Thanks for taking this first step in opening up the firmware!
I’m SO HAPPY to have this first step done! I know we’ve been much later in doing this than anyone hoped. We’ve got more that we intend to do… but it’s good to be started.
One common question I’ve received from folks who aren’t familiar with open source is, “Does opening the source make Glowforge more vulnerable to hackers?”
I’d love to hear the thoughts of the community on how best to reply (other than “no, we don’t rely on security through obscurity”).
I would emphasize that keeping how things work secret is not generally regarded as effective in the computer security community. If there’s a security hole, “bad guys” can find their way in anyway. More scrutiny of the code means more people looking for problems and helping to fix them. It is also common principle that a securely designed system should not rely on hiding how it works - the cryptography used to authenticate and protect things like web site logins, financial transactions, WiFi, etc., is all publicly documented and is only considered secure because it has withstood attempts to crack it by experts with full knowledge of the algorithms. Similarly, Glowforge’s software is designed to be safe and secure, and being open to inspection will only help improve security.
It seems like a simple question but, asking it implies the questioner doesn’t understand computer/IT/Internet security and, requires some level of additional education to understand any detailed answer. You probably need some less-terse response than “no, it doesn’t” but, the most effective quick response might be something more like: “it may seem counterintuitive but, technology professionals have found that it makes things LESS vulnerable.” Then, maybe provide a link to some article from a reputable source or, to a meta-post linking to a bunch of articles on the topic. I am pretty sure there is an almost-endless ocean written on the subject, available via search.
Solve the business problem presented by the question in a way that doesn’t overwhelm the non-technical person making a casual inquiry. It’s also direct, accurate, memorable and, sidesteps becoming embroiled in details that might attract arguments about bias.
Does that make sense?
If you’ve done something particularly stupid that was very well hidden, you might be more secure without publishing (until someone bad found the vulnerability).
BUT the very important implicit thing is that when people looking over your published code tell you that X, Y, or Z is a vulnerability, you then actually have to go fix those things (or accept fixes).