Open Source?

[mfn]

Will Bleep be (completely!) open source? I'm asking this because you haven't answered the other threads. If yes, why didn't you just say it explicitly in the first place?

 

And if not... How can you keep your promises, f.e. that we control the program ("Consider Bleep your personal redaction pen controlled by you and only you")? How do we know that there are no backdoors and other malicious stuff?

 

I seriously hope that Bleep is going to be free. Otherwise your new program would be a joke.

[bleepfan]

mfn, 

  Why would this program be open sourced?  That would make it very difficult to recoup their investment. Possible yes, but not likely. 

 

Maybe you think it should be open source? Here's a deal for you: my company will make a Beep type chat program, free and open source, if you pay $1m for its development. Don't got a mil? Bummer.

 

The tone of your message just sounds like Bittorrent owes you something, and they don't. Giving away source code to the community is a gift. I am guessing this will be free, as it is now, and remain closed source, but they can do whatever they want without our permission.  There could be back doors built in just as there could be on the OS you are using. That is unless you wrote your own BIOS, then compiled every line code after close inspection for every binary in use.

 

Personally I am pumped about Bleep. If there's a scrappy startup finally challenging Skype then I am behind them. Shoot, I would even pay for licenses for my whole office if it was reasonable. After going through tools such as Slack/Hipchat/Skype/Flowdock and others I have learned what is missing, and I hope Bleep can handle it. 

 

Best of luck with this very expensive adventure Bittorrent. Feel free to ignore folks like mfn! I need the app and based on your work with Sync I have faith in you.

[Djhg2000]

bleepfan, you don't seem to get the concept of open source security products at all. The point is to have the code open to public review, which means someone will inevitably go through it and find weaknesses, either on purpose or by accident.

 

If some person A decides that he would want to implement protocol X in his program, he would look at existing products using X. He finds a client for X called Y. He then tries to write his own code to interface with X and along the way discover security flaw Z in Y. He develops a patch for Y and submits it to the maintainers B, C and D of Y.

 

They run some test and B confirms the patch solves the problem, C and D then approves the patch for inclusion in an urgent security update for Y. A then releases his own client for X with Z already fixed from the start.

 

This mutually beneficial development of different implementations is only possible with open source code.

[bleepfan]

Djhg2000, 

  Yup, I understand that. My argument is about commercial viability. As for security, I will trust Bittorrent with that, or not use the product. Have you not seen the large selection of lackluster open source IM clients available? You generally can have either open source or a great product. People that can pull of both (like Google) have other business models (like ad revenue and salience) and don't depend on their partially open source tools in the same way Bittorrent might need to.

 

If you want an open source chat client, go and get one. They aren't great because....drum roll...they don't support their own development.  Who cares if the code is secure, community reviewed and patched if the product isn't worth using?

 

Anyone have a realistic argument for going open source? I haven't heard one yet, so I stand behind their closed source model.

 

This is a business people.

[joebush]

You don't think that opening up source for review is a realistic request when discussing software that is intended to keep your communications secure? Either trust them or don't? That isn't remotely close to a standpoint on the matter that anyone will take seriously. And nobody should.

It is completely reasonable for Bittorrent to release Bleep as open source. They may be developing Bleep for purely altruistic reasons. They may feel that being the company who put distributed, secure communications in the hands of the world will assist with future ventures. They may be planning to offer additional services for a fee for added security for those who require it. They could be planning on licensing deals with other companies. None of these possibilities stand in contrast to an open source release of the client. And these were just a few possible scenarios.

 

Personally, I sincerely hope they do release the client source if they plan on providing a client in the future. I'm testing the alpha now, but don't see myself using the final product if it isn't open source. It actually makes little sense to keep it closed if they are allowing the use of it for free, and they've already stated they're opening the API. So, do they need to open the source? Of course not. Are there aspects involved that make it sensible to open the source? Absolutely. But like with all things, we'll have to wait and find out what happens.

