yourself. He is a newbie and might not realize it. You'll hate his code deeply a few years down the road." - Sortie
[ My OS ] [ VDisk/SFS ]
Rusky
Member
Posts: 792
Joined: Wed Jan 06, 2010 7:07 pm

Re: Which sites/programs do you boycott?

Post by Rusky »

Brendan wrote:"Can be reviewed by the public" is irrelevant when the public can't understand the source code in the first place, and if they could they've got better things to do than waste several years verifying a version of something when a new version is released each month.
Replace "the public" with "a vastly larger group of security professionals, from all the companies that rely on the software rather than just the one that produced it." Keeping the software independent of any one country is also important.
Brendan wrote:Now; read this and think about it for a while.
That's never been a real threat. It's a very useful thought experiment, but there's no way something as heavily relied-upon and code-reviewed as GCC, or Clang, or the Linux kernel, etc. is going to gain the capability to recognize and modify its own source code on the fly without someone noticing.

The argument that most users won't read or understand the source, and the argument that most users just download binaries anyway, are straw man arguments, not really why open source is important. The important thing is that major projects like kernels, encryption libraries, etc. have several groups supporting and relying on them that don't necessarily trust each other. This creates much stronger incentives for security than Random Corporation A that can just cave to governments with no good way for outside entities to find out.

This is not to say proprietary software is evil. It is harder to bootstrap open source software when you're not getting paid or when it's not something that really fits into this model. People do need to be paid for their work somehow. But security does push things toward an open source model - even Apple releases their source and it does get looked at by outsiders (although there's much less guarantee that the source matches the binary here).
iansjack
Member
Posts: 4683
Joined: Sat Mar 31, 2012 3:07 am
Location: Chichester, UK

Re: Which sites/programs do you boycott?

Post by iansjack »

Combuster wrote:
I dare you look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc it uses; and prove to me that the executable doesn't contain something that was never in the source code.
That's easy, I built all of it myself ;)
I'll bet 100 of my euros to 1 of yours that at some stage in the chain you used pre-built binaries to (eventually) produce your current software. Unless you can prove that those binaries contained nothing malicious the rest of the chain falls like a pack of dominoes. :)
xenos
Member
Posts: 1118
Joined: Thu Aug 11, 2005 11:00 pm
Libera.chat IRC: xenos1984
Location: Tartu, Estonia

Re: Which sites/programs do you boycott?

Post by xenos »

glauxosdev wrote:I'm really sorry for you. I moved my projects easily to GitLab.
Well, I'm not using it for distributing my software anyway, I only used the SVN repository, and I'm also moving from SVN to Git. So this incident didn't really affect me at all. But still it serves as a nice example.
Programmers' Hardware Database // GitHub user: xenos1984; OS project: NOS
Roman
Member
Posts: 568
Joined: Thu Mar 27, 2014 3:57 am
Location: Moscow, Russia

Re: Which sites/programs do you boycott?

Post by Roman »

iansjack wrote:
Combuster wrote:
I dare you look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc it uses; and prove to me that the executable doesn't contain something that was never in the source code.
That's easy, I built all of it myself ;)
I'll bet 100 of my euros to 1 of yours that at some stage in the chain you used pre-built binaries to (eventually) produce your current software. Unless you can prove that those binaries contained nothing malicious the rest of the chain falls like a pack of dominoes. :)
If such a virus, which could infect compilers, ever existed, it would be detected by some kind of software anyway. It would be unlikely to stay stealthy unless it's such advanced malware that it could be compared to an AI. KTH is an interesting theory, but nothing else.

Edit: Anyway, we all seem to be sure of our opinions. This debate won't produce any profit for any of us.
Last edited by Roman on Fri Jun 05, 2015 6:01 pm, edited 1 time in total.
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
- Alan Kay
iansjack
Member
Posts: 4683
Joined: Sat Mar 31, 2012 3:07 am
Location: Chichester, UK

Re: Which sites/programs do you boycott?

Post by iansjack »

Roman wrote:Anyway, we all seem to be sure of our opinions. This debate won't produce any profit for any of us.
That's true. This discussion is based on paranoia. The only thing to discuss is the degree of that paranoia.

Personally, I don't believe that open-source software has been compromised any more than I believe that everything I type into Microsoft Office, or Visual Studio, goes straight to the NSA (or GCHQ in my country). If they are monitoring what I do on my computer they must, by now, be suffering from terminal (pun not intended) boredom.

One can worry about all sorts of things in life. The concept that companies such as Microsoft have some evil master plan that extends beyond simply trying to sell their software (in which case it behoves them not to do anything to it that would give people cause for concern) is clearly the product of a disturbed mind. All that bothers me is if they make good software or bad software. To boycott their software for reasons other than that makes no sense to me. So, I guess, I boycott Windows Vista, but I don't boycott Windows 7. Similarly, I boycott Ubuntu Linux, but not Gentoo Linux. In other words, I like some software, I don't much care for other software - freedom of choice.
piranha
Member
Posts: 1391
Joined: Thu Dec 21, 2006 7:42 pm
Location: Unknown. Momentum is pretty certain, however.

Re: Which sites/programs do you boycott?

Post by piranha »

Roman wrote:If such a virus, which could infect compilers, ever existed
http://c2.com/cgi/wiki?TheKenThompsonHack
SeaOS: Adding VT-x, networking, and ARM support
dbittman on IRC, @danielbittman on twitter
https://dbittman.github.io
Roman
Member
Posts: 568
Joined: Thu Mar 27, 2014 3:57 am
Location: Moscow, Russia

Re: Which sites/programs do you boycott?

Post by Roman »

piranha wrote:
If such a virus, which could infect compilers, ever existed
http://c2.com/cgi/wiki?TheKenThompsonHack
Yes, there are examples in the wild, but they are not that dreadful and are completely unrelated to the topic.
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
- Alan Kay
iansjack
Member
Posts: 4683
Joined: Sat Mar 31, 2012 3:07 am
Location: Chichester, UK

Re: Which sites/programs do you boycott?

Post by iansjack »

Well that example seems 100% relevant to me as it is exactly what I was talking about. At some stage you use a binary to produce your programs. If that binary is compromised - and I'm happy to believe Ken Thompson when he says this can be done - then everything down the line is also compromised.

At some stage you have to trust somebody. Whether you trust a corporation - who have the world to lose by being found out with funny business - or an individual - who has nothing to lose - comes back to your freedom of choice. Do I trust all individuals on the Internet? Silly question.
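The chain-of-trust point in this post, and Brendan's earlier challenge to prove that an executable contains nothing that was never in its source, is what reproducible-build verification tries to answer in practice. The following Python is an added example, not code from this thread or from any poster's project: it compares a shipped artifact against an independent rebuild from the same source, and cross-checks artifacts from several independent builders so that a single builder whose output disagrees with the rest stands out. The ELF-looking byte strings are constructed sample data, and the builder names ("gcc", "clang", "vendor") are placeholders.

```python
import hashlib

# Constructed sample artifacts (not real binaries): a blob rebuilt from
# source, and a "distributed" copy with five extra bytes appended that were
# never in the source.
REBUILT = b"\x7fELF" + b"\x02\x01\x01\x00" + b"code:hello\x00"
DISTRIBUTED = REBUILT + b"EXTRA"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes):
    """Offset of the first byte where a and b differ; None when identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def compare_builds(distributed: bytes, rebuilt: bytes) -> dict:
    """Reproducible-build check: does the shipped artifact equal an
    independent rebuild from the same source? Reports where they diverge
    so the extra or altered bytes can be inspected."""
    identical = distributed == rebuilt
    return {
        "reproducible": identical,
        "distributed_sha256": sha256_hex(distributed),
        "rebuilt_sha256": sha256_hex(rebuilt),
        "first_diff_offset": first_difference(distributed, rebuilt),
        "size_delta": len(distributed) - len(rebuilt),
    }


def cross_check_builds(builds: dict) -> dict:
    """Given artifacts produced from one source by several independent
    builders (name -> bytes), group them by digest. Builders outside a strict
    majority group are flagged as suspect; with no majority, this comparison
    alone cannot say which side to trust."""
    groups = {}
    for name, blob in builds.items():
        groups.setdefault(sha256_hex(blob), []).append(name)
    largest = max(groups.values(), key=len)
    has_majority = len(largest) * 2 > len(builds)
    suspect = sorted(n for n in builds if n not in largest) if has_majority else []
    return {
        "unanimous": len(groups) == 1,
        "has_majority": has_majority,
        "suspect": suspect,
        "groups": groups,
    }


if __name__ == "__main__":
    print(compare_builds(DISTRIBUTED, REBUILT))
    print(cross_check_builds({"gcc": REBUILT, "clang": REBUILT, "vendor": DISTRIBUTED}))
```

Two caveats on using this for real. Different compilers are not expected to produce byte-identical binaries from the same source, so the cross-check is meaningful only for rebuilds with the same toolchain in independent environments (the reproducible-builds approach), or for the second-stage outputs of a diverse double-compiling bootstrap, where a compiler's source is first built with each independent compiler and then rebuilt with the results; those second-stage outputs are expected to converge. And a match only shows the binary corresponds to the source; it says nothing about whether the source itself is trustworthy.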
Combuster
Member
Posts: 9301
Joined: Wed Oct 18, 2006 3:45 am
Libera.chat IRC: [com]buster
Location: On the balcony, where I can actually keep 1½m distance

Re: Which sites/programs do you boycott?

Post by Combuster »

iansjack wrote:you trust a corporation - who have the world to lose by being found out with funny business
They have PR machinery for that. Somewhat tuned to blame their issues on the government. As long as a sufficient number of people buy it, it works, and the status quo is that it does.
iansjack wrote:an individual - who has nothing to lose
And that's pretty much an even more bogus assumption.

Basically you're calling the same shade of grey both black and white in the same sentence.
"Certainly avoid yourself. He is a newbie and might not realize it. You'll hate his code deeply a few years down the road." - Sortie
[ My OS ] [ VDisk/SFS ]
iansjack
Member
Posts: 4683
Joined: Sat Mar 31, 2012 3:07 am
Location: Chichester, UK

Re: Which sites/programs do you boycott?

Post by iansjack »

I can only assume that you have never worked for a large corporation in a decision-making role. Whatever the tinfoil hats may imagine, it just does not make business sense to "do evil". And in a corporation of any size you cannot keep secrets - there is always a potential whistle blower with a sense of moral purpose. It's easy for an individual to do evil and keep that secret; it is almost impossible for a multinational to do the same.

The world is not a James Bond novel with evil masterminds reigning vast private empires of nefarious henchmen. There are certainly evil governments and a host of hackers with various levels of ability. Microsoft is not the enemy.