Viewing a single comment thread. View all comments

kcabnazil t1_j9xi3m9 wrote

You make good points here. Multiple, actually. Using any software or hardware means putting your trust in whoever made it. Extrapolating that into something of a strawman argument/fallacy that is still completely true, using any device you didn't personally manufacture and write all the firmware/software for is opening yourself up to insecurity. The real question is, as you allude to, "who do you trust, and how far?"

However, I'd argue the semantics of, "if anything, it means people will overly trust it."

People will overly trust anything that sells them the message they want. That includes using products from big name companies. That also means believing their IT friend Bob who says anything open source is the way to go. Little do they know, Bob also happens to be making a dollar a day on their open source but rarely scrutinized app for dog memes using your phone for cryptomining.

Apple's image of privacy for the iPhone is a mirage built on believable efforts and misleading reports. People still gulp it down eagerly. Signal's image of privacy is built on throwing themselves to the lions by being well known and showing their code; anyone and everyone with the capacity to look will look if it matters to them. It doesn't mean Signal is perfect, but it does mean they're putting everything on the line to prove they're doing the best they and every other contributor can. Both teams have track records, but only one is willing to show you what happened along the way.

That said, I find it very surprising that Signal has not gone the way of Lavabit. How have they evaded U.S. government gag orders while honoring their commitments? I assume no big company has; that's rather perposterous, honestly. Several have canaries for these situations.


drawkbox t1_j9xtvb4 wrote

I am more zero trust but if you are going to trust, trust fewer third parties. Even if trustable. Third parties get sold. Third parties need to make money from that not other ways only (Apple/Google for instance don't need you using messaging to survive).

If you are already on a browser, a password store/generator is safer without a third party involved. The OS, browser and company already have you, why involve a third party?

Same with messaging... Trusting WhatsApp/Signal/Telegram is not only another level third party, it is your most private content... why trust a funded/private equity/questionable source system if you don't have to.

Signal does appear to be the best of them, however being open is not safer always.

The new trick is dependency/build attacks, so good sometimes the main company doesn't even know it is happening (see SolarWinds that was hacked via TeamCity CI, the bad bits were being put into the dependencies at build, code was fully independently verified). The problem is blanket trust. It is what led to the OpenSSL Heartbleed hole, the Log4j/Log4Shell hole and pretty much any bit hole in the last year was part of open source.

When a company gets their source code stolen (LastPass for instance) the point is to find dependencies they can manipulate, not even the code itself. Almost all closed code uses dependencies that are open or known, and have known holes, the key there is utilizing that when you know the code flow. Open source actually makes that part easier, no need to steal source code.

I am a big OSS fan, but I hate how devs are the weak link today. Devs today are so willing to trust a third party because they heard about it or it saves a day. Those are the MOST targeted dependencies...