And for the record, there are several good chat programs that are secure and open source, so your comments insinuating otherwise are nonsense. The reason Bleep is attracting so much attention is due to it being distributed, as well. They're the first developer that has the experience and underlying tech to make this work on a big scale. It's early in the game, and if Bittorrent does what it's set out to do, they will have created a de facto standard for secure P2P communications. Other developers would likely (over time) implement the API in their own software to become compatible.

[bleepfan]

joebush, 

  Alright, this helps me solidify my position. I sincerely hope this program isn't open sourced so it can be more of a commercial success, and therefore better use to me. LGPL would just strangle this project, imo. Can you imagine a multi-billion dollar buy our for WhatsApp if it were open source? I can't. 

 

I have already acknowledged that there are commercially viable open source companies, so no need to go there any more. It's just much more difficult in most cases.  But hey, if they took the open source route and remained commercially successful, that would be very cool no doubt. 

 

As for good chat applications that are FOSS - I guess that depends on your perspective. I can't find any software + system that touches Skype/Slack/Hipchat and friends in terms of ease of use, uptime, management features and so on. Bet you can't either  . Setup a Jabber or IRC server and compare that experience to any product I just mentioned. Apples and ants. 

 

I think the best open source communication tool in the world (not a good IM client though) is Thunderbird. Sure would be sweet if that puppy were closed sourced and actually still developed at a good pace! Outlook has virtually no competition now. 

[mfn]

Hello bleepfan.

Why would this program be open sourced? [...] Maybe you think it should be open source?

Yes, it should be open source and I can give you some reasons:

- community driven clients and forks

- Bittorrent Inc. is located in the United States -> Patriot Act and the NSA, but would also apply for less totalitarian states

- Bittorrent stated on their blog that Bleep will offer secure messaging for friends, journalists and companies -> no trust without oversight

- security audits from third parties (imagine them using closed source encryption - would go against Kerckhoffs's principle)

You generally can have either open source or a great product.

What about Linux, Red Hat, Canonical, IBM, Mozilla, Oracle, Google... who are all making great open source products?

If you really just want to use an IM program with commercial success and you don't care about secure communication, just get something like Skype which is surprisingly peer to peer as well, one of the main reasons why you like Bleep. But I have to add that Microsoft centralized it more after they bought it. I hope this won't happen to Bleep.

You remind me of one of those guys who always say: "I have nothing to hide, I only care about convenience.". In the post-Snowden world we shouldn't act like nothing has happened.

[Djhg2000]

bleepfan, I don't even know where to begin anymore. Are you seriously suggesting Skype and WhatsApp has become as big as they are for the sole reason of being closed source? The other chat software you mention as successful I've never even heard of (I agree that Thunderbird isn't what you'd typically call a chat client).

 

The reason Skype became popular was because it was easy to set up, had more features than the then very popular MSN Messenger, rarely crashed and used a mostly decentralized communication protocol with encryption (noticed how similar to Bleep it used to be?). Then Microsoft bought it and reversed those very same arguments. Skype survived because Microsoft dumps tons of money into advertising.

 

Nowadays I see it as the cancer it surely is, milking the Internet for "private" information. You can't prove me wrong since it's closed source, but it has been proven to send everything through Microsofts servers. This is where open source could had helped, in which case Microsoft couldn't just had bought its way into the core protocol.

 

This also shows that a chat client can become popular without backing of a large company and I don't think Skype would had simply died off if they had released the source. They did make money from server-side features though, such as bridging calls with landline. There's no reason why Bleep or any 3rd party can't make money from proxy services.

 

Also, of course it's difficult to set up a Jabber or IRC server. But it's outright impossible to set up a Skype server. We're talking about clients here, stop trying to confuse the discussion with irrelevant information. (Yes, I do realize the irony of discussing this in a forum for a decentralized chat client.)

 

[Harold Feit]

Heartbleed.

