Linked by Thom Holwerda on Tue 14th Dec 2010 23:55 UTC, submitted by Oliver
OpenBSD Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.
Thread beginning with comment 453686
To view parent comment, click here.
To read all comments associated with this story, please click here.
dylansmrjones
Member since:
2005-10-02

Bullshit, and nice trolling btw.

Companies have little financial incentive to audit their code, not even when explicitly paid for it. They will audit the code exactly as little as they can get away with - and no more. There's a reason the most insecure software packages are proprietary packages. Because they cannot be effectively audited.

FLOSS projects have an incentive that no proprietary project will ever have: Street credit.

Reply Parent Score: 2

_txf_ Member since:
2008-03-17

How about being a little less hostile?

Many companies do as little as possible but there are also those that do an average job and those that do an excellent job. Blanket statement FAIL.

Security Companies DO have financial incentives to audit their code as it would be highly embarrassing and financially damaging if things like this were to be found.

The "Real" difference between closed source is that number and variety of people that can look at the code increasing coverage against poor coding or just plain human error (in the code and in checking the code).

However, there is not real statistical way to accurately quantify security verification. Are 3 less intelligent/fastidious code checkers in an OSS project than 1 very fastidious/Intelligent code checker better?

The fact that OSS is more secure is still only a (probable) hypothesis. NOT 100% proven theory.

I would say that it is likely that the low hanging security bugs are more likely to be caught in OSS that closed source, but the really tricky stuff in critical software is probably a much more level playing field.

Edited 2010-12-15 14:53 UTC

Reply Parent Score: 2

dylansmrjones Member since:
2005-10-02

There is zero hostility on my part; I'm merely stating a fact. google_ninja is trolling - with support from MollyC. No surprise though. They are as mad as a certain french windmill.

EDIT: Corporate Capitalism results in companies only having one incentive: Maximum profit. This means they will do as little as necessary and cannot be relied on for anything remotely connected to infrastructure and security. They are good at making refrigerators, but that's it really. Anything more than that requires laws that diminishes profits unless the companies take on certain tasks. Or put differently: Companies have zero incentive to audit their code.

Edited 2010-12-15 19:18 UTC

Reply Parent Score: 1

google_ninja Member since:
2006-02-05

I am literally in the middle of exactly that kind of audit right now.

Our customers care about that kind of thing, they care about our test coverage, and they care about our engineering practices. They are serious companies that are literally putting their future in the hands of our software, and our answers to those kinds of questions can be the difference between making a sale, and losing it.

The reason that I said "to argue the other side" is because I don't really agree with the origional post, exactly because of the street cred thing. It is rare to have security experts reviewing open source code to prove they are badasses publically, but at the same time its rare for a company to have the engineering practices we do, and I don't think one really trumps the other.

Reply Parent Score: 2