The term "open source" is not as simple as it is usually presented. It is welcome when it means software that is available free of charge. But it is only a facade when it is used to imply that the software is safe and secure.
Open source software may be free for you to use for any purpose, or there may be limitations, such as a ban on commercial use. (Strictly, a licence that forbids commercial use does not meet the Open Source Definition, but such "source-available" programs are routinely described as open source anyway.) These are rational options for the program's author to offer, but things get sticky as soon as any limitation is in place.
This video was produced with free open source software, Blender. It is a great tool, but it is also a high-end tool, so it has a steep learning curve. For this video only the video editing tools were used, not the 3D tools.
It was not chosen because it is open source, but because it is free. Unless you have a serious need or are involved in a commercial effort, the open source nature means nothing, but the price means everything.
Source versus Binary
When you use free open source software on your computer, how do you know that the published source, which you can read, is what you are actually running after you download the compiled program?
There is no technical magic that guarantees that the source, which may be reviewed by many eyes, matches the compiled version on your machine. It is a simple matter for a malicious party to take the public source, add to or replace some of the code during compilation, and deliver a compromised build to you. A checksum or signature published alongside the download only moves the trust to whoever published it; if the same server serves both the binary and the checksum, both can be replaced together. The check that actually closes the gap is a reproducible build, where independent parties compile the published source and get a bit-for-bit identical binary.
How do you know this isn't happening to the programs you are running?
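The minimum check a practitioner performs on a downloaded build is the one the previous paragraphs assume is missing: compute the artifact's SHA-256 and compare it against the digest the developer published. The following is an added example, not code from the original page or from any project it mentions. It parses the plain `sha256sum` checksum-file format, hashes a file in chunks, and shows a genuine build passing while a copy with one byte changed and an unlisted file both fail. The file names and bytes are constructed for the demonstration; in real use the SHA256SUMS text must come from the developer over a channel you trust separately from the download, which is exactly the limitation the text describes.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict

HEX_DIGITS = set("0123456789abcdef")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse the format written by `sha256sum`: one '<64 hex digits>  <name>'
    per line (a '*' before the name marks binary mode and is dropped)."""
    digests: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"not a SHA-256 digest: {raw!r}")
        digests[name] = digest
    return digests


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large artifacts are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path: Path, published: Dict[str, str]) -> bool:
    """True only if the file is listed and its digest matches. An unlisted file is a
    failure, not a pass: there is nothing to compare it against."""
    expected = published.get(path.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> Dict[str, bool]:
    """Constructed scenario: a genuine build, a tampered copy served under the same
    name by a mirror, and a file the developer never listed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        genuine_dir, mirror_dir = root / "genuine", root / "mirror"
        genuine_dir.mkdir()
        mirror_dir.mkdir()

        build = b"\x7fELF" + b"fake-release-binary-v1.0" * 100  # constructed, not a real ELF
        (genuine_dir / "tool-1.0.bin").write_bytes(build)
        # The developer publishes the digest of the build they actually made.
        sums_text = f"{hashlib.sha256(build).hexdigest()}  tool-1.0.bin\n"
        published = parse_sha256sums(sums_text)

        # The mirror serves a copy with a single byte flipped, under the same name.
        tampered = bytearray(build)
        tampered[200] ^= 0x01
        (mirror_dir / "tool-1.0.bin").write_bytes(bytes(tampered))
        (mirror_dir / "tool-1.0-extra.bin").write_bytes(build)

        return {
            "genuine": verify_artifact(genuine_dir / "tool-1.0.bin", published),
            "tampered": verify_artifact(mirror_dir / "tool-1.0.bin", published),
            "unlisted": verify_artifact(mirror_dir / "tool-1.0-extra.bin", published),
        }


if __name__ == "__main__":
    print(demo())
```

`hmac.compare_digest` is used for the comparison out of habit rather than necessity here (the digests are public), and the chunked read matters for multi-gigabyte installers. Note what the example cannot do: it proves the bytes you have are the bytes the publisher hashed, not that the publisher compiled them from the source you read.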
Android may be an open source project, but it clearly remains controlled by Google. Independent builds of the Android Open Source Project exist, but they ship without Google's proprietary services and apps, and the control and the revenue sit in those proprietary pieces, not in the open source base. The free base is an illusion that keeps control: competing products built on it have virtually no hope and no revenue stream from the software itself.
By keeping control of the lower level, the operating system, and then adding a variety of utilities on top of it, they subtly become more entrenched in your machine. Even if the operating system were fully secure and bug free, the bundled utilities may have features that are invasive or have design flaws.
Safe utility on a compromised machine
If you have a free open source utility that is truly safe, but it runs on a machine whose operating system is compromised, or alongside another utility on that machine that is compromised, the safe program itself may be compromised: whatever it reads, writes, or displays is available to the rest of the system.
A serious but somewhat humorous example is the various flashlight apps that either are granted access to your personal data, are otherwise compromised, or open communications from your device to third parties. The same pattern has appeared in a variety of games and convenience programs.
The damage may be as mundane as harvesting your address book for spamming, or as serious as harvesting the passwords stored on your device, or the passwords you type when accessing data on the web.
It may have started as free, useful, or fun, but the cost may be high.
Being open source is not a panacea that ensures there are no risks. Most seasoned software developers know the experience of introducing a bug, perhaps even an obvious one, and remaining oblivious to it for anywhere from hours to years. Software developers are humans, not machines.
Heartbleed is an example of a flaw introduced at the end of 2011 but not fixed until April 2014. It was not malicious code but a simple programming error: a missing bounds check in OpenSSL's TLS heartbeat extension, which let a peer read memory beyond the message it had actually sent. This was not an amateur's effort; it was written by a serious developer, and the code was reviewed before it was merged.
Any software developer, whether with four months or four decades of experience, will make mistakes. The more complex the design, the more likely an error will occur and the harder it will be to find.
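The Heartbleed flaw mentioned above is a good illustration of how small a "reviewed" bug can be, so here is an added example, written for this page and not taken from OpenSSL: a simplified model of the heartbeat handling, with the pre-fix logic beside the post-fix logic. The message layout follows RFC 6520 (a type byte, a 16-bit payload length, the payload, and at least 16 bytes of padding); the `memory` buffer, the `SECRET` bytes placed after the received record, and the function names are constructed for the demonstration. The vulnerable version copies as many bytes as the sender claims; the fixed version applies the shape of the 2014 patch and discards any heartbeat whose declared length does not fit in the record actually received.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER = 1 + 2          # type byte + 16-bit payload_length
HB_MIN_PADDING = 16        # RFC 6520: at least 16 bytes of padding

# Constructed secret that happens to sit next to the received record in memory.
SECRET = b"session=0xdeadbeef; rsa-key-fragment"


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. An honest peer sets payload_length to len(payload);
    the attack sets it larger than the payload it actually sends."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * HB_MIN_PADDING


def vulnerable_respond(memory: bytes, record_len: int) -> bytes:
    """Pre-fix logic: trust payload_length from the wire and copy that many bytes from the
    payload start, never comparing it with record_len, the number of bytes really received.
    `memory` models the process buffer: the record followed by whatever lies after it."""
    _hb_type, payload_len = struct.unpack_from("!BH", memory, 0)
    payload = memory[HB_HEADER:HB_HEADER + payload_len]   # runs past the record into SECRET
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * HB_MIN_PADDING


def fixed_respond(memory: bytes, record_len: int) -> Optional[bytes]:
    """Post-fix logic, in the shape of the April 2014 patch: discard any heartbeat whose
    declared payload plus header and minimum padding does not fit in the received record."""
    if record_len < HB_HEADER + HB_MIN_PADDING:
        return None                                   # too short to be a heartbeat at all
    _hb_type, payload_len = struct.unpack_from("!BH", memory, 0)
    if HB_HEADER + payload_len + HB_MIN_PADDING > record_len:
        return None                                   # declared length exceeds the record
    payload = memory[HB_HEADER:HB_HEADER + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * HB_MIN_PADDING


def attack() -> tuple:
    """Send a 2-byte payload that claims to be 64 bytes long.
    Returns (vulnerable server's response, fixed server's response)."""
    record = build_heartbeat(b"hi", claimed_length=64)
    memory = record + SECRET + b"\x00" * 64           # neighbouring memory, constructed
    return vulnerable_respond(memory, len(record)), fixed_respond(memory, len(record))


def honest_exchange() -> Optional[bytes]:
    """An honest request is answered identically by both versions."""
    record = build_heartbeat(b"hi")
    memory = record + SECRET
    assert vulnerable_respond(memory, len(record)) == fixed_respond(memory, len(record))
    return fixed_respond(memory, len(record))


if __name__ == "__main__":
    leaked, blocked = attack()
    print("vulnerable server echoed:", leaked[HB_HEADER:HB_HEADER + 64])
    print("fixed server replied:", blocked)
```

Two things are worth noticing. The whole fix is one comparison between a length the peer chose and a length the server already knew, which is why it could sit unnoticed through review. And the honest path is unchanged by the fix, so no amount of testing with well-formed heartbeats would ever have found the bug; only a deliberately malformed message does.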
It may seem that automatic updates will get you not only the latest features but also the fixes for bugs that may exist, especially security flaws.
While this is true, it also allows the software to be updated with features you are unaware of or don't want. These may be described as somehow helpful, but the reality may be different. You may be receiving new tools that allow the software producer to monitor you or control you.
There is also a more subtle issue: most automatic update tools periodically check in to find out whether updates exist. That check, at minimum, reveals your IP address to the update provider. The update program may also send other data, from usage statistics to things you would rather not share.
We need to understand terms for what they really mean. Consider the word "natural" as applied to many foods. It is a label used to give an impression, but the reality is far different. Toxic waste is a natural product, and adding it to your food keeps the food natural, yet that natural food is not what you expected. "Open source" is the "natural" label of software.
Open source is a very good model for software, with numerous advantages. It is great not to have to spend time or money putting licences in place; you simply download and use.
But do not apply those advantages to the security of the program.
The open source label is rightly tied to the free software idea, but when it is used to make software sound safe and secure, it does not reflect reality.