On Thu, Feb 7, 2013 at 9:12 AM, Christopher Soghoian <ch...@soghoian.net> wrote:
> My area of research is the intersection of law, policy and technology. As
> such, I am most interested in companies' surveillance policies, their
> commitment to transparency, and their stated willingness to tell the
> government to GTFO if they come and ask for backdoors. On this front, Silent
> Circle is extremely interesting, probably more so than any other Internet
> company.

You may think these are your preferences, but what you're saying makes it clear that your preferences are actually subtly different. If someone says "we won't put in 'lawful surveillance' backdoors" but doesn't back that up with independent auditing (which can come in the form of access to source code) and you find that acceptable, then what you have is a preference for _claiming_ that there are no back doors, and not a preference for being open about what the policy is (the real policy is in the software, which the public has not observed) or a preference for there being no back doors.

Considering the long history of mistakes and outright lies in security software— this is simply how it is. Doubly so when you consider that lying about a backdoor or being mistaken about severe security holes is unlikely to carry consequence more negative than being open to begin with.

If there were a surety bond commensurate with the loss of life that could result from mistakes and dishonesty here and there were independent auditing... plus many of a number of other things then perhaps you could say that you cared about transparency, policy, and backdoors.

> For many people on this list, source code is their #1 priority. That is
> fine. However, it is not my priority. I am more concerned with surveillance
> policy, because that is what I study and where I think I can be most
> effective in applying pressure.

You're erroneously concluding that people who disagree with you have "source code [as] their #1 priority"— rather, I think it would be more fair in the context of security software to characterize the position as having facts as #1 priority instead of warm and fuzzy hyperbole. Source code access is simply the least expensive and most direct way to start getting any real confidence that claims match reality.

Following the argument that something is not necessarily better than nothing— we'd be better off if people who weren't interested in producing trustworthy software were pressed into making fuzzy-sounding fanciful claims. If all you can be effective at doing is improving the art of marketing (potential) snake oil, then perhaps you need to reevaluate what you're working on.