[clug] [OT] all text passwords == secure?

steve jenkin sjenkin at canb.auug.org.au
Sun Aug 26 21:52:54 MDT 2012

Angus Gratton wrote on 27/08/12 12:13 PM:

>  For a while now I've used LastPass, which is closed source

Angus, a good contribution and more than reasonable advice. Thanks.

The rest is nit-picking on my part, so everyone, feel free to delete now...

There's a logical problem with using someone else's code that's not
transparent [not FOSS ideology]:

 The Ken Thompson observation in "Reflections on Trust".
 If you didn't build the whole toolchain, can you trust a binary?

And the more realistic reason for FOSS:
  without source there's no transparency, you can't know what they are
doing with your most important, private data.

Or in Cold War parlance, "Trust but Verify".
If you can't see the code, you can't verify...

Why this is in effect nit-picking and a moot argument, not effective in
practice: [Not meant to be flame-bait. I'm trying to be pragmatic.]

 Almost all FOSS users never look at the source code, never build the
binaries they use and blindly trust the distributions they use, their
processes, website, selection/background checks on privileged
admins/developers etc.

I'm one of those people, too. I'm not doing a "holier than thou" here,
nor "do what I say, not what I do".

For servers, I blindly trust both Debian and CentOS [non-commercial
teams without deep resources].

For my desktop, Ubuntu. [Canonical, a commercial operation, may have the
resources to audit process and check employees' bona fides.]

As FOSS users, you have to Accept the Risk that your favourite binary
Distribution might get compromised by a Determined Capable attacker, say
like the Nation states that did Stuxnet and descendants.

I'm *not* saying "don't trust Linux/FOSS binary distros", they are
arguably the most trustworthy and least compromised desktop and server
environments to use.

I'm suggesting the popular distros and even large software projects
(e.g. GNU desktop) are very high-value targets for Patient hackers
backed by deep pockets.

Even given that, they are much more trustworthy than Closed Source.

I'd like to offer a solution or protection, but I don't have one...

