Date: Sun, 27 Jan 2019 20:47:42 +0100
From: Polytropon <freebsd@edvax.de>
To: Valeri Galtsev <galtsev@kicp.uchicago.edu>
Cc: freebsd-questions@freebsd.org
Subject: Re: Wireless interface
Message-ID: <20190127204742.f558599b.freebsd@edvax.de>
In-Reply-To: <a150116a-146d-7afb-ec5f-5f0ed276b0b6@kicp.uchicago.edu>
References: <CAPu-kW-0u=Eoj8NtASnD_WDnsosj_WcTEh=Zhby1DnBV3d2rdg@mail.gmail.com> <MWHPR04MB04954E8E691D98C40B68607780940@MWHPR04MB0495.namprd04.prod.outlook.com> <20190126213957.adfeb61c.freebsd@edvax.de> <5C4CE8B8.4030608@gmail.com> <20190127013705.3e8cd5f3.freebsd@edvax.de> <a150116a-146d-7afb-ec5f-5f0ed276b0b6@kicp.uchicago.edu>

On Sun, 27 Jan 2019 11:14:40 -0600, Valeri Galtsev wrote:
> I 100% agree with Polytropon, and would just add one simple point:
> FreeBSD is an open source system. Everyone in the World can (and some/many
> do) go and audit the code for backdoors and/or vulnerabilities.

It's not that the code of "Windows" or closed-source programs in
general won't be audited. But this process is not public. Auditors
have to sign an NDA, and there usually is no real indication of
_that_ they performed an audit, and _what_ they found out. The
primary reason is "trade secret". We know that "security by
obscurity" just doesn't work. :-)

You need to have trust both in the makers of the software and
in the auditors. You cannot buy trust. And especially when they
didn't properly do their normal work, and then "surprisingly"
something happened, and the public got knowledge about it -
instead of admitting the mistakes, adjusting their processes
accordingly, and trying to do better next time, they increase
prices and shove money into more aggressive marketing and ads,
_then_ you know exactly what their priorities are, even though
their web site claims "we value your privacy" or "we care for
our customers"...

Oh, and people still give them money. It's far easier if it's
tax payers' money, so no more annoying questions. :-)

> To the contrary to
> proprietary systems which not only hide the source, but also will do all
> to put you in jail if you reverse engineer (disassemble) their binary
> code and attempt to publicize the spy part if you discover one.

On the other hand, there is a market for especially 0days which
governments and their spy agencies are interested in. Law also
mandates or at least encourages backdoors and bypasses, so if
a company wants to do business in a given country, they will
surely follow those... suggestions...

> Of course we all learned mathematics, and logically it is difficult to
> prove FreeBSD does not have malicious code. However for those who claim
> the opposite: that FreeBSD does have malicious code in it, it is very
> easy to prove their point. It is sufficient to point to one of them. If
> one cannot point even to a single malicious chunk in FreeBSD, one
> shouldn't insist there is one.

It's also a fact that just because you pay money, you don't get
good software, where "good" means about every aspect that one can
be interested in: reliable, fast, secure, maintainable, and so on.
You can find similar problems everywhere where software plays a
significant role, not just PCs, but also appliances, NAS, routers,
switches, WLAN modems. Manufacturers don't care because of three
reasons:

1. "Good" (see above) costs money. Especially security does not
   generate an immediate gain, but is expensive to do right.

2. There is an EULA ("you sign by switching on" or "you agree by
   opening the box") that delegates all risks and troubles to
   the user - and far far away from the manufacturer.

3. The customer already handed over the money, so what?

Brand NAS with hardcoded password bypass, anyone? ;-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...