Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

Ted Lemon <ted.lemon@nominum.com> Sat, 07 September 2013 14:45 UTC

Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FF4921F9D2B for <ietf@ietfa.amsl.com>; Sat, 7 Sep 2013 07:45:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.588
X-Spam-Level:
X-Spam-Status: No, score=-106.588 tagged_above=-999 required=5 tests=[AWL=0.011, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c+sZEjTXP-PL for <ietf@ietfa.amsl.com>; Sat, 7 Sep 2013 07:45:30 -0700 (PDT)
Received: from exprod7og126.obsmtp.com (exprod7og126.obsmtp.com [64.18.2.206]) by ietfa.amsl.com (Postfix) with ESMTP id 798C021F997D for <ietf@ietf.org>; Sat, 7 Sep 2013 07:45:29 -0700 (PDT)
Received: from shell-too.nominum.com ([64.89.228.229]) (using TLSv1) by exprod7ob126.postini.com ([64.18.6.12]) with SMTP ID DSNKUis8CECl7vZeY//baruiYr4fG4MgtWnH@postini.com; Sat, 07 Sep 2013 07:45:29 PDT
Received: from archivist.nominum.com (archivist.nominum.com [64.89.228.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.nominum.com", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by shell-too.nominum.com (Postfix) with ESMTP id 283B41B8187 for <ietf@ietf.org>; Sat, 7 Sep 2013 07:45:28 -0700 (PDT)
Received: from webmail.nominum.com (cas-02.win.nominum.com [64.89.228.132]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "mail.nominum.com", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by archivist.nominum.com (Postfix) with ESMTPS id 0C67719007A; Sat, 7 Sep 2013 07:45:28 -0700 (PDT) (envelope-from Ted.Lemon@nominum.com)
Received: from [10.0.10.40] (192.168.1.10) by CAS-02.WIN.NOMINUM.COM (192.168.1.101) with Microsoft SMTP Server (TLS) id 14.2.318.4; Sat, 7 Sep 2013 07:45:28 -0700
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0 (Mac OS X Mail 7.0 \(1805\))
Subject: Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA
From: Ted Lemon <ted.lemon@nominum.com>
In-Reply-To: <CAMm+Lwj0hHkTLaGr2y6WXY8noW+ELrM2DPtkZ3y5u7Y4pt3SNw@mail.gmail.com>
Date: Sat, 07 Sep 2013 10:45:24 -0400
Content-Transfer-Encoding: quoted-printable
Message-ID: <8714B1B9-1342-4421-8895-AD4D6E9E75B7@nominum.com>
References: <alpine.BSF.2.00.1309051743130.47262@hiroshima.bogus.com> <52293197.1060809@gmail.com> <5C7FECAB-8A22-4AF1-B023-456458E1B288@nominum.com> <522949C2.8010206@gmail.com> <52294C6D.7090206@gmail.com> <m2ppsmzgs5.wl%randy@psg.com> <5229686A.5090308@gmail.com> <31078634-5AEA-4FC9-80A8-2E77650BA530@piuha.net> <20130906072539.GJ5700@besserwisser.org> <9AC2A86F-250C-4B3C-B9BA-8DF44C937B41@nominum.com> <20130906210638.GC3428@besserwisser.org> <158C3418-AE87-4843-BFD5-3E2AC3495631@virtualized.org> <CAHBU6itwDc8DiY4B_2GGe0xWZ3Zs_ctx3BkKkzdGTZT2PfgMkA@mail.gmail.com> <CAMm+Lwj0hHkTLaGr2y6WXY8noW+ELrM2DPtkZ3y5u7Y4pt3SNw@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
X-Mailer: Apple Mail (2.1805)
X-Originating-IP: [192.168.1.10]
Cc: Måns Nilsson <mansaxel@besserwisser.org>, Tim Bray <tbray@textuality.com>, "ietf@ietf.org list" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Sep 2013 14:45:43 -0000

On Sep 7, 2013, at 9:39 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> Nor does being open source provide any additional security, only review provides security and it is hard enough getting people to review other people's code when you pay them to do that. Expecting people to spend their time reviewing other people's code for fun is naive. Kerberos had a major architectural flaw that went unnoticed for over a decade.

On the contrary, I used to suffer through security audits on ISC DHCP code back in the day; people were doing this entirely on a volunteer basis.   I think it's incorrect to suggest that open source code doesn't get audited, and indeed it's likely that it gets audited more thoroughly and more usefully than a lot of closed source code.

It really depends on the setting.   My own company sells closed-source code; Andrea asked me the other night whether I thought there might be something scary in the code.   I thought about it, and concluded that it was unlikely, because we have a very small, tight team, and everybody sees all commits.   I think it would be difficult to suborn our code without everyone on the team knowing about it, and knowing who is on the team, that would quickly be the rest of the world.

An open source project with a less tight team, or a completely suborned team, might be far less trustworthy.   But another closed-source project might be far worse, if for example the repository were so big that nobody watched all commits, and the set of committers so large that it would be easy to suborn one of them.

I think the only rule you can go by here is caveat emptor, whether the code is open or closed.   You need to actually figure out who you are doing business with.

As for compilation versus source, that's a real issue, but open source is a clear win here, because you have both the input and the output, and you can compare them.   Here, an open source project with a clear build process that is replicable is a huge win over one that is complex and wonderful and non-replicable. Knowing quite a few of the latter, I hope to see improvements that some increased paranoia might yield as people flock to the more verifiable builds, and the projects with poor build processes fix them.