On 2/28/16 6:35 PM, Jean-Christophe Helary wrote:
> I don't know if you're actually involved in open source development, but what
> you write above is the theory, and the practice is that it takes a huge
> amount of time and sheer luck to find flaws because open source projects
> generally do not have volunteers who focus on security issues. You can see
> that with openssl, glibc and other important projects. Free software is not
> *the* solution to security and privacy. We need also flawless development
> protocols and hardware that is robust but affordable.

I am, as a matter of fact.

The examples to which you allude fall, as far as I know, into the category of implementation weaknesses, to which of course all software is susceptible. I would like to hear about any deliberate backdoors, on the scale of the Apple phone monstrosity, which have been found in any important open-source project. Perhaps there have been some. Enlighten me. Preferably with some degree of technical detail, rather than vague arm-waving.

It's a mantra in the infosec world that all security comes down to physical security. If you have physical possession of the device, then a brute-force attack is always theoretically possible, as long as you can suppress any active behavior on the device's own part. But Apple provided the cops with a royal road. They don't need to go to the trouble.

_______________________________________________
pen-l mailing list
pen-l@lists.csuchico.edu
https://lists.csuchico.edu/mailman/listinfo/pen-l