
Though I know it's not perfect, free software projects at least give you some ability to discover and hinder government interference. I don't know why you seem more interested/worried about them.


Wasn't there a post here about how little review open source software actually gets due to the highly specific knowledge required to identify vulnerabilities?

something like: https://www.itworld.com/article/2922074/significant-virtual-...

Seems like creating a foundational open source project and introducing a few key bugs would be the best way to hide in the open.


Because the open source community is slowly coming to the uncomfortable realization that many eyes != security. Take heartbleed: SSL had a glaring security vulnerability open for years that none of those eyes ever spotted.

I've seen questions raised here on HN about Signal and Tor: where they came from, and where their funding comes from. If I had to bet, then I'd bet both of those are modern day Crypto AG variants.


It's one thing to acknowledge that open source software doesn't get the review it needs. It's another thing entirely to suggest that major platforms in use today are sponsored by state actors willing and able to introduce vulnerabilities without proof.

Turnkey black box solutions may be reviewed more regularly by a dedicated team, but you have to admit that they're subject to flimsy and easy manipulation by state actors and the greed and corruptibility of their owners.


> It's another thing entirely to suggest that major platforms in use today are sponsored by state actors willing and able to introduce vulnerabilities without proof.

I think the Crypto AG story is sufficient proof of itself to look with suspicion at all related open source projects. In situations where there are known bad actors and we are dependent on security, we should look with suspicion unless we know better. "Insecure until proven secure" is probably a good motto.


> "Insecure until proven secure" is probably a good motto.

So just always insecure, as no amount of testing can guarantee there isn't some heartbleed like bug in there still.


If that's the reality, should we whitewash it?


> Because the open source community is slowly coming to the uncomfortable realization that many eyes != security

The community has been aware of this for a very long time. Many eyes still provides better security than few eyes, which is why singling out free software as your concern seems misplaced.

> If I had to bet, then I'd bet both of those are modern day Crypto AG variants.

Though it's possible Signal is compromised, it's basically known that the proprietary offshoot WhatsApp is compromised. Free software is still your best bet, likely even better than doing it yourself for 99.9% of the world.
