undefined | Better HN

0 pointsmbr14y ago0 comments

Your wife and all non-programmers get a major benefit when they use free software. When your wife uses proprietary software, she can never have any level of confidence that the software does what it claims to do and nothing more. Microsoft or Apple can do anything they want behind her back, and the only chance she'll ever have of knowing about it is if some disgruntled employee decides to spill the beans and doesn't immediately get silenced by Microsoft or Apple's huge legal team.

But when she uses a program whose the source code can be examined by a worldwide community of programmers, her chances are greatly improved that if the code plays any dirty tricks someone will already have discovered the offending code, they will have screamed bloody murder, and the offending code will already have been removed. Even if she's unfortunate enough to have encountered the malicious code before it's been discovered, she can be confident that when it is discovered: 1) it will quickly be fixed, and 2) since it's in Microsoft's and Apple's interests to disparage F/OSS software, it will be prominently reported on the 11:00 news.

I'm certainly not claiming that there's any absolute guarantee that any software is safe. If you really want to be paranoid, read Ken Thompson's "Reflections on Trusting Trust" at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.167....

But I am claiming that her chances of being harmed by having her data misused are far, far greater when she uses software that can only be examined by a very few programmers inside an organization that has a vested interest in hiding the misuse. She's much safer when she uses software that can be examined by a worldwide community of programmers whose vested interest is in achieving status within the programmer community by producing code they can be proud of.

0 comments

1 comments · 1 top-level

Tyrannosaurs14y ago

I don't dispute that that's a benefit, I do dispute that it's a big enough benefit to counter all the downsides from the perspective of a regular user.

Part of this is that I think the whole "programmers eyes" benefit is over stated.

"Can be examined" and "is examined by people who know enough to do a useful assessment" are different things. The number of programmers who really understand security isn't that high and the number of those who are committing time to review this sort of code is a fraction of this.

Most exploits aren't down to subterfuge, they're down to incompetence and the people coding (and reviewing) Linux are no less prone to that than those working on Windows or OSX. Those programmers are still human and still make mistakes. Oh, and not everyone reviewing the code has my best interests at heart. I'm not saying that security through obfuscation is good (it's not) but nor is openness without some drawbacks - on balance it's good but it's two steps forward, one step back.

And even if there are exploits in there for the NSA and the like, that's not actually that big a deal for most people. Don't get me wrong, I don't subscribe to the "privacy is only for those with something to hide" line, but security is about trade offs, and I can't see that the potentially greater security that comes from the code being open isn't worth the trade offs that come with it for non-technical users.

For me the positive thing about OSS is that to a large degree it keeps the competition honest. OSS keeps a focus on security and openness that I don't think existed in the same way before it was so prominent. I think this is a massive benefit, just one that I don't have to use OSS to take advantage of.

Because of this I love that OSS exists, and benefits from the fact it does, I just don't want to use it.

j / k navigate · click thread line to collapse