There have been a lot of debate about this subject, so my question is:
How much does "Open Source" really matter, if the firmware on the hardware is proprietary?
I guess, no one can argue that Linux is a more secure operating system, but does that really matter if the hardware is locked on a hardware-level and so not under the users control?
I guess it really depends on two things, your requirements, and your politics; you can have things that are open source but are not technically free i.e. open source software that is used for non-free purposes e.g. DRM.
Personally I don't have much issue with the closed source model but I do believe that open source is better and matters - especially for personal and small/medium business use. Large corporations/enterprises are different, their spending power means closed source software companies often have to dance to their tune not the other way around.
Your last paragraph was one of the reasons the GPLv3 was created to protect users from being forced to use certain software even if it was supposed to be free software.
There's a reason to use free open software you only need to look at what's happening the last few years to see that. Without it we can't control what our computers do. without it we can't have strong encryption or secure transmissions.
Without it we have a choice of windows 10 that spies on us or windows 10 that spies on us.
I'm on my mobile so I'll stop there. But I'm sure you get the picture. Free software exists to give users specific freedoms. Without it I don't think we'd be in a good place ..
Open source matters if for no other reason than choice, but it's much more than that because open source is the basis of a lot of custom software that is purpose built for a certain type of hardware or to perform a very specific task, off the shelf proprietary software doesn't offer this advantage or option because of not having the flexibility to either scale up or down without massive amounts of money being spent in development and then massive amounts of money being spent for the rights to use the software in the first place, proprietary software in most cases is much to rigid in design to do much more than what it's intended to do.
I'm not sure firmware is a good comparison to be used against open source software, firmware while being intellectual property of the creator is a good example of something that is purpose built to do just one thing in a very rigid framework, it is beyond the users control to modify in most cases but I get the correlation your making.
There's just not much a user can do at the hardware level it is the totally dependent on the creator/manufacturer to make it secure while allowing the end user options in configuration to suit their needs, I really thought the advent of UEFI would bring about a bigger change for the user and it has in a lot of ways as far as options and features but beyond that it is still proprietary software that is locked within a rigid framework the user can't modify...at least today.
There is plenty of hardware offering that contains only open source firmware or can be loaded with open source firmware.
As explained quite some time ago on the forum, there is open source bios, and quite a number of (more enterprise grade) motherboards are compatible with it.
It's all a matter of hygiene and practicality. The key to everything is to roll out your own cloud and have a good server of your own, it doesn't have to be expensive or the latest and greatest hardware, it just has to be flashable with open source BIOS. Then you can configure your own secure environment, always departing from the assumption that any user interface device you use with it, is unsafe by nature.
That solves a lot of issues with privacy and security and the elementary protection of your individuality and identity as a human being holder of human rights and as a citizen holder or the liberties guaranteed by your constitution. But it doesn't solve everything. It doesn't solve the fact that certain corporations do more than just provide backdoor entries to your data by getting in to your "unsafe devices" through spyware that has to be presumed abundantly present in all kinds of proprietary hidden code arrangements. If they were only snooping on your unencrypted data, it would be like opening a snail mail letter in an envelope that wasn't closed, there is no excuse for that, but it may be covered by terms of service and the likes. But by implementing keyloggers, which is what Google and Microsoft do quite openly, and others do with less openness, they might intercept your master password for your private encryption keys, and that is the same as opening a closed envelope marked as "private, personal and confidential - do not open!", and that could not be covered by any general terms of service or license agreements, it would require a specific mandate like a power of attorney, which they do not have.
So as long as you avoid systems that reputably use keyloggers, and have a full open source server of your own, you're pretty safe.
Now what if you don't have the infrastructure for your own open source hardware server? No problem! If you arrange a virtual server, and make sure you use an open source virtualizer (plenty of offerings available, from Xenserver to kvm/qemu etc...), you simply use the open source seabios as virtual bios for your virtual server (which is the default). You could rent a server on a machine of a local small host company, which isn't expensive and those guys often really care for their servers. You could also rent a virtual server on the Amazon infrastructure. You could fully encrypt your server, like you can with all linux boxes.
When you virtualize and encrypt, the hardware doesn't even matter all that much if you use open source software and disable the RNG's in Intel CPU's for your encryption.
If you don't want a server of your own, but want to protect your data, nothing is easier to be honest. The open source world delivers some really fine super user friendly solutions.
