Eli5: Why can’t open source software easily be hacked?

952 views

Typically a source code leak is a safety danger. But with open source applications it is available from the start. How do you prevent people from intruding when all safety measurements can be plainly seen?

In: 6

21 Answers

Anonymous 0 Comments

> Typically a source code leak is a safety danger.

This is the most problematic when you’re relying on security by obscurity. Your security mechanism is that people don’t know what’s going on. But this has never been a reliable security measure. A good programmer with interest, time and effort can figure most anything out. It’s just code, and that’s what we do for a job. It just turns it into a more annoying job.

This can work in the program’s favor when the program is something specialized or rarely used. It’s less likely that somebody will bother. But if you have something popular like say, World of Warcraft, you better bet there’s all kinds of people poking at it, and the lack of source doesn’t help all that much with the security.

> But with open source applications it is available from the start. How do you prevent people from intruding when all safety measurements can be plainly seen?

A good safety measure doesn’t depend on the secrecy of the code. Eg, the old code of Reddit is available. But if Reddit is written right, and the code says you can only log into my account by knowing a password, then seeing the logic of the login code doesn’t let you hijack my account. All you see is that it correctly checks passwords.

Now if it had a flaw, then you could see it in the code. But not being able to see the code wouldn’t be a guarantee that nobody would run into it by accident, or by using domain knowledge and experimenting with known tricky conditions, or such other methods.

A lot of things in software don’t have that many ways of being done. A skilled programmer in a given field can make very reasonable guesses at what sorts of mistakes a developer could make when doing a thing, and run experiments to see if the application indeed breaks or not.

You are viewing 1 out of 21 answers, click here to view all answers.