mfn

Open Source?

All I want to say is that Bleep developer or not, those who represent BitTorrent in any way are showing they are incapable of handling complex situations like this. If you know what's good for you, you just acknowledge complaints and let the people who know what they're talking about discuss it at a later point. When you wear a tag that shows you're officially affiliated with BitTorrent, and spew nonsense like "BUT HEARTBLEED!" you are ruining the image of your brand before it even gets a chance to properly express itself. For the sake of Bleep, and the developers who presumably work very hard on it, Harold Feit, let those who know what they're actually talking about reply and keep your (misguided) opinions to yourself.

  • Like 1


If you know what's good for you,

This statement could be interpreted as anything from you trying to get me fired to you trying to get me killed, regardless of what instructions follow.

I'll be honest, being abusive and threatening does NOT get you as much cooperation as you seem to think it does.

I've also seen your other posts and will point out that they're largely abusive, accusational and rude. It does not encourage cooperation with you or your side.


All I want to say is that Bleep developer or not, those who represent BitTorrent in any way are showing they are incapable of handling complex situations like this. If you know what's good for you, you just acknowledge complaints and let the people who know what they're talking about discuss it at a later point. When you wear a tag that shows you're officially affiliated with BitTorrent, and spew nonsense like "BUT HEARTBLEED!" you are ruining the image of your brand before it even gets a chance to properly express itself. For the sake of Bleep, and the developers who presumably work very hard on it, Harold Feit, let those who know what they're actually talking about reply and keep your (misguided) opinions to yourself.

There are different ways of communicating your thoughts. As Harold points out, the way you express yourself here really isn't acceptable. This appears to be a trend with many of your posts. It should be possible to disagree, and even be somewhat confrontational, without being belligerent. If you can't find that balance, you may want to consider refraining from commenting.

The reason I'm mentioning this is so you don't think it's just Harold, and that it's because he's against you. It isn't and he's not.

  • Like 1


Is there now any official statement out there whether Bittorrent is going to open source Bleep or not?

Since they haven't made any response for either Bleep or Sync about this issue, and because they have specifically mentioned that the Bleep engine's API will be open for third party development, it's best to assume they won't be opening the client's source. I'd imagine they don't make a statement about the issue as it only provides negative press, so it's better for them to say nothing. Then again, they may surprise us in the end.


Since they haven't made any response for either Bleep or Sync about this issue, and because they have specifically mentioned that the Bleep engine's API will be open for third party development, it's best to assume they won't be opening the client's source. I'd imagine they don't make a statement about the issue as it only provides negative press, so it's better for them to say nothing. Then again, they may surprise us in the end.

Just for the record, seeing as though you specifically mention Sync - this has been previously discussed at length over in the Sync forums (see this thread and this thread for example). The upshot of it is Sync - like Bleep - isn't open source.

There's been no official statement from BitTorrent Inc saying either WILL become open source - not because of a worry of "negative press" (there are plenty of applications and operating systems, etc out there that are "closed source", and yet no-one bats an eye lid!) - but because there's simply nothing to "announce" - there have been no public plans announced to date to "open source" either.

If, however, you wish to get your hopes up, in relation to open source, the Sync developers have previously commented: "Never say never - we still consider this option" (source).

...but in reality the bottom line is that there has been no official public statement/confirmation that Bleep/Sync are envisaged/planned to one day become open source.

In the absence of such a statement, we should assume that Bleep/Sync will continue to be closed source applications going forward, unless an announcement is one day made to the contrary.

For users who don't like or can't accept that, it's really simple: no one's forcing you to use these products!


If, however, you wish to get your hopes up, in relation to open source, the Sync developers have previously commented: "Never say never - we still consider this option" (source).

...but in reality the bottom line is that there has been no official public statement/confirmation that Bleep/Sync are envisaged/planned to one day become open source.

In the absence of such a statement, we should assume that Bleep/Sync will continue to be closed source applications going forward, unless an announcement is one day made to the contrary.

