On Thu, Jan 15, 2015 at 02:46:56PM -0800, Al Billings wrote:
> > I thought software freedom and access to the source code was considered
> > a requirement for considering a system secure.
> 
> According to whom? I think open source (I'll leave aside whether "open 
> source" is "free software") is ideal but it is not the only thing worth 
> discussing. Otherwise, we wouldn't be discussing most mobile applications.

According to me, among others.  Open source is not merely ideal, open source
is MANDATORY.  It is not sufficient, of course, but it is necessary.
All closed-source software not only may be, but *must be* immediately
dismissed as unsuitable for use, with prejudice, as it and anyone pushing
it are both unworthy of any further discussion.  (Except, perhaps, as
examples of fraud.)

Please read:

        
https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007499.html

Yes, this does mean that most mobile applications are (at best)
worthless crap.  Some of them, no doubt, have been backdoored deliberately.
(Why not?  It's just good business. [1])  Others likely have gaping security
and privacy holes that will remain largely undiscovered *except* for those
with access to the source code, which I hope everyone here realizes
probably includes any intelligence agency that can trouble itself
to make the effort to acquire it.  (It would be extremely naive and
appallingly stupid to suggest otherwise.)  Of course, their resources,
while quite large, are still finite so I'm sure not everything attracts
their attention: but certainly anything usable/popular enough to matter
will be swept up in due course and subjected to analysis.  Such analysis
may be shared (as we've seen) and may lead to active attempts to exploit
the application, which will, given the available expertise, probably succeed.

---rsk

[1] Just like this is good business:

        
http://www.propublica.org/article/zombie-cookie-the-tracking-cookie-that-you-cant-kill
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.
