Hacker News new | ask | show | jobs
by bigiain 3497 days ago
> proprietary software is inherently insecure

Unlike widely used and security-critical open source projects, right? Like, say, OpenSSL?

("All hardware sucks. All software sucks." This is at least as true these days as it was back on alt.sysadmin.recovery in the '90s)
1 comments
ralmidani 3497 days ago
At least in the case of free (as in freedom) software, the vulnerabilities can be exposed and patched. More importantly (and more relevant to this discussion), software freedom also tends to make it difficult for the original developer to hide malicious features.
link
acdha 3497 days ago
Theoretically, yes, but if you're going to make that claim you'd need some hard data showing that exploitable bugs either happen less frequently or are going and patched earlier.

Care to show your data and analysis?

link
bigiain 3497 days ago
To be fair - they didn't make that claim, just left it up to you to assume the dichotomy.

It can be (and arguably is) true that "proprietary software is inherently insecure" - without requiring an opposite statement like "open source software is inherently secure" to also hold. (The wording in context _does_ strongly suggest that was the implied premise of the implied premise tho.)

link
ralmidani 3497 days ago
How can I obtain reliable data on non-free software when the public cannot study the source code?

You also seem to discount the possibility of _intentional_ vulnerabilities (from the user's perspective) being included in the software by its developer.

link
acdha 3496 days ago
You appear to be unaware of the large industry reverse-engineering software of all sorts. You could compare comparable projects and see whether source availability correlates with fewer vulnerabilities, lower severity, etc.

Similarly, the security community has discussed the possibility of intentional vulnerabilities in opensource software for decades. Sure, someone would probably notice if you submitted secret-nsa-exploit.patch but it's unclear that someone would notice if e.g. you submitted a Heartbleed-style bug, not to mention something the NSA's dual curve backdoor.

To be clear, I've been working with open-source software since the mid-90s. I think the model has a lot to offer but it's not magic. Lazy fanboy activism doesn't do anything but lower your credibility and help the companies which are arguing that open-source isn't safe to use (or isn't safe to use without paying them to manage it).

link