[CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.

Sun Apr 16 17:25:32 UTC 2017
Pete Biggs <pete at biggs.org.uk>

> Indeed. I think the assertion "OSS is somehow safer because of community
> audit" is a logical fallacy. How would one go about "auditing" in the first
> place?

There are tools to audit source code for problems - OSS is safer
*because* the source is available and can be audited. 

> Even if the various Intelligence agencies are not injecting
> vulnerabilities then they would certainly be in a strong position to
> discover some of the holes already existing some time before they become
> public.

Yes. And despite what people think, those agencies don't have super
powers. They have tools to help them, and lots of resources, but
nothing out of the ordinary. There is nothing that the NSA can do that
can't be done by other agencies or even individuals (or enough
individuals working together).

There is no doubt that every single security agency in the world has a
team working on discovering exploitable code in all operating systems.
It's what they do. Any exploit they find that has been reported is
probably because some other agency has found it as well so they want to
stop them using it.

> 
> Unless you're operating an air gap network you can be damn sure that 'they'
> can get into your systems if they really want to.

The only truly secure machine is one that is at the bottom of a mine
shaft, turned off and dismantled. :-)

P.