mfn

Open Source?


What if we state and agree that demonstrating a real-life program is secure is NP-complete?

Accepting this should get any program off the closed-source / open-source diatribe.

 

May Goedel be with you!


Strictly speaking, the cryptography layer Bleep uses is open source, because it is libsodium. If you do not trust BitTorrent to not leak data to the NSA -- thereby, might I add, completely ruining its reputation if discovered -- then it is an entirely separate issue.

Not to be nitpicky, but if you are using libsodium you need to display the copyright notice & permission notice for libsodium somewhere inside the app.

https://github.com/jedisct1/libsodium/blob/master/LICENSE

as stated in the second line: "provided that the above copyright notice and this permission notice appear in all copies."

Edited by gabeio


As for joebush, I don't approve of the way the Community Manager and then the Moderator constantly changed the meaning of his posts in their answers. His points were clearly stated and after reading them there is no room for misinterpretation.

 

If marketing campaign = "yet another messaging app" => no thread would ever have been created. But when marketing campaign = "secured and decentralized messaging", open-sourcing is key and you know that. Tox, Whisper Systems..

 

You could have kept the message "Chat with your friends privately". "Secured, decentralized?" You're just conveying expectations that you're not able to fulfill. You're hurting yourself. As far as we are concerned, there is no difference between your stuff and Viber. The way you're doing things, the decentralization you're talking about is not part of the product, it's your infrastructure. But your infrastructure is your business, no one cares.

 

My 2 cents: I'll use Bleep as a case study on how a company can waste its energy, either with bad design choices, bad marketing strategy, or even both. Do you think that today people will trust you based on your word for secured messaging? If I am willing to trust someone I will trust Microsoft / Google and use Skype / Hangouts, not you. They have a bigger name and a track record of dealing with sensitive data. "BitTorrent? You mean the illegal movie download software with lots of ads? I got a virus last time." This is how people see you. For the most part they don't know about BitTorrent "INC", the BitTorrent protocol and BitTorrent clients managed by third parties. BitTorrent is just BitTorrent.

 

And anybody who knows this usually also knows the irrelevance of a distributed secure messaging application when it is closed-source. And it is the big mistake you've made. I predict Bleep will miserably fail, at least in its current package.

 

Get me right here: what I'm saying is that you could have built it in a centralized manner in one month and it would have made no difference as far as we care. This is a problem. You wasted your time.

 

Personally I'm using Tox. They started after you but are ahead now, guess whose model has proved to be working? Today they're not thinking about audio and video calls, it was released ages ago and it is now stable. They even have clients available on all platforms in native code.

 

Yes it's open-source and they aren't earning a dollar with it right now. But neither are you today with Bleep. However, the big difference between them and you is that I'd be willing to pay for any corporate service they might offer. Because I know they're serious about their decentralized security stuff and that they got it right. They're not missing the expectations they create. And they're not making me promises about stuff I have to accept on faith.

 

Don't take it personally, take it as customer feedback.

 

 

Edit: I've just seen you've moved toward a more "yet another messaging app" message since I last checked your website months ago. So Bleep actually already died in its previous form. It's more of a Snapchat-like app targeting teens now. My prediction here is that commercially you'll have market share BUT you'll struggle with differentiation, because it looks a lot like Snapchat & Cie. 10 years ago, you would have been able to differentiate by providing resource-intensive features that competitors wouldn't have been able to imitate due to their centralized architecture (big file sharing etc.). Today, the infrastructure has moved to the cloud and very cheap massive scaling is impressively easy to achieve... we'll see.

 

At least you now make clear that Bleep is not the go-to app people looking for "secure messaging" are after. It is "private messaging", you deliver messages privately. You could have achieved the same in one month with a centralized architecture.

Edited by r2dnb


The argument that "open source = more secure" holds very little weight in the wake of cases like Heartbleed, Shellshock, etc.

 

It does not really change the argument. The problem with closed source software is that you simply don't know how many Heartbleed/Shellshock vulnerabilities it had. It is very likely that some proprietary software vendors silently fix Heartbleed-scale vulnerabilities to save face. You only know when someone outside the vendor finds it and makes it public.

 

Besides that, a strong argument can be made that open source is more secure, because it at the very least allows anyone who is capable to check that there are no obvious backdoors and that the encryption being used is canonical. Obviously, there are many subtle bugs possible that can be very hard to spot (especially in C) and people can make mistakes (like downstream removing a source of entropy for key generation).

 

In the end it is a scale that goes from 'proprietary - not validated by a trustable external party' to 'open source - validated by many trustable external parties'.

 

---

 

A completely separate point is the sense of entitlement that you often see in these threads. BitTorrent developed Bleep, Sync, etc. They did the work and own the copyright, and no one is entitled to get it as open source. One can try to convince BitTorrent Inc. to do so, but it's their thing, and they can do whatever they want.

 

If you don't want a closed-source messenger, I can understand completely. (Ironically, most of these people are probably running Windows, OS X, iOS, or Android, which are completely closed source or contain large closed source blobs.) But this point has been made repeatedly, and I think repeating it daily does not add much - it's unlikely that it will make BitTorrent Inc. change their mind and it adds a lot of noise to the forums for people who just want to ask a question about a particular product. This is e.g. very annoying in the Sync subforums where people try to promote SyncThing all the time. Yes, I know it exists, no it doesn't provide the functionality that I need, stop bothering people with it.

 

If you think a P2P messenger should be open source, write your own!

