[Discuss] Good and Bad Crypto

Derek Martin invalid at pizzashack.org
Wed Apr 23 13:40:46 EDT 2014


On Wed, Apr 23, 2014 at 12:04:22PM -0400, Richard Pieri wrote:
> Derek Martin wrote:
> >Unless they hack the vendor and steal the source.  White hats aren't
> >going to do that. [...]
> 
> What's your point? That hiding the code is of zero relevance to the
> security of that code?

The point was perfectly clear from context, which you removed.  The
word "unless" indicates contradiction... so it should be extremely
clear that my point was to refute your point.  I'll re-insert it for
you:

On Tue, Apr 22, 2014 at 08:14:15PM -0400, Richard Pieri wrote:
> The knife cuts both ways, Tom. If white hats can use tools like
> these to find flaws in code then black hats can use the same tools
> to find the same flaws. Closed source crypto becomes more beneficial
> to the world than open source crypto because it denies black hats
> the ability to use to these tools against it and leaves them with
> your once in a thousand years chance of accidentally finding a flaw.

It does no such thing.

Attackers have many other means to effect attacks if they are
motivated...and they are.  Closed source only hinders those who are
unwilling to commit crimes and/or who lack the resources to achieve
their goals.  Black hats are not bound by the former, and there are
plenty of criminals who are not bound by the latter.

The ONLY defense the rest of us have against this is transparency,
which puts the white hats and black hats on equal footing.  I never
said it was a perfect defense; it is not.  But it's all you have.
Closed source takes even that away, leaving you with nothing other
than blind trust, which is completely worthless in this context, since
we KNOW that your vendor (a) WILL get it wrong, at least sometimes,
and (b) IS motivated by profit, and (c) MAY NOT be perfectly
forthcoming about its (other) motives, methods, and failures (and
almost certainly will not be, to at least some extent).

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.



More information about the Discuss mailing list