Like a privacy based fully open source browser. Wouldn't it be more hackable because everyone knows the script? And is a global privacy based gpay alternative possible? What about targeted hacking: is someone using a closed source application better off than someone with open source?
As long as there is incentive to do so, malicious actors will exploit the source code whether it is open or closed…
Making something open source does make it easier for malicious actors, but it also allows honest actors to find and fix exploits before they can be used - something they won’t/can’t do for closed source, meaning you have to rely on in-house devs to review/find/fix everything.
Absolutely, this is a good explanation.
And to add, so many pieces of software share code through shared libraries or systems. Open source means if there is a flaw in one library that is found and fixed, all the software that uses it downstream can benefit.
Closed source, good actors might not even know their software is using flawed older libraries as it’s hidden from view.
Plus open source allows audit of code to ensure the software is what it says it is. There are plenty of examples of commercial closed software that does things deliberately that do not benefit its user, but do benefit the company that makes the software.
The track record of open source projects for fixing known vulnerabilities is pretty good. Closed source suppliers, on the other hand, have frequently been caught trying to sweep things under the rug.
The saying in software engineering is “there’s no security in obscurity.” Hiding your implementation isn’t for security, it’s for other business purposes.
No, absolutely not. Security through obscurity hasn’t worked for decades.
I do not think that ever worked.
No, but I sure have dealt with a lot of stupid decisions for years because somebody thought it would and used that as an excuse to be wildly insecure to save time.
It works if working is simply not knowing there are exploits happening.
During the browser war years when M$ forced everyone into using Internet Explorer via their OS monopoly, malware exploded. It was so easy to get a broken system because IE was tightly coupled to Windows. I remember all of us having to fix our parents' computers, then install a ton of anti-virus software to prevent it. Identity theft and tons of other exploits were rampant.
Some people found some of these bugs and published them on various sites… and what was Microsoft's response? To sue those sites out of existence, and let the malware keep stacking up. The problem really didn't go away until Opera and Firefox came along.
Talk about traumatic memory. The amount of family and friend gatherings I spent cleaning malware off an old beige Windows machine is horrifying. Opened Internet Explorer, and it was more toolbars than webpage area. No wonder I run 100% Linux nowadays.
It's a double-edged sword: everybody can look for vulnerabilities, which may help some pirates, but it also means that everyone can volunteer to fix it. To my understanding, professional security auditors concluded that (at least for big free projects) open source is safer than closed source because more people fix bugs than exploit them.
No, more specifically it's safer because bugs can be found readily.
Yes, this increases your attack surface. But way worse than the easily-found-easily-exploited bug is the bug that is being exploited and you have fuck all idea it’s even there.
Tetra (the digital radio) is a nice example for that. It was ‘secure’ for a long time - or at least we don’t know otherwise, because the majority of issues found when an independent team finally bothered to reverse that thing can be exploited without the operators noticing.
With an open standard people would’ve told them in the 90s already that they’re morons.
Or the exploit has been found but the devs do fuck all to fix it.
FOSS generally puts more pressure on people to write better and safer code, because you know everyone is going to look at it. Even when vulnerabilities are found, they are usually fixed so fast compared to the proprietary side. There are stories of people waiting 6 months for Microsoft to fix a vulnerability, while an OpenSSH or OpenSSL issue is usually fixed in a few days.
Lots of good and relevant reading here:
The fact that most hacked software is closed source (i.e. Windows and most Windows tools) proves that open source software is not less secure.
Not really. That Windows is targeted more is not to do with it being closed source or necessarily less secure; it is ubiquitous and so from a hacker/malware point of view it's the best chance of getting a financial reward from their efforts.
However, it being closed source makes it harder to identify and patch the holes. We only come across those holes either because a good actor has taken the time to find them (which is hard work) or a bad actor has started exploiting the flaws and been caught, which is terrible as the horse has already bolted, and often stumbled across after damage has been done.
Open source does not magically fix that problem, it just puts the good and bad actors on a more level open playing field. Software can be secure with open code as security is about good design rather than obscuration. But open source code can also be very insecure due to bad design, and those flaws are open to anyone to see and exploit. And it requires people taking the time and effort to actually review and fix the code. There is less incentive to do that in some ways as it is currently less targeted.
However there are a lot more benefits to open source beyond that, including transparency, audit, and collaboration. It’s those benefits together that make open source compelling.
Security is also more than being hacked. There are lots of examples of closed source software doing things to benefit its makers rather than its users, scraping user data for example and sending it home to be exploited. It's harder to hide in open source software, but someone also has to take the time to look.
Not really, Windows is most targeted because it's most used. If Linux had comparable market share it would be attacked way more.
Most of the services you use every day run on Linux servers. Even Microsoft uses Linux on their servers. And these services, not an average laptop, are the main targets of malicious actors.
The vast majority of behind-the-scenes infra that the end user never sees is open source, even if the end-user part is proprietary. E.g. Facebook and Xwitter are proprietary, but run on open source infrastructure like Docker, Kubernetes, Nginx etc.
Proprietary OSes are workstation/office/home PC land. They have way more security issues due to crap coding, whereas security problems with open source server stuff are as a rule the fault of the admins misconfiguring services and not keeping their software up to date.
Linux servers are hacked left and right on a daily basis.
Yes, because the vast majority of orgs both in private and public sectors suck at securing their systems. Either:
- The admins lack the knowledge and skills to properly configure their stuff.
- The admins are not given the resources they need to update and secure the systems.
- The in-house parts of the system rely on some deprecated functionality of an old version of some underlying service. Updating in-house parts to make it work with new versions is not made possible because "Phil knew how but Phil was laid off 10 years ago" or "the company who made it is out of business" or "we don't have the money to do it" or "it works now, so why bother?"
- The servers are fine, up-to-date and secure, but the in-house service itself has glaring security issues that go unfixed due to the above reasons. And thus came along little Bobby Tables and was able to completely incapacitate his school district…
Generally a Linux installation is very good at keeping itself up-to-date and installing security patches automagically. Updating Docker containers is somewhat more involved, but can be easily automated with Watchtower.
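The "little Bobby Tables" point above is about an in-house service that builds SQL from user input on an otherwise patched server. As an added example (not from this thread, using a constructed in-memory SQLite database and a hypothetical student roster), here is that legacy pattern beside the parameterized form that makes the same input harmless:

```python
import sqlite3

# Constructed sample input: a name that ends the string literal and
# appends a second statement, as in the xkcd "Bobby Tables" joke.
BOBBY = "Robert'); DROP TABLE students;--"


def fresh_db():
    """Create a throwaway in-memory database with a students table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE students (name TEXT)")
    con.commit()
    return con


def add_student_vulnerable(con, name):
    # Legacy in-house pattern: the query text is built with string
    # formatting and run as a script, so quotes in the input become SQL.
    con.executescript("INSERT INTO students (name) VALUES ('%s');" % name)
    con.commit()


def add_student_safe(con, name):
    # Parameter binding: the driver sends the value separately from the
    # statement, so the input is stored verbatim and never parsed as SQL.
    con.execute("INSERT INTO students (name) VALUES (?)", (name,))
    con.commit()


def table_exists(con, table):
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row is not None


def student_names(con):
    return [r[0] for r in con.execute("SELECT name FROM students ORDER BY name")]


def demo():
    """Return (table survived vulnerable insert, table survived safe insert, names)."""
    con = fresh_db()
    add_student_vulnerable(con, "Alice")
    add_student_vulnerable(con, BOBBY)
    vulnerable_survived = table_exists(con, "students")

    con = fresh_db()
    add_student_safe(con, "Alice")
    add_student_safe(con, BOBBY)
    return vulnerable_survived, table_exists(con, "students"), student_names(con)


if __name__ == "__main__":
    print(demo())
```

The vulnerable path loses the table entirely, while the parameterized path stores Bobby's odd name as plain text; no server patching would have closed this, only a fix in the in-house code.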
Linux is used a lot, though, in a lot of high value situations (servers).
Oh yeah, definitely but those tend to be different attacks than would target random consumer computers.
Being open source definitely plays a role in Linux security, but it’s minor compared to stuff like market share, user privilege, package management vs just installing random exes, different distros using different packaging systems.
Linux is the most used OS, it has many attacks every day. The problem is that you can’t see it and that’s why you think there aren’t Linux systems or attacks to it, because you can’t see them.
I like how you just ignored the comment you replied to which acknowledged Linux makes up most servers and instead just argued against a guy you made up.
I didn’t ignore.
those tend to be different attacks than would target random consumer computers
That doesn't mean attacks on Linux are minor, just different kinds of attacks, because a user mistake is easier to exploit than a vulnerability in software/code. That's not about software mistakes that create vulnerabilities, that's a user mistake that installs malware.
open source definitely plays a role in Linux security, but it’s minor compared to stuff like market share, user privilege, package management vs just installing random exes, different distros using different packaging systems
The kind of attacks you are talking about are actually the "minor" attacks that occur daily, but normally the most effective. There are a lot of scams, but daily or hourly there are millions or billions of attacks everywhere, or that's what my cybersecurity team at my company showed me; they are there 24/7 to never let any attack penetrate the organization. Imperva and Cloudflare (for example) are or have powerful firewalls that block many attacks every minute. And you are comparing that to malware that a user installs.
So that's why I am saying: because you can't see them doesn't mean there aren't attacks.
Edit: More data added at the bottom.
I found this: https://www.imperva.com/cyber-threat-index/
The Cyber Threat Index is calculated using data gathered from all Imperva sensors across the world including over:
- Over 25 PB (petabytes, 10¹⁵ bytes) of monthly network traffic passed through our CDN
- 30 billion (10⁹) monthly Web application attacks, across 1 trillion (10¹²) HTTP requests analyzed by our Web Application Firewall service (Cloud WAF)
- Hundreds of monthly application and database vulnerabilities, as processed by our security intelligence aggregation from multiple sources
open source definitely plays a role in Linux security, but it’s minor compared to stuff like market share, user privilege,
Is saying the role open source plays in Linux security is minor compared to the role other aspects play, not that the attacks are minor.
Someone hasn’t been paying attention for decades and instead chose to be confidently incorrect
You don’t need the source code to find vulnerabilities.
To fix them you almost always need access to the source code.
Neither closed source nor open source is a guarantee of a quality code base.
There are white hat (good person) as well as black hat hackers.
If everyone can see the source code, there are more eyes able to spot problems and fix them.
And someone can fork the codebase if the original author or current maintainer refuses to fix major issues. Closed source software vendors refuse to do so quite frequently.
Hell no: Security through obscurity is not security at all. This is a fundamental rule of security.
Open source means anyone able to read the code can find and fix vulnerabilities to prevent them from being exploited in the future. It’s just as easy to exploit closed source software through fuzzing and other means, but the only people doing that are the devs and hackers, not the thousands of other people invested in the project.
It’s much easier to slip backdoors into closed source software too.
I’m annoyed that most of the answers are just “no”.
It’s actually a great question, but practical experience has shown that closed-source software is just as buggy when written, and only slightly harder for an attacker to figure out, but much much harder to fix. And that’s not even talking about deliberate anti-features, like every app that hoovers up your data and sells it so you can order a pizza.
This, and in addition to company sponsored anti-features, governments can ask or force companies to add back doors, unbeknownst to the consumers. For this reason (and others), I'll only ever trust open source software for security software, like VPN.
They are equally exploitable, but those exploits are generally easier to find and fix on open source software than closed.
As an example, look at the exploit chain Apple had only patched recently, “TriangleDB”. The exploit relied on several security flaws and undocumented functions, and it was used extensively in state-sponsored malware such as Pegasus for years. If any part of the exploit chain were patched, the malware wouldn’t have worked. It took a Russian cybersecurity firm a significant effort to track down how the exploit worked when they found out they were being targeted by the malware.
This is like asking “isn’t wikipedia full of false information?”
And, yes! There are lots of mistakes in wikipedia. But when they’re found, they can be fixed. That’s the same deal with open source software.
Code security is directly proportional to the amount of resources devoted to finding and fixing bugs regardless of open or closed. If nobody is maintaining the code, it doesn’t matter.
One advantage with open source is that you can look at the version control to see how actively the code is being maintained.
On the contrary, it's easier to secure because anyone can contribute. See a bug? Report it / fix it.
Take backdoors for example. The CIA can abuse a Windows backdoor all they want because we can't see it; however, on Linux such a thing doesn't exist because we have the code.
And even if a 0-day exploit was found and used, it would get patched really fast, it would be up to the user to do his due diligence and update.
This is where most of the problems in open source come from. Just because anyone can look at the source code doesn’t mean that anyone actually is. It frequently seems that everyone just assumes that popular/common libraries have been reviewed and vetted, but never bother to check for themselves unless they happen to work in application security. It’s like Douglas Adams’ SEP field. And many common modules became common because they were convenient and/or easy to use, not because they were rigorously developed and tested with strong security principles.
Of course expecting every user to inspect the source of every piece of software they use, every time it gets an update, is utterly ridiculous. No one would ever actually use anything.
With closed source, the problem is that you can’t see the code so you need to be sure that you trust the developer. With open source, the problem is spaghetti code (and worse, spaghetti dependencies) so again you need to be sure that you trust the developer(s).
Hold up, hold up. "On Linux such a thing doesn't exist" is a very bold statement for something containing millions of lines of code.
There were and will be more than enough zero days in Linux, be it because of malice or incompetence.
Open source doesn’t say anything about the quality of the code.
Ever heard of log4j? Open source code…
That part is about backdoors, not zero days. However, even still backdoors may exist. Linux has libraries and other code, as well as code that hasn't been checked well enough, that could contain backdoors. It's less likely than Windows, but still possible.
I've heard from "reputable sources" (internet schizos) that every CPU since 2010 has been backdoored by the NSA. This can be exploited on any platform.
There's the Intel Management Engine and the AMD Platform Security Processor. Both manage low level tasks like booting, and have access to network data. AMD's PSP is known to have unrestricted access to user memory.
There have been security vulnerabilities that would grant access to sensitive data exploiting both systems if not patched.
As for a backdoor, there’s no evidence but I wouldn’t be surprised. The NSA has programs to insert backdoors into consumer products and these seem like the perfect place to do it. But again, there’s no evidence either chip is part of these programs.
What you refer to here is known as “security through obscurity”. Which is arguably worse than “security through design”.