A difference without a distinction. And in the end the conclusion is the same as I stated. I just got there sooner. ;)


I'd like to know how BitTorrent, Inc. hopes to profit from Bleep (and Sync for that matter).

Free P2P applications don't have a lot of avenues for monetization, especially not privacy-, and security-oriented ones, and there aren't a lot of advantages to controlling a P2P ecosystem, especially not one that is supposed to be "private" and "secure".

Unless there are some specific licensing issues I don't know about, BT, Inc. is losing out on a lot of goodwill from the FOSS community and they aren't making any money to make up for it. (and I don't see how they could)

Honestly, I don't expect anything to change. I'm just curious.

Edited by xj9
  • Like 1


I'd like to know how BitTorrent, Inc. hopes to profit from Bleep (and Sync for that matter).

Free P2P applications don't have a lot of avenues for monetization, especially not privacy-, and security-oriented ones, and there aren't a lot of advantages to controlling a P2P ecosystem, especially not one that is supposed to be "private" and "secure".

Unless there are some specific licensing issues I don't know about, BT, Inc. is losing out on a lot of goodwill from the FOSS community and they aren't making any money to make up for it. (and I don't see how they could)

Honestly, I don't expect anything to change. I'm just curious.

The most logical conclusion I can come to is that there may be a big payoff from selling user data. I can't think of any other reason that they would keep it closed-source since it's a free download and all. Alternatively, they might be an NSA front, although that seems less likely.


I'd like to know how BitTorrent, Inc. hopes to profit from Bleep (and Sync for that matter).

An Enterprise/Business edition of Sync is in the works, which will then sit alongside the current "free"/personal edition of Sync.

It may be that something similar is envisaged for Bleep as well at some stage down the line.


Just heard about Bleep and was excited about the idea, so I installed it.

Then I asked myself the obvious question about source code availability, and when I saw this thread and the opinion and assessment of FOSS by the "Community Manager", I uninstalled it immediately.

Guys, any sort of crypto that is not open source is not to be trusted at all, and unfortunately, there is no clear official statement about this topic yet.

Citing bugs in OpenSSL that went unnoticed for a long time to claim "open source is not safer" is really false. After all, Heartbleed was found because the project is open source.

The real strength is that people don't have to trust the unknown source of software. Everybody must be enabled to look into the code. Which is not at all the same as "everybody has to be capable of looking into the code".

It's really sad, as I wished for this to be a real alternative to other messengers.

It seems we need to either wait or sit down and solve this problem in a true FOSS project.

Edited by fugatiffy
  • Like 1

Guys, any sort of crypto that is not open source is not to be trusted at all, and unfortunately, there is no clear official statement about this topic yet.

Citing bugs in OpenSSL that went unnoticed for a long time to claim "open source is not safer" is really false. After all, Heartbleed was found because the project is open source.

Strictly speaking, the cryptography layer Bleep uses is open source, because it is libsodium.  If you do not trust BitTorrent to not leak data to NSA -- thereby, might I add, completely ruining its reputation if discovered -- then it is an entirely separate issue.


I have no idea how you use libsodium. You might make mistakes, I don't know. You might encrypt every message with another key, nobody can know. And I don't allege that you do, but taking the power to check all that away from the public and your users is not trustworthy. This is a matter of principles. Cryptographic software that is not open source is a black box. It cannot be trusted. At all. Ever. Not for disk encryption, not for OS level security, not for remote management software, and not for messaging.

And don't get me wrong - that's not meant personally, I don't want to be accusational or anything. That's just a very simple, general rule that counts for all sorts of software, but in this case, it's especially crucial.

I understand that making software open source might be contradictory to some business models, but making cryptographic software closed source because of that is definitely not the answer. I would personally pledge money to free the code, and I'm sure if you'd put up some sort of fundraising thing, many people would follow.

