Merge pull request 'add security section' (#290) from zl/blog-contributions:main into main

Reviewed-on: http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/pulls/290
ok payment sent + merging, thanks!
This commit is contained in:
nihilist 2025-04-13 21:36:52 +02:00
commit 5ec2d5b831
4 changed files with 57 additions and 0 deletions

BIN
opsec/closedsource/7.png Normal file

Binary file not shown.

BIN
opsec/closedsource/8.png Normal file

Binary file not shown.

BIN
opsec/closedsource/9.png Normal file

Binary file not shown.


@ -143,6 +143,63 @@
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Security in FOSS</b></h2> <br> <br>
<p>
Open Source Software is <b>essential for security.</b>
</p>
<p>
A common argument made for closed source software is that it is 'more secure', often brought up in disagreements like iPhone vs Android or the general Company Software vs Community FOSS debate.
</p>
<p>
In reality, <b>security is compromised and reduced when software is closed source.</b>
</p>
<p>
We have to first understand that perfect security is not possible. There will always be potential vulnerabilities in any software regardless of what it is.
This what security patches and updates are for, changing of the software to fix issues.
</p>
<p>
Let's compare Apple's MacOS vs the Linux Kernel as an example to display why open source is better for security. Below is an image of the top section of of Apple's security page for MacOS Sequoia 15.4.
</p>
<div style="text-align: center; margin: 1px;"><img src="7.png" class="imgRz" style="width:40%"></div><br>
<p>
Although we get brief confirmation that the listed vulnerability has been fixed, <b>we cannot actually verify the patch.</b> We have to trust that it has been fixed reliably in the MacOS source code and none of the questions listed above are answerable.
</p>
<p>
This opens up several questions or even threat vectors. If the patch was not done properly and created a new vulnerability, we would not be able to tell.
Or if a malicious government/adversary pressured them into adding a <b>backdoor or spyware</b> into a patch, we similarly would have no way of knowing. Put simply, nearly <b>all specifics of updates are opaque and only known to the developers.</b>
</p>
<p>
Below is an image of the Linux kernel's git history.
</p>
<div style="text-align: center; margin: 1px;"><img src="8.png" class="imgRz" style="width:70%"></div><br>
<p>
Unlike the one sentence security patches on the MacOS page, you can see <b>every single line of code that was changed</b> in each commit of the Linux kernel. This transparency and visibility is very important for security.
</p>
<p>
Firstly, unlike only the Apple developers being able to patch security vulnerabilities or review the source code, <b>anyone can review the source code</b> of the Linux kernel.
This means that vulnerabilities can be <b>searched for in the source code itself instead of just on the application layer.</b> The concept of security through obscurity or purposefully making software closed is flawed since that does not actually solve existing vulnerabilities.
</p>
<p>
Having source visible almost always leads to high security since anyone can <b>submit patches</b> after their code review if they found an issue.
Compared to just a single developer team for the closed source software, <b>the number of eyes</b> on the code of a piece of open source software is much higher, which means <b>more code review and more safety testing</b>, ultimately leading to greater security.
</p>
<div style="text-align: center; margin: 1px;"><img src="9.png" class="imgRz" style="width:70%"></div><br>
<p>
Moreover, the visibility is crucial: Apple can claim they fixed a critical security issue but as mentioned, we cannot review the code ourselves to check if it properly fixes it or of there is spyware/a backdoor.
In open source software, we can <b>verify the update and make sure there isn't any spyware ourselves.</b>
</p>
<p>
The <b>transparency and availability</b> in open source software provides <b>auditable, trustable changes</b> and the <b>best possible security</b>.
</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
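Review bot: the paragraph under the MacOS screenshot says "none of the questions listed above are answerable", but the questions it refers to (a patch that introduces a new bug, a coerced backdoor or spyware) are only raised in the paragraph that follows; either move that sentence after them or change "above" to "below". A few typos in the same hunk: "top section of of Apple's security page" (doubled "of"), "This what security patches and updates are for" (missing "is"), and "or of there is spyware/a backdoor" should read "or if there is". The sentence "Having source visible almost always leads to high security" claims more than the argument supports: visibility lets anyone review the code and submit patches, it does not guarantee that anyone does, so wording like "makes it possible for anyone to review the code and submit patches" keeps the point without the overstatement. Finally, the paragraph "Below is an image of the Linux kernel's git history" would be easier to follow if it also named the repository or commit page shown in 8.png, since the screenshot is the only evidence for the "every single line of code that was changed" claim.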