this post was submitted on 17 Nov 2023
45 points (100.0% liked)

Free and Open Source Software

17930 readers
54 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

Let's say, I create a bank with the caveat that all of my banking phone apps and webapps are FOSS (or if they depend on non-free components — banks probably do to communicate with each other —, then just OSS). Am I going to be behind the competition by doing this?

If the most secure crypto algorithms are the ones that are public, can we ensure the security of a bank's apps by publicizing it?

Are they not doing this because they secretly collect a lot of data (on top of your payment history because of the centralized nature of card payments) through these apps?

EDIT: Clarifying question: Is there a technical reason they don't publicize their code or is it just purely corporate greed and nothing else?

you are viewing a single comment's thread
view the rest of the comments
[–] villasv@beehaw.org 3 points 11 months ago* (last edited 11 months ago) (1 children)

Am I going to be behind the competition by doing this?

Yes, because you are due a lot more diligence with open source, and that will slow down your releases.

If the most secure crypto algorithms are the ones that are public, can we ensure the security of a bank’s apps by publicizing it?

You trade security by obscurity for security by expert oversight. I'm not a lawyer or baking auditor, but I'd say while zero-days are problematic for open source software projects; they can be life-ending for banks.

Is there a technical reason they don’t publicize their code or is it just purely corporate greed and nothing else?

This is a false dichotomy. Financial reasons to not publicize the code are technical reasons. Finance is technical.

[–] debanqued@beehaw.org 1 points 11 months ago* (last edited 11 months ago) (1 children)

The only false dichotomy I see here is the claim that you can have FOSS /OR/ expert oversight. There’s no reason why you cannot have both and hire expert oversight on a FOSS project (at least apart from reasons of the corp bottom line).

You also appear to equate FOSS with “security by obscurity”, which makes no sense. FOSS is not obscure, it’s the contrary. Non-free software makes use of obscurity, but that obscurity is not used as a basis for security. So neither FOSS nor non-FOSS inherently makes use of security by obscurity.

Financial reasons to not publicize the code are technical reasons. Finance is technical.

This is an equivocation fallacy. The OP’s use of “technical reasons” implied technological feasibility. You’ve introduced a strangely broad version of the OP’s use of that term in order to muddy the waters.

[–] villasv@beehaw.org 1 points 11 months ago (1 children)

I think you might have read it backwards, I equated closed source with security by obscurity. And obviously you can have both, if you pay extra.

Sure, finance is not technology, but I think it’s worth it pointing out that it’s not arbitrary or just greed or whatever, it has technicalities too.

[–] debanqued@beehaw.org 1 points 11 months ago (1 children)

That was quite vague and still hard to interpret the trade you mention. But I’ll say generally security benefits from:

  1. a good number of careful eyes on the code
  2. bug bounty programs
  3. audits
  4. red teams

Closed source has the false sense of security pitfall, which stems from the mentality that code secrecy is a protection of some kind. That pitfall is avoidable simply by not using it as a crutch for lacking security. Open source automatically avoids that pitfall. Bug bounties (2) help get motivated eyes (1) on the code (eyes motivated by generous legit rewards, as opposed to the reward of a zero day in the wrong hands). From there, I see no advantage to closed-source here.

[–] villasv@beehaw.org 1 points 11 months ago* (last edited 11 months ago)

I'm in total agreement that OSS builds more secure software. What I'm saying is that these companies are not in the business of building safe software.

From there, I see no advantage to closed-source here.

I think the easiest mental map is this: doing things well has a cost; doing things poorly can be cheaper; if it's way cheaper and there's some method available to de-risk it even if a little bit, no matter how little effective it is, it might be financially advantageous to pick the inferior option. This is not just for security, but pretty much everything.