lack of transpancey
#1
First off, I apologize for creating this thread, but the one mentioning this topic (why closed source?) had been closed, and a very important aspect had not been discussed there: transparency. Nor was any real answer provided.

I have been using oclhashcat for a while, wrote a tutorial a while back even (which seems to have been spread far and wide). However, I am rather concerned with the proprietary approach. After reading the original thread and its responses, I am now even more concerned. http://hashcat.net/forum/thread-2699.html

Decisions are generally motivated by something; in this case it's not money (everything is free regardless), nor does it seem to be advancing the project, otherwise it would have been open source from day one. A thousand minds are better than 3, even if 900 of them have gone full retard..

With the current information that has been provided, the only rational explanation is some sort of agenda, e.g. it's doing something you don't want users to know about.. (bum buddies with the NSA perhaps?)

Please feel free to clear this up, but keep in mind, source speaks a lot louder than words.
#2
Feel free to use jtr, no one here is stopping you.

*edit*

So I was just going to leave that snarky reply and close the thread, but then I got slightly agitated that you linked the thread where the answers are and claimed it was never answered. So... I am just going to paste the relevant part.

(10-12-2013, 09:15 PM)atom Wrote: I usually do not like to talk about why hashcat is not open source, because people are very stubborn when it comes to this question. There are 1000 arguments for and against open source (or closed source) and each side is unwilling to accept the other side's arguments. It's a dead end discussion and the only thing you can do when you talk about it is to burn your hands on it.

I'm a big fan of open source myself. I profit from it. I use linux, I use gcc, I use GNU stuff, and thousands of other open source products. I'm not a guy who is only taking. I publish how to do optimizations in theory and in examples, as well as Ideas for attacks, as well as real code. Some of the hashcat projects are open source, like hashcat-utils, oclGaussCrack, fgets-sse2, etc.

However, I liked two arguments here. The one was that hashcat does not need to be open source. That's right. The other one was that micromanagement and a small team of very good developers can make a superior product. I think both are correct and reflect more or less my opinion.

*edit 2*

To expand on that statement, atom is the primary driving force for anything hashcat related, with a very small (4) group of us that contribute to various aspects.

Without this trying to sound like a personal attack, if you had any sense whatsoever, you could see that nothing is happening behind the scenes. Watch netstat, watch process lists, watch anything that monitors what is happening while it's running and you will come up with nothing. If there were a backdoor, or exploit, or something of that nature, it would be in AMD or NVIDIA's drivers, something we have no control over since it uses binary blobs.
#3
you wonder why there is no "transpancey", yet you have not made any effort to get involved with hashcat. this is your first post on the forums, we've never seen you on IRC, you've never filed any reports on trac. i tried searching for your far-reaching hashcat tutorial, but all i found were some trollbox logs of you recommending hashcat to people (irony?) you've not made any effort to get involved with hashcat, so why do you care about transparency?

transparency and open source are two vastly different things. you can have one without the other. if you want to know what's going on with hashcat, then get involved with hashcat. you will see there is plenty of transparency with the project, atom talks freely about its development. the project advances just fine without being open source. if you have something worthwhile to contribute to hashcat, just talk to atom. and on that note, if you honestly think that you are talented enough to contribute something worthwhile to hashcat, then you would likely also possess the skill necessary to audit hashcat for backdoors without the aid of the source. most people do not audit open source code anyway, the "many eyes" myth is indeed a myth. everyone assumes that someone else is auditing the code (cryptocat?)

welcome to the forums.
#4
Well, there may be a small motivation. Team hashcat is afaik always among top three players in many competitions dedicated to password recovering. Although I haven't done any analyses of hashcat, I don't think there's any backdoor in it. I think all of us use a firewall, so if there was an intensive communication between your PC and a remote server, you'd catch it.

But I saw this sentence: 'The one was that hashcat does not need to be open source.' I usually hear such a thing when someone talks about software used by a small group of people, or about software which anyone could rewrite in a few minutes, and things like that. Well, not everything needs to be open source. But let's imagine that linux was not open source. It might be stable, simple, fast and portable, but surely not as big and as used as it is these days. I mean, I'm sure open source community would make hashcat even bigger than it is now.