Edited by fugatiffy
  • Like 1


No offense taken.  I understand that you may find this insufficient, but, as the bare minimum, we intend to release a full spec of the cryptographic/networking layer.  The relevant DHT extensions are already documented on Arvid's site, though it appears to be down at the moment.


No offense taken.  I understand that you may find this insufficient, but, as the bare minimum, we intend to release a full spec of the cryptographic/networking layer.  The relevant DHT extensions are already documented on Arvid's site, though it appears to be down at the moment.

Why does BitTorrent choose the bare minimum when it comes to its users' privacy? Should this not be a priority in the post-Snowden world? Documentation is only useful insofar as it can be compared to the actual implementation to see that all the pieces fit together properly.

Without security as a top priority I just don't understand the need for a closed-source distributed/DHT-based instant messenger. Centralized messengers are much easier to implement and allow for many features that a distributed system can't do very well if at all (e.g. sharing profiles/history/settings across devices). In the end, all we have is a messenger that's no more trustworthy than Skype as far as the evidence shows, but with fewer features.


Why does BitTorrent choose the bare minimum when it comes to its users' privacy?

I wonder if you're willfully misinterpreting my post.  Releasing the spec is not some hypothetical absolute bare minimum when it comes to users' privacy.  I'm simply stating that BitTorrent will do at least this in the future, but possibly more.

Having the spec would allow any user to sniff and audit Bleep's packets, thereby ascertaining our claims that Bleep is secure.

  • Like 1


This last post by megawidget is somewhat alarming. If the public availability of the specs would compromise Bleep's security, then BitTorrent is doing something wrong with the encryption. When using a public/private key approach with asymmetric encryption, insight into the specs/protocol would not impact the security at all.

Why should we place higher trust in BitTorrent than in any other company? We might as well trust Skype (MS) or Google when they claim to offer secure messaging.


I'm talking to every user, administrator, and developer in this thread.

First of all, the "open-source-everything" users should stop contributing to the conversation, your arguments are inherently flawed from bias.

Secondly, while not all software should be open-source, operating systems and security software should be, period. The land of software security is changing every second, and a team of developers and dedicated code-auditors isn't going to be able to keep up with it. This is less of an issue with media players and creative suites and games and such, but the OS and security software are going to be the heaviest targets. Having thousands of pairs of eyes watching the source code is better in the long run. It ensures that in the event of a massive bug in the code, once it is found, those who really need the security can patch it themselves in a more timely manner than BitTorrent would be able to push an update. Software that is intended for security purposes needs to be open source; whether it is a "good business model" or not doesn't matter, because it is necessary. It is for this exact same reason that the vast majority of servers run Linux - because they need the security that is added just by being able to audit and patch the code without relying upon a corporation.

Thirdly, those who are claiming that open source software is counter-intuitive to profit are failing to consider that the reputation benefits of open-source security software are priceless on their own. What use is highly profitable software if nobody trusts it enough to buy it?

Again I must reiterate my first point: not all software should be open source. Adobe CS 6 shouldn't be open-source. FL Studio shouldn't be open source. But security software? Security software should ALWAYS be open source, especially with, well, everything going on between the NSA and ISPs and all that nonsense. We don't have to trust governments, and we don't have to trust corporations, but we should be able to trust our own eyes. The security world isn't built upon inherent trust, it is built upon distrust that reaches paranoid, tin-hat levels. BitTorrent shouldn't expect users to just trust them unconditionally. That isn't how security works.

Edited by GreatMarko
Edited for language - please be respectful towards other contributors


Hello,

I went through the post, and I noticed that nobody mentioned the difference between free and open source. From a security point of view, having open-source software is enough: there is no need to be allowed to freely modify and redistribute it. Of course, as soon as the source code is released, nothing prevents someone from "stealing ideas" from you.

If Bleep is not open source, I could use it as I use BTSync: for "non private" data. As soon as (or "if") an open source alternative is good enough, I will drop your product. I would never use BTSync to share/backup my private data, just as I would never use Bleep for confidential discussion. It's nothing about BitTorrent, but that is simple common sense: would you give me an envelope containing all your private pictures just because I promised you not to open it? I don't think so. Same for using BTSync or Bleep.

Just my thought: if your selling arguments for Bleep rely on its security, decentralization and anti-NSA-whatever-spying-stuff, you'd better choose your position about security wisely. Recent events showed that all major American companies such as Apple, Microsoft, Google or Yahoo collaborate with the US government (and sometimes, against their will, i.e. they were spied on at the lowest level). Others such as Intel or the Linux Foundation got pressured. Why would it be different for BitTorrent? What prevents "them" (US government, NSA, whatever) from forcing you to put a backdoor in Bleep? Are you more trustworthy than these companies? BitTorrent Inc is successful because (to put it simply) people share files illegally. Don't you face pressure from the authorities?

Don't get me wrong, I don't accuse you of anything, I'm just trying to point out that this does not plead in your favor as a trustworthy company.


I'd just like to remind everyone that even in worst case scenarios of exploits and bugs, proprietary software will always leave potential for much, much worse consequences than open source. Think Heartbleed was bad? Think again.

Microsoft has patched a critical bug in its software that had existed for 19 years.

IBM researchers discovered the flaw, which affects Windows and Office products, in May this year - but worked with Microsoft to fix the problem before going public.

The bug had been present in every version of Windows since 95, IBM said.

Attackers could exploit the bug to remotely control a PC, and so users are being urged to download updates.

In a blog post explaining the vulnerability in depth, IBM researcher Robert Freeman wrote: "The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user's machine."

The bug had been "sitting in plain sight", IBM said.

The vulnerability - dubbed WinShock by some - has been graded as 9.3 out of a possible 10 on the Common Vulnerability Scoring System (CVSS), a measure of severity in computer security.

BBC

People were clueless for 19 years. This is what you risk when you use closed-source software, such as Bleep.


This is what you risk when you use closed-source software, such as Bleep.

I think, as recent high-profile cases have highlighted, that regardless of whether software is open source or closed source, security flaws/bugs have been found - no software is 100% secure!

The argument that "open source = more secure" holds very little weight in the wake of cases like Heartbleed, ShellShock, etc.

People need to come up with far more convincing arguments for "open sourcing" currently "closed source" software, other than the weak argument that "it's safer if it's open source"!!

Additional Reading: Shellshock proves open source's "many eyes" can't see straight


The argument that "open source = more secure" holds very little weight in the wake of cases like Heartbleed, ShellShock, etc.

It holds just as much weight as it always has. Did you read the article I just posted? Even in the worst-case scenario, open source is far preferable.

You're simply wrong. The only purpose of proprietary software is to make money. Of course there's nothing inherently wrong with wanting to make money, but when you put your users' security at risk in doing so, some serious ethical questions come into play.


Is the last post on this forum a valid argument for not insisting on Bleep becoming open source?

http://forum.bittorrent.com/topic/32025-if-bleep-is-not-p2p-whom-do-i-need-to-trust-and-when/

The basic argument is this: if the claims can be independently verified to be true, the product doesn't have to be open source in order to be trustworthy. This has nothing to do with whether the company delivering the software is making money. The question posed there only deals with the company delivering on its promises outlined in the product marketing campaign in a manner that can be verified by anyone in the user base.


[REMOVED - Personal attacks on other forum contributors are not welcome in the forums]

Even if the code were audited, security vulnerabilities STILL make it through the cracks, otherwise Heartbleed would not have existed in the first place.

Like someone else said here, that was ONE guy, working on $2,000 a year. Is your contention that only huge corporations can create secure software? Because... just look at Adobe.

[REMOVED - Personal attacks on other forum contributors are not welcome in the forums]

Edited by GreatMarko
Post moderated - @reallynow, please refrain from personally attacking other contributors