Just throwing that out there.

[Djhg2000]

Heartbleed.

Just throwing that out there.

Ah yes, an excellent example of why open source software works.

[bleepfan]

Just waiting for a real argument here against closed source. I see plenty of lousy arguments...

 

From Djgh2000:

 

bleepfan, I don't even know where to begin anymore. Are you seriously suggesting Skype and WhatsApp has become as big as they are for the sole reason of being closed source? 

 

 

What? Please show me exactly how I was trying to argue that. 

 

Now on to heartbleed. That was an obvious code error that existed in open source software, just as it could have existed in closed sourced software. Remember strong closed sourced produced are peer-reviewed also. To that end, I don't care. It's a bug. Bugs exist in all software. Heartbleed showed us that security holes could exist in FOSS software for years, and then be found. Don't read more into it. 

 

The point is that I have proposed good arguments for commercial viability that haven't yet been contradicted. Yeah, I get it that you can name other companies with open source software that make money. Never denied that. Just show me how those companies line up with Bittorrent's business model. 

 

Linux, Red Hat, Canonical, IBM, Mozilla, Oracle, Google

 

 

Seriously? Linux isn't a company. Canonical didn't get it's money from Ubuntu, mind you. Google, Orcacle and IBM didn't make their money on FOSS software. Rad Hat is the closest model that Bittorrent could possibly follow for FOSS software. 

 

But why would they do what you want? Why would they become a service oriented company(like Red Hat) because you want FOSS software? How about just let them code, make money off their hard work, and exist as a great product? 

 

Remember, they only care about you as long as you help them become a successful company - so that they can care about you more. 

 

I am preaching now, sorry. Exactly who is stopping you from writing a FOSS replacement for Bleep or Skype? I think it is ... let me think here... no one! Wait...Who is stopping you from paying for one to be properly developed? Let me just think here for a moment. ........... Hmmm, no one. Again. 

 

I hope my point is clear. If you want to give away your hard earned work, just do it. But don't make lousy arguments for others to give away their hard earned work. 

 

Or maybe you think Bleep is easy to program?

 

Someone please put forth a proper argument here. 

[mfn]

Bleepfan,

Heartbleed showed us that security holes could exist in FOSS software for years, and then be found.

OpenSSL was maintained by one single person with a budget of 2000 dollars a year. Now after Heartbleed, it gets one million a year: http://arstechnica.com/information-technology/2014/04/tech-giants-chastened-by-heartbleed-finally-agree-to-fund-openssl/.

Linux isn't a company

Where did I say that these are all companies? I was referring to the Linux foundation: http://www.linuxfoundation.org/.

Canonical didn't get it's money from Ubuntu

And? It's still a good product. Your general rule is that every open source program is bad.

Google, Orcacle and IBM didn't make their money on FOSS software.

Like you said they have business models which work with open source. There are many ways how Bittorrent can make money: https://en.wikipedia.org/wiki/Business_models_for_open-source_software.

Exactly who is stopping you from writing a FOSS replacement for Bleep or Skype? I think it is ... let me think here... no one!

I just googled for "FOSS replacement for Skype" and the first result was a reddit thread about Tox: https://tox.im/. It is exactly like Bleep, has more features and is available on almost every platform (note that it's older). I am going to try that tomorrow. It looks promising.

In my previous post, I gave you valid reasons why Bleep should be open source, but you ignored all of them. Maybe because it's not about cool and shiny stuff that's missing. According to their website, Bleep's main focus lies on secure communication. You can't expect millions of people to trust Bleep by putting faith in words. My point is that Bittorrent can't fulfill its promises if they aren't transparent, i.e. releasing the source code for both the client and protocol. I just don't want Bleep to end like Skype.

[Harold Feit]

You can't expect millions of people to trust Bleep by putting faith in words.

Making Bleep open source doesn't magically solve that.

