Debating OSS: Yubico OpenPGP bug "was NOT detected by any audit of the source code", well not competent ones...https://twitter.com/AsherLangton/status/731190908041842688 …
when that specific bug was a clear sign of the vendor not auditing their code...at all, because that bug was so easy to find...
-
-
Exactly. So instead of opening YK4 source, @Yubico should make transparent their _security practices_. -
Had they been clear about Neo applet being untested 3rd party code then we would have known it couldn't be trusted.
-
But opening all of their code does nothing to help us decide if it's good or not. Only verification can do that.
-
I disagree, it helps and it doesn't hurt...it might contribute 0 worst case but certainly it doesn't hurt technical interests
-
I am just disappointed with the slow migration to a different model based on commercial concerns rather than technical
-
and the apparent mismanagement of at least 2 security bugs in my mind, again I find the all != OSS dissertation as indelicate
-
I am not against OSS. I just don't want people to assume OSS == more secure. Assurance can be built without opening source.
-
yes, I disagree on the opposite "There is an inverse relationship between making a chip open and achieving security certifications"