[liberationtech] About "Confide"
Shava Nerad
shava23 at gmail.com
Sat Apr 26 18:33:23 PDT 2014
Security software isn't like a lot of open source projects. Generally
there have to be narrowly controlled commits, well reviewed. Those people
are experts who may have a lot of other demands on their time that are far
far more monetarily rewarding if the project is un(der)funded. So they are
rare altruists, and we often burn out our best.
I am not trying to compare these projects to closed source projects. I am
trying to compare them to FOSS hubris.
The idea that we have, that the NGO sector has, that there is inherent
virtue in poverty and inherent evil in gaining enough resources to be well
resourced for the work available.
We need to get over that aspect of this whole thing. Ideally, in my
opinion, we need well organized well resourced groups with less politics
and less fashion-driven ideals. I have no problem with free software and
open source -- I have worked with a number of projects over the years in
various roles. I was the original publicist for FSF.
But if we always are comparing ourselves to closed source projects, then we
are not able to own either our own native strengths or the vulnerabilities
in our own working culture. We glorify doing more with less to an excess.
It's not always appropriate, in extremis, for every project.
Security projects are at a huge disadvantage in an environment of
impoverished resources. Any one of you should be able to run that risk
analysis. Open or closed, under-resourced projects will be at greater
risk. Period.
We should evaluate how the environment around a project -- funding,
development, research attention, use in greater communities -- leaves it
more or less prone to exploit attention being more likely than community
maintenance.
Because at root (pun possibly intended), some of the balance may be coming
down to the size of the pool of hackers focused on the code with either
intent.
It's a buyer's market out there. I don't make the news. But it does make
me ponder.
This seems like a hard problem, to me. Tell me, what is it that I
misunderstand?
SN
On Apr 26, 2014 7:34 PM, "Jonathan Wilkes" <jancsika at yahoo.com> wrote:
> On 04/26/2014 05:18 PM, Shava Nerad wrote:
>
>>
>> Anyone who is lauding the verifiability of open source security software
>> had best show that their code has been regularly and thoroughly audited.
>>
>>
> I'm not sure what that means, so I'll start a new paragraph for what could
> be a non sequitur...
>
> Someone doesn't have to be an active scientist doing peer reviewed
> research in order to laud the verifiability of the scientific method.
> Similarly, I don't have to be an active security dev working on peer
> reviewed software in order to recognize the obvious benefits of the free
> software approach over proprietary development.
>
> Anyone who wants to ignore those obvious benefits best explain how they
> would verify a fix for the heartbleed bug if the public weren't allowed to
> read the code. And what if you didn't trust their description of the fix?
> What if you, as an expert security programmer, suspected that the
> proprietary team wasn't using a sane codebase or doing a good job of
> maintaining it? How would you leverage your skills to improve that
> proprietary security library?
>
> Compare the time it takes you to respond to the time it took the OpenBSD
> peeps to do a "git clone" command.
>
> -Jonathan
>