by tholdem 633 days ago
Why do you think bad actors "audit" open source more than good actors?

Isn't it more the case that all actors audit all software? Open source just has potentially more "auditors" than closed source?

(I don't understand what you mean by "usual exploits" and "keys to the castle")

2 comments

> Isn't it more the case that all actors audit all software? Open source just has potentially more "auditors" than closed source?

Perhaps bad actors don’t audit more than good actors, but this doesn’t address whether there are more good or bad actors doing the auditing. I think this is a more valuable comparison if we’re talking about risk mitigation and the safety of open-source software. Do you know that there are more good-faith auditors than bad?

Very much related — we should probably acknowledge the disparity between the two groups in terms of motivation, sustainability of said motivation, financial resources, and time.

The idea of burnout among open-source maintainers is long-known and endlessly discussed. They often/mostly volunteer their time — to some thanks, but also to a deluge of “doesn’t work” tickets with no repro, as someone pointed out on this recent post:

https://news.ycombinator.com/item?id=41579591

Bad-faith actors tend to be highly motivated, with ideological or financial goals. They have more and perhaps better resources, more so if state-funded, and more time to commit.

This doesn’t mean there’s a constant and unmanageable risk to open-source software, and I certainly don’t agree that open-source OSes are a bad idea. But it’s not as simple as having actors auditing on each side or the difference in numbers between closed and open-source.

Usual exploits = using the normal tools to look for buffer overflows and such by attacking the running system and compiled binaries.

Keys to the castle = the ability to also look in the source code for vulnerabilities, run static analysis and fuzzing, but also look for architectural flaws. Basically, use extra methods that you can’t apply to the running system or binaries. You would expect some tools to be run already by the authors, but some tools will find things that others don’t.

Bad actors have an incentive to audit the code (find vulnerabilities) since they were in the process of attacking the system anyway, so why not look at the source? You also have state-level attackers who are getting paid to find this sort of thing, and others looking to sell 0-days.

Who are good actors? Who is willing to spend their time finding and fixing bugs? There are definitely people doing it out of the kindness of their heart, and others might be researchers and so on, maybe some companies that use the software - but you are relying on these outnumbering the bad actors.

I think there will always be bad actors, and assuming that there is an army of good actors watching your back might not always be correct. But happy to hear other angles, which is why I opened (and accidentally closed) the conversation.
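As an added illustration of the "usual exploits" versus "keys to the castle" distinction above (example code written for this page, not taken from the thread or from any project): a length check whose integer wraparound is obvious when you can read the source, but which a black-box fuzzer hammering the binary would hit only on one specific 32-bit value. The wire format, function names and buffer size are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format (constructed for this example): a 32-bit payload
 * length supplied by the peer, followed by that many bytes. */

/* As found in source: "n + 1" is evaluated in 32-bit unsigned arithmetic,
 * so n == UINT32_MAX wraps to 0 and the bounds check passes. */
static bool length_ok_vulnerable(uint32_t n, size_t dstlen) {
    return n + 1 <= dstlen;            /* intended: payload plus a NUL fits */
}

/* Hardened form: the same bound expressed without arithmetic that can wrap. */
static bool length_ok_hardened(uint32_t n, size_t dstlen) {
    return dstlen > 0 && n < dstlen;   /* equivalent to n <= dstlen - 1 */
}

/* Copies a payload into a fixed buffer using the hardened check.
 * Returns bytes copied, or -1 if the length is rejected. */
static long copy_record(char *dst, size_t dstlen, const uint8_t *src, uint32_t n) {
    if (!length_ok_hardened(n, dstlen)) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (long)n;
}

/* xorshift32: deterministic stand-in for a black-box fuzzer's length mutator.
 * Its period visits every non-zero 32-bit value exactly once. */
static uint32_t next_len(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *state = x;
}

/* Black-box view: how many random lengths does the vulnerable check accept
 * that the hardened one rejects? Only n == UINT32_MAX qualifies, and a
 * random sampler reaches it at most once per 2^32 - 1 draws. */
static unsigned count_wrong_accepts(unsigned trials, size_t dstlen, uint32_t seed) {
    unsigned hits = 0;
    uint32_t s = seed ? seed : 1;
    for (unsigned i = 0; i < trials; i++) {
        uint32_t n = next_len(&s);
        if (length_ok_vulnerable(n, dstlen) && !length_ok_hardened(n, dstlen)) hits++;
    }
    return hits;
}

int main(void) {
    char buf[64];
    const uint8_t payload[] = "hello";   /* constructed sample input */
    printf("copy_record(\"hello\"): %ld\n", copy_record(buf, sizeof buf, payload, 5));
    printf("vulnerable check accepts UINT32_MAX: %d\n",
           length_ok_vulnerable(UINT32_MAX, sizeof buf));
    printf("hardened check accepts UINT32_MAX:   %d\n",
           length_ok_hardened(UINT32_MAX, sizeof buf));
    printf("random lengths wrongly accepted in 100000 trials: %u\n",
           count_wrong_accepts(100000, sizeof buf, 2024));
    return 0;
}
```

The point of the random loop is the contrast: with the source in hand, `n + 1` on a `uint32_t` is a one-line review finding and the triggering value is known immediately; without it, the same bug is a single point in a 2^32 input space that untargeted mutation of the compiled binary is unlikely to land on.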

Good actors do it mostly for money and fame, bad actors do it mostly for money. Both actors do it for open source and closed source software.

Isn't it a good thing that anyone can effectively use tools to check for potential vulnerabilities?

This is just speculation, but I think open source projects may mature faster in terms of security because the low-hanging fruit is maybe found faster than in closed source projects?

Another interesting case I think about a lot is the classic AOSP vs. iOS. Apple tried to sue Corellium for making it easier to research iOS. Then Apple started the Apple Security Research Device program to make it easier for researchers to do iOS research. These two things seem to me to be a kind of involuntary open-sourcing of iOS. Why did Apple see Corellium as a threat and why did they provide researchers with these special devices?