One solution is to get a smartphone or tablet for which there is an open source ROM available. The basic Android operating system is open source, it's called AOSP. What isn't open source, are the applications provided by Google, and those contain all of the nasty stuff. So you simply don't install those. Even if you use gmail as mail provider, you can send encrypted mail that Google will not be able to read as long as you don't have GApps installed on your device. You can still access Google services through sandboxing applications like Web Apps or Google Apps, which are open source applications made to keep Google's snooping confined to a secured container.
A good arrangement would be:
a "popular" smartphone, not very high end, but midrange, with a well documented SoC for which there are a full complement of open source drivers. Samsung is not a bad choice, STE, some Mediatek chips, etc... look up on github for which chip all open source drivers are known and/or added to the linux kernel. The linux kernel works in such a way that of course it cannot do anything about the breach of security in the radio of a phone, because that sits behind the SoC, but it's very well documented and regulated what interaction the linux kernel permits and executes between what is under the kernel's control and what goes on in the radio. Once it's governed by the linux kernel, you basically have to willingly compromise it with proprietary software to decrease the basic security the linux kernel offers by design.
an open source community developed ROM based on AOSP, with a decent size dev community standing behind it.
no gapps
when there are no gapps, the phone doesn't require you to log in to a google account, in fact, there should be no system-wide accounts. By lack of gapps, you don't have access to the Google Playstore, but you can go to "f-droid.org" with the standard AOSP browser and download the f-droid market client. F-droid contains only vetted open source software, and mentions possible privacy risks with certain applications like Firefox, which won't be supported much longer for that reason anyway (not that you would need it because the standard AOSP browser is actually very good). On the f-droid market, find and install K9Mail and Openkeychain. Openkeychain is super easy to use and will guide you through the process of making an encryption keyset for your mail accounts, that you can then use with K9Mail. This will actually, notwithstanding proprietary radios in your phone (something that tablets mostly don't have to deal with if they use a Wifi radio with open source firmware and drivers, which is most often the case these days), provide you with a secure communication over the internet, that is super easy to set up and use, and requires no prior knowledge at all.
If you want to use other Google services like Drive or Maps, you can do so - under your Google account or not, whatever you want - with GApps or WebApps browser, applications that you'll also find on f-droid.org, that provide an open source sandbox in which you can access Google services without compromising the basic security of your entire device. There is an open source alternative or superlative for just about any Google Play Store application though, from social networks that respect privacy to direct messaging agents or voip or sip clients, but also turn by turn navigation, bank access applications, office applications, and whetever exotic apps anyone would like, all open source.
If f-droid can't keep up, which happens from time to time because they really check everything, which takes some time, and you badly need something that isn't yet on f-droid, there is a good chance that aptoid will have it. Aptoid is not strictly open source, it's commercial, but there is also a good open source offering (better than the Google play store) and they check the code of popular apps and mention it clearly if they have checked and approved an app, so it's advisable to install only those apps from aptoid that have the checked and approved mention in the store.
If you however install GApps or Microsoft Outlook or Word or an Adobe app or an app of your ISP or some other typical Google Playstore app, you should consider your entire device and everything on it compromised, including the master password for your encryption key.
So that's an example of a "very bad" situation, namely a device which contains a proprietary radio (and of course, that can be used to track your location and register your calls, the latter of which is regulated by law and not superseded by any terms of service). Even on such devices, the main thing is to use carefully selected sources of open source software in the entire operating environment behind the linux kernel. Just like with a PC or another connected device, once you're safe behind the linux kernel, which guarantees you an operational environment controlled by you and you alone if you stick to open source software and make wise choices, the only thing anyone will be able to harvest from you is your machine identification, and thus your location on the grid, and the location of the router behind which is your server, or the router of the company that hosts your server, which will teach them nothing. If you've acquired your phone or PC in a small store using cash, or if you've bought it used from someone that doesn't know who you are and have paid cash, and if you've never registered anything, then they don't know that machine identifier is associated with you. That's not bad as far as privacy goes. Of course, one single slip up, like only running a proprietary OS once or the likes, and you're toast if your desire was to keep off the grid completely.
Now in general, I think that a combination of keeping off the grid and staying on the grid represents a responsible and realistic use case scenario. It's not because I don't want anyone opening the letters that I've sent in a closed envelope, that I'm not clearly writing my name and address on the letter in the return address space. People forget that if they go off the grid, they are not exercising their rights, because they are not identifying themselves as a holder of rights. The right to privacy is a human right, just like the liberty of religion, but the rights to individualism and personal freedom and freedom of speech, are civil rights that require the individual to exert them in his own name, as a citizen and holder of those rights. If you're incognito or use a false or assumed identity, you do not hold those rights everywhere in the world. You have to demonstrate that you will not abandon or waive those rights.
