On 07/13/2013 02:30 PM, ch...@thinkpenguin.com wrote:
It does not work the way you think it does. The NSA has what are called zero-day exploits. These are bugs which can be exploited and are not publicly known or fixed. Microsoft has informed the NSA of these zero-day exploits before it has provided users with a patch to fix them (a security update). Development is generally more public with free software and GNU/Linux. If there is a security exploit report, it gets fixed and patched. The NSA might know about it, although so does everyone else. That is, short of it being silently reported (that is, the reporter bypasses the public system). Generally I believe it is normal to bypass the public system to report such bugs, as this gives the developers (free or non-free) time to create patches to fix the holes.
Yes, it is true that there are exploits that can be used to run programs without the user's consent for spying purposes. However, Trisquel has a strong security system and, unlike Microsoft, the devs don't give these "zero-day" exploits away. The fact that Microsoft has to tell the NSA about them shows that the NSA isn't too good at finding the exploits themselves, which probably means they can't easily find any for Trisquel. It's all theoretical though, so you just have to make sure you trust everything you download.
Long story short, there are more eyes looking at the code where free software is concerned, although that doesn't necessarily mean it is any harder/easier to exploit from the attacker's standpoint. What is clear is that Microsoft is providing these zero-day exploits to the NSA before they've released patches, and that is a clear betrayal of trust. No other organization can fix the holes, whereas if it was reported publicly in a free application there would at least be the possibility of third parties providing a fix, disabling a feature which made the hole exploitable, etc.
I would agree that there are more eyes looking at the code where free software is concerned, but finding an exploit isn't as easy as it sounds, even with the source code.
According to a poorly written statement by a Microsoft security team employee, free software source code ISN'T looked at a lot. http://www.securityfocus.com/news/191 I am not trying to prove you wrong here, but rather just showing something on-topic that shows how stupid Microsoft can be. He contradicts himself 5 times.
Microsoft could, however, be giving away exploits for legitimate reasons (as some people call them). An example is Stuxnet, which was most likely started by the NSA. When interviewing Iran's nuclear facilities, the U.S. was denied access to see the actual nuclear plants. This means that Iran could be developing nuclear weapons of sorts, and the government doesn't like stuff being hidden from it. In response, only a few months later, Iran's nuclear facilities were targeted by the Stuxnet virus. It targeted the exact PLC chipsets they used (hundreds exist), and information on the PLC chipsets was probably something the U.S. gained from its interviews at the facilities.
This clearly shows that the NSA does have some purpose for its security attacks, but I am strongly against these mishaps and breaches of civilian privacy. As Benjamin Franklin once said: "Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety." That shows that the U.S. government needs to learn more about U.S. history, if you ask me.