[Discuss] NAS: encryption

[richard.pieri at gmail.com (Richard Pieri)]

On 7/8/2015 1:18 PM, Derek Martin wrote:
> But it does not matter; you asked if I know any such people; you did
> not ask me to prove it.  Moreover, MY trust depends neither on my
> ability nor my willingness to prove my trust TO YOU.

My willingness to trust you does. Your claim is that open source is good 
because "some smart people" who you are unwilling or unable to name say 
it is. And then you provide one cherry-picked (as far as I can tell) 
example to specifically name, totally missing the irony of that person's 
job being identifying where open source security fails. And then you 
tell me to figure out the rest for myself. The appropriate response in 
polite conversation would be something like I flip you the bird and walk 
away.


> The notion that open source affords only an illusion of more assurance
> than closed source is nonsense.  It is still not perfect, as surely
> no human endeavor is.

The notion is not nonsense. It's reality. It's why Bashdoor went 
publicly undetected for 25 years. Many eyes looked at it but none of 
them, not even those of the vaunted unnameables, not even yours, spotted 
it or twigged to the severity. All of us... well, most of us anyway, 
myself included, were blinded by the illusion. We believed if there were 
problems then "some smart people" would have noticed them and fixed them 
because that's what open source is all about.

That didn't happen and we got another critical security flag day for the 
year.

-- 
Rich P.