[Ridley]

There are already FOSS replacements for Skype, such as Tox. The fact is that if every line of code can't be inspected then the software can't be considered secure, and we're forced to put blind faith in a faceless corporation, which is understandably not acceptable for many people. I don't really care if you think this is "practical" or not. That's simply the reality of the situation. Proprietary == insecure.

If a company is unable to profit off of making FOSS software then they can go ahead and keep it closed source, but they should not be claiming that their software is secure when their claims cannot be verified. That's simply dishonest, and only proves the critics right about their trustworthiness.

[FreezerburnV]

I would argue that, theoretically, proprietary can be secure. A code base can be made secure by highly experienced engineers who are paid to make the code secure. You might never be able to see the code, but it could still be secure. The problem is that you can never actual verify how secure the proprietary solution is. So whether or not it is secure, you don't trust it. (there are even some interesting arguments to be made about the security of any solution that deals with some kind of user input. my previous boss stipulated that the only way to have a truly secure email client is to have some third-party, verified library that takes all the input, and spits out encrypted data to whatever program deals with email servers, without the program dealing with email servers ever seeing that input in plain text form because who knows what it might do with it)

On the other hand as well, open source most certainly does not mean secure. I don't even have to argue to make this point, I merely have to point out Heartbleed or Shellshock.

[dmix]

Yes, proprietary can be secure. But my question to you is why bother?

As a business model open-source arrangements such as Red Hat or the countless Hadoop services show that you don't really need to lock down the source code to create a successful business around it.

With communications software, the costs a closed-sourced software with magical trust-us crypto getting fully compromised is incredibly high. If people can't trust their basic tools to be private, nor be able to verify it, than they can't assume any conversation they have is private. That's a scary world IMO.

This is particularly true for broken encryption more than the presence of memory exploitation such as Heartbleed or Shellshock.

[bad_user]

While you can argue that some piece of open source software can be more insecure than a proprietary alternative, auditing a piece of software requires access to the source code and that is mandatory. And with open source everybody can audit with no restrictions. Yes, OpenSSH is a piece of shit, but how do you think it was discovered, from 2 independent parties no less.

Then there's another effect that I like - after the initial patch was released, the story went public, we got notified immediately, then we could discuss about what caused it and see the actual commits and who did it. Such a catastrophe can sink a company, therefore you never see such post mortems for proprietary stuff. And yes, even I as a developer cannot audit software for security, but the point is that I could hire somebody else to do that for me, like the Finnish company that discovered Heartbleed.

So yeah, there is no concrete proof that proprietary stuff is less or more secure than open source, but the point is that we'll never know, because nobody can know how secure something is without looking at the source code.

[RaleyField]

OpenSSH or OpenSSL? I thought OpenSSH was pretty solid, forgetting the fact that configuring it isn't as straightforeward as one would hope.

[bad_user]

Sorry, I meant OpenSSL. It was a typo.

[Ridley]

Yes, in theory it is possible. However even 100% secure proprietary software must be assumed to be insecure, because we're still running on blind faith, which is patently stupid for anyone who requires security.

[ethbro]

You run OpenBSD, don't you? (To be fair, their approach since the 90s seems a lot more reasonable now)

[Ridley]

No, my views are not based on my own needs or paranoia. As a security-oriented software developer I recognize that software that claims to be secure needs to deliver, because people like Snowden, Assange et al. may be relying on it some day.

[vezzy-fnord]

I don't even have to argue to make this point, I merely have to point out Heartbleed or Shellshock.

The reason both were found and had the absurd propaganda campaigns behind them as they did that are the only reason you can even name them to begin with, is precisely because the underlying software was free.

On the other hand, let's name drop another vulnerability and its exploit: SMBRelay. Took 7 years after it was made public to introduce an incomplete and partial fix. Still exploitable to this day, 13 years later.

[res0nat0r]

So what it boils down to, is that both open source and closed source software can have bugs lingering in them for years that go unnoticed and/or unfixed.

[Someone1234]

Tox is not a Skype replacement. For example:

- Skype is "everywhere" (Windows, Windows RT, Windows Phone, OS X, iOS, Android, Linux, FreeBSD, Blackberry, XBox One) and opposed to a handful of places (Windows, Linux, OS X, Android, iOS, FreeBSD, OpenIndiana). Plus Outlook.com's Skype implementation supports most platforms with a HTML5 browser.

- Landline/cellular phone calling. Text message sending.

- Caller ID, Voicemail, etc.

- Skype Numbers (i.e. buy a landline phone number people can call your Skype via, which is insanely useful for SMBs and individuals alike).

- Tox's feature list is largely a myth. Most clients are missing major Skype features and none support all of them, see this: https://wiki.tox.im/Clients#Features

People who think Tox is a Skype replacement aren't Skype's core demographic. The landline/cellular/etc functionality is heavily used by many and nothing that claims to be a replacement can be taken seriously if it lacks that.

[wmeredith]

I don't think it's as black and white as all that. This reads like the equivalent claim the NSA makes along the lines of, "if you have nothing to hide, why can't we record every facet of every communication and store it forever?" Business relationships run on trust. Claiming your software is secure when it is to the best of your knowledge is not dishonest.

[humanrebar]

That's a false dichotomy. Not wanting personal conversations recorded is called discretion, a form of wisdom. Not wanting technical details of a product published is primarily a way to gain a competitive advantage, either against other businesses or against potential threats.

[Ridley]

You're making the baseless (and some might say naive) assumption that it is secure to the best of their knowledge. If they really wanted to build trust then they would prove it and leave no doubt in people's minds.

[wmeredith]

"Dear citizen, you're asking us to make the baseless assumption that you're innocent until proven guilty, if you really want to build trust you'll let us monitor you 24/7 and leave no doubt in our mind."

You're making an assumption of guilt. The fact that something isn't open source doesn't inherently make it insecure.

[bad_user]

It doesn't make it trustworthy either. When speaking of encryption algorithms, not publishing a new algorithm for peer reviewing is unthinkable. This is also not about judgment - I do consider people to be innocent until proven guilty, but do you trust people you don't know with issues that could harm you? Besides companies are not people, we are taking about a commercial entity here that wants to sell something. And people get to vote with their wallet and opinions, depending on their needs and I see nothing wrong with that.

[wmeredith]

"And people get to vote with their wallet and opinions, depending on their needs and I see nothing wrong with that."

I was thinking the same thing! But you seem to be assuming guilt and I am not. Honestly, I can see it both ways. It just seemed spurious to me to state that if we don't know it's good, it must be bad.

[Ridley]

I'm not making any assumptions as to their motives; I have not accused them of any wrong doing. As far as I'm concerned, they might be working in good faith or they might not be. That's not good enough when it comes to security. You're incorrect with that last sentence as I and others have pointed out already.

[fredguth]

tox.im website is not working. Am I looking in the wrong place?