The FBI Paid OpenBSD Developers For Backdoors?

  • #51
    Originally posted by movieman View Post
    OH MY GOD! I FORGOT! I worked on a contract for Microsoft a decade ago and someone told me that their brother's aunt's first cousin's boyfriend was paid by Richard Nixon to put a backdoor in Windows!

    Would anyone take that at all seriously even though Microsoft source is closed and no-one outside the company can even check to see whether such a back door exists? Yet people are ranting about the horrible security of an operating system where anyone who cares can trivially check the real, actual source code.
    You'd be surprised what people will take seriously. Some people actually bought the Brooklyn Bridge: http://www.nytimes.com/2005/11/27/ny...brid.html?_r=1

    Some people believe the September 11, 2001 Al Qaeda attacks were perpetrated by the U.S. Government: http://en.wikipedia.org/wiki/9/11_conspiracy_theories

    Some people believe the moon landings were faked: http://en.wikipedia.org/wiki/Moon_la...iracy_theories

    Some people actually believe that their email has won that lottery or that the counterfeit check cashing/money laundering scheme is legitimate.

    btw - http://scienceblogs.com/goodmath/200..._ritchie_a.php

    "Many eyes" is just a marketing line, it is not a security tool.



    • #52
      Originally posted by crazycheese View Post
      Open-source is based on "public eyes" model.
      Yeah. And that's called trust.

      Closed source is based on trust (how was that "secure" chip called again?).
      No, closed-source is based on liability:
      - If a closed-source company releases code that steals user data, the user will sue that company.
      - If an unknown open-source developer contributes a patch that's found to be broken 2 years later (Debian anyone?), how exactly will you track him down? (You've never seen him, you have no name, no street address, no phone number, no nothing but an IP address - if that).

      Trust is a weakness.
      Absolutely.



      • #53
        Originally posted by BlackStar View Post
        The only difference is that you (the evil attacker) cannot submit a patch directly to Microsoft unless you work there already.
        That's a different thing, BlackStar. But anyway, you understand what I mean, because in later posts we agree with that...



        • #54
          Originally posted by deanjo View Post
          Well there goes another opensource myth. So much for "more eyes lead to more secure code" argument.
          It goes nowhere. If with so many eyes you have so many problems, imagine what holes planted on purpose dance under closed-source projects.
          This incident proves that we must only accept open-source models, BUT without ever stopping checking them again and again.



          • #55
            Originally posted by XorEaxEax View Post
            Ahh, so if something open source has been compromised then it somehow PROVES that it's not more secure than closed source? How did you reach that generalised conclusion (apart from either being stupid or just trolling)?

            With open source you CAN audit, with closed source you CAN'T audit and thus you are totally at the mercy of your provider when it comes to security.
            +1
            And if you think that I prefer the Linux forums because I thought that the obvious things wouldn't need to be repeated again and again.



            • #56
              Originally posted by BlackStar View Post
              No, closed-source is based on liability:
              - If a closed-source company releases code that steals user data, the user will sue that company.
              When was the last time a user successfully sued a closed source software company over a security hole?

              Have you ever actually read a EULA? Hint: every one I've ever read denies any responsibility for absolutely any harm their software might cause, up to and including making the entire universe explode.

              If users could sue software companies for security holes, Microsoft would have been out of business years ago.



              • #57
                Originally posted by pingufunkybeat View Post
                Just for the record, nobody has even shown that there is a backdoor in the OpenBSD code today, even if there was one successfully planted 10 years ago.
                This is probably the most significant point anyone has brought up so far.

                Show us the code where the hole actually exists.



                • #58
                  Here's(are) the thing(s):
                  1) Just don't do anything stupid on the internet;
                  2) The people creating the backdoors are not making your PC part of a massive botnet (they only create holes in case person x does y); remember that only the people who know the holes can exploit them, so public holes are always closed;
                  3) Don't upset the government by means of an internet connected PC.

                  Everything is crackable; the rest of planet earth already knew that ages ago...



                  • #59
                    Originally posted by BlackStar View Post
                    No, closed-source is based on liability:
                    - If a closed-source company releases code that steals user data, the user will sue that company.
                    Really, and how would anyone prove that this was malicious behaviour and not a bug? There would be no obvious 'theft' of data, only the security of that data would be compromised. This would easily be explained as a 'bug'.

                    Ever seen a company be held accountable for a bug that compromised their clients' data? How many exploits has Windows had which compromised their customers' data? Have they been sued for this?



