Like a privacy based fully open source browser. Wouldnt it be more hackable because every one know the script and is a glopal privacy based gpay alternative possible ? What about targeted hacking is someone using closed source application more better off than someone with ooen source ?

  • Yuumi@lemmy.world
    link
    fedilink
    English
    arrow-up
    17
    arrow-down
    1
    ·
    10 months ago

    On the contrary, it’s more easy to secure because anyone can contribute. See a bug? Report it / Fix it.

    Take backdoors for example. The CIA can abuse a windows backdoor all they want because we can’t see it however on Linux such a thing doesn’t exist because we have the code.

    And even if a 0-day exploit was found and used, it would get patched really fast, it would be up to the user to do his due diligence and update.

    • NaibofTabr@infosec.pub
      link
      fedilink
      English
      arrow-up
      14
      ·
      10 months ago

      This is where most of the problems in open source come from. Just because anyone can look at the source code doesn’t mean that anyone actually is. It frequently seems that everyone just assumes that popular/common libraries have been reviewed and vetted, but never bother to check for themselves unless they happen to work in application security. It’s like Douglas Adams’ SEP field. And many common modules became common because they were convenient and/or easy to use, not because they were rigorously developed and tested with strong security principles.

      Of course expecting every user to inspect the source of every piece of software they use, every time it gets an update, is utterly ridiculous. No one would ever actually use anything.

      With closed source, the problem is that you can’t see the code so you need to be sure that you trust the developer. With open source, the problem is spaghetti code (and worse, spaghetti dependencies) so again you need to be sure that you trust the developer(s).

        • NaibofTabr@infosec.pub
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          10 months ago

          Either way, the issue is trust. With popular/widely used open source projects, you can at least democratize trust to some extent (many people have worked on this, and many more have used it). Smaller projects are more risky. This is true for proprietary software also - generally, Microsoft is putting effort into fixing vulnerabilities in their products, but if you buy specialty software from a small business with a registered address in Ireland but actually based out of Moldova, they will probably have different quality standards.

          Whether open or closed, you should try to understand the incentive model of the developers. Is it paid software? Is there a license agreement? Is it ad supported? Or donation supported? Is it a volunteer project? Is it collecting data about its users?

          Some open source software is developed by companies but distributed freely. Bitwarden is a great example of this. It’s probably the best password manager out there right now. It’s free for individual use and for self hosting. The company makes money by selling implementation and support services to businesses. This model has a lot of benefits, and the code projects that come out of such companies are generally very stable and trustworthy.

          The trust issue is slightly different in form between open and closed source, but ultimately it’s the same issue. If the security of what you’re doing matters, then you need to know who you’re working with and whether their interests align with yours.

          • taladar@sh.itjust.works
            link
            fedilink
            arrow-up
            2
            ·
            10 months ago

            Smaller projects are more risky. This is true for proprietary software also - generally,

            Not necessarily. Large commercial vendors might be much more likely to kill off one of many projects, even large ones, than a small vendor is to kill off their only project.

    • Redredme@lemmy.world
      link
      fedilink
      arrow-up
      14
      arrow-down
      1
      ·
      10 months ago

      Hold up, hold up. “on linux such a thing doesnt exist” is a very bold statement for something containing millions of lines of code.

      There where and will be more then enough zero days in Linux, be it because of malice or incompetence.

      Open source doesn’t say anything about the quality of the code.

      Ever heard of log4j? Open source code…

      • Cethin@lemmy.zip
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        1
        ·
        10 months ago

        That part is about backdoors, not zero days. However, even still backdoors may exist. Linux has libraries and other code, as well as code that hasn’t been checked well enough, than could contain backdoors. It’s less likely than Windows, but still possible.

        • Fizz@lemmy.nz
          link
          fedilink
          arrow-up
          5
          ·
          10 months ago

          I’ve heard from “reputable sources” (internet schizos) that every cpu since 2010 has been backdoored by the nsa. This can be exploited on any platform.

          • Darorad@lemmy.world
            link
            fedilink
            arrow-up
            4
            ·
            10 months ago

            There’s the Intel management engine and the amd platform security processor. Both manage low level tasks like booting, and have access to network data. Amds psp is known to have unrestricted access to user memory.

            There have been security vulnerabilities that would grant access to sensitive data exploiting both systems if not patched.

            As for a backdoor, there’s no evidence but I wouldn’t be surprised. The NSA has programs to insert backdoors into consumer products and these seem like the perfect place to do it. But again, there’s no evidence either chip is part of these programs.