Dessalines
link
fedilink
14
edit-2
7M

People have found vulnerabilities with lemmy both via the source code, and just trying things. They report them, and it gets fixed.

Meanwhile, microsoft windows during the 90s was a privacy and security nightmare. M$ sued the people who published bugs on sites out of existence, exploits could find their way from internet explorer into the filesystem, malware was so pervasive that you couldn’t run windows without an anti-virus suite. Identity theft, credit card theft, account-hijacking were rampant. Your system would slow down after running without an anti-virus for a few months. Older people had half their screen taken up on IE with ads and malware that could be installed at the click of a button, with no way to easily get rid of it.

Transparency doesn’t mean that 100% of users need to do audits on the source code. It means that the 0.00001% who are good at it, are able to in the first place, unlike with closed source software like windows.

Trust the transparency model: it works.

@pingveno@lemmy.ml
link
fedilink
2
edit-2
7M

exploits could find their way from internet explorer into the filesystem

If I recall correctly, the worst offender was ActiveX, which blurred the lines between web content and a native application. And of course once ActiveX was deprecated, businesses would keep their employees stuck on increasingly vulnerable browser versions.

Ephera
link
fedilink
97M

With these discussions, I always like to point out Chromium. It’s open-source, so people have largely been trusting that it’s fine. And in this case, we do actually have people auditing it.

Except those people have found several things wrong with it: https://github.com/ungoogled-software/ungoogled-chromium
And in fact, they even provide a solution for the things they’ve found.

In this ideal world of open-source preventing backdoors, any user of Chromium or Chrome would know about these flaws. And they would probably be using ungoogled-chromium instead. Clearly, neither of those are the case.

Helix 🧬
link
fedilink
4
edit-2
7M

Background requests to Google are a privacy concern, not a security concern per se. Don’t confuse privacy with security, although sometimes they’re intertwined.

And why should I trust a project a miniscule portion of people use from a random pseudonymous Github developer where the risk for undetected backdoors is even higher?

Also worthy of a mention: you need to be so proficient in so many languages to be able to actually audit the code yourself. It’s simply infeasible.

Normally you audit what you know and someone else will audit the other languages that you don’t know, that’s the community power.

This whole comment chain is about how relying on the community to audit is a type of bystander problem. At least that’s how I understood it.

Yes, sorry. I mean, “community power” allows individuals people to check those code any time.

I would trust first a company doing open source apps than one doing closed (both can do deep professional auditions, if the difference is open or closed, I would go to open).

About forks like ungoogled-chromium. I think I can trust them more than Google, as you don’t know what kind of binaries Google adds to your browser. The community instead, when you do a change you can review it, there are 69 people on that repo, so unless of them all are “fake bots” I suppose someone of them will check the commits/pull request that others do.

Helix 🧬
link
fedilink
17M

About forks like ungoogled-chromium. I think I can trust them more than Google, as you don’t know what kind of binaries Google adds to your browser.

Only if you check all of the code and only if you trust Microsoft that they don’t inject stuff in the Github binaries and only if you build it yourself every single time, as the project doesn’t feature reproducible builds.

I doubt you are compiling all your software, someone compiled it for you, so how do you know they didn’t injected something on your OS?

When you do apt update to get anything, it’s also about trust with Ubuntu maintainers. If you switch distro, and they have their own repos, you are also trusting them.

The ungoogled repo has 70 contributors, but there are 14.9k stars, 283 watching, 690 forks. I would untrust it if it had much fewer numbers…

Helix 🧬
link
fedilink
1
edit-2
7M

At least in repositories there are supposed to be maintainers. I also don’t really trust them, but there’s no reason to trust the ungoogled people more than the maintainers of your distribution.

The point is, you can trust nobody.

You need to trust someone, it’s your choice, I just don’t trust companies, at least with closed source.

Helix 🧬
link
fedilink
1
edit-2
7M

That’s the point, nobody does. There is no proper audit. And I don’t trust random people to do the audit properly.

But that’s more a problem you have about trust. You trust so many companies, and I don’t know how much stuff you have installed on all your devices, but I’m sure not all of them are doing audits on each release they delivered. And companies with closed source also got hacked, backdoors, vulnerabilities.

Chromium, the official app, neither got any independent audit, and it’s not written with a goal of security in mind. So ungoogled-chromium have a few experts looking into it. If you join the project and their community, you will be able to know, talk and contribute with them.

Helix 🧬
link
fedilink
17M

Okay, I now trust some random people on the internet instead of the original authors of the software.

Are the authors not also random people on the internet?

Okay, I now trust some random people on the internet instead of the original authors of the software.

https://github.com/ungoogled-software/ungoogled-chromium#credits

For you, those are random people? What is random people for you? Because then Linux is also contributed by random people.

Helix 🧬
link
fedilink
17M

This is correct. You can’t trust all of the Linux developers either, which is why we have Linus Torvalds and other maintainers with a good track record overseeing things.

Do you not understand how software development works or do you just choose to ignore blatant problems with untrusted forks of popular software?

I’m a developer, I work with this. They are not random.

Linus Torvalds and other maintainers with a good track record overseeing things

As Linux as Linus Torvalds, ungoogled-chromium has Debian, chromium and Bromite maintainers. Bromite browser also uses this ungoogled-chromium fork to apply patches.

Ephera
link
fedilink
17M

Well, I don’t think we should be separating security and privacy, especially when we’re talking about backdoors.
Security can protect other things, like availability or integrity or confidentiality of business secrets, but for the most part, it protects the confidentiality of data about humans, a.k.a. privacy.

I also seriously don’t accept the differentiation based on who’s the attacker.
A script kiddie installing a trojan on your device has a lot less data about you than Google, yet somehow that should count as a security concern whereas Google’s doings are just fine and dandy.

And that is also why I will always trust random pseudonymous developers more than Google. Like, the cynical response might’ve been that with random devs, I can at least still hope that there’s no backdoor, but it’s also the simple fact that they couldn’t possibly collect similar amounts of data about me, nor do the large-scale analysis and correlation that Google does as daily business.

Mad
link
fedilink
67M

even if no one’s done a proper audit, if there are enough contributors someone will definitely notice that something is up, and an audit can be done once concerns have been raised. the reliability of open source comes not just from anyone being able to see the source, but also that lots of people have to see the source for the project to stay alive.

@ganymede@lemmy.ml
link
fedilink
4
edit-2
7M

and there’s a transparent log of commits

Confidentiality Integrity Availability

  • 0 users online
  • 1 user / day
  • 2 users / week
  • 10 users / month
  • 61 users / 6 months
  • 2 subscribers
  • 152 Posts
  • 161 Comments
  • Modlog