Re: SECURITY FEATURES


 

Hi,

To add to our (NVDA contributors’) commitment to privacy (as asked earlier), part of the reason for including “no logging” option is to prevent logging potentially sensitive information, and I and many others have specifically advised the NvDA community to send debug logs privately to developers (debug log includes input and output information, and once I interpret the log, I destroy it immediately).

Another point to consider: I think the more important issue is security of add-ons, as add-ons are employed in specific contexts for various things (employment included). That’s why the add-ons community is serious about add-on security, and that we require that add-ons avoid insecure practices such as modifying files outside of specific folders without permission in order to get accepted into community add-ons website distribution (I sometimes use open-source tools such as Mypy and Flake8 to look for subtle bugs, including security bugs).

Cheers,

Joseph

 

From: nvda@nvda.groups.io <nvda@nvda.groups.io> On Behalf Of Brian Vogel
Sent: Friday, January 29, 2021 6:11 AM
To: nvda@nvda.groups.io
Subject: Re: [nvda] SECURITY FEATURES

 

The myth, and it is a myth, that proprietary (closed-source) software is somehow "safer" has been disproven by many security experts.  There is a complete misunderstanding of what open-source even means.  Open-source software is available for anyone to view the source code, which makes it less susceptible to "sneaking something in" than closed-source software is (though I'll admit that virtually all proprietary software makers have good code security practices, as do any major open-source shops).  You cannot view proprietary source code, so you have no way of knowing what's actually in there.  The recent hack of Solar Winds was an excellent example that proprietary software, and ubiquitous proprietary software, can be hacked,

Open-source also does not mean that anyone on the street can literally waltz in and start editing the code for a project and have those changes send out into the world by that project.  The code used by NVDA, for instance, is managed using GitHub (which is now owned by Microsoft, but started out life as an open-source project itself), and goes through the same sort of rigorous tracking of what individual developers are pulling code, updating it, returning it for testing and, ultimately, distribution, as any commercially available software does.  The sad thing is that even many IT professionals do not realize that much of the software that they actually use is open-source software, and Microsoft includes quite a bit of open-source content in Windows.  From the Wikipedia page on GitHub:  From 2012 Microsoft became a significant user of GitHub, using it to host open-source projects and development tools such as .NET CoreChakra CoreMSBuildPowerShellPowerToysVisual Studio CodeWindows CalculatorWindows Terminal and the bulk of its product documentation (now to be found on Microsoft Docs).[31][32]

I also find your second initial question ironic.  That's not a jab at you, but at the widely held misconception that proprietary software, which one cannot examine the source code for or have your own security people analyze it if you were to so choose, is better at guaranteeing privacy/security than open-source software is.  You can't see or know what proprietary software is doing, therefore it's inherently less secure.  It depends entirely on trust and the desire of its maker to keep its reputation and market position (presuming we're talking a product like JAWS, which is very well established).  When competitors such as NVDA (and, now, Narrator) do appear on the scene they would have zero chance of making inroads if they were cavalier about exposing private data to the world.  Those who want to can actually examine the code for NVDA to see how it works.  The same cannot be said for proprietary software.
--

Brian - Windows 10 Pro, 64-Bit, Version 20H2, Build 19042  

The depths of denial one can be pushed to by outside forces of disapproval can make you not even recognize yourself to yourself.

       ~ Brian Vogel

 

Join nvda@nvda.groups.io to automatically receive all group messages.