On 04/16/2017 06:51 AM, Andrew Holway wrote:
There is no doubt that most security agencies have a long list of zero-day exploits in their toolbox - I would hazard to suggest that they wouldn't be doing their job if they didn't! But I seriously doubt they would commission exploitable code in something that is openly auditable.
P.
P., I used to think that too... indeed, I was thoroughly convinced of it. But reality changed my mind.
Indeed. I think the assertion "OSS is somehow safer because of community audit" is a logical fallacy. How would one go about "auditing" in the first place? Even if the various intelligence agencies are not injecting vulnerabilities, they would certainly be in a strong position to discover some of the holes that already exist some time before they become public.
I'm more worried about cloud services and the large number of root certificates that software trusts by default.
That's where a lot of the hacks are going to happen, and AFAIK the only defense against it is DNSSEC + DANE which very few zones actually utilize.
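As an added illustration of the DANE point above (not part of the thread), the following Python builds and checks TLSA records in the RFC 6698 format: certificate usage, selector, matching type, and the association data derived from the certificate. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, since extracting a real SPKI would need an ASN.1 parser; the check assumes the record was already obtained from a DNSSEC-validated answer.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TLSA RDATA parameter values as defined in RFC 6698.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: "exact", 1: "SHA-256", 2: "SHA-512"}

# Constructed stand-ins for a server's DER certificate and its SPKI (not real ASN.1).
SAMPLE_CERT_DER = b"\x30\x82CONSTRUCTED-CERT-DER-FOR-DEMO"
SAMPLE_SPKI_DER = b"\x30\x59CONSTRUCTED-SPKI-DER-FOR-DEMO"


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes  # certificate association data


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    """Derive the association data a record must carry for this certificate."""
    if selector not in SELECTORS or matching not in MATCHING:
        raise ValueError("unknown selector or matching type")
    selected = cert_der if selector == 0 else spki_der
    if matching == 0:
        return selected  # exact match: the record carries the full selected bytes
    return (hashlib.sha256 if matching == 1 else hashlib.sha512)(selected).digest()


def make_tlsa(usage: int, selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> str:
    """Zone-file presentation form, e.g. '3 1 1 <hex>' published at _443._tcp.<host>."""
    if usage not in USAGES:
        raise ValueError("unknown certificate usage")
    data = association_data(cert_der, spki_der, selector, matching)
    return f"{usage} {selector} {matching} {data.hex()}"


def parse_tlsa(presentation: str) -> TLSA:
    fields = presentation.split()
    if len(fields) != 4:
        raise ValueError("TLSA record needs four fields")
    usage, selector, matching = (int(f) for f in fields[:3])
    if usage not in USAGES or selector not in SELECTORS or matching not in MATCHING:
        raise ValueError("unknown TLSA parameter")
    return TLSA(usage, selector, matching, bytes.fromhex(fields[3]))


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the presented certificate satisfy the record? With usage 3 (DANE-EE) the
    record itself is the trust anchor; usages 0 and 1 also require PKIX chain validation."""
    expected = association_data(cert_der, spki_der, record.selector, record.matching)
    return hmac.compare_digest(expected, record.data)
```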