Page 4 of 6
Re: Which sites/programs do you boycott?
Posted: Fri Jun 05, 2015 8:33 am
by Roman
Brendan wrote: "closed source" means you have to trust the creators and nobody else
And can you trust these creators?
Brendan wrote: and "open source" means you have to trust the creators (which can include "volunteers" working for the NSA) plus everyone that came in contact with the source and tools and binaries anywhere between the creators and you
At least, open source software can be reviewed by the public.
Re: Which sites/programs do you boycott?
Posted: Fri Jun 05, 2015 8:34 am
by embryo2
Brendan wrote: Essentially; "closed source" means you have to trust the creators and nobody else; and "open source" means you have to trust the creators (which can include "volunteers" working for the NSA) plus everyone that came in contact with the source and tools and binaries anywhere between the creators and you.
If you need to trust the creators of "closed source" then in fact you trust everyone, just because you don't know anything about creator's kitchen.
So, the only way to trust software is to keep it open source and to establish some overseeing rules and a freely joined committee that governs distribution and updates of the source and resulting binaries. Only cooperative efforts can do it for you, but no amount of boycotts can help. And we are all guilty of the lack of cooperative efforts. It's the death of democracy when cooperation decays, and the same applies to security.
Re: Which sites/programs do you boycott?
Posted: Fri Jun 05, 2015 8:56 am
by glauxosdev
Hi,
XenOS wrote: Just take sourceforge as an example. They delivered malware, it was discovered by the community, they got blamed.
XenOS' signature wrote: Programmers' Hardware Database // SF user: xenos1984; OS project: XeNOS
I'm really sorry for you. I moved my projects easily to GitLab.
Regards,
glauxosdev
Re: Which sites/programs do you boycott?
Posted: Fri Jun 05, 2015 9:47 am
by Brendan
Hi,
Roman wrote: Brendan wrote: "closed source" means you have to trust the creators and nobody else
And can you trust these creators?
No; but a large company that provides commercial software is accountable (to their customers, their shareholders and the legal system) while most open source projects are not.
Roman wrote: Brendan wrote: and "open source" means you have to trust the creators (which can include "volunteers" working for the NSA) plus everyone that came in contact with the source and tools and binaries anywhere between the creators and you
At least, open source software can be reviewed by the public.
"Can be reviewed by the public" is irrelevant when the public can't understand the source code in the first place, and if they could they've got better things to do than waste several years verifying a version of something when a new version is released each month.
Now; read this and think about it for a while. I dare you to look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc. it uses; and prove to me that the executable doesn't contain something that was never in the source code.
Cheers,
Brendan
Re: Which sites/programs do you boycott?
Posted: Fri Jun 05, 2015 10:25 am
by Combuster
Brendan wrote: No; but a large company that provides commercial software is accountable to (...) the legal system
And that's actually a problem instead of being a good thing. America has been proven to force security issues into software. China has been proven to force security issues into software. That leaves the remaining two thirds of the world open to extrapolation.
I dare you to look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc. it uses; and prove to me that the executable doesn't contain something that was never in the source code.
That's easy, I built all of it myself
Re: Which sites/programs do you boycott?
Posted: Fri Jun 05, 2015 10:45 am
by Rusky
Brendan wrote: "Can be reviewed by the public" is irrelevant when the public can't understand the source code in the first place, and if they could they've got better things to do than waste several years verifying a version of something when a new version is released each month.
Replace "the public" with "a vastly larger group of security professionals, from all the companies that rely on the software rather than just the one that produced it." Keeping the software independent of any one country is also important.
Brendan wrote: Now; read this and think about it for a while.
That's never been a real threat. It's a very useful thought experiment, but there's no way something as heavily relied-upon and code-reviewed as GCC, or Clang, or the Linux kernel, etc. is going to gain the capability to recognize and modify its own source code on the fly without someone noticing.
The argument that most users won't read or understand the source, and the argument that most users just download binaries anyway, are straw man arguments, not really why open source is important. The important thing is that major projects like kernels, encryption libraries, etc. have several groups supporting and relying on them that don't necessarily trust each other. This creates much stronger incentives for security than Random Corporation A that can just cave to governments with no good way for outside entities to find out.
This is not to say proprietary software is evil. It is harder to bootstrap open source software when you're not getting paid or when it's not something that really fits into this model. People do need to be paid for their work somehow. But security does push things toward an open source model - even Apple releases their source and it does get looked at by outsiders (although there's much less guarantee that the source matches the binary here).
Re: Which sites/programs do you boycott?
Posted: Fri Jun 05, 2015 12:11 pm
by iansjack
Combuster wrote: I dare you to look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc. it uses; and prove to me that the executable doesn't contain something that was never in the source code.
That's easy, I built all of it myself
I'll bet 100 of my euros to 1 of yours that at some stage in the chain you used pre-built binaries to (eventually) produce your current software. Unless you can prove that those binaries contained nothing malicious the rest of the chain falls like a pack of dominoes.
Re: Which sites/programs do you boycott?
Posted: Fri Jun 05, 2015 2:09 pm
by xenos
glauxosdev wrote: I'm really sorry for you. I moved my projects easily to GitLab.
Well, I'm not using it for distributing my software anyway, I only used the SVN repository, and I'm also moving from SVN to Git. So this incident didn't really affect me at all. But still it serves as a nice example.
Re: Which sites/programs do you boycott?
Posted: Fri Jun 05, 2015 3:39 pm
by Roman
iansjack wrote: Combuster wrote: I dare you to look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc. it uses; and prove to me that the executable doesn't contain something that was never in the source code.
That's easy, I built all of it myself
I'll bet 100 of my euros to 1 of yours that at some stage in the chain you used pre-built binaries to (eventually) produce your current software. Unless you can prove that those binaries contained nothing malicious the rest of the chain falls like a pack of dominoes.
If such a virus, which could infect compilers, ever existed, it would be detected by some kind of software anyway. It would be unlikely to stay stealthy unless it's such advanced malware that it could be compared to an AI. KTH is an interesting theory, but nothing else.
Edit: Anyway, we all seem to be sure in our opinions. This debate won't produce any profit for anyone of us.
Re: Which sites/programs do you boycott?
Posted: Fri Jun 05, 2015 4:08 pm
by iansjack
Roman wrote: Anyway, we all seem to be sure in our opinions. This debate won't produce any profit for anyone of us.
That's true. This discussion is based on paranoia. The only thing to discuss is the degree of that paranoia.
Personally, I don't believe that open-source software has been compromised any more than I believe that everything I type into Microsoft Office, or Visual Studio, goes straight to the NSA (or GCHQ in my country). If they are monitoring what I do on my computer they must, by now, be suffering from terminal (pun not intended) boredom.
One can worry about all sorts of things in life. The concept that companies such as Microsoft have some evil master plan that extends beyond simply trying to sell their software (in which case it behoves them not to do anything to it that would give people cause for concern) is clearly the product of a disturbed mind. All that bothers me is if they make good software or bad software. To boycott their software for reasons other than that makes no sense to me. So, I guess, I boycott Windows Vista, but I don't boycott Windows 7. Similarly, I boycott Ubuntu Linux, but not Gentoo Linux. In other words, I like some software, I don't much care for other software - freedom of choice.
Re: Which sites/programs do you boycott?
Posted: Fri Jun 05, 2015 10:33 pm
by piranha
If such a virus, which could infect compilers, ever existed
http://c2.com/cgi/wiki?TheKenThompsonHack
Re: Which sites/programs do you boycott?
Posted: Fri Jun 05, 2015 11:09 pm
by Roman
Yes, there are examples in the wild, but they are not that dreadful and are completely unrelated to the topic.
Re: Which sites/programs do you boycott?
Posted: Sat Jun 06, 2015 1:51 am
by iansjack
Well that example seems 100% relevant to me as it is exactly what I was talking about. At some stage you use a binary to produce your programs. If that binary is compromised - and I'm happy to believe Ken Thompson when he says this can be done - then everything down the line is also compromised.
At some stage you have to trust somebody. Whether you trust a corporation - who have the world to lose by being found out with funny business - or an individual - who has nothing to lose - comes back to your freedom of choice. Do I trust all individuals on the Internet? Silly question.
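David A. Wheeler's Diverse Double-Compiling (DDC) is the standard defensive answer to the challenge raised earlier in the thread (show that a compiler binary contains nothing its source lacks) and to the Ken Thompson hack iansjack refers to. The toy model below is an added example, not code from any poster; the compiler source, the "binaries" (plain strings), the payload marker and the "other-vendor" trusted compiler are constructed stand-ins, and the model assumes deterministic (reproducible) builds.

```python
"""Toy model of Diverse Double-Compiling (DDC, David A. Wheeler), a check
against a self-reproducing compiler trojan. Every 'binary' is a short string."""
import hashlib

# Constructed sample input: the compiler's own (clean) source text.
COMPILER_SRC = "compiler source v1 (clean)"

def digest(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def codegen_id(compiler_bin: str) -> str:
    """Which code generator a compiler binary embodies: for a compiler we built,
    the digest of the source it came from; for an external one, its name."""
    if compiler_bin.startswith("bin("):
        return compiler_bin[4:compiler_bin.index(")")].split(";")[0]
    return compiler_bin

def compile_with(compiler_bin: str, source: str) -> str:
    """Simulate running compiler_bin on source. Output is deterministic (a
    reproducible build). A trojaned compiler recognises the compiler's own
    source and re-inserts its payload, so the payload never appears in source."""
    propagate = "+payload" in compiler_bin and source == COMPILER_SRC
    payload = "+payload" if propagate else ""
    return f"bin({digest(source)};cg={codegen_id(compiler_bin)}){payload}"

def naive_self_check(suspect: str) -> bool:
    """Rebuild the compiler with itself and compare. This cannot catch the
    trojan: the trojaned compiler faithfully regenerates itself."""
    return compile_with(suspect, COMPILER_SRC) == suspect

def ddc_check(suspect: str, trusted: str) -> bool:
    """DDC: build COMPILER_SRC with an independent trusted compiler (stage1),
    rebuild it with stage1 (stage2), then compare stage2 bit-for-bit with the
    suspect compiler's own rebuild of the same source. A mismatch proves the
    suspect binary contains behaviour that is not in COMPILER_SRC."""
    stage1 = compile_with(trusted, COMPILER_SRC)
    stage2 = compile_with(stage1, COMPILER_SRC)
    return stage2 == compile_with(suspect, COMPILER_SRC)

# Constructed fixtures: a self-hosted clean compiler, a trojaned copy of it
# "built" from the very same source, and an independent compiler from elsewhere.
CLEAN = compile_with(compile_with("bootstrap-compiler", COMPILER_SRC), COMPILER_SRC)
TROJANED = CLEAN + "+payload"
TRUSTED = "other-vendor-compiler"

if __name__ == "__main__":
    print("self-check passes trojan:", naive_self_check(TROJANED))   # True
    print("DDC flags trojan:", not ddc_check(TROJANED, TRUSTED))      # True
    print("DDC accepts clean build:", ddc_check(CLEAN, TRUSTED))      # True
```

DDC does not remove trust entirely: it reduces the question to trusting one independent compiler (and a deterministic build) instead of every binary in the chain, which is exactly the "you have to trust somebody" point above.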
Re: Which sites/programs do you boycott?
Posted: Sat Jun 06, 2015 6:07 am
by Combuster
you trust a corporation - who have the world to lose by being found out with funny business
They have PR machinery for that. Somewhat tuned to blame their issues on the government. As long as a sufficient number of people buy it, it works, and the status quo is that it does.
iansjack wrote: an individual - who has nothing to lose
And that's pretty much an even more bogus assumption.
Basically you're calling the same shade of grey both black and white in the same sentence.
Re: Which sites/programs do you boycott?
Posted: Sat Jun 06, 2015 10:19 am
by iansjack
I can only assume that you have never worked for a large corporation in a decision-making role. Whatever the tinfoil hats may imagine, it just does not make business sense to "do evil". And in a corporation of any size you cannot keep secrets - there is always a potential whistleblower with a sense of moral purpose. It's easy for an individual to do evil and keep that secret; it is almost impossible for a multinational to do the same.
The world is not a James Bond novel with evil masterminds reigning vast private empires of nefarious henchmen. There are certainly evil governments and a host of hackers with various levels of ability. Microsoft is not the enemy.