this post was submitted on 04 Feb 2022
1 points (100.0% liked)

Security

5014 readers
4 users here now

Confidentiality Integrity Availability

founded 4 years ago
MODERATORS
 

I find people who agree with me for the wrong reasons to be more problematic than people who simply disagree with me. After writing a lot about why free software is important, I needed to clarify that there are good and bad reasons for supporting it.

You can audit the security of proprietary software quite thoroughly; source code isn't a necessary or sufficient precondition for a particular software implementation to be considered secure.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 0 points 2 years ago* (last edited 2 years ago) (1 children)

I am tired of people acting like blackbox analysis is same as whitebox analysis.

I was very explicit that the two types of analysis are not the same. I repeatedly explained the merits of source code, and the limitations of black-box analysis. I also devoted an entire section to make an example of Intel ME because it showed both the strengths and the limitations of dynamic analysis and binary analysis.

My point was only that people can study proprietary software, and vulnerability discovery (beyond low-hanging fruit typically caught by e.g. static code analysis) is slanted towards black-box approaches. We should conclude that software is secure through study, not by checking the source model.

Edit: I liked that last sentence I wrote so I added it to the conclusion. Diff.

Lots of FLOSS is less secure than proprietary counterparts, and vice versa. The difference is that proprietary counterparts make us entirely dependent on the vendor for most things, including security. I wrote two articles exploring that issue, both of which I linked near the top. I think you might like them ;).

Now, if a piece of proprietary software doesn't document its architecture, makes heavy use of obfuscation techniques in critical places, and is very large/complex: I'd be very unlikely to consider it secure enough for most purposes.