The practical aspect of that, is that proprietary operating system and application software is mostly offered by large corporations, that have better access to legal counsel and the way the legal systems work, that means that you don't really have a chance to enforce your legal rights against them. So where it would be ideal to demonstrate that you're not relinquishing your rights by enforcing them as a user of proprietary solutions, the sad news is that this is not a practically feasible option. That's why the only practical solution is to use open source software for that.
The amount of open source software that anyone wants to use, is up to them of course. If you install linux with open source applications in Oracle VM Virtualbox (which is proprietary) on a Windows 10 machine (proprietary with keylogging), you're not protected by the open source, as the keyboard is passed through by the Windows host, thus your data entry in the linux guest is compromised. However, if you use a linux container on a headless virtualization server and ssh into it, the server doesn't really matter all that much, as long as it's a open source hypervizor of some kind. The same goes for other hardware. It's not that big of a deal in the end. People can use Windows to game on a dedicated machine, preferably in a sandbox on an open source virtualizer, but if that's not possible, on a dedicated machine that is considered unsafe and is only used for entertainment. That doesn't mean that you're giving up any rights. It does mean that you give up rights when you use the same machine or environment for your personal stuff, for your communications that you wouldn't publicly expose if the communications would not go through a computer or a network channel. That is just common sense and personal responsibility and choice. The thing that's wrong is not that the proprietary software spies on you, because that's clearly indicated in the terms of service and the EULA's, but rather that people were/are lead to believe that it's safe to use that software, and that the terms of service don't really mean anything. That's what's happening, and that's what's just plain evil about all of the "freemium" services out there. It's basically the same as putting up the sign "Arbeit macht frei", it's consciously misleading people into believing that they will not lose any fundamental rights like the right to privacy and the protection of their personal space and identity, with the sole purpose of making it easier to exploit the people and do away with them after they've served their purpose... and the thing is, even when faced with irrefutable proof that there is abuse and that there is misleading information sent out, a lot of people, if not the majority, will still not believe that evidence, and will disregard it, or even defend it and make up arguments in favour of it. History has proven that over and over again. History has also proven that the only way to escape this is to keep exerting your rights, to take the responsibility to reject the coercion, to inform yourself and make the right choices, not to remove yourself off the grid, but to pride yourself on your rights and the exertion thereof, in the most feasible and practical way.
A few years ago, for most people that used computers, there might not have been a really practical solution to exert their rights, because open source software wasn't as accessible. But right now, there is no excuse any more, as open source software is more accessible than closed source software, it requires less setup, less loss of time, less investment, etc... there simply is no reason not the use open source software, unless of course one would want to publicly relinquish his rights, which of course would be one's right also...
In the past, I think closed (CPU) firmware was acceptable because BIOS was dumb and PCI hardware varied too much to write malware for its firmware. With the advent of UEFI (which is a great improvement!) where you can write malicious firmware that will work against lots of different hardware, I don't think closed source CPU firmware is really acceptable anymore. My current hardware doesn't support Coreboot, but my next rig definitely will.
If we get to the point where we have open source CPU and NIC firmware, I will finally feel confident I actually have digital privacy.
plenty of people dispute that linux is a more secure operating system. In fact objectively linux is not very secure at all, however, because the users are so few, and because systems are so fragmented (many different distros) it generally too expensive to pursue without a particular system in mind. Thus you see fewer mass exploits of linux, than say windows or mac. If you want a secure operating system, you should look at the BSDs.
Proprietary software does not have to be insecure. For most people it all comes down to trust anyway, proprietary or not. Few people understand firmware code as it is.
Agree so much with this.
Even running Linux, does not make me feel i have any more privacy then Windows.
What it does make me feel like, is that i dont have a mass surveillance system operating system.
Security isnt just about code vulnerabilities, that's an important thing to remember, there's also trust. The nature of propitiatory software means (for certain types of software) you cannot trust it. With open code you can audit it, you cant do this with closed code.
Certain organisations in teh EU have access to some windows source code for example, the issue is they have no way of verifying the code they see is the code thats shipped because its closed code, and therefor can only trust it to a certain level.
Dont know about BSDs, but saying that proprietary software does not have to be insecure is somewhat wrong. Cause you,me or any end-user does not and never will know the code.
To trust this with blind faith, is just stupidity imo.
That is true, a lot of trust is also needed. Blind trust, mostly.
But when you see a tv-show about the police here in EU and they still use XP and cover their web-cameras.
It may give a thought or two, at least in me
Open-source isn't some magical thing that makes software bugs not exist though. It's gotten better, but back in the day there were Linux kernel privilege escalation 0days being dropped every few months.
