Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] AeroFS



> From: Mike Small [mailto:smallm at panix.com]
> Sent: Sunday, April 20, 2014 11:20 AM
> 
> Then don't use closed source OSes? 

LOL, yeah, my point.   ;-)   (Just to strip the potential for any misunderstanding, this is sarcasm.  The idea of only supporting open source OSes is ridiculous, especially when open source isn't exactly devoid of bugs either.)


> How do you examine closed source crypto? It's a fair argument that the
> code being available isn't sufficient to have all its bugs (intentional
> or normal) found, but if the code's not available at all...

Inspect what you can.  For example as I described with the SslStream.  Even if the source isn't available, the behavior is observable, and lots of times documentation is available, etc.  

If somebody wants to attack a closed source application, the unavailability of source sure doesn't stop 'em from trying.  So you do the same thing.  (Or I do, anyway.)  Without source, go and inspect what you can see.  Look at its behavior, look for weaknesses, try to understand the limitations.

A lot of its components will be straight up public standards, such as AES, SHA, etc.  And generally, documentation outright tells you this is what's being used. 

The very *concept* of "closed source crypto" in this context is barely even applicable.  Because seriously, how do you even define it?  If an application is built on top of public standard libraries...  Even if the application is closed source and the entire encryption library is closed source, as long as you're informed that an asymmetric keypair is being used, or a password with PBKDF2...  Then you know the crypto.

Suppose Truecrypt was actually closed source hypothetically.  It would be irrelevant, because (a) you've never read the source anyway, and (b) it's as plain as day, right there in the GUI interface, exactly what they're doing.  You select which cipher to use, you select which hash to use, you give it a password, and voila.  Crypto.



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org