The source code will indicate where/how the data is input, processed and stored. It might help an attacker compromise the application in any number of ways.
There's non-trivial risk there, enough to make it an ethical concern.
So, in order to use AGPL software, you have to open source your entire source code, which means you have to go through a long and arduous risk assessment which will likely decide you can't.
You only have to open source the AGPL'ed code if it's providing a networked service.
Many academics and charities don't provide services, so it doesn't affect them.
When you write "enough to make it an ethical concern", is that a hypothetical concern of your own making?
Many academics must go through institutional review boards or other ethics committees.
Many academics also develop and distribute free software for analyzing sensitive data where IRB oversight is required.
If what you are saying is a real concern, then I expect it would have been brought up long ago.
Can you point to examples?
I believe your argument is equivalent to those saying that Linux-based free OSes cannot be used for secure platforms because the source code is available, so anyone can potentially break in.
So why is it that many people doing research which requires IRB oversight use Linux-based OSes?
I agree with tokai - you're arguing for security-by-obscurity, and there's no evidence that that increases security.
I think the evidence shows that the ethical concerns you suggest don't actually exist.
I’ve always felt this argument breaks down with smaller scale targets. I’d argue security through obscurity is not security, but there can be safety in obscurity.
There are a massive number of systems that are completely bespoke for small organizations or even individuals, and their user base isn’t going to grow.
What’s more, these systems are extremely liable to rot: the contract developer writes the system and moves on. That means library versions in the repo aren’t going to get updated when new vulnerabilities are found. So now this random 1 GitHub Star system is sitting unpatched out for anyone to see.
Now what might have been a hard-to-find but exploitable issue risks getting a black hat spotlight shone on it.
The data being processed (personal info) has nothing to do with the source code. You can release the code while keeping the data private.