On Sat, Apr 26, 2014 at 05:18:47PM -0400, Shava Nerad wrote:

> Anyone who is lauding the verifiability of open source security
> software had best show that their code has been regularly and
> thoroughly audited.
>
> It will be very easy for closed source alternatives -- snake oil or
> legit -- for some time to point to heartbleed as a fatal flaw of
> hubris in the argument that open sourcing is panacea to the trust
> issue.
>
> It shook me. Two years, undisclosed? What a waste.
Not a panacea? OK. But if you think closed source software is less vulnerable to bounds-checking errors then, well, you're wrong. If anything, Heartbleed should show that using C does not necessarily make sense for critical security stuff. Or, you know, maybe we shouldn't even be looking for "lessons," because it's just the way it goes in software: there will be bugs. Nothing was unprecedented about Heartbleed -- not even the scope of the vulnerability. Countless exploitable buffer overflows have been deployed on that scale for years.

The reason you can't trust closed software, though, is that you need to trust not just the competence, but also the intentions and priorities of the owner of the source. And practically speaking, that means you must trust them to stand up against the US government, fight subpoenas, spend millions of dollars for no personal benefit, and possibly even go to jail, just to keep your secret keys secret... Not going to happen if the purpose of releasing the software is just to make some money off of post-Snowden panic.
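The bounds-checking error the reply refers to is a peer-supplied length field being trusted over the number of bytes actually received. As an added illustration (not code from the thread or from OpenSSL), here is a constructed echo-style record parser in C that applies the missing check; the record layout, the function name and the sample records are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout for this example (not OpenSSL's): 1 type byte,
 * a 2-byte big-endian declared payload length, then the payload bytes. */
enum { HDR_LEN = 3 };

/* Build an echo reply for `in` into `out`. Returns the reply length, or -1
 * when the declared payload length is not backed by bytes actually present
 * in `in`. Bounding `declared` by what was received, rather than copying
 * `declared` bytes unconditionally, is the check whose absence lets a short
 * record read memory beyond the received data. */
long build_echo_reply(const uint8_t *in, size_t in_len,
                      uint8_t *out, size_t out_cap)
{
    if (in == NULL || out == NULL || in_len < HDR_LEN)
        return -1;
    size_t declared = ((size_t)in[1] << 8) | in[2];
    /* Bound by received bytes, never by the peer-controlled field alone. */
    if (declared > in_len - HDR_LEN)
        return -1;
    if (HDR_LEN + declared > out_cap)
        return -1;
    out[0] = (uint8_t)(in[0] + 1); /* reply type follows request type */
    out[1] = in[1];
    out[2] = in[2];
    memcpy(out + HDR_LEN, in + HDR_LEN, declared);
    return (long)(HDR_LEN + declared);
}

/* Constructed sample records. `oversized` declares 65535 payload bytes but
 * carries only three, so a correct parser must reject it. */
static const uint8_t well_formed[] = { 0x01, 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t oversized[]   = { 0x01, 0xFF, 0xFF, 'a', 'b', 'c' };

int main(void)
{
    uint8_t out[256];
    long n = build_echo_reply(well_formed, sizeof well_formed, out, sizeof out);
    printf("well-formed record: reply length %ld\n", n);
    n = build_echo_reply(oversized, sizeof oversized, out, sizeof out);
    printf("oversized declared length: result %ld (rejected)\n", n);
    return 0;
}
```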