Guys, please, stay calm and do not attack me for this reply. Thank you.
#5
(02-01-2014, 10:37 PM)Kuci Wrote: I'm sure open source community would make hashcat even bigger than it is now.

There are plenty of competing projects that are open source. If you are right, then why is oclHashcat the leader? I'm all for open source but the "community" seems to have failed in this case.
#6
(02-03-2014, 02:36 AM)magnum Wrote:
(02-01-2014, 10:37 PM)Kuci Wrote: I'm sure open source community would make hashcat even bigger than it is now.

There are plenty of competing projects that are open source. If you are right, then why is oclHashcat the leader? I'm all for open source but the "community" seems to have failed in this case.

There are several factors. Hashcat is under active development by a group of active devs and is heavily optimized. Second, it's uniform on all supported platforms. Next, it comes with a classic GNU-like CLI UI. UI is very important, we don't need any silly GUI nor messy CLI like JtR has.

And if you talk about that community seems to have failed... Well, community wasn't even tryin'. It's all about interest of contributors and professionalism of maintainers. For example, one contributor may be interested in adding an OpenCL kernel, but not in adding the same kernel written in CUDA. Then some contributors may not be interested in adding some algorithms/features at all and so on.

If I have to say something as a dev, I wanted to contribute to JtR in the past, but I found this project messy and not very mature. It's a typical example of a project with low management. You would make hashcat as messy a project as JtR is if you didn't set any conventions that must be met in the code and merged all the code, no matter whether the code is clean, whether it meets the set conventions and so on.

However, managing such a project correctly is not that big a deal. It can be easily done when you have the right people in your team and you're uncompromising. Look at CyanogenMod. It's a typical example of a big project with good contribution management. I'm a CyanogenMod contributor and I find the code clean, it meets all the conventions set by Google or CyanogenMod, and that's why it's so stable despite being an aftermarket distribution of Android.

I'd write much more, but I ran out of my spare time :D
#7
(02-03-2014, 09:41 PM)Kuci Wrote:
(02-03-2014, 02:36 AM)magnum Wrote:
(02-01-2014, 10:37 PM)Kuci Wrote: I'm sure open source community would make hashcat even bigger than it is now.

There are plenty of competing projects that are open source. If you are right, then why is oclHashcat the leader? I'm all for open source but the "community" seems to have failed in this case.

There are several factors. Hashcat is under active development by a group of active devs and is heavily optimized.

Exactly. Does this support your theory?

(02-03-2014, 09:41 PM)Kuci Wrote: And if you talk about that community seems to have failed... Well, community wasn't even tryin'.

Okay. Does this support your theory? No offense ;-)

Star Office (or whatever initial project later became OpenOffice and LibreOffice) did not try to convince Microsoft to open its source. They rewrote the whole shebang from scratch, including all the really really boring stuff. Given a large enough community and the right leader (not me for sure) a brand new project could probably be even better than Hashcat. But I don't expect this to happen anytime soon.

magnum
#8
(02-04-2014, 01:04 AM)magnum Wrote:
(02-03-2014, 09:41 PM)Kuci Wrote:
(02-03-2014, 02:36 AM)magnum Wrote:
(02-01-2014, 10:37 PM)Kuci Wrote: I'm sure open source community would make hashcat even bigger than it is now.

There are plenty of competing projects that are open source. If you are right, then why is oclHashcat the leader? I'm all for open source but the "community" seems to have failed in this case.

There are several factors. Hashcat is under active development by a group of active devs and is heavily optimized.

Exactly. Does this support your theory?

(02-03-2014, 09:41 PM)Kuci Wrote: And if you talk about that community seems to have failed... Well, community wasn't even tryin'.

Okay. Does this support your theory? No offense ;-)

Star Office (or whatever initial project later became OpenOffice and LibreOffice) did not try to convince Microsoft to open its source. They rewrote the whole shebang from scratch, including all the really really boring stuff. Given a large enough community and the right leader (not me for sure) a brand new project could probably be even better than Hashcat. But I don't expect this to happen anytime soon.

magnum

Yeah, actually, all these arguments support it. You just can't say a project failed because it was open source. I wrote it clearly enough, didn't I?

I don't know whether LibreOffice is a good example since afaik it's highly donated and therefore one might have it as a full-time/part-time job. But look at CyanogenMod. It's a really big and really active community doing all this work for free.