On 04/16/2017 06:51 AM, Andrew Holway wrote:
>>
>>> There is no doubt that most security agencies have a long list of zero-day
>>> exploits in their toolbox - I would hazard to suggest that they
>>> wouldn't be doing their job if they didn't! But I seriously doubt they
>>> would commission exploitable code in something that is openly
>>> auditable.
>>>
>>> P.
>>>
>>
>> P., I used to think that too... indeed, I was thoroughly convinced of it.
>> But reality changed my mind.
>
>
> Indeed. I think the assertion "OSS is somehow safer because of community
> audit" is a logical fallacy. How would one go about "auditing" in the first
> place? Even if the various Intelligence agencies are not injecting
> vulnerabilities then they would certainly be in a strong position to
> discover some of the holes already existing some time before they become
> public.

I'm more worried about cloud services and the large number of root certificates that software trusts by default. That's where a lot of the hacks are going to happen, and AFAIK the only defense against it is DNSSEC + DANE, which very few zones actually utilize.