SECURITY FEATURES
heaven.lists92@...
Dear List
Could one of the developers please contact me regarding the following queries:
The reasons why I am asking these questions are as follows:
Thank you for your help
Heaven
The myth, and it is a myth, that proprietary (closed-source) software is somehow "safer" has been disproven by many security experts. There is a complete misunderstanding of what open-source even means. Open-source software is available for anyone to view the source code, which makes it less susceptible to "sneaking something in" than closed-source software is (though I'll admit that virtually all proprietary software makers have good code security practices, as do any major open-source shops). You cannot view proprietary source code, so you have no way of knowing what's actually in there. The recent hack of SolarWinds was an excellent example that proprietary software, and ubiquitous proprietary software, can be hacked.

Open-source also does not mean that anyone on the street can literally waltz in and start editing the code for a project and have those changes sent out into the world by that project. The code used by NVDA, for instance, is managed using GitHub (which is now owned by Microsoft, but started out life as an open-source project itself), and goes through the same sort of rigorous tracking of which individual developers are pulling code, updating it, returning it for testing and, ultimately, distribution, as any commercially available software does. The sad thing is that even many IT professionals do not realize that much of the software that they actually use is open-source software, and Microsoft includes quite a bit of open-source content in Windows. From the Wikipedia page on GitHub: "From 2012 Microsoft became a significant user of GitHub, using it to host open-source projects and development tools such as .NET Core, Chakra Core, MSBuild, PowerShell, PowerToys, Visual Studio Code, Windows Calculator, Windows Terminal and the bulk of its product documentation (now to be found on Microsoft Docs).[31][32]"

I also find your second initial question ironic. That's not a jab at you, but at the widely held misconception that proprietary software, which one cannot examine the source code for or have one's own security people analyze if one were to so choose, is better at guaranteeing privacy/security than open-source software is. You can't see or know what proprietary software is doing, therefore it's inherently less secure. It depends entirely on trust and the desire of its maker to keep its reputation and market position (presuming we're talking a product like JAWS, which is very well established). When competitors such as NVDA (and, now, Narrator) do appear on the scene they would have zero chance of making inroads if they were cavalier about exposing private data to the world. Those who want to can actually examine the code for NVDA to see how it works. The same cannot be said for proprietary software.

--
Brian - Windows 10 Pro, 64-Bit, Version 20H2, Build 19042
The depths of denial one can be pushed to by outside forces of disapproval can make you not even recognize yourself to yourself. ~ Brian Vogel
Hi,

To add to our (NVDA contributors') commitment to privacy (as asked earlier), part of the reason for including the "no logging" option is to prevent logging potentially sensitive information, and I and many others have specifically advised the NVDA community to send debug logs privately to developers (the debug log includes input and output information, and once I interpret the log, I destroy it immediately).

Another point to consider: I think the more important issue is security of add-ons, as add-ons are employed in specific contexts for various things (employment included). That's why the add-ons community is serious about add-on security, and we require that add-ons avoid insecure practices such as modifying files outside of specific folders without permission in order to get accepted into community add-ons website distribution (I sometimes use open-source tools such as Mypy and Flake8 to look for subtle bugs, including security bugs).

Cheers,
Joseph
From: nvda@nvda.groups.io <nvda@nvda.groups.io> On Behalf Of Brian Vogel
Sent: Friday, January 29, 2021 6:11 AM To: nvda@nvda.groups.io Subject: Re: [nvda] SECURITY FEATURES
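The rule Joseph mentions, that an add-on must not modify files outside specific folders, is one a reviewer can partly automate before reading the code by hand. What follows is an added example, not NVDA's own code and not the add-on community's review tooling: a small AST-based scan over an add-on's Python source that reports file-creating, file-changing and file-removing calls whose target path is not derived from the add-on's own directory. The allowed-path policy (only `os.path.join(os.path.dirname(__file__), <relative literals>)` counts as inside the add-on), the table of calls it inspects, and the sample add-on module it scans are all assumptions constructed for this example.

```python
"""Added example (not NVDA's code, nor the add-on community's review tooling):
a static check that flags file-modifying calls in an add-on's Python source
whose target path is not derived from the add-on's own folder."""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Which positional argument(s) of each call name a path that gets modified.
# Assumption for this example: this table is what a reviewer cares about.
MUTATING_CALLS = {
    "open": (0,), "os.remove": (0,), "os.unlink": (0,), "os.rmdir": (0,),
    "os.mkdir": (0,), "os.makedirs": (0,), "shutil.rmtree": (0,),
    "os.rename": (0, 1), "os.replace": (0, 1), "shutil.move": (0, 1),
    "shutil.copy": (1,), "shutil.copyfile": (1,), "shutil.copy2": (1,),
}
RANK = {"inside": 0, "needs-review": 1, "outside": 2}


@dataclass
class Finding:
    line: int
    call: str
    verdict: str  # "outside" or "needs-review"


def _dotted_name(node: ast.AST) -> Optional[str]:
    """'os.path.join' for a Name/Attribute chain, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _component(node: ast.AST) -> str:
    """inside / outside / relative / needs-review for one path expression.
    Assumed policy: only os.path.join(os.path.dirname(__file__), <relative
    literals>) is known to stay inside the add-on's folder."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        s = node.value.replace("\\", "/")
        if s.startswith(("/", "~", "%", "$")) or (len(s) > 1 and s[1] == ":"):
            return "outside"  # absolute path, home dir, env var or drive letter
        return "outside" if ".." in s.split("/") else "relative"
    if isinstance(node, ast.Call):
        name = _dotted_name(node.func)
        if name in ("os.path.expandvars", "os.path.expanduser"):
            return "outside"  # these exist to reach user/system locations
        if name == "os.path.dirname" and node.args and _dotted_name(node.args[0]) == "__file__":
            return "inside"
        if name == "os.path.join" and node.args:
            parts = [_component(a) for a in node.args]
            if "outside" in parts:
                return "outside"  # join() discards everything before an absolute part
            if parts[0] == "inside" and all(p == "relative" for p in parts[1:]):
                return "inside"
    return "needs-review"  # variables, f-strings, other calls: a human decides


def classify_path(expr: str) -> str:
    """Verdict for a path expression given as Python source text."""
    v = _component(ast.parse(expr, mode="eval").body)
    return "needs-review" if v == "relative" else v  # bare relative = CWD-relative, not add-on-relative


def _is_write_mode(call: ast.Call) -> bool:
    """True when open() is called with a mode that can create or modify the file."""
    mode = None
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        mode = call.args[1].value
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = kw.value.value
    return isinstance(mode, str) and any(c in mode for c in "wax+")


def scan_source(src: str) -> List[Finding]:
    """Findings sorted by line; calls that stay inside the add-on are silent."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name not in MUTATING_CALLS or (name == "open" and not _is_write_mode(node)):
            continue
        verdicts = [_component(node.args[i]) for i in MUTATING_CALLS[name] if i < len(node.args)]
        verdicts = ["needs-review" if v == "relative" else v for v in verdicts]
        worst = max(verdicts, key=RANK.__getitem__) if verdicts else "inside"
        if worst != "inside":
            findings.append(Finding(node.lineno, name, worst))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample add-on module for this example (not a real add-on).
SAMPLE_ADDON = r'''
import os, shutil
HERE = os.path.dirname(__file__)

def onInstall():
    with open(os.path.join(os.path.dirname(__file__), "state.json"), "w") as f:
        f.write("{}")                                               # inside: silent
    shutil.copy("payload.dll", "C:/Windows/System32/payload.dll")   # outside
    os.remove(os.path.expandvars("%APPDATA%/other-app/config.ini")) # outside
    os.makedirs(os.path.join(HERE, "cache"))                        # needs-review
    open("notes.txt", "r").read()                                   # read-only: silent
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_ADDON):
        print(f"line {f.line}: {f.call} -> {f.verdict}")
```

The three verdicts are deliberate: "outside" is a hard policy violation a reviewer can reject on sight, "needs-review" covers paths built from variables or other calls that a static pass cannot resolve and a human must trace, and anything derived from the add-on's own `__file__` stays silent. Two edge cases are handled explicitly because they defeat naive prefix checks: a `..` component in an otherwise relative literal, and an absolute component later in `os.path.join()`, which makes the function discard everything before it.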
hurrikennyandopo ...
Hi
The following webpage from NV Access might help and answer some of their questions. The link is https://www.nvaccess.org/corporate-government/ Also asking the developers should help.
They can also get their developers to look over the code as well.
Here in New Zealand we have NVDA on 2 huge library networks, which can be found on the main page of http://www.accessibilitycentral.net If I remember right, NVDA is installed on about 1000 computers between those 2 networks. There used to be 3, the APNK, but about a year ago they changed from Windows computers, which had 750 copies of NVDA on their network, to Chromebooks.
Gene nz
On 29/01/2021 10:24 pm,
heaven.lists92@... wrote:
Quentin Christensen
Hi Heaven,

Others have already put forward the main points, as well as the link to our corporate and government page: https://www.nvaccess.org/corporate-government/ We specifically addressed this concern on that page for basically the reasons you have outlined. I would also point out the "Open Source" section on that page and the links to both the UK and the US government policies promoting the use of open source software. I only picked those as the governments of two major countries. In fact, since you mention South Africa, I would direct you to the South African Government's own Free and Open Source Software (FOSS) policy, which not only promotes the use of Open Source software; the first point of the revised policy states: "The South African Government will implement FOSS unless proprietary software is demonstrated to be significantly superior. Whenever the advantages of FOSS and proprietary software are comparable FOSS will be implemented when choosing a software solution for a new project. Whenever FOSS is not implemented, then reasons must be provided in order to justify the implementation of proprietary software." Obviously that policy is only binding on government departments, but it is a pretty strongly worded, official endorsement of open source software.

With regard to the specifics of NVDA itself, it should be noted that it has very little internet connectivity (essentially just to check for updates - and the details of the information shared are on our corporate page previously linked to) - and if you are still concerned, you can run NVDA in secure mode AND block its ability to access the internet, and the only single thing that will change is that the program won't be able to check for updates (and this fails silently; there is no error or nag about it).

If you (or any of the companies you approach) do have any further concerns, please feel free to raise them here or contact us at info@...

Kind regards
On Fri, Jan 29, 2021 at 8:24 PM <heaven.lists92@...> wrote:
--
Quentin Christensen Training and Support Manager Training: https://www.nvaccess.org/shop/ Certification: https://certification.nvaccess.org/ User group: https://nvda.groups.io/g/nvda Facebook: http://www.facebook.com/NVAccess Twitter: @NVAccess