
Might be a retarded question, but if software is open source,


Thread replies: 14
Thread images: 2

Might be a retarded question, but if software is open source, wouldn't that make it more vulnerable? Since it would be easier to dig through the code and find exploits.
>>
>>59676960
Peer review will always find exploits and post about them on whatever. Closed source however...
>>
>>59676960
Pretty much, that is why things like Shellshock go unnoticed for 25 years, although you can guarantee someone knew about it and was using it in targeted attacks.
>>
>>59676981
this, 90%

It's a real issue when people who have malicious intent (intelligence agencies) actively look for vulnerabilities but have no intention of actually reporting the issues. These people should be exposed for what they are, which is why the Vault 7 leaks are important.
>>
No, retard.
>>
>>59676981
Can those peers be trusted? They could find an exploit and fuck shit up before anyone else finds it.
>>
given enough eyeballs
all bugs are shallow
>>
>>59677020
Also, as a quick addendum, companies have adopted open source/libre technologies at an increasing pace. They have an incentive to report issues to prevent vulnerabilities and, as they use them in production, will discover them and report them. It's not just people maintaining as a hobby who discover vulnerabilities, especially for the largest open source projects (think Apache projects, etc.).
>>
>>59676960
>Might be a retarded question, but if software is open source, wouldn't that make it more vulnerable? Since it would be easier to dig through the code and find exploits.
No, because finding exploits is easier for people trying to fix bugs as well as people trying to exploit them.

Open source software is easier to find exploits in than closed source software. But it is also MUCH easier to FIX bugs in before they become a problem in the first place.

In other words, in closed source software, you basically have ONLY the evil people looking for exploits in it. In open source software, the bad guys have it easier, but there are also a large number of good guys present, who have it as easy as the bad guys.

Overall, open source helps the people trying to fix exploits much more than it helps people trying to abuse exploits. On the whole, this makes it more secure, not less.
>>
Quite possibly. OSS suffers from the bystander effect, where everyone assumes that someone else is going to do something (in this case, look at the code and spot anything untoward). Literally no one does, because everyone thinks someone else will. Basically, it's the same reason someone can die while like 50 people just stand there doing nothing but looking at each other.

Meanwhile closed source is usually paid for, and with that money they can pay for code security audits and such.
>>
>>59677156

Closed source is valuable and that's why black box reversing has created so many products. The developer teams in the cathedral use static and dynamic analysis tools during the QA process and those huge companies can afford things like cloud computing or outsourced auditing. Microsoft and Google have big security teams with talented people and they run bug bounty programs.

Only the big open source projects get audited and those have few bugs left, but it's much easier to find and exploit those bugs because you can instrument during compile time. Most people don't read code and that's why the "many eyes" bazaar argument falls apart. Even the people who read the code aren't expert bug hunters, for the most part, so it's about the quality/type of eyes as well.

Almost everything has bugs and large enough groups of code breakers will have stockpiles of exploits for almost every major piece of software regardless of source code access.
>>
>>59676960
>Might be a retarded question, but if software is open source, wouldn't that make it more vulnerable? Since it would be easier to dig through the code and find exploits.

Yes and no.

If the intentions of a person looking through the code are bad, then it is more dangerous. And vice versa, as there usually exists a bug tracker for an open source project.

That's why a bounty system for large-scale OSS projects is often necessary - to turn those with bad intentions into merely self-interested people.
>>
It just so happens that many of the most secure big pieces of software are FOSS rather than closed. But it is about priorities more than a superior means of software production. If the big pieces of proprietary software really valued security over other stuff, surely they'd manage to do well.
>>
So basically open source software is virtually 100% secure from being hacked by bad people, since the software is out there being used in enterprise while still being FOSS.
This is a 4chan archive - all of the content originated from that site.
This means that RandomArchive shows their content, archived.