[Chugalug] Dropbox (and other Python Apps) Reverse-Engineered

wes wes at the-wes.com
Wed Aug 28 21:32:33 UTC 2013


if big company A pays someone to review the open source code, let's say they
find bugs and commit the changes upstream, then company B pays someone to
review the code later, they now have 2 independent reviews of the same code
(whether more fixes are supplied or not), rather than the 1 you would get
from rolling your own.

-wes


On Wed, Aug 28, 2013 at 2:17 PM, Christopher Rimondi <chris.rimondi at gmail.com> wrote:

> "This is the power of open source: with many eyes on the system, the
> weaknesses will be brought to light quite rapidly."
>
> In theory that statement is great. Theoretically, more eyes on the code
> will find bugs faster. In practice I don't think so. I have heard of some
> pretty old bugs in popular open source libraries. Finding security bugs in
> software is a lot of work.
>
> I bet if a company was developing a commercial application where security
> counted that relied on open source libraries they would never rest on the
> assumption that the "many eyes looked at the code" so it must be secure.
> They pay someone to review the code every time.
>
>
> On Wed, Aug 28, 2013 at 3:31 PM, Mike Harrison <cluon at geeklabs.com> wrote:
>
>> On Wed, 28 Aug 2013, wes wrote:
>>
>>> A smarter plan is to remove the need for secrets. Use strong encryption
>>> and authentication, which are essentially
>>> provided for you already in the shape of libraries. Leave the workings
>>> in the open. All that remains is for your users'
>>> keys to be compromised, and the attacker can then gain access to that
>>> user's data only. This is the power of open
>>> source: with many eyes on the system, the weaknesses will be brought to
>>> light quite rapidly.
>>>
>>
>> Regarding the keys. I'm tempted to add AGP to my Android phone so I can
>> decrypt email from the 5 or so people I can use GPG'd email with from
>> my phone. But my quandary is putting my private keys on the phone, which I
>> really don't trust to keep them private on, or creating a different keyset
>> for my phone, but then I'd have multiple keys for other people to decide
>> which I might be using to read their email, or encrypt with both.. or.. or..
>>
>> So I'm just using one machine right now for GPG.. and I'm not so sure I
>> trust it much, but I trust it more than I trust my phone.
>>
>> _______________________________________________
>> Chugalug mailing list
>> Chugalug at chugalug.org
>> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>>
>
>
>
> --
> Chris Rimondi | http://twitter.com/crimondi | securitygrit.com
>