Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] NAS: encryption



> From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
> Behalf Of Derek Martin
> 
> The difference is, the software most of us rely on is open source, and
> is known to have been inspected by some very smart 3rd parties who

Au contraire. How did I know this was going to turn into an "open source is more secure" myth? It's a myth.

First of all, no matter what you do, you're putting blind trust into *some* third party.

When you download binaries of an open source project, compiled by themselves, you're blindly trusting that they didn't backdoor it when they built it.

Sure you could download and build yourself - but then you're placing blind trust in *yourself*. Did you really truly read all the code and understand it all? Of course not.

When you get open source code from Red Hat and Debian, you're just shifting your blind trust to a different group of people - who also patch the code with their own patches - which you equally did not read.

When Red Hat and Debian download source code from all the 3rd parties, do you really think they read it, much less understand it? They don't do that any more than *you* would, if you were the person downloading and building those packages from source. So you shouldn't place blind trust in them any more than you would in yourself. As evidenced by Shellshock.

Second of all, as evidenced by the whole Linux kernel RDRAND fiasco 2-3 years ago, even when people *do* read the open source code, flaws get maliciously introduced anyway. And the community can even notice, and get up in arms and throw public temper tantrums and get media involvement - and sometimes the open source software producer will *still* cram the backdoor down your throats. And Red Hat and Debian and everybody else will swallow it and redistribute it.

The characteristic that determines whether or not accidental or intentional sabotage is introduced is the skill and character of the people submitting code.

There is no characteristic of open source vs closed source code that fundamentally attracts or repels people of good skill or character. Open source and closed source code have an *equal* proportion of people with good or bad skill and character.

But most of all, as evidenced by Heartbleed, POODLEv1, POODLEv2, and ShellShock - nobody's reading the open source code.

Since I became a crypto developer a few years ago, I spend my time now reading open source stuff, and observing the behavior of closed source stuff. It is my opinion that both are about equal in terms of crypto correctness. And it is my opinion that both are about equally responsive to submissions, when I report security flaws to them - both open source and closed source *sometimes* act on reported flaws, and sometimes don't.

But the primitives - block ciphers, hashing functions - are all solid. The weaknesses get introduced in how they're linked together, how they're used, and how the keys are generated and stored/communicated.
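The last paragraph's point in working code, as an added example that is not part of this message or the thread: a keystream cipher built from an unbroken primitive (HMAC-SHA-256) is still broken when the construction around it reuses a nonce under the same key, and is fine when each message gets a fresh one. The cipher, key, and messages are constructed for illustration, not taken from any real product or protocol.

```python
import hashlib
import hmac
import os

# Constructed illustration, not a real protocol: a CTR-style stream cipher whose
# keystream comes from HMAC-SHA-256. The primitive is fine; the surrounding
# construction (nonce handling) decides whether the result is secure.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` bytes of keystream, block by block."""
    out = b""
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; decryption is the same operation."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt


def encrypt_fresh_nonce(key: bytes, plaintext: bytes) -> tuple:
    """Correct use: a fresh random 16-byte nonce per message, sent alongside."""
    nonce = os.urandom(16)
    return nonce, encrypt(key, nonce, plaintext)


def reused_nonce_leaks(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bytes:
    """Misuse: two messages under the same (key, nonce). Both keystreams are
    identical, so c1 XOR c2 == m1 XOR m2 and the key drops out entirely.
    Returns what a passive observer can compute from the ciphertexts alone."""
    c1 = encrypt(key, nonce, m1)
    c2 = encrypt(key, nonce, m2)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    k, n = b"\x01" * 32, b"\x00" * 16  # constructed key and (reused) nonce
    leak = reused_nonce_leaks(k, n, b"transfer 100 USD", b"transfer 900 USD")
    print("c1 XOR c2:", leak.hex())  # nonzero only where the plaintexts differ
```

Checking for this class of misuse at review time means looking at where nonces and keys come from, not at the cipher's name.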



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org