The importance of FLOSS (The security point-of-view for beginners)

in #floss · 8 years ago

Preamble: This article is meant for absolute beginners. If requested, I could also write a more detailed (and serious) post about the whole idea behind FLOSS another day.

The term FLOSS stands for free/libre and open source software. FLOSS is a very important and integral part of our technological ecosystem. In order to see why it's so important we have to define its meaning first.

What is FLOSS? (for beginners)
Defining the term FLOSS in one sentence is not easy, but I would like to attempt it anyway to be as gentle as possible with people who have never heard of the term: "FLOSS is software whose source code can be used, copied, studied, and changed by anyone". So far so good, but what do I mean by source code?

Every computer program (or smartphone app or website) is written in a certain programming language. By using programming languages, humans can directly tell computers what to do. The text (or code) written in such a language that makes up a program contains the program's instructions and is called its source code. For example, we might use the programming language Python to print the words "Hello, Steemit!" on our screen by just typing, saving and executing the following source code:

print("Hello, Steemit!")

Real computer programs are, of course, much more complex than that but for now we don't want to care about the details too much.

Isn't FLOSS insecure?
You might ask now whether FLOSS is really such a good idea. Isn't it, for example, a very bad idea to let anyone look at the source code of your software? Doesn't that open all doors to potential hackers and crackers who want to break your system? Well, on the one hand it's true that every security flaw in a piece of FLOSS software is plainly visible to anyone with the skills to read the underlying source code. But this is not a bad thing at all, because opening up the source code also allows "good people" with the necessary skills to read and analyze it, and by doing so they can actively help to make the software more secure. If the source code is closed or proprietary, people who would like to help out have no chance to look at the system and improve it.

I'm confused now. Gimme some examples
I know that it can be hard to wrap your head around these things in the beginning. Let's look at some examples to get a better grasp of these issues. Let's take the Linux kernel as an example of actively developed FLOSS and compare it to the Adobe Flash Player as an example of (more or less) actively developed proprietary software. If some evil hacker wanted to hack a Linux-based system, he or she would probably attempt many attacks on the kernel until one succeeds. The evil hacker would do the same if he or she wanted to hack into a computer running the Adobe Flash Player. But here comes the huge difference: the Linux kernel is actively monitored by many people all over the world. You and I can (at any time) have a look at the current source code. And if there is a potential security hole, we can either fix it ourselves or tell the kernel maintainers about it so that they can fix the issue.

But what does the situation look like for proprietary software (namely Adobe Flash in this example)? Only a few Adobe employees have access to the source code of the Adobe Flash Player. That means there is no way for you and me (unless we happen to be paid to work on that piece of software) to have any insight into the functionality and behavior of this program. That is a serious problem: people can actively exploit any security hole and thus attack any system on this planet running this program, and only once the company behind the software decides to create and publish a patch will the average Joe be able to defend himself against those attacks. You might think that this is a very theoretical problem, but exploiting security holes in proprietary software has actually become a real problem. The Occupy Flash movement would agree, I guess.

Hold on! Are you telling me that FLOSS is immune against any hacking attacks?
No, of course not. There are many exploits for FLOSS as well. For example, WordPress is a piece of software installed on thousands of servers all around the world. It's a very interesting target for evil people trying to blackmail others or steal data. From time to time we read about WordPress being attacked again and users being advised to update to the newest version. But one big advantage of WordPress (and other FLOSS projects) is that smart people can take preemptive measures to prevent security holes from being exploited. With FLOSS, people can analyze a system or piece of software at any time, while with proprietary software users can only react by installing updates once the company behind the software decides to provide a patch.

Mhm... ok. But why should I release some software as FLOSS if I don't want people to know how I implement certain security-related components?
At first glance it doesn't seem like a bad idea to just hide critical components nobody should know about. But unfortunately, this doesn't work out too well. The idea of keeping the inner workings of a program secret in order to gain a security advantage is called "security through obscurity". It looks like a good idea, but let me quote from this Stack Overflow article to show you why it is not:

Security through obscurity would be burying your money under a tree. The only thing that makes it safe is no one knows it's there. Real security is putting it behind a lock or combination, say in a safe. You can put the safe on the street corner because what makes it secure is that no one can get inside it but you. [...]

If someone discovers the password, you can just change the password, which is easy. If someone finds the location, you need to dig up the money and move it somewhere else, which is much more work. And if you use security by obscurity in a program, you would have to rewrite the program.
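To put the buried-money-versus-safe analogy into code, here is an added example of my own (it is not part of the original post or of the Stack Overflow quote). The function obscure_tag plays the role of the buried money: its only protection is a hidden constant baked into the code (a constructed value, not taken from any real product), so once someone has read the code there is nothing to change except the program itself. The pair keyed_tag/verify_tag plays the role of the safe: the algorithm (HMAC-SHA256 from Python's standard library) can be published for everyone to read, and the only secret is a key that rotate_key can replace without touching a single line of code. All function names are my own.

```python
import hashlib
import hmac
import secrets

# Variant 1 (constructed for illustration): "security through obscurity".
# The whole protection is the hidden recipe: a fixed constant baked into the
# code. Anyone who reads this function can compute valid tags, and the only
# way to "change the secret" is to rewrite and redeploy the program.
_HIDDEN_MIX = bytes.fromhex("5ec7e7a1")  # constructed constant, not from any real product


def obscure_tag(message: bytes) -> str:
    """Tag a message with a home-grown, key-less transform (the buried money)."""
    mixed = bytes(b ^ _HIDDEN_MIX[i % len(_HIDDEN_MIX)] for i, b in enumerate(message))
    return hashlib.sha256(mixed).hexdigest()


# Variant 2: the safe. The algorithm (HMAC-SHA256) is public and may be read
# by anyone; the only secret is a key that is held as data, not as code.
def keyed_tag(message: bytes, key: bytes) -> str:
    """Tag a message with a published algorithm and a replaceable key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(message: bytes, tag: str, key: bytes) -> bool:
    """Check a tag; compare_digest runs in constant time so the check does
    not leak how many leading characters of a wrong tag happened to match."""
    return hmac.compare_digest(keyed_tag(message, key), tag)


def rotate_key() -> bytes:
    """Issue a fresh 256-bit key: a configuration change, not a code change."""
    return secrets.token_bytes(32)


def old_tags_rejected_after_rotation(message: bytes, old_key: bytes, new_key: bytes) -> bool:
    """True when a tag issued under old_key is valid under old_key but is
    rejected once new_key is in use, i.e. "changing the lock" worked."""
    old = keyed_tag(message, old_key)
    return verify_tag(message, old, old_key) and not verify_tag(message, old, new_key)


if __name__ == "__main__":
    msg = b"transfer 10 STEEM to alice"  # constructed sample message

    # The obscure variant: no key to rotate. If the recipe leaks, the same
    # tags stay valid until the program is rewritten.
    print("obscure tag:", obscure_tag(msg))

    # The keyed variant: the recipe is public, the key is the secret.
    key_v1 = rotate_key()
    tag_v1 = keyed_tag(msg, key_v1)
    print("verify under key v1:", verify_tag(msg, tag_v1, key_v1))

    # Suspected key compromise? Rotate the key; the code is untouched and
    # the old tag is no longer accepted.
    key_v2 = rotate_key()
    print("old tag after rotation:", verify_tag(msg, tag_v1, key_v2))
    print("rotation invalidates old tags:", old_tags_rejected_after_rotation(msg, key_v1, key_v2))
```

Running the script prints the obscure tag, True for the tag under its original key, and False once the key has been rotated. Note that obscure_tag has no key parameter at all: that missing parameter is exactly the "dig up the money and move it" problem the quote describes, because the only way to invalidate its tags is to edit _HIDDEN_MIX and ship a new program.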

My head hurts...
Ok, in that case I will just leave you alone for today and show you some nice kitties as a reward for reading this far. But I make no promises that I won't write another article about this important topic another day with even more background information. ;-)


[Image: kitties. Source: https://farm6.staticflickr.com]

P.S: Questions are welcome!


Thanks for the info about FLOSS!

You're very welcome. :-)

Very good presentation. But I clicked on this article as if it talked about dental floss. Found a totally different "FLOSS", but more interesting and informative than the dental floss one!!

LOL. Sorry for the confusion but if you wish, I could also write an article about dental floss another day. Even though I'm not so knowledgeable about dental topics. ;-)

No, I know enough about dental floss, just wanted it to show to my kids if it was about dentures. But I found something totally amazing, interesting and very informative instead. Keep up the good work to share your skills:))

Thank you very much. Same goes for you and your nice math presentations, btw. Followed!

Very well written! This article deserves much more attention, therefore I resteemed it now. :)

You might be interested to know that I have started a (very small at the moment) organisation called Steem FOSSbot for creating tools for Steem that are broadly defined as bots. I didn't use the L in FLOSS, but it's the same thing 😉

You can see it here: https://github.com/Steem-FOSSbot

I've got some ideas penned in the project-tracker project too, and open to anyone coming in to contribute and collaborate. 😁

Thank you very much for letting me know about your project. I'm very new to Steemit and even though I might know a thing or two about F(L)OSS, I don't know anything about Steem bots yet. I wonder whether it's even "ethical" to run such a bot. Wouldn't a bot give me an (unfair) advantage over normal people having to look for promising posts themselves? Doesn't that run against the whole idea of Steemit that people have to find interesting content on their own?

Your instincts are right, they're very contentious 😅

There are arguments for and against and I'm exploring them as I create. What spurred me to create a F(L)OSS bot was that there were some "power" users that were running very successful bots but they were all closed source. In fact, as far as I know, there wasn't a very good open source bot until I created Voter.

I figured that as long as other people were creating them, I would use my own knowledge to create one that would at least level the playing field somewhat for those without the knowhow to create their own.

Further to that, I created it with features to allow you to model your own voting preferences using a scoring system and some basic stats analysis and NLP.

Of course it's completely up to each user whether or not they think it's cool to use. While they are a possibility (and I believe this is permanent, an argument I'll be making in a post soon) I will use my ability to facilitate others to participate.

Thank you very much for your elaborate answer. I'm looking forward to reading your post about bots soon and followed you to make sure not to miss it. Good luck with your bot, even though for the moment I prefer to dig for content myself (until you or someone else convinces me of the advantages of using a bot ;-) ).

Very good article! I hope you also write about the other benefits of FLOSS, like collaboration, interoperability, and fighting monopolistic behavior.

Thank you very much for your feedback @idealist. I followed you as I like your articles. :-) If time permits, I'll write a post about those topics in the future.