Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Good and Bad Crypto

Derek Martin wrote:
> Attackers have many other means to effect attacks if they are
> motivated...and they are.  Closed source only hinders those who are
> unwilling to commit crimes and/or who lack the resources to achieve
> their goals.  Black hats are not bound by the former, and there are
> plenty of criminals who are not bound by the latter.

Gee, I seem to recall writing something to the effect that hiding code 
as a security mechanism is laughable.

> The ONLY defense the rest of us have against this is transparency,
> which puts the white hats and black hats on equal footing.  I never
> said it was a perfect defense; it is not.  But it's all you have.

Actually, no, it's not...

> Closed source takes even that away, leaving you with nothing other
> than blind trust, which is completely worthless in this context, since
> we KNOW that your vendor (a) WILL get it wrong, at least sometimes,
> and (b) IS motivated by profit, and (c) MAY NOT be perfectly
> forthcoming about its (other) motives, methods, and failures (and
> almost certainly will not be, to at least some extent).

... because every major closed source vendor in the US uses the same 
test labs to test and certify their code that open source vendors in the 
US use to test and certify their code. That's right. Microsoft and Apple 
and Oracle have their code tested and certified by the same labs that 
Red Hat and SuSE and the OpenSSL project use.

The world doesn't trust OpenSSL because it's open source. The world 
trusts OpenSSL because the cryptographic module has a FIPS 140-2 
certificate. That certificate happens to be the same level certificate 
that Microsoft has for their cryptographic module. The testing standards 
are the same. The testing rules are the same. The testing procedures are 
the same. The certification and assurance levels are the same. Are the 
two modules equally trustworthy? Yes, they are, because they both passed 
the same certification process.

Rich P.

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /