Re: "Once We Squeeze All We Can Out of the United States, It Can Dry Up and Blow Away."
- From: "nemo_outis" <abc@xxxxxxx>
- Date: 21 Sep 2005 19:17:32 GMT
"Jeffrey F. Bloss" <jbloss@xxxxxxxxxxxxxxxxxxxxxx> wrote in
news:45098984.3zqtUNzchu@xxxxxxxxxxxxx:
....merciless snipping - but not because the points aren't worthwhile...
All the points you make are entirely reasonable - where we disagree is
the weight to be given each of them.
In a nutshell, I'm not questioning whether open-source is good but
whether it is good enough.
Especially for security software! (where we are not looking for mere bugs
but camouflaged tricks that may have been put there deliberately -
possibly by folks with great capabilities, motivations, and resources)
Moreover, I wish to emphasize that, while we may debate the fine points,
the general user will indeed fall back on the oversimplified mantra of:
open-source = panacea.
In the particular case of Tor, for instance, I don't know who the hell
has reviewed the source code, to what depth, and what their credentials
are. And I use the software regularly! And I'm supposedly a
sophisticated and informed user! No, I'm relying on the general feel-
good process that no major alarm bells have been sounded on Bugtraq,
etc.
Moreover, if I did do my homework (which would make me a very rare user
indeed) the question would arise of why I should place my confidence in a
particular open-source reviewer no matter how great his qualifications.
Perhaps he has been bought off. I have merely displaced the problem from
trusting the software to trusting the reviewer.
Yes, there are ways to get around this. I might require that multiple
qualified reviewers have examined the source-code in depth and published
their findings (including scope, methodology, etc.) But let's return
instead to the real world: How likely am I to get that standard of
review?
One could instead argue (and I throw this out acting as Devil's advocate,
not because I believe it) that I would be better off with closed-source
code from a reputable manufacturer who has paid for highly-qualified
professionals to review the code. A closed process, to be sure, but one
where there would be defined scopes of work, etc. and possibly even
clearly-defined standards, and where there are reputations on the line,
and even possibly commercial risks. The FIPS process, for instance
(although I concede immediately that its real-world implementation does
not inspire much confidence in me.)
In short, *any* security system must bootstrap off some "kernel of
trust." The key question is what that kernel should be (which will vary
for different users, of course). For some, open source and peer review
is where they'll place their trust. For others, reputable manufacturers
and a standardized but closed review process. And yet others, to whose
camp I belong, will harbour the gravest doubts about either method for all
but low-level security and will resort to kludges such as cascading open-
source and closed-source software, or looking for solutions that don't
involve software (e.g., trusted couriers), and so on.
Regards,
And, as a further quibble, the degree of reliance we can consequently put
in such open-source software (which will vary, of course, for different
users.)
- Follow-Ups:
- Re: "Once We Squeeze All We Can Out of the United States, It Can Dry Up and Blow Away."
- From: Ari Silversteinn
- Re: "Once We Squeeze All We Can Out of the United States, It Can Dry Up and Blow Away."
- From: Ari Silversteinn
- Re: "Once We Squeeze All We Can Out of the United States, It Can Dry Up and Blow Away."
- From: Jeffrey F. Bloss
- Re: "Once We Squeeze All We Can Out of the United States, It Can Dry Up and Blow Away."
- References:
- Re: "Once We Squeeze All We Can Out of the United States, It Can Dry Up and Blow Away."
- From: Jeffrey F. Bloss
- Re: "Once We Squeeze All We Can Out of the United States, It Can Dry Up and Blow Away."
- From: nemo_outis
- Re: "Once We Squeeze All We Can Out of the United States, It Can Dry Up and Blow Away."
- From: Jeffrey F. Bloss
- Re: "Once We Squeeze All We Can Out of the United States, It Can Dry Up and Blow Away."