undefined | Better HN

story

0 pointsacqq12y ago0 comments

Just believing "somebody would see it" is provably not enough.

http://www.schneier.com/blog/archives/2008/05/random_number_...

The bug was introduced in September 2006. Discovery published May 2008. Affected: the most popular Linux distribution, all the keys generated on it in that period. Scary.

Moreover, the bug was not found by reading the source code. The keys generated by all the existing system were analyzed. If I remember, only the keys generated by mentioned Linux distros stood out (and some hardware devices using customized firmware or poor implementations). Windows and OSX weren't there.

0 comments

dllthomas12y ago

But the odds it will be found (and publicly acknowledged) is higher than with closed-source software. Availability of the source is not a substitute for audit and care, but is helpful and you're not guaranteed audit or care with closed solutions.

acqqOP12y ago

The mentioned bug was not discovered by reading sources. The sources were available for one and half years and were used for the most popular Linux distributions. What can we expect for less popular ones then?

I'm not saying that it's better to have closed source, even if we can discuss that too when we consider how often the changes are introduced (for security: the less often the better provided the start is good enough) I'm saying that just believing something is secure simply because "it's open source" is pure hand waving.

dllthomas12y ago

Availability of the source is not a substitute for audit and care, but is helpful and you're not guaranteed audit or care with closed solutions.

j / k navigate · click thread line to collapse

0 comments

dllthomas12y ago

acqqOP12y ago

dllthomas12y ago

Availability of the source is not a substitute for audit and care, but is helpful and you're not guaranteed audit or care with closed solutions.

j / k navigate · click thread line to collapse