[joebush]

Bleepfan:

 

You are making it obvious that you came here for no other reason than to argue. Your only four posts are in this thread about this subject matter. You've also changed your argument from "show me how open source can be viable" to "give me arguments against closed course". This is becoming quite pointless.

 

The facts remain that
  Bittorrent can release Bleep as open source software if they choose.

  there are viable business models for an open source release

  open source does, by definition, allow for more secure software

  open source allows users to trust the software (contrary to 'trust' in the company)

 

You are free to disagree, but keep in mind that facts don't need your approval. And if you merely prefer closed source for some reason (some people/companies do), you are of course welcome to your own preferences. But stop trolling. We all know closed source software earns more money. That's never been contested. That doesn't mean open source is less valuable. It just depends on how you define value.

Making Bleep open source doesn't magically solve that.

Actually, it does....just not magically. How in the world would making the project open source NOT open the path for more trust in the software?

[Sling]

How can we trust Bleep if it's closed source? It's akin to saying "hey, just trust us, it's secure.", and quite frankly, with the Snowden revelations, I don't trust a single person anymore.

 

Bleep has a feature to route all your messages through a central server in order to hide your IP address. Because it's closed source, who is to say that Bleep does not decrypt all your information the moment it hits that server and sends it to the NSA? We cannot tell, because it is closed source. A security program must be open source, I take no ones word when it comes to cryptography and privacy; let me see the code with my own eyes so that I may understand what is going on with my data.

 

For those of you who want a program that is currently better than Bleep, running on the same principle (P2P over DHT), try Tox (https://tox.im) it's open-source under GPLv3 and they're really making progress.

[Toxicle]

Heartbleed.

Just throwing that out there.

Had OpenSSL been closed source, that bug would go unnoticed for the next 20+ years and be fair game for exploiters (which today means highly educated state funded teams). Open source is the only reason it was discovered and promptly fixed, and it's also the only reason the public was alerted and given a heads up.

 

Are you telling me that security through obscurity is the bleep security model? I really hope you don't represent the development team.

 

Proprietary software is inherently insecure and untrustworthy. Tell me why I should blindly trust BitTorrent as people blindly trusted Skype for so many years as they were being stabbed in the back. Even if you have good intentions, there's nothing you can do about the law forcing your hand, which was the case with Apple, Facebook, Microsoft, Skype, Google, and the list goes on.

 

It's simply unavoidable, and the only solution is to make the code open source so that security professionals are able to audit the code and confirm its integrity.

 

With that said, if making the code open source isn't feasible from a business viewpoint, then discontinue development instead selling snake oil to make a quick buck. People's livelihood may be depending on your software; secure communications is not a game.

[Harold Feit]

Had OpenSSL been closed source, that bug would go unnoticed for the next 20+ years and be fair game for exploiters (which today means highly educated state funded teams). Open source is the only reason it was discovered and promptly fixed, and it's also the only reason the public was alerted and given a heads up.

If this were truly the case, then we wouldn't get security updates in ANY closed source apps. No updates to flash, windows, or anything else like that. Look at the number of 0-day exploits that get patched in closed source software.

 

Even if the code were audited, security vulnerabilities STILL make it through the cracks, otherwise heartbleed would not have existed in the first place.

 

It's simply unavoidable, and the only solution is to make the code open source so that security professionals are able to audit the code and confirm its integrity.

They still missed hearbleed for TWO YEARS. Can we trust people who miss vulnerabilities for that long?

[Sling]

They still missed hearbleed for TWO YEARS. Can we trust people who miss vulnerabilities for that long?

How much longer would it be if it was closed source? Are you somehow trying to imply that just because a piece of software is open source, it automatically means it's untrustable? I really fear for Bleep if you're a developer.

[Toxicle]

If this were truly the case, then we wouldn't get security updates in ANY closed source apps. No updates to flash, windows, or anything else like that. Look at the number of 0-day exploits that get patched in closed source software.

