Menu
What's new
By:
Filters Better Search

Security of opensource vs closed source

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Phantomski

Phantomski

Regular Contributor
capncybo said:
And IMO from a hacking standpoint, open source code is most likely easier to defeat or circumvent.
Click to expand...
Personally, I think it’s the exact opposite. I do strongly believe that open source and well documented source code (with reproducible builds) is THE future of Cyber Security. You can see time and time again that closed source proprietary software gets vulnerabilities discovered late, reported and ignored, and patches released too late or not at all.

Yes, of course - obscure, unpopular, forgotten or poorly written code can be a potential security disaster. And yes, reading the code, you might have much easier way in, find potential weaknesses sooner. But - that’s kind of the whole point.

In fact, I believe this should (and fortunately is) much more widely adopted philosophy, beyond networking and even IT. What’s hidden can’t be properly evaluated and massive issues tend to creep in unnoticed with disastrous consequences. Look at the whole Facebook story. If we’ve learned nothing else, this is THE lesson in pitfalls of proprietary software.

Just my 2c detour.
 
Phantomski said:
Personally, I think it’s the exact opposite. I do strongly believe that open source and well documented source code (with reproducible builds) is THE future of Cyber Security. You can see time and time again that closed source proprietary software gets vulnerabilities discovered late, reported and ignored, and patches released too late or not at all.

Yes, of course - obscure, unpopular, forgotten or poorly written code can be a potential security disaster. And yes, reading the code, you might have much easier way in, find potential weaknesses sooner. But - that’s kind of the whole point.

In fact, I believe this should (and fortunately is) much more widely adopted philosophy, beyond networking and even IT. What’s hidden can’t be properly evaluated and massive issues tend to creep in unnoticed with disastrous consequences. Look at the whole Facebook story. If we’ve learned nothing else, this is THE lesson in pitfalls of proprietary software.

Just my 2c detour.
Click to expand...
Well I'll take the Conversation bait (even if it does go back four pages) & just Say... Neither your opinion nor mine matter very much. Intellectual Property (Especially Software) is valuable & often protected for Monterey reasons & Security Rational. Myself I also LOVE open source software & use it extensively. I tend to spend very little or next to nothing for my personal computing use & almost All of my programming endeavors stem from the FOSS Eco system. BUT rather than fantasize about OPENSOURCE Goodness... Or Greatness... Aren't we all here as members Hoping Eric the Wizard will whip up some new magic which obviously revolves around Considerable Chunks of CLOSED Proprietary Code? And why do we Choose this firmware? Because it's a nice balance of features While still retaining certain CLOSED Source benefits.
 
Phantomski said:
Personally, I think it’s the exact opposite. I do strongly believe that open source and well documented source code (with reproducible builds) is THE future of Cyber Security. You can see time and time again that closed source proprietary software gets vulnerabilities discovered late, reported and ignored, and patches released too late or not at all.

Yes, of course - obscure, unpopular, forgotten or poorly written code can be a potential security disaster. And yes, reading the code, you might have much easier way in, find potential weaknesses sooner. But - that’s kind of the whole point.

In fact, I believe this should (and fortunately is) much more widely adopted philosophy, beyond networking and even IT. What’s hidden can’t be properly evaluated and massive issues tend to creep in unnoticed with disastrous consequences. Look at the whole Facebook story. If we’ve learned nothing else, this is THE lesson in pitfalls of proprietary software.

Just my 2c detour.
Click to expand...
Agree with U. Also taking the bait like an ant to sugar. Historically, most of the largest hacks have been with closed source software, Microsoft (Windows), Intel and AMD coming to mind. On the open source side, the Linux Kernel these days is 10 million lines of code, excluding comment statements. No one is sitting there sifting through 10M lines of code. And if we stick with the Linux Kernel, there are a bunch of different versions out there so the 10M lines of code are not even identical in the user base. Hackers these days are using lots of hacking tools, many of which are commonly available for download, such as AirCrack and John The Ripper as well known examples. As an open source example, Tomato as router firmware is substantially open source with only a few closed source elements (like the Broadcom drivers). And when router firmware is tested, typically Tomato (Fresh Tomato these days) is one of the best in terms of security. Most router hacks of individuals these days are on the WIFI side because users do not a) change default SSID/password provided by the router maker or ISP and b) do not change the Admin logon / password.
 
