Comment on Head of the Signal app threatens to withdraw from Europe
lmmarsano@lemmynsfw.com 1 day agoI don’t think you should comment on security if “open source” means anything to you
Anyone can look at the source, brah, and security auditors do.
For finding backdoors binary disassembly is almost as easy or hard as looking in that “open source”.
Are you in the dark ages? Beyond code review, there are all kinds of automations to catch vulnerabilities early in the development process, and static code analysis is one of the most powerful.
Analysts review the code & subject it to various security analyzers including those that inspect source code, analyze dependencies, check data flow, test dynamically at runtime.
There are implementations of some mechanisms from Signal.
Right, the protocol.
Can you confidently describe
Stop right there: I don’t need to. It’s wide open for review by anyone in the public including independent security analysts who’ve reviewed the system & published their findings. That suffices.
Do security researches have to say anything on DARPA that funds many of them?
They don’t. Again, anyone in the public including free agents can & do participate. The scholarly materials & training on this aren’t exactly secret.
Information security analysts aren’t exceptional people and analyzing that sort of system would be fairly unexceptional to them.
Oh, the surveillance state will be fine in any case!
Even with state-level resources, it’s pretty well understood some mathematical problems underpinning cryptography are computationally beyond the reach of current hardware to solve in any reasonable amount of time. That cryptography is straightforward to implement by any competent programmer.
Legally obligating backdoors only limits true information security to criminals while compromising the security of everyone else.
vacuumflower@lemmy.sdf.org 1 day ago
In short - something “everyone being able to look upon” is not an argument. The real world analogies are landmines and drug dealers and snake oil.
You are not speaking from your own experience, because which problems are solved and which are not is not solely determined by hardware you have to do it by brute force. Obviously.
And nation states can and do pay researchers whose work is classified. And agencies like NSA do not, for example, provide reasoning for their recommended s-boxes formation process. For example.
Solving problems is sometimes done analytically, you know. Mostly that’s what’s called solving problems. If that yields some power benefits, that can be classified, you know. And kept as a state secret.
People putting those in are also not in the dark ages.
There are things which were wide open for review by anyone for thousands of years, yet we’ve gotten ICEs less than two centuries ago, and electricity, and so on. And in case of computers, you can make very sophisticated riddles.
So no, that doesn’t suffice.
Oh, denial.
There have been plenty of backdoors found in the open in big open source projects. I don’t see how this is different. I don’t see why you have to argue, is it some religion?
Have you been that free agent? Have you participated? How do you think, how many people check things they use? How often and how deeply?
Yes, but you seem to be claiming they have eagle eyes and owl wisdom to see and understand everything. As if all of mathematics were already invented.
It’s not about obligating someone. It’s about people not working for free, and those people working on free (for you) stuff might have put in backdoors which it’s very hard to find. Backdoors usually don’t have the “backdoor” writing on them.
Perhaps the reason they have so many resources is that they don’t miss opportunities, and they don’t miss opportunities because they have the resources.