It's still in a company's best interests to patch security vulnerabilities in their proprietary software; exploits become public all the time which forces them to do so. My point is that the number of unknown security vulnerabilities in proprietary software is guaranteed to be a lot higher than popular open-source equivalents (IE and Windows contrasted with FIrefox and Linux prove this without a doubt), and moreover, they will take exponentially longer to fix: 20 eyes are no match for 2,000 eyes, even if those 20 are the best in the world (which they likely aren't).

 

Even if the code were audited, security vulnerabilities STILL make it through the cracks, otherwise heartbleed would not have existed in the first place.

 

No one denied this. What's your point?

 

 

 

They still missed hearbleed for TWO YEARS. Can we trust people who miss vulnerabilities for that long?

Can we trust a company who puts profits above security, and whose security model is scoffed at by anyone with an introductory level of knowledge in crypto, much less security professionals?

 

The number of heartbleed-equivalent land mines in all the proprietary software in use today is unknown, but it would be beyond naive to think they don't exist, and in all likelihood they're going to be around for much longer than 2 years. Think of all the legacy code from the 90s that's still part of modern Windows versions and never gets looked at.

[Harold Feit]

How much longer would it be if it was closed source? Are you somehow trying to imply that just because a piece of software is open source, it automatically means it's untrustable? I really fear for Bleep if you're a developer.

No, I'm saying that forcing everything to be open source won't magically make it more secure.

Without having a closed source equivalent scenario as an example, NO ONE can make the claim that these bugs will take more or less time to find and fix.

Some of these exploits get caught, others don't. IT DOESN'T MATTER if they're open source or not.

Being an "Open source everything" zealot won't change that.

[joebush]

No, I'm saying that forcing everything to be open source won't magically make it more secure.

A lot of what you say isn't actually correct. It feels like rhetoric to me. Although merely opening the source doesn't create "magic", it opens up the potential for a more secure application than closed source. This is a fact. It also allows users to have added trust in the software since security holes (whether intentional or accidental) aren't hidden behind closed source. There are most likely a huge number of people that won't be using this software after release unless it is open source. Trust is essential in an application such as this that promises secure communications.

 

Just to be clear, are the views and statements you've made here the official views and statements of Bittorrent on this issue? It says you are a Community Manager and Administrator, so we need to know if you are communicating on behalf of the company or not. It can most definitely appear that way. If these are your own views on the matter, you may want to clarify that, or even better, refrain from such statements as we're not very interested in your personal opinion about this.

[Harold Feit]

My comments in this thread aren't the official stance of the project until the project manager for Bleep says otherwise.

The demands I see for open sourcing everything end up all being along the same tone and it ends up not being based on the reality of things.

Security holes exist.

They get fixed.

This is true of both open and closed source projects.

A project being open or closed doesn't determine how secure it is or how fast the security holes get found and fixed.

I've seen both get fixed fast (under 24 hours) and slow (months to years).

Enough people in this thread are treating open source like a magic bullet for security, and it's NOT.

[joebush]

My comments in this thread aren't the official stance of the project until the project manager for Bleep says otherwise.

The demands I see for open sourcing everything end up all being along the same tone and it ends up not being based on the reality of things.

Security holes exist.

They get fixed.

This is true of both open and closed source projects.

A project being open or closed doesn't determine how secure it is or how fast the security holes get found and fixed.

I've seen both get fixed fast (under 24 hours) and slow (months to years).

Enough people in this thread are treating open source like a magic bullet for security, and it's NOT.

 

Being someone with an official capacity at Bittorrent, I would find it surprising if Bittorrent encourages you to share personal opinions on this subject matter from your official account. It causes confusion and can affect public opinion about the company. There is already another thread by a user that claims as fact that Bittorrent will not release this project as open source using Heartbleed as their reason. It could also have spread to other forums. This is due to you expressing your personal opinions about open source and security from your official account.

