Closed source software and you-- how to audit closed source software.

How can I audit closed source software?

To start, the following tools are invalauble:

• Legislation in the country of origin
• The ToS (Terms of Service)
• network analysis tools, task manager, and a search engine

You can usually assess a piece of software's doings with these methods (exceptions do rarely exist, such as connecting to hijacked domains), and I'll walk through a very basic non-real-world example.

The example

Let's say I download an instant messenger from Korea and wish to analyze it (note: this will be an analysis of the software side, not the messaging protocol itself.)

• Korean data privacy legislation is strict about selling said data to companies such as Google, Facebook, etc., and in regards to turning data over to your government in the event of a subpoena - sources in English
• The ToS states that, A company, inc. will not turn over data without a subpoena, and said data never is sold off their servers, but data including device model and geolocation may be used communicate with firms such as A company's security center and A company's developers
• When analyzing the software with, for example, Wireshark (a tool for analyzing network traffic), we can see that it is communicating only with cdn.acompany.co.kr, so it is not communicating with 3rd parties, additionally, taskman reports that its not erratically connecting to the network, draining resources, etc.

  Refuting "FOSSphile" arguements

  FOSSphile - An individual who shuns or almost shuns non FOSS (Free & Open Source Software) projects and products.

  "Today's" FOSSphile is Honda_Accord (hereafter HA@CL) of Cyberlair.

  HA@CL: The issue with this is that you're relying on detective work. You can never be 100% sure of what makes that software work, and what is isnt being shown. With FOSS, its complete transparency. There is no guesswork because there is nowhere to hide. Its laid bare for all to see.

  econobox_@KONAT: The thing is, for the majority of people, FOSS code is as good as closed-source code, since a lot of projects aren't audited by professionals, so for all you know, malicious code could be inserted; to compare, detectivework can be done on any piece of software with comparatively limited technical knowhow.

  
  

  HA@CL: In my opinion, I still think the FOSS model is superior from a privacy standpoint, because there is nothing stopping you from doing the same detective work on it, but it also opens up the opportunity for proper auditing of the code.

  econobox_@KONAT: If profit is at-play for a company, then they have to at least pander to the userbase.

  HA@CL: I feel like that falls into the deep rabbithole of legal loopholes and technicalities, since they can promise and pander all day, but the company making the software still has the upper hand in the sense that no one can actually 100% confirm that they're holding up said promise. I know that sounds a bit paranoid but its true. Google is, I feel, an excellent example of that.

  econobox_@KONAT: I mostly make that case when it comes to foreign companies that want to serve foreign markets; going back to the theoretical A company example, if you are marketing to a small percentage of American users, you can't slip up that much, since they will flock to a competitor most likely.

  HA@CL:That is true.

  econobox_@KONAT: Phrasing it as an example - A company, a Korean firm which makes privacy-centric messaging products for consumers and enterprises enters its flagship product, A messenger into the American market, with advertisements such as "we don't know what you say, neither will the U.S. government." This is good, but let's say the NSA somehow backdoors their protocol, A protocol, they have "A few options" (get it?):

  • Fess up, fix the protocol or change protocols, apologize to users
  • Exit the American market as they are now a target
  • Open-source A protocol and allow people to make A fork of A protocol, which will likely lead to FOSS projects such as A FOSS messenger

  HA@CL: Yeah, I more or less understand what you're getting at.

  Copyright 2022, Econobox_ (d.b.a konat.neocities.org)