In principle open source software is the best because anyone can inspect the code and publicly warn everyone of bugs and vulnerabilities.
In practice specialized code, like encryption, requires specialists to properly analyze it. These specialists may come from organizations - private or governmental - that have incentives to keep this analysis to themselves.
I often think that the EFF and the ACLU should prioritize hiring of domain experts to vet particular, important code bases periodically.
I pointed out the real basis for security in evaluating FOSS and proprietary software here. In comment, I also noted the only high-security systems ever designed were done by the cathedral model with most resisting NSA pentesters being proprietary. Amusingly, the write-up itself always has about 1-2 points max on any site. Even my high-assurance, backdoor concept got more sometimes. I’m sure there’s fascinating social/psychological effects going on there.
Good news is the Tinfoil Chat, miTLS and Wireguard people are all doing that at least on transport side. Might be able to reuse their primitives in a GPG variant or replacement if nobody with that level of skill designs a solution for that.
In principle open source software is the best because anyone can inspect the code and publicly warn everyone of bugs and vulnerabilities.
In practice specialized code, like encryption, requires specialists to properly analyze it. These specialists may come from organizations - private or governmental - that have incentives to keep this analysis to themselves.
I often think that the EFF and the ACLU should prioritize hiring of domain experts to vet particular, important code bases periodically.
I pointed out the real basis for security in evaluating FOSS and proprietary software here. In comment, I also noted the only high-security systems ever designed were done by the cathedral model with most resisting NSA pentesters being proprietary. Amusingly, the write-up itself always has about 1-2 points max on any site. Even my high-assurance, backdoor concept got more sometimes. I’m sure there’s fascinating social/psychological effects going on there.
We should focus on solving the root problem that these bugs arise from, rather than just patching each vulnerability that pops up.
Good news is the Tinfoil Chat, miTLS and Wireguard people are all doing that at least on transport side. Might be able to reuse their primitives in a GPG variant or replacement if nobody with that level of skill designs a solution for that.
the most insane thing about this is he just put a newline in a filename. that’s it, you totally broke the best encryption system in the world.