- Subject: [Discuss] AeroFS
- From: smallm at panix.com (Mike Small)
- Date: Sun, 20 Apr 2014 11:19:41 -0400
- In-reply-to: <5f076efda37e4520883033872ccf6dc9@CO2PR04MB684.namprd04.prod.outlook.com> (Edward Ned Harvey's message of "Sun, 20 Apr 2014 01:28:44 +0000")
- References: <CAL8cYW1fEhj-reUNptW4+vfU5nywX-OB0=PCKUOQE_Vt1qCD=A@mail.gmail.com> <5352BED2.email@example.com> <5352E966.firstname.lastname@example.org> <5f076efda37e4520883033872ccf6dc9@CO2PR04MB684.namprd04.prod.outlook.com>
"Edward Ned Harvey (blu)" <blu at nedharvey.com> writes:

>> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
>> bounces+blu=nedharvey.com at blu.org] On Behalf Of Tom Metro
>>
>> Uses closed-source, proprietary software. Nullifies the first point.
>
> Disagree. Both Windows and Mac are closed-source OSes, which provide
> standard crypto libraries to the application layer. The fact that
> your OS is closed source immediately nullifies your above
> nullification argument, because it's literally impossible for you to
> run a completely open source stack, unless you switch to a different
> OS.

Then don't use closed source OSes? I guess then you have to ask whether
the layer underneath that and the compiler bootstrapping were compromised.

> More: While we all agree that more eyes and more scrutiny (open
> source) are good for security of a crypto library, the honest truth
> is, it's more *trained* and dedicated eyes that matters. And you can
> only count the ones who want to help. The flip side is that the bad
> guys also get the open source, and sometimes they keep their
> discoveries secret.
>
> The honest truth is, flaws exist in both open and closed source. Some
> of each are great. Some of each are crap. Some were accidental, and
> some were planted by the NSA coercing Linus (or whoever).
>
> As a software developer, who develops closed source software that does
> (amongst other things) encryption and transport of user files, I can
> say this: I scrutinize all the open and closed source libraries and
> applications that I use. I care greatly about using them correctly,
> and ensuring strong crypto to the best of my abilities. It is
> *appalling* how often I look at open source, as well as closed source
> stuff, and determine that it's bad crypto.

How do you examine closed source crypto? It's a fair argument that the
code being available isn't sufficient to have all its bugs (intentional
or normal) found, but if the code's not available at all...