[Chugalug] Dropbox (and other Python Apps) Reverse-Engineered
wes at the-wes.com
Wed Aug 28 21:32:33 UTC 2013
If big company A pays someone to review the open-source code, and let's say they
find bugs and commit the changes upstream, and then company B pays someone to
review the code later, they now have two independent reviews of the same code
(whether more fixes are supplied or not), rather than the one you would get
from rolling your own.
On Wed, Aug 28, 2013 at 2:17 PM, Christopher Rimondi <chris.rimondi at gmail.com> wrote:
> "This is the power of open source: with many eyes on the system, the
> weaknesses will be brought to light quite rapidly."
> In theory that statement is great. Theoretically, more eyes on the code
> will find bugs faster. In practice I don't think so. I have heard of some
> pretty old bugs in popular open-source libraries. Finding security bugs in
> software is a lot of work.
> I bet if a company were developing a commercial application where security
> counted and that relied on open-source libraries, they would never rest on the
> assumption that "many eyes looked at the code" so it must be secure.
> They pay someone to review the code every time.
> On Wed, Aug 28, 2013 at 3:31 PM, Mike Harrison <cluon at geeklabs.com> wrote:
>> On Wed, 28 Aug 2013, wes wrote:
>>> A smarter plan is to remove the need for secrets. Use strong encryption
>>> and authentication, which are essentially provided for you already in the
>>> shape of libraries. Leave the workings in the open. All that remains is
>>> for your users' keys to be compromised, and the attacker can then gain
>>> access to that user's data only. This is the power of open source: with
>>> many eyes on the system, the weaknesses will be brought to light quite
>>> rapidly.
>> Regarding the keys. I'm tempted to add APG to my Android phone so I can
>> decrypt email from the 5 or so people I can use GPG'd email with from
>> my phone. But my quandary is putting my private keys on the phone, which I
>> really don't trust to keep them private, or creating a different keyset
>> for my phone, but then I'd have multiple keys for other people to decide
>> which I might be using to read their email, or encrypt with both... or... or...
>> So I'm just using one machine right now for GPG... and I'm not so sure I
>> trust it much, but I trust it more than I trust my phone.
>> Chugalug mailing list
>> Chugalug at chugalug.org
> Chris Rimondi | http://twitter.com/crimondi | securitygrit.com