Secure code is secure whether you can audit it or not. Secure code is secure whether you trust your vendor (to mean no harm and make no mistakes) or not. Being secure and feeling secure are two different things. The advantage of Open Source is that you can check it when you're feeling insecure and fix it when it is not secure, however as ibreakthings comments: there is nothing inherently secure about Open Source.
The point of open code isn't to be secure so i agree there's nothing inherently secure about open source, people write crap open source code all the time. But that's not unique to open source either.
Closed code can only be assumed to be secure (or not) as your never allowed to see it. You can trust your vendor all you want, depending on what your doing you simply cannot trust closed code to be secure as there isn't any way of knowing what its doing, regardless of how secure they say it is, you simply can never verify it.
Thats the benefit of open code, you can see its shit, you can modify it, you can audit it, and you can secure it yourself (if need be).
Keep in mind im not saying you cant have secure, good, safe closed source code.
Open source.
The transparency store in Brussels is a complete joke lol, it's just propaganda. Only people Microsoft agrees with after screening through their own private militia can go in, and they just don't accept people in that have real understanding of code. And even if someone would be found that Microsoft actually lets in, that person would not be able to use the analysis tools of his choice, he would only be able to use basically Microsoft proprietary analysis tools. Then there is the whole elbow rubbing behind the scenes, with Microsoft offering grants to universities where professors teach that have consulting roles in the EU, and that Microsoft would like to accept in the transparency store, because those professors don't have a clue about code, they are just caught up in the traditional pillars of the industry that it's ugly.
Linux is not insecure, it can be as secure as you want it to be. It can also be as insecure as you want it to be. BSD is exactly the same story, there is nothing inherently more secure about BSD, sandboxing in linux has evolved faster than in BSD in the last few years, and the container technology of linux is now more advanced and more secure than that of BSD. Linux does have exponentially more features and functionality now than BSD, also a recent evolution, and has a much larger install base than BSD, so there is more liability and exposure than with BSD. BSD really should step up their efforts a bit, because they're starting to lag behind.
Linux is just a kernel, there are many way to use the kernel. Some GNU/Linux distros mess up big time, others don't. It's a logical consequence of the popularity of Linux. Linux is now by far the most used kernel in the world, and the non-GNU Linux distro Android is by far the most used and popular operating system in the world.
No software is ever 100% safe. The good thing about Linux and GNU/Linux and even AOSP for instance, is that everyone can work on making it more safe, and right now, Linux and the Linux-based distros, have exponentially more devs working on improving it than any other kernel or operating system in the world, and all of the work is completely transparent and verifiable.
That's the real benefit of Linux, and of using Linux as a base to put together an operating system.
So we all can somewhat agree, to the topic with proprietary firmware coming down to the issue of blind trust. Where no one can verify it.
Meaning that you are not allowed to see, therefore you should trust it. What is in the code, The Bibel?
Computers simply do not work without religion =D
So what to do? Go to any corporate site, read the about page and then decide to trust it, with ones digital life? LOL
Just in case you haven't seen it already the recent rant by Oracle's Chief Security Officer is worth a read. She's fed up with Oracle's customers telling her they have found security holes when pen-testing their environments; basically she does not want them trying to reverse engineer Oracle's products:
http://seclists.org/isn/2015/Aug/4
In summary she is saying that trying to reverse engineer an Oracle product looking for vulnerabilities violates the EULA.
There is some industry feedback/opinion here:
http://www.securityweek.com/industry-reactions-oracle-cso-rant-feedback-friday
Q. But one of the issues I found was an actual security vulnerability so that justifies reverse engineering, right?
A. Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked.
She is actually, saying that reverse engineering is breaking into someones window or door...
At the same time, talking about "Intellectual Property" All of this BS, is just distortion of language, which so many things are. Like here where i live, they call the meat they are selling something else. (Cause if we call it what it is, they will not eat it)
Another funny example is: Bread. Made in EU, where exactly is EU?
Language is distorted and getting worse and worse. Instead of talking about things that are there, the subject is changed into something that is in the mind. (An idea of something)
My way of looking at it is that the open source development model is just a way to optimize the ratio between the "quality" (which includes security if the author has good intensions) of a project and the amount of money put into it. One example is Gimp, it is completely free, yet it works fairly well as an alternative to photoshop.
I am sure a proprietary project from a company with good intensions, putting a lot of money into the project would likely be a lot more secure and of much better quality than some little known open source project.
The problem with closed source software is that you do not know the intension of the author. Is the goal to make software that is good for the end users, is it solely to make profit or is it to make software that is good at spying on the user?