Originally published at: https://boingboing.net/2017/09/14/snowden-public-money-shouldn.html
…
I’m not sure that the code that schools and universities use to store info/grades about students would be best as an open source thing. Seems like asking for trouble from an entire generation of CS students who suddenly want to Ferris Bueller their way out of trouble.
Isn’t breaking into the school grading system and leaving a note a rite of passage for computer science students any more?
Not that I’m admitting to anything that might of have happened in the 1980s, but in my rather expert opinion as a computer scientist it would be a lot harder to break into a properly administrated open source system… and no amount of security will work if the system’s not properly administrated, regardless of software.
Open source does not mean insecure. Quite the opposite.
Are you suggesting that it is standard practice to not support encryption in open source software?
I’m thinking of giving up…
I am not a luddite by any stretch, but these policy discussions are so esoteric to 99% of the public. I haven’t coded anything more complex than a Lego Mindstorms since probably 8th grade. Yet I’m reminded daily here that I ought to have an opinion about this sort of stuff. I don’t even have the vocabulary, let alone an opinion, on most of this stuff.
Not a defense of myself – I wish I had kept up with it – but I have to be better at this than 90% of the public and it is completely lost on me.
Well, I wouldn’t go that far… yeah, in practice, usually open source is vastly more secure, but you can’t always know for certain. A FOSS project with only one coder, of poor skills, is unlikely to be super secure.
You really have to look at the specific project and not just the development method, which is part of the reason I specified properly administrated open source system. If the admins don’t know what they’re doing they won’t be able to evaluate or maintain security in an open source system.
Of course closed source simply cannot be evaluated for security, except by breaking in to it.
If I was going to do something like that today, I’d compromise the switching architecture, not the hosts, and do some strategic MitM. Just theoretically, mind you. And I’d be damn sure not to get caught since the penalties are harsher than just being thrown out of college nowadays.
Poor straw man.
Please explain the risk. What do you suppose the added risk would be in using open vs closed source software? Is it that you know about specific issues or have the media campaigns put out by companies such as Microsoft swayed your opinion without evidence?
This isn’t a problem of FOSS. It’s a problem of a single coder project. The licensing has nothing at all to do with it.
What you are missing here is that in an open source project anyone can review the code. So the worry of improperly administered projects is of less concern with open source than it is with closed source. Your argument supports rather than damns an open source approach.
I, uh, was speaking of grammar. I’m thinking of giving up on it, since apparently everyone else does.
I’m suggesting that school systems might be underfunded in the site-securing department, and certain underfunded and capitalistic students with hacking knowledge might sell some e-grades. Which they’re probably already doing, so why am I bothering to comment? throws up hands in defeat
That would be exactly my point. Simply being Open Source is not going to solve every other problem with a specific project, it’s not a panacea.
I am the maintainer and only coder on at least one FOSS project - Lou Goddard passed away several years ago and is greatly missed.
Correct! Or at least that was my intention.
I do think it bears mentioning, I just don’t think software development methodology is going to be as important as proper site administration. So I’d say the money currently spent on paying closed source software corporations would be better spent on paying sysadmin salaries, which are dots I wouldn’t have connected without your initial post.
I am properly chagrined, and will repair my discordant prose posthaste. Paenitet me, non mea culpa, mea maxima culpa.
Just want to add a data point - a lot of code created with public funds from NOAA/NWS and NASA is publicly available as source code. I am not sure about other agencies but I have perused some of the catalogs of both of those agencies.
Actually, you improve security when everyone can see how the code operates. Any exploits can be discussed and fixed openly rather than left hidden by a private company that has a monetary incentive to leave it alone and sue anyone who discloses them (not to mention have them jailed).
I gave up
This topic was automatically closed after 5 days. New replies are no longer allowed.