[Chugalug] Dropbox (and other Python Apps) Reverse-Engineered

Christopher Rimondi chris.rimondi at gmail.com
Wed Aug 28 21:17:27 UTC 2013


"This is the power of open source: with many eyes on the system, the
weaknesses will be brought to light quite rapidly."

In theory that statement is great. Theoretically, more eyes on the code
will find bugs faster. In practice I don't think so. I have heard of some
pretty old bugs in popular open source libraries. Finding security bugs in
software is a lot of work.

I bet if a company were developing a commercial application where security
counted, and that relied on open source libraries, they would never rest on the
assumption that "many eyes looked at the code" so it must be secure.
They pay someone to review the code every time.


On Wed, Aug 28, 2013 at 3:31 PM, Mike Harrison <cluon at geeklabs.com> wrote:

> On Wed, 28 Aug 2013, wes wrote:
>
>> A smarter plan is to remove the need for secrets. Use strong encryption
>> and authentication, which are essentially
>> provided for you already in the shape of libraries. Leave the workings in
>> the open. All that remains is for your users'
>> keys to be compromised, and the attacker can then gain access to that
>> user's data only. This is the power of open
>> source: with many eyes on the system, the weaknesses will be brought to
>> light quite rapidly.
>>
>
> Regarding the keys. I'm tempted to add AGP to my Android phone so I can
> decrypt email from the 5 or so people I can use GPG'd email with from
> my phone. But my quandary is putting my private keys on the phone, which I
> really don't trust to keep them private on, or creating a different keyset
> for my phone, but then I'd have multiple keys for other people to decide
> which I might be using to read their email, or encrypt with both.. or.. or..
>
> So I'm just using one machine right now for GPG.. and I'm not so sure I
> trust it much, but I trust it more than I trust my phone.
>
> _______________________________________________
> Chugalug mailing list
> Chugalug at chugalug.org
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>



-- 
Chris Rimondi | http://twitter.com/crimondi | securitygrit.com