[liberationtech] Cryptography super-group creates unbreakable encryption

Mon Feb 18 20:00:24 PST 2013

>
> I don't think anyone would claim that every piece of free software is
> automatically more secure than every piece of proprietary software,
> because as you say there are many other factors involved.

Nor would I!

>
> But in your definition of security, you seem to be discounting the
> user's ability to verify things for herself, or to commission a 3rd
> party to verify things for her. You seem to be treating security merely
> as a trust issue, or an "available/obvious/likely exploits" issue.

I really think it's just a matter of building something that works,
that actually is secure, and I think there are many factors that go
into that. Open source can be a great advantage, but not if none of
those users actually do go and verify things for themselves. The
reality is that none of us have the time to verify the security of all
the tools we use, and that's even if everyone had the expertise. We
all trust the vast majority of the tools we use as a result. That's
not by any means to say that security should be based on that trust -
it should be based on peer review, continuous research, and careful
coding. All of that takes a great deal of time and often money,
however, and poorly funded open source projects usually fall way short
because they've got one part of the structure right but not the
others. Proprietary software clearly falls way short all the time too.
All that said, there's just an astounding degree of cooperation in
this community of people devoting countless hours to improving the
security of so many tools, and that's certainly to be applauded, but
those people are largely fighting an uphill battle because they're
underfunded.

>
> That's a limit on the definition that doesn't work for me. Software that
> I can't look at or ask someone to look at is by definition insecure in
> one important way.

I think the principle of that is great, but in practice we just can't
all review all the code all the time. In practice we often end up
trusting open source code that is far worse reviewed than much of the
closed source code we trust. I'm not trying to attack open source --
I've been writing open source code full time for the past 13 years --
it's what I do. But I don't think we should be delusional about it.

>
> Your points also doesn't disprove the claim that, if you are designing a
> new project that you want to be secure, a free software approach should
> be chosen. You should do lots of other things right too, of course, that
> have nothing to do with licensing.

Totally agreed! It can just be overemphasized amongst the list of
factors -- it's a super important one to be sure, but not the only
one.

-Adam

>
> -john
>
> --
> John Sullivan | Executive Director, Free Software Foundation
> GPG Key: 61A0963B | http://status.fsf.org/johns | http://fsf.org/blogs/RSS
>
> Do you use free software? Donate to join the FSF and support freedom at
> <http://www.fsf.org/register_form?referrer=8096>.
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

-- 
--
Adam
pgp A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89