[cryptography] Question About Best Practices for Personal File Encryption

Alfie John alfiej at fastmail.fm
Sun Aug 17 13:56:33 PDT 2014


On Sat, Aug 16, 2014, at 11:21 PM, Christopher Nielsen wrote:
> > 2. It is probably open source.
>
> What makes you think open source will save you? All the eyeballs
> looking at the code? That was proven a false sense of security when
> heartbleed was announced.

Can we please stop perpetuating that Open Source is the less secure
option? Linus said "given enough eyeballs, all bugs are shallow", he
didn't say "all bugs are non-existent".

Given an open source program, it can be accountable by anyone. If there
is a bug, it can be patched. If there is a deliberate backdoor, it can
be pointed to as an example of why to completely abandon the program and
mark the developer as tainted forever.

Given a proprietary program, it is accountable to the supplier and you
have no other option. If there is a bug, all you can do is hope for a
patch. If there is a deliberate backdoor, all you can do is hope that
someone spots it if it is ever reverse engineered.

In other words:

  - Open Source: "trust, but verify"
  - Proprietary: "trust, and have faith in the supplier"

Given the current Snowden climate, you would be naive to choose a
proprietary option. Prove me wrong.

Alfie

-- 
  Alfie John
  alfiej at fastmail.fm
