Are closed source developers less safe than open source ones?

submitted by

I would Imagine that when you are privy to secrets which become increasingly valuable, you also draw some heat on yourself.

What are your thoughts?

7
13

Log in to comment

Hot Top New Old
edited

Not inherently, no. But the problem is you DONT KNOW which ones are safe or not. You’re running software on your device without knowing what it’s doing.

Generally open source software is safer because if it was malicious somehow someone could theoretically see that and report it.

So if they want to make it malicious generally they will make it closed source as well.

 reply
5

The code review at a closed source shop, maybe 20 people are aware, of that 20 maybe 3 will actually read the PR/MR before approving it. In an open source project maybe 5 people maybe 500 will be aware of the PR/MR, every one of those fuckers will read the proposed change and not only that, they’ll each have an opinion about it.

Daylight is the best antiseptic.

 reply
5

Mostly no. That’s more Hollywood fantasy than real life.

 reply
8

Yeah, I’d say for information, certainly, but there are other ways you could be valuable. A dev on a popular open source project might be very valuable for executing supply chain attacks.

 reply
4
edited

Let’s say the only difference between two sets of programs/developers/realities is that one program is open source and the other is not. Scenarios:

  • Some sort of attacker is determined to get the source code through any means necessary. If the program is already open source, the developer will not be targeted because of this. If not, then the attacker might target the developer in ways to get it leaked.
  • Some sort of attacker wants to hijack the program to execute some other attack. In either case they will need to manipulate the developer somehow, but if the program is open source the attack would need to be hidden in plain sight, whereas for closed source that isn’t necessary so the attack surface within the codebase is much bigger. But depending on the project structure it would also be a lot harder to social engineer someone into accepting malicious code changes if they don’t have access to the code to begin with. At the same time, if the users think the program’s developer is compromised for some reason, they can typically hard fork core parts of the project if it is open source, which this possibility limits attack vectors further.
  • The developer needs to hide something that people finding out will make attacks far more likely (i.e. something illegal). In this case closed source might help them hide it better (but the compiled output might also need to be obscured somehow).

If the only difference is strictly whether it’s open source or not (i.e. no outside contributors), I would say open source developers are safer unless something about the source code that’s not in the binary would provoke someone powerful.

 reply
4

Deleted by author

 reply
0

Uh, most of us are selling our labor the same as anyone else, dude.

 reply
2

Deleted by author

 reply
1

People who develop and maintain closed-source software. Who did you think you were referring to?

 reply
1
Insert image