undefined | Better HN

0 pointsjcrawfordor10y ago0 comments

The vast majority of defects groups like intelligence agencies are exploiting are not going to be intentionally-placed backdoors - they're going to be typical vulnerabilities discovered the normal way, just by an organization with immense resources and no motivation to share.

So the bottom-line is that it comes down to how much you trust the people that made the software. Is it a very high quality vendor? Is it a very high quality open-source project?

The nice thing about open-source software is that you have a much better ability to evaluate this from the inside. Get on mailing lists, poke around trackers, and see how they usually deal with security disclosures. Do they even have a formal program to do so? I'm not sure that OpenVPN does, although a lot of distros watch that carefully.

0 comments

1 comments · 1 top-level

armitron10y ago

I'm sorry but this all comes to moot. For any opensource project of substantial size, you absolutely "have not a much better ability to evaluate this from the inside by getting on mailing list and trackers". All of that is irrelevant and a waste of time at best (at worst you're deluding yourself).

Unless you're one of the few people on the planet who are good at auditing code for security vulnerabilities and devote the time to do it (or pay someone else to do the same), you have no stable basis to be making any assumptions as to the security status of a codebase.

If this doesn't convince you, look at all the security-critical opensource projects that are riddled with security bugs. There is not a single one of them that hasn't been compromised time and time again.

Sad but true.

j / k navigate · click thread line to collapse