Re: [Discuss] NAS: encryption

2015-07-08 Thread Jack Coats
Rich, your post reminded me of this sticker I saw: ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss

Re: [Discuss] NAS: encryption

2015-07-08 Thread Rich Braun
Rich Pieri wrote:
> Paranoia is an
> irrational fear. We should not be paranoid. We should be rational about
> security.

On this flogged-to-death topic, I finally spotted a statement that I can agree with (the other) Rich on! Brought a smile to my face. A lot of the statements in this heated d

Re: [Discuss] NAS: encryption

2015-07-08 Thread Richard Pieri
On 7/8/2015 9:32 PM, Daniel Barrett wrote: Oh, please. Nobody actually believes that open source scrutiny will find *every* security problem. You know what? I honestly thought that there was no way that anything as ubiquitous as BASH could have bugs more severe than edge case inconveniences.

Re: [Discuss] NAS: encryption

2015-07-08 Thread Daniel Barrett
On July 8, 2015, Richard Pieri wrote:
>All of us... well, most of us anyway, myself included, were blinded
>by the illusion [that open source affords more assurance than closed
>source]. We believed if there were problems then "some smart people"
>would have noticed them and fixed them because that

Re: [Discuss] NAS: encryption

2015-07-08 Thread Richard Pieri
On 7/8/2015 4:47 PM, ma...@mohawksoft.com wrote: There are a lot of moving parts. Take for instance, the AES encryption algorithm. This is a known quantity and you can "trust" that it works when given any two independent implementations of it can encrypt/decrypt. Yes. And this is one of the w

Re: [Discuss] NAS: encryption

2015-07-08 Thread Dan Ritter
On Wed, Jul 08, 2015 at 04:47:19PM -0400, ma...@mohawksoft.com wrote: > > "trusting" that a closed system like encrypted hard disks is probably OK, > but if you are paranoid, it isn't. We should all be paranoid. > Always remember: "trusted system" means that you have to trust it, not that you ha

Re: [Discuss] NAS: encryption

2015-07-08 Thread markw
> On 7/8/2015 3:19 PM, Chuck Anderson wrote:
>> Sorry, I call BS. My point was that having access to source code is a
>> prerequisite. If you don't have access to the source code, it becomes
>> MUCH harder to audit because you are limited in the techniques you can
>> use, such as black box testin

Re: [Discuss] NAS: encryption

2015-07-08 Thread Richard Pieri
On 7/8/2015 3:19 PM, Chuck Anderson wrote: Sorry, I call BS. My point was that having access to source code is a prerequisite. If you don't have access to the source code, it becomes MUCH harder to audit because you are limited in the techniques you can use, such as black box testing. If you h

Re: [Discuss] NAS: encryption

2015-07-08 Thread Chuck Anderson
On Wed, Jul 08, 2015 at 11:53:35AM -0400, Richard Pieri wrote:
> On 7/8/2015 11:06 AM, Chuck Anderson wrote:
> >I think this whole discussion revolves around choice. With open
> >source, I have a choice to audit the code if I so desire, or to hire
> >someone to do so on my behalf. With internal d

Re: [Discuss] NAS: encryption

2015-07-08 Thread Richard Pieri
On 7/8/2015 1:18 PM, Derek Martin wrote: But it does not matter; you asked if I know any such people; you did not ask me to prove it. Moreover, MY trust depends neither on my ability nor my willingness to prove my trust TO YOU. My willingness to trust you does. Your claim is that open source i

Re: [Discuss] NAS: encryption

2015-07-08 Thread Derek Martin
On Wed, Jul 08, 2015 at 12:08:13PM -0400, Richard Pieri wrote:
> On 7/8/2015 11:47 AM, Derek Martin wrote:
> Do you understand that you are doing the same thing that you accuse
> proprietary software of doing?

The world is full of proprieties--I am subject to some of them the same as any of us are

Re: [Discuss] NAS: encryption

2015-07-08 Thread Richard Pieri
On 7/8/2015 11:47 AM, Derek Martin wrote: Yes, in fact. I can name some of the people who do that where I work, though I will not do so, as it is not my place to disclose that information. I can also identify, for instance, Robert Swiecki at Google, because he was involved in some of the recent

Re: [Discuss] NAS: encryption

2015-07-08 Thread Richard Pieri
On 7/8/2015 11:06 AM, Chuck Anderson wrote: I think this whole discussion revolves around choice. With open source, I have a choice to audit the code if I so desire, or to hire someone to do so on my behalf. With internal drive encryption, I have (almost) no choice but to trust someone else's j

Re: [Discuss] NAS: encryption

2015-07-08 Thread Derek Martin
On Wed, Jul 08, 2015 at 10:15:02AM -0400, Richard Pieri wrote:
> On 7/7/2015 6:26 PM, Derek Martin wrote:
> >The difference is, the software most of us rely on is open source, and
> >is known to have been inspected by some very smart 3rd parties who
>
> "Some very smart 3rd parties?" Can you actua

Re: [Discuss] NAS: encryption

2015-07-08 Thread Chuck Anderson
On Wed, Jul 08, 2015 at 10:49:40AM -0400, Richard Pieri wrote:
> On 7/8/2015 10:23 AM, ma...@mohawksoft.com wrote:
> >The problem with internal drive encryption is getting any level of
> >disclosure and accountability.
>
> This is simply not true.
>
> FIPS security profiles are public record. Her

Re: [Discuss] NAS: encryption

2015-07-08 Thread Richard Pieri
On 7/8/2015 10:23 AM, ma...@mohawksoft.com wrote: The problem with internal drive encryption is getting any level of disclosure and accountability. This is simply not true. FIPS security profiles are public record. Here's the security profile for the cryptographic module used in several of Se

Re: [Discuss] NAS: encryption

2015-07-08 Thread markw
>> From: John Abreau [mailto:abre...@gmail.com]
>>
>> "Edward Ned Harvey (blu)" writes:
>>
>> > You seem to think there's an obstacle which isn't really real -
>> > Encryption is very cheap computationally, so cheap indeed it can be
>> > done by the disks themselves.
>>
>>
>> On Tue, Jul 7, 2015

Re: [Discuss] NAS: encryption

2015-07-08 Thread Richard Pieri
On 7/7/2015 6:26 PM, Derek Martin wrote: The difference is, the software most of us rely on is open source, and is known to have been inspected by some very smart 3rd parties who "Some very smart 3rd parties?" Can you actually name any of them? I mean, can you name the specific people at Red H

Re: [Discuss] NAS: encryption

2015-07-08 Thread Derek Atkins
"Edward Ned Harvey (blu)" writes: >> From: John Abreau [mailto:abre...@gmail.com] >> >> "Edward Ned Harvey (blu)" writes: >> >> > You seem to think there's an obstacle which isn't really real - >> > Encryption is very cheap computationally, so cheap indeed it can be >> > done by the disks them

Re: [Discuss] NAS: encryption

2015-07-08 Thread Edward Ned Harvey (blu)
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On
> Behalf Of Derek Martin
>
> The difference is, the software most of us rely on is open source, and
> is known to have been inspected by some very smart 3rd parties who

Au contraire. How did I know this was going to turn into a