
I met a software engineer that insisted technologies like OpenSSH


Thread replies: 27
Thread images: 1

File: le epic la hacker.png (208KB, 800x496px)
I met a software engineer who insisted that technologies like OpenSSH with an open source licence might have back doors known to the government.

Does that have any chance to be true?
>>
That software engineer is a windows shill so he is trying to deter you from freedom.
>>
No. There's 0%. 0%. Heh, heh, heh. 0%, goy.
>>
>>58586198

He was actually a hardcore FreeBSD user if I recall correctly.
>>
>>58586189
He's right, it MIGHT have.
In the meantime, proprietary technologies like Windows are KNOWN to have backdoors.
https://en.wikipedia.org/wiki/NSAKEY
https://www.gnu.org/proprietary/malware-microsoft.en.html
>>
>>58586189
There has been speculation that some crypto algorithms in OpenSSL, like AES and ECDSA, have mathematical weaknesses that make them easier to crack, especially with special-purpose hardware. The NSA was involved in the development of these algorithms and made some questionable design decisions.

There is no smoking gun, and such flaws wouldn't make it trivial to crack the encryption. They would reduce the time necessary by orders of magnitude but it would still be expensive enough that it could only be used to crack communications or files already regarded as suspicious. There is not enough computing power to decrypt all the traffic flowing through an ISP with this technique.

Another algorithm in OpenSSL, ed25519, is widely regarded as immune to these attacks.
>>
They have. I've seen 'em.
>>
>>58586445
Well, not seen seen, but I've smelled 'em so close.
>>
>>58586293
For a bit more context, there is one (ECDSA) where the government provided "recommended" parameters for strength. It is strongly believed that these parameters are actually backdoored (there's a mathematical explanation for how they could backdoor the parameters).

This kind of encryption is, of course, recommended by the gov't, so many companies opt for the recommended keys. So there are many connections that are insecure by default.
>>
>>58586189
Most of open source is gov-funded, in big part from the defense budget.
If you're not paying, you're the product.
>>
>>58586189
Might is better than definitely, like with Windows 10.
>>
>>58587459

That's a naive view. The best place to hide is in plain sight. After the recent fiasco, Windows will be extremely hard pressed to NOT have backdoors because every script kiddie is looking into it for their moment of fame.

Therefore it's very likely that Windows, under a regime of disabled information services (which is very transparent how to do), is more secure than the autistic behavior "oh it's Linux, it's NEVER insecure".

tl;dr: prepare your anus linuxcuck
>>
>>58586189
there are 3 main ways crypto software can get fucked:

> weak algorithms - e.g., Dual_EC_DRBG, possibly NIST ECC curves
> flawed protocols - overly complicated designs inherently leak information or are just easy to fuck up implementations
> implementation bug/"bugs" - e.g., Heartbleed

the simpler the system, the fewer opportunities that exist for mistakes and backdoors.
in reality, it's just easier for bad actors to get server keys for RSA-style handshakes.
for signed Diffie-Hellman handshakes (ephemeral/perfect-forward-secrecy or otherwise), a compromised RNG on either the client or server end is also sufficient, which is scary to think about.
>>
Sure, but it is far less likely. Take a look at the Underhanded C Contest.
>>
>>58586189
Look up the whole MODULUS mess.

Hard-coded numbers in lots of open source crypto that were attacked for BIG BIG MONEY by the NSA. Never use a default modulus.

>inb4 RDRAND
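As an added example (not code from the thread or from OpenSSH), a small Python audit of OpenSSH-style moduli(5) lines that flags the small or untested default groups the post above warns about; the sample lines are constructed stand-ins rather than real primes, and the 2048-bit floor is an assumed policy.

```python
"""Audit OpenSSH-style DH group-exchange moduli lines (added example)."""
from dataclasses import dataclass

MIN_BITS = 2048      # assumed policy floor; small shared groups are the risk discussed above
SAFE_PRIME = 2       # moduli(5) type field: 2 = safe prime
MILLER_RABIN = 0x04  # moduli(5) tests field bit: Miller-Rabin test performed


@dataclass
class Modulus:
    type: int
    tests: int
    tries: int
    size: int
    generator: int
    value: int


def parse_moduli(text):
    """Parse 'time type tests tries size generator modulus(hex)' lines; skip comments."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 7:
            raise ValueError(f"malformed moduli line: {line!r}")
        records.append(Modulus(*map(int, fields[1:6]), int(fields[6], 16)))
    return records


def problems(m):
    """Return policy findings for one group (empty list = acceptable)."""
    issues = []
    bits = m.value.bit_length()  # recomputed; the size field is bits-1 in shipped files
    if bits < MIN_BITS:
        issues.append(f"{bits}-bit modulus is below {MIN_BITS}")
    if m.type != SAFE_PRIME:
        issues.append(f"type {m.type} is not a safe prime")
    if not (m.tests & MILLER_RABIN):
        issues.append("never Miller-Rabin tested (run ssh-keygen -T)")
    if m.generator not in (2, 5):
        issues.append(f"unusual generator {m.generator}")
    return issues


def audit(text):
    """List (bit length, findings) for every group, in file order."""
    return [(m.value.bit_length(), problems(m)) for m in parse_moduli(text)]


def _constructed_line(bits, tests=0x06):
    # Constructed stand-in of the requested size; NOT a real prime, only for format/policy checks.
    n = (1 << (bits - 1)) | 1
    return f"20240101000000 2 {tests} 100 {bits - 1} 2 {n:x}"


SAMPLE = "\n".join(["# constructed sample, not a real /etc/ssh/moduli", _constructed_line(1024),
                    _constructed_line(2048), _constructed_line(4096, tests=0x02)])
```

Pointing `audit` at a real `/etc/ssh/moduli` lists which groups a server would offer below the floor; primality itself is left to `ssh-keygen -T`.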
>>
>>58588201
Came here to post this
>>
>>58586189
Let's put it this way: the same team who develops OpenBSD develops OpenSSH. OpenBSD is an entire OS, used for its security around the world (banks, routers, etc. Very common for top notch security.) OpenBSD has only had 2 remote vulns since it was made in the '90s, so I'd argue it's more secure. It's also included by default in OpenBSD.
>>
Be skeptical, people.
Open sourced does not mean secure and private in any way.
People do malicious stuff under the excuse "you can read the code", knowing nobody will do so.
>>
>>58589865
Open source is a necessary condition for software to be considered secure. You're right, however, that it is not a sufficient condition.
>>
>>58590026
>>
>>58587565
>That's a naive view.
I disagree. It's a semi-trolling statement that has motivated many a bug hunter into action. More bugs have been found in Linux lately largely due to our smug attitudes and the notoriety that comes from finding them. Patches usually get released almost immediately, so I would say this is a winning situation for Linux. Back when nobody used Linux it WAS safe to assume you'd never have anything to fear, because nobody could be bothered with targeting a few thousand neckbeards who probably really knew their shit and would catch on to anything suspicious. These days, Linux is enjoying a larger, less skilled audience, and this is making it a more profitable target. In short, you have to make some noise to attract the attention of security experts if you want to get the bugs fixed, especially if you have a small share of the market.
>>
>>58589883
Rewording it.
Open source is a mandatory premise for software to be considered secure. A mandatory condition for software to be considered secure would be constant and accessible audits.

Being closed (thus failing premise) = not secure
Passing premise = potential
Passing premise & condition = secure
>>
>>58587565
>The best place to hide is in plain sight
This is only true assuming you are up against a human adversary.

Look at how much money Microsoft and Google are dumping into machine learning. It's pretty reasonable to assume that they have reliable ways to find a needle in a haystack.

>disabled information services
How do you really know that they are disabled, though?
Let's assume the worst case scenario: backdoors are built into Windows at the kernel level, and there are some "services" which the operating system doesn't expose to userland.

>inb4 traffic analysis
Programs like Wireshark ask the OS to provide information about network traffic, and then the program displays it to you. There is nothing stopping a diabolical operating system (not necessarily suggesting that Windows has reached this point) from lying about that information. My point is that if you can't trust your OS, there is no reason to even think about disabling info services.

Yes, we can't trust Linux in the same sense, because none of us have a solid grasp of the source code, but it's much easier to trust something made by thousands of individual contributors and a few corporations working together out in the open than a monolith made by one company behind a veil.
>>
>>58589865
It's far more risky to be malicious and open source your software than to be malicious and proprietary. While I'm not going to read every line of the source code in every open source software I use, I'm not going to be able to do that in proprietary software either, and hopefully an independent audit will fix the open source security issue.
>>
>>58586206
yes he's the shitposter that posts in every BSD related thread

merely mentioning it is enough to get him to come in here and whine about shills and cuck licenses
>>
>>58587565
posts like these are how I know there are no real computer scientists here anymore. go back to /v/ you windows obsessed manchild
>>
>>58591567
/g/ is just /v/-gaymen computers mostly now. 4+4 /tech/ has more technology related threads