On Fri, Feb 15, 2013 at 2:01 PM, Nadim Kobeissi <na...@nadim.cc> wrote: > On Fri, Feb 15, 2013 at 4:35 PM, Adam Fisk <af...@bravenewsoftware.org> > wrote: >> >> I'm certainly more confident in the overall security of silent circle in >> its first release than I was in the overall security of cryptocat. > > > Of course this is true. The first release of Cryptocat was made in early > 2011 by me back when I was in my second year of university and only barely > beginning to understand proper programming and security practice. It was an > experimental product full of holes and by no means secure. The first release > of Silent Circle was by a team of superheroes with 25 years of experience in > being totally badass. Big difference!
That's really my point exactly -- there are many things that determine the security of a piece of software. > > But when your model is closed-source, you're not participating in > reviewable, verifiable security practice and you're negatively affecting the > practical cryptography industry as a whole. Look at Cryptocat — it > progressed from a toy into a real product that I'm proud of, and that fully > passed a security audit with a 100/100 score just last week > (https://blog.crypto.cat/2013/02/cryptocat-passes-security-audit-with-flying-colors/) > after two years of hard work, restructuring and redesigning the whole thing, > and getting alternatively beaten up and helped by experts in the field.— > This would have *never* happened had we not been open source from the > beginning. Sure. Again, I believe that open source is a beneficial license for security, but we have to keep in mind that it's a means to an end -- secure code -- and that it's not the only means. I think you were beaten up unfairly under the circumstances for cryptocat 1, and I similarly think we're beating up Silent Circle unfairly. > > Being open source is a painful but necessary process. It invites criticism, > bone-breaking and having to admit bad design, apologize for your mistakes > and work hard on fixing them. But only through that process you create > something great that benefits the security community by offering > opportunities to learn. Sure, Silent Circle started off as a good product, > but by being closed-source they disregard the proper practice of what makes > this industry progress in terms of engineering, and they cast a shadow of > uncertainty and closed progress upon themselves, too. > There are just so many aspects that go into software licensing that I just don't draw that same line. If the goal is secure code, I again think the key is having an adequate number of capable people analyzing and dissecting that code on a constant basis. That can mean closed source code audits, and it can mean having a full time security team analyzing and improving the code at all times (Google, Facebook, many others) regardless of the software license. Open source is awesome, and I believe in it wholeheartedly, but I don't think if an organization doesn't open source their code they're automatically crazy and kicked out of the club. -a -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