I don't recall anyone expressing that open source is some magic bullet to security. This is a very poor way of reiterating the opinions you've read. The fact remains that open source has a greater security potential than closed source, and also allows verifiable trust in the software, in contrast to closed source that can have security holes that are exploited without ever being brought to light. These can be either intentional or accidental. I already wrote this is my previous post.

My point is, you can't negate the security advantages that open source software allows for by making rhetorical statements about 'magic bullets' that nobody has professed. Even if Bittorrent created a client which was 100% efficient and has no security holes, no backdoors, and could be considered perfectly secure in every fathomable way, if that can't be verified by third-party audits, by definition it can't be 100% trusted. That is the major point being discussed.

[GreatMarko]

Joe, as Harold did make clear to you, he is not the project manager for Bleep. He is however, a Community Manager and Administrator of these forums, and therefore represents the company in that capacity.

BitTorrent Inc develop a number of software titles - not just Bleep - all of which are covered in the various forums available here. Harold was merely clarifying that he does not have overall responsibility for the Bleep project itself. The project managers and developers that are directly involved with this particular project have said on these forums that more information/documentation on Bleep and how it works will be forthcoming in due course - there's nothing to hide, you just need to remember that Bleep is presently in a VERY early "pre alpha" stage of development.

There has not been a claim "as fact" that Bleep won't be open source "due to Heartbleed". Heartbleed was not the reason why Bleep isn't/won't be open source, Heartbleed was simply used as a recent example of how software being "open sourced" doesn't necessarily make it any more secure than closed-source software.

 

Also, before you carry on all guns blazing that Bleep isn't open source, I would draw your attention to this blog post on Bleep, as the Bleep project essentially consists of two parts - an "Engine" and a "Client":

 

"The engine for Bleep has been built to serve as the back-end to any chat and voice application, offering the potential to change how people all around the world communicate .... If you’re interested in learning more about the engine behind Bleep for your messaging app, contact us: bizdev@bittorrent.com"

 

With the above in mind, whilst the "client" itself may not be open source, the underlying engine is envisaged to be accessible and "open" in some way shape or form in order for the above to be achievable.

 

Therefore, Joe, I would advise the following;
Firstly, your opposition and arguments to Bleep being closed source have now been made.
Secondly, the Bleep developers have nothing to hide, and more information on how Bleep works will become available in due course - please be patient and appreciate the current "pre-alpha" nature of the product!
Thirdly, if you don't believe Bleep is/will be secure enough for your needs... it's really quite simple: don't use it! - No one's forcing you too!

[joebush]

Joe, as Harold did make clear to you, he is not the project manager for Bleep. He is however, a Community Manager and Administrator of these forums, and therefore represents the company in that capacity.

Marko, you need to reread my post, because you have completely misunderstood what I stated. I am very much aware of what Harold is and what Bleep is. I have even mentioned in other posts about the client and engine being separate in regard to concerns about open source, so this is not new to me. What I did point out is that it can, and unfortunately has been misconstrued as an official standpoint when Harold expresses views from his account BECAUSE he has an official capacity.

That is also NOT MY statement about Bleep not being open sourced due to Heartbleed, which I feel should be completely obvious to anyone reading my previous post. I don't understand how you read that to be my standpoint on the matter. (I see you've now edited your comment about that being my statement)

It seems obvious you glanced over my post a bit too quickly and didn't understand the context and background, so your comment is very much in vain. Honest mistake, but you should spend a little more time understanding the post you're commenting. Avoidable misunderstandings are best when avoided.   My concern is about the FUD now being spread by another user because he assumed Harold's opinions are Bittorrent's opinions. That's why I asked Harold if it was his opinion or the company's opinion, because I like to be 100% sure before I assert things. Unfortunately, most people aren't as diligent. And from my experience, companies generally don't want personal opinions being shared through official channels due to this very possibility. That's the reason I addressed the issue.