"And there you have it folks. Open-source "many eyes have looked at it for years so it must be secure" crypto code."

🤘

https://threadreaderapp.com/thread/...

Thank fuck I don't interact with anyone that uses 7zip for it's encryption.

That's what happens when many eyes think that many others eyes have already been looking, so why bother. Result is, everyone can look, but nobody does.

Would be interesting, if the 7z-implementations of file-roller and peazip also have these vulns.

@Fast-Nop But someone did look, thats why we now know that it has issues, when it comes to cryptography its best to go with tools dedicated to that purpose rather than tools that just have encryption as an extra feature (That goes for both proprietary and opensource software)

Thats why I get annoyed by the general attitude of the privavy folks here. I doubt there are many of those actually checking the code. Its secure since its open source right?

At least we get to know about it at this point. With closed source we wouldn't.

Nothing is completely secure, it doesn’t matter how many eyes look at it, there will always be one that spots the flaw.

The bug has been reported, and the author even wrote they might provide a fix.

Guys, try that with closed source.

Really, stop wetting your pants. That's how open source works.

@Yamakuzure

agreed. Michal Stanek's impromptu security audit is a self-fulfillment of the benefits of the open source model: SOMEBODY DID decide to look closely, found the issue, and now it will be fixed.

Open source doesn't mean it's secure by default at all, it just means that we *can* actually verify it for vulnerabilities and backdoors, this has been done and a vulnerability has been discovered, awesome, it works exactly the way it's supposed to!

Just imagine this being closed source (and as popular as it is now) and an intelligence agency (let's take the NSA) discovering this. That's be fucking gold and it might not be discovered by someone else at all.

@Yamakuzure no, that's not how open source is advertised. The vulnerability was discovered after years. Yes it is reported but dev might not even fix it.

Point is that only advantage for open source is collaboration. Other pros of open source are not guaranteed and we are reminded of that very frequently and in such painful ways.

@linuxxx 2 things:
A- correct, it is not secure by default. But your definition of works here is concerning because this was discovered after years. Better than not being discovered but still not as good as what the open source community advertises.

B- the NSA is probably reading all the open source code (actually reading it unlike open source fans) and the public availability of the code makes their search for vulnerabilities much easier... Oh, and of course they won't report it. Open source just makes their jobs easier.

@MrCSharp compiled code, at the end of the day, is always open source.

you cannot hide anything to people with enough money, time, and motivation.

but you can make things easier for everyone else

@MrCSharp *coughcoughOpenSSLcoughcough*

And what is "the open source community"?
Don't make it sound like we were a kind of club. With monthly meetings and a sales department.

And no, Open Source makes things more difficult for guys like the NSA, because vulnerabilities *are* found eventually. Think about it.

@MrCSharp
2) sure but they'd probably either hack into companies servers to obtain the source code of software or get them through a subpoena or, of course, use their surveillance programs to gain access to anything they can. For that matter, to the nsa, it doesn't matter whether it's open or closed source.

@linuxxx or just run it through a disassembler, its a bit time consuming to read assembly but its really not that difficult. (Especially not with the debugging tools we have today)

@ItsNotMyFault Or that indeed. My point is that with closed source software, nobody except for the spy agencies and the companies itself can easily (or at all) review the code, with open source software, at least everyone can look at it.

@linuxxx sure, everyone can, that's a potential advantage. But for years, nobody does in reality. "Given enough eyes, all bugs are shallow"(tm) - no, wrong. Only with enough eyes that actually look, which is not the case.

And even if more eyes were looking, that still would require eyes with a brain behind to understand, and that is notoriously difficult with security. Unlike "average" bugs, insecure code works under normal circumstances.

@Fast-Nop Well yeah, good point but if the option isn't even there, nobody *can* even review the code.

@linuxxx But the point also of the OP is, "potential" security is not what's usually advertised in the OSS scene.

I think you're misunderstanding something. Open-source means just that and nothing else.

As someone else said, compiled code is always open source. It's not as easy but not impossible for a bad actor with enough resources.

The only reasons I could think why anyone would want to hide their code are fear of competition, ulterior motives, and poor levels of code quality.

Code reviews, and security audits. We can have all that with open source too. What's even better is if the official maintainers aren't, you can do it yourself and submit a patch. Open source gets patched faster. The most popular example would be Shellshock vs EternalBlue. How long did you have to wait for an update? [Generic you, I'm not attacking anyone.]

Closed source is the root of all evil and you know it.