JWoo said:
Agree with U. Also taking the bait like an ant to sugar. Historically, most of the largest hacks have been with closed source software, Microsoft (Windows), Intel and AMD coming to mind. On the open source side, the Linux Kernel these days is 10 million lines of code, excluding comment statements. No one is sitting there sifting through 10M lines of code. And if we stick with the Linux Kernel, there are a bunch of different versions out there so the 10M lines of code are not even identical in the user base. Hackers these days are using lots of hacking tools, many of which are commonly available for download, such as AirCrack and John The Ripper as well known examples. As an open source example, Tomato as router firmware is substantially open source with only a few closed source elements (like the Broadcom drivers). And when router firmware is tested, typically Tomato (Fresh Tomato these days) is one of the best in terms of security. Most router hacks of individuals these days are on the WIFI side because users do not a) change default SSID/password provided by the router maker or ISP and b) do not change the Admin logon / password.
Click to expand...
Too funny I was just about to edit my above post to end with... "If OPEN Source is Better or Indeed the future of security etc. etc. Shouldn't we all be running DD-WRT, TOMATO, OPENWRT or something? IMO Opensource is always the greatest until you see something that's faster or an improvement which you soon learn... Is proprietary & protected.
 
Last edited:
EDIT: WHOOPS (scratch er hold the Tomato) WiFi no workie without proprietary Broadcom... But who needs WiFi on a router LOL
 
Closed source is what makes money, good or bad. The business is killing open source.
 
I wonder if we are moving to a place where we run an opensource, very capable router without wifi, and separate APs with closed source software, not caring much who makes those disposable, commodified, low margin pieces.
 
I believe this is the way to go and what @dave14305 and @john9527 can help with - OpenWRT on RPi and x86:

www.snbforums.com

DIY routers and APs

How's your RPi4 OpenWRT project going, @dave14305? The hardware is cheaper, smaller and more power efficient than most x86 boxes around. It may turn to be the best option for more tech people. Qotom boxes are 3x the price and up, brand name x86 firewalls are 5x the price and up.
www.snbforums.com www.snbforums.com
 
Once again I find myself in agreement with Tech9. Although if you ask MOST programmers if they want to be Paid or work for Free I'm fairly certain we'd all know their reply + @elorimer excellent point... I think a lot of us network enthusiasts might be heading in this direction. Especially as the price of hardware was coming down. Mind you the chip shortage seems to have certain hardware suddenly harder to find & many prices have shot back up :-(

EDIT: I do suppose OpenSource doesn't always mean FREE
 
Tech9 said:
I believe this is the way to go and what @dave14305 and @john9527 can help with - OpenWRT on RPi and x86:

www.snbforums.com

DIY routers and APs

How's your RPi4 OpenWRT project going, @dave14305? The hardware is cheaper, smaller and more power efficient than most x86 boxes around. It may turn to be the best option for more tech people. Qotom boxes are 3x the price and up, brand name x86 firewalls are 5x the price and up.
www.snbforums.com www.snbforums.com
Click to expand...
I’m very happy with my current setup. Just got another Linux kernel upgrade last night. :)
 
elorimer said:
I wonder if we are moving to a place where we run an opensource, very capable router without wifi, and separate APs with closed source software, not caring much who makes those disposable, commodified, low margin pieces.
Click to expand...

That is currently the way I am looking to go
 
I don't think I agree with the title of this branched off topic or where it is now. Security is one aspect of it, sure. What I mean is that the wireless part of AsusWRT-Merlin is the smallest part of the project, as I see it, and yet the part where closed source concerns are concentrated and where this hold up has originated. Entware, Diversion, pixelserv, unbound, VPN director, VPN servers and clients, logging, wireguard (coming) and so on are mostly at the router level and where over the years I think the most interesting stuff has happened. I'm not forgetting YazFi, but I think that might prove the point: there isn't a lot being done, or that can be done, with the wifi part.

So divorcing the wifi frees the router for more interesting development.

But I agree about the off-topic part.
 
Last edited:
capncybo said:
EDIT: I do suppose OpenSource doesn't always mean FREE
Click to expand...

No. It needs some milliseconds to reach China. Open, closed, free, licensed - it doesn't matter.

BYD-S8-and-CLK.jpg
 
elorimer said:
I don't think I agree with the title of this branched off topic or where it is now. Security is one aspect of it, sure. What I mean is that the wireless part of AsusWRT-Merlin is the smallest part of the project, as I see it, and yet the part where closed source concerns are concentrated and where this hold up has originated. Entware, Diversion, pixelserv, unbound, VPN director, VPN servers and clients, logging, wireguard (coming) and so on are mostly at the router level and where over the years I think the most interesting stuff has happened. I'm not forgetting YazFi, but I think that might prove the point: there isn't a lot being done, or that can be done, with the wifi part.

So divorcing the wifi frees the router for more interesting development.

But I agree about the off-topic part.
Click to expand...
Very well said, & I always feel like a douche getting punted (that's why I prefaced my initial reply with "I'll take the bait...") Knowing fairly well that we were straying off-topic. And the actual point I was trying to make became somewhat lost in all the OpenSource rallying.
But in short.
For some of the CRITICAL & Key components to function we almost always involve some form of Closely Guarded Commercialized Intellectual Property.
Even if you could implement a form of Open Source WiFi driver... but learned a CLOSED source driver was ... at least 33% faster (with the same hardware).
Most people would probably switch back to using Closed Source.
IMO maximizing network throughput is "most likely" one of the reasons people were using AsusWRT Merlin in the first place.
But Yeah... your logic above is quite reasonable.
Except (to my knowledge) the Fastest WiFi is exclusively CLOSED Source & Carefully Protected IP.
So if we (want/need) FAST WiFi...
There really isn't much of an alternative, is there ???
 
Tech9 said:
No. It needs some milliseconds to reach China. Open, closed, free, licensed - it doesn't matter.

View attachment 37113
Click to expand...
I'm fairly certain this was meant as a joke... but I can't help from asking...
You don't really think China (with all their involvement in Chip Manufacturing) have actually created back-doors etc or can execute payloads remotely on most or all WiFi chips... do you ???
 
Not sure about it. What I know is Big Brother is real in China and most communication devices are strictly monitored. I also know if you send a new hardware device to China, in less than a month time someone else is manufacturing it and selling it on your behalf, without telling you.
 
Tech9 said:
No, this is no joke. Check this out for more similar examples.
Click to expand...
Wow, while reading the article & when you see all the pictures... It's undeniable they are definitely stealing & copying intellectual properties. And Clearly... they are Very Good at doing so. Yikes.
 
I just want to add my 2 cents to the topic by providing a link:

www.theregister.com

Trojan Source attack invisibly threatens code security

Bidirectional character attack – simple and nightmarish
www.theregister.com www.theregister.com

I still think open source is the better way for security but if you read the article and just imagine how many random people are working in open source projects and inject their code into it then it will get a bad taste - but still...at least there is a possibility that someone (or more people) sees the flaw in a code and people can fix it.

In closed source you have just believe and pray like in church (nothing agains religions just a metaphoric example)
 
capncybo said:
Too funny I was just about to edit my above post to end with... "If OPEN Source is Better or Indeed the future of security etc. etc. Shouldn't we all be running DD-WRT, TOMATO, OPENWRT or something? IMO Opensource is always the greatest until you see something that's faster or an improvement which you soon learn... Is proprietary & protected.
Click to expand...
Open source provides transparency, peace of mind, money saving, and community based decentralization. Closed source provides jobs, revenue, an economy, and thus the allowance of full time extensive programming, which means more features, compatibility, and possibilities. If that was opensourced, anyone could make a better version for free basically which would outpace any paid competition, but its more difficult to make a full time living doing just that, which can slow the progress of feature development in a materialistic world. Though in this day and age with global decentralized economics such as crowdfunding and cryptocurrency, and platforms such as patreon, it makes it a lot easier.
 
Last edited:
You must log in or register to reply here.

Similar threads

B
Plume and Samsung Launch OpenSync™ Open Source Initiative
Replies
0
Views
1K
Balance
B
RMerlin
End of year 2017 development update
5 6 7
Replies
121
Views
54K
ColinTaylor
C
RMerlin
State of the project - 2016 in review
2 3 4
Replies
71
Views
39K
RMerlin
RMerlin
Similar threads
Thread starter Title Forum Replies Date
sfx2000 Security - D-Link VPN devices recommended to remove/replace.. General Network Security 0
C ASUS Security Issues General Network Security 4
L&LD Paid for VPNs, Where your security and money go to die. General Network Security 5
PR3MIUM News Windows build 2024 and Ai Recall - Security Risk General Network Security 2
J CSA rates router security and lifespan General Network Security 5
TheLyppardMan IoT Device (Dyson Air Purifier) - Urgent advice needed on security General Network Security 21
D Network security from kids General Network Security 11

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 583 (members: 27, guests: 556)
Top