[liberationtech] Cryptography super-group creates unbreakable encryption

Fri Feb 15 14:10:40 PST 2013

Adam Fisk <afisk at bravenewsoftware.org> writes:

> At the risk of getting swept up in this by consciously saying something
> unpopular, I want to put my shoulder against the wheel of the "open source
> process produces more secure software" machine. The reasons for software
> licensing are complex, as we all know, but I'm certainly more confident in
> the overall security of silent circle in its first release than I was in
> the overall security of cryptocat 1. Why? Because there are much more
> experienced people involved (not meant as a jab Nadim - PZ had about a 25
> year head start if not more) and also because they have judiciously sought
> the review of experts prior to release. If you have to choose between open
> and closed in terms of the potential for building a secure architecture, of
> course open is overall better, but there are many other factors at play,
> including the resources and expertise an organization is able to devote to
> the problem. Apple, for example, has an overall great security track
> record, with most of that code closed source. Having $100 million in the
> bank helps. A lot. It helps a lot more than the license. In fact the
> overall number of eyes on the code is likely the more relevant factor - the
> precise area where open source ostensibly scores such a resounding victory,
> but only if in fact more experienced eyes review the code than they do
> comparable closed source systems.
>
> It just seems healthier to recognize this is a complex issue, and I don't
> think reducing it to open versus closed source does that complexity justice.
>

I don't think anyone would claim that every piece of free software is
automatically more secure than every piece of proprietary software,
because as you say there are many other factors involved.

But in your definition of security, you seem to be discounting the
user's ability to verify things for herself, or to commission a 3rd
party to verify things for her. You seem to be treating security merely
as a trust issue, or an "available/obvious/likely exploits" issue.

That's a limit on the definition that doesn't work for me. Software that
I can't look at or ask someone to look at is by definition insecure in
one important way.

Your points also doesn't disprove the claim that, if you are designing a
new project that you want to be secure, a free software approach should
be chosen. You should do lots of other things right too, of course, that
have nothing to do with licensing.

-john

-- 
John Sullivan | Executive Director, Free Software Foundation
GPG Key: 61A0963B | http://status.fsf.org/johns | http://fsf.org/blogs/RSS

Do you use free software? Donate to join the FSF and support freedom at
<http://www.fsf.org/register_form?referrer=8096>.