                    • #60
                      Originally posted by BlackStar View Post
                      Yeah. And that's called trust.
                      No this is called "many eyes, full access" principle.
                      This is called "control".

                      Originally posted by BlackStar View Post
                      No, closed-source is based on liability:
                      - If a closed-source company releases code that steals user data, the user will sue that company.
                      - If an unknown open-source developer contributes a patch that's found to be broken 2 years later (Debian anyone?), how exactly will you track him down? (You've never seen him, you have no name, no street address, no phone number, no nothing but an IP address - if that).
                      Again, I disagree. This IS called (blind) trust. Trust is something that you HAVE to do, because you have NO choice. In FOSS you HAVE the choice.

                      If the company releases binary code that steals user data, they put it into EULA and make it legal under various reasons. Datamining. This is the least possible danger and nearly every company does it.

                      If it was not made official (tiny little text in 300 page EULA is enough for official statement) it is nearly possible to detect the behavior by any AV. Heuristics are 50% not detecting, 50% false positives. Malware/vuln. writers have been using sites like virustotal and OWN commercial solutions to make sure their stuff is undetected for ages.

                      In the slight case that the binary is suspicious and is submitted to an AV vendor, they may produce a signature after heavy manual disassembly. For only one version - viruses have been mutating for ages, including via mutation engines.

                      The situation is heavily worsened by DRM. In fact DRM and viruses differ very little. A lot of official binary code is obfuscated and protected using similar cryptography to what viruses use.

                      If the official binary DOES intend to produce virus-like behavior, the most a user can do is suspect it and trust his AV, or his disassembly/watch tools if he has enough skills. Then there is the sweet option of whitelisting and a money agreement. You know, Google does not do anything bad, because gods are holy (see blood, DOS).

                      For example, the Federal Reserve Bank is a private company and the government depends on it. Who are you going to sue? Government, what government? David vs Goliath?

                      Given the best situation, where the user has the skills and tools to reveal the data stealing, he is going against a company anyway. He will always lose. There is a huge array of tools to hinder him, money being the most primitive.

                      Let's take the nvidia binary driver for Linux vs the AMD open-source driver for example.
                      Do you trust it? I can hire an expert to trace all the AMD open-source code for suspicious things. I do not have to ask AMD. I can publish the result and it can be evaluated by anyone as a fact.

                      On nvidia I cannot hire anyone but an extremely qualified person. I have no access to source, so the only method is via footprints and binary disassembly. Additionally, he will need to use the tools - but if they are too closed source, who is going to check the checker?? Even if he finds something after 10 years, the result will be so spread around and so hard to present in human form thanks to obfuscation, and it will be so late in time, that I have zero chance to prove it. Then I end up with me against a huge company, with a very technical and huge (but vague, inconsistent) base of proof.

                      "Oh, that periodic interrupt call? No that was not used for reading the keyboard strokes, it was used to synchronize part of GPU logic to USB speed to prevent choking of keypresses in game."

                      And yes, every released binary driver's end result is mutated (I assume). So, additionally, my proof is based on only one specific driver version and cannot be traced in time. And what happens if nvidia does not have that exact code anymore? I have talked to Tom Hall (yes, THAT Tom) about code for Commander Keen for porting reasons. He mentioned it's gone. How exactly are you going to sue someone whose code is not available anymore?

                      Compare that to proof if I would have open source, human-readable code. And add chance of detection by other programmers, not only machines.

                      Security by obscurity does not work.
                      Security by trust(proprietary) does not work.
                      Security by theories does not work.
                      The best security is in an absolutely transparent society without limits. In a glass world, where everyone's mind can be read by another without the slightest possibility of covering it by ANYone.

                      Today we have a zillion malware for win32/64 and only periodic "flashes" of vulnerabilities for Linux, which get dynamically patched - which is improving in essence.


                      Originally posted by BlackStar View Post
                      - If an unknown open-source developer contributes a patch that's found to be broken 2 years later (Debian anyone?), how exactly will you track him down? (You've never seen him, you have no name, no street address, no phone number, no nothing but an IP address - if that).
                      First, I don't see Microsoft firing anyone for writing software with vulnerabilities. Take the OpenType vulnerability on MS for example - nearly 10 years. And tracking him down is also nearly impossible unless they keep 10-year-old comments and unmodified code revisions.

                      Second, tracking down is unimportant. We are talking about writing software, not doing bank robbery