 

---

 

I agree with those saying that it would be great if the spec was open. This makes it easier to verify that the protocol and encryption make sense & allows for the creation of alternative implementations (both to verify the protocol and to support platforms that BitTorrent Inc. does not cover, such as Linux).

Personally I'm using Tox. They started after you but are ahead now, guess whose model has proved to be working? Today they're not thinking about audio and video calls, it was released ages ago and it is now stable. They even have clients available on all platforms in native code.

 

Yes it's open-source and they aren't earning a dollar with it right now.

 

Ok, so you are happy with Tox, which already provides all the functionality that Bleep doesn't provide, and is open source.

 

Why bother writing rants here?


"Ok, so you are happy with Tox, which already provides all the functionality that Bleep doesn't provide, and is open source.

Why bother writing rants here?"

Ok, so you are happy with closed-source Bleep; why bother writing rants about your opinion and not simply use it?

This is a forum, folks; if you're not in a good mood simply turn off the internet. Nobody is asking you to participate or read the messages.

No comment about the "noise on the forum". All discussions related to this subject are in this thread.

I don't like people trying to shut legitimate debates down by trying to make them sound foolish or unwise.

Tox was an example supporting an argument that I elaborated. We all know we can use other products, and that's probably what most people here ended up doing. But this thread is not about that, it's about professionals talking about ethics and business models of their industry.

I can understand you are tired of this discussion. The good news is nobody is asking you to participate.


I think, as recent high-profile cases have highlighted, that regardless of whether software is open source or closed source, security flaws/bugs have been found - no software is 100% secure!

The argument that "open source = more secure" holds very little weight in the wake of cases like Heartbleed, Shellshock, etc.

People need to come up with far more convincing arguments for "open sourcing" currently "closed source" software, other than the weak argument that "it's safer if it's open source"!

 

Additional Reading: Shellshock proves open source's "many eyes" can't see straight

The reason open source is superior to closed source in privacy products is simple. Government attacks. If we don't learn from Skype we will be doomed to repeat it. The NSA, through the help of Microsoft and the use of gag orders, managed to turn the largest VoIP provider in history into one of the largest spy machines in history.

If Skype was open source, people would be able to build clients that interacted with its protocol but that encrypted conversations end to end and we would not have to start from scratch.

All that said, I completely agree that we need a solid funding model and open source can get in the way of that. But there are plenty of ways to get around that. How about crowdfunding the basic development. Or keeping core development closed source until release, so others have to follow your lead. Idk, there's got to be a way to monetize this thing.

The worst we can do, though, is create another Skype, which is as good as malware, and that's what Bleep may become, or any other company within the range of the US government for that matter, if their protocol and access to their network are closed source and gated.

http://cointelegraph.com/news/114564/nsa-celebrates-passage-of-usa-freedom-act

Edited by jsgalt


Various experts deem open source to be more secure, with good reasons. It is tiring to discuss this topic over and over again when there are great articles like e.g. here in Wikipedia and at Bruce Schneier's blog.

 

But one of the biggest misunderstandings is that open source software does not make money. This is absurd if you look at companies like Red Hat that earn a lot with open source products.

 

So here are my four reasons why I will never use Bleep:

* Trust Issues: Source Code not revealed

* Trust Issues: Patriot Act

* Trust Issues: Official Statements

 

And, most important: there are good open source alternatives like TextSecure / Signal. I don't see any USPs in Bleep except using different technology, which is uninteresting from a user's perspective.


For me the main reason to want open source chat is to avoid the fate of Skype. It was p2p in the past, now it is all routed through Azure and provides eavesdropping capabilities for authorities; if Skype was open source this would be solved by a fork the moment this happens.

 

There is just no point in switching to Bleep when it is not protected from such a scenario. Ill will of BitTorrent Inc. or some bad acquisition or legal obligations, and bam, Bleep is no more a secure communication tool.

 

As we see in the btsync example, even ill will of BitTorrent Inc. is not an impossible scenario. We can be faced with a subscription fee for 10+ contacts at some point or some similar nonsense.


I might be ignorant on this, and I haven't bothered to read the rest of this thread, but as a fellow software engineer I really hope Bleep doesn't go open source. (AND CERTAINLY NOT SYNC) As far as I understand, the underlying mechanics of both pieces of software are proprietary. They are built on what fuels BitTorrent as a company. Why would they want to give that all away? Especially when it's not needed. Open source is a noble pursuit, but expecting a commercial entity to do it just because it's the hip thing to do is ridiculous. Bleep and Sync are complex, impressive pieces of software that took many talented individuals a lot of time (read: their lives) to create and continue to build. I don't expect anyone to work for free, unless they are in a position where they can. This position is not one people are typically in.

 

I wish there was a way to monetarily support Bleep, because I feel like it's heading towards abandonment and it is a real shame.

 


You should have read the rest of the thread. If you had done so, you would have realized that what you're saying has already been discussed.

Listen, you would be surprised by who you are talking to; I'm far from being an open-source guy. Everything I sell is closed-source.

The point of this topic is not proprietary vs open-source. The point of this topic is: selling a product whose unique selling proposition is privacy and p2p communications without releasing the source code is 1/ hilarious, 2/ dangerous for the user.

The way I see it: they've wasted their time. It was a big mistake. TextSecure and Tox are having momentum, meanwhile Bleep is dying. Think about it for one second: as you said, BitTorrent has decades of experience in P2P, but it managed to be beaten by people who reinvented the wheel from scratch. It is already a case study I mention in my consultancy sessions.

They might be good with technology but they didn't understand their market. And this is the point of this topic: closed-source, this product is unfit for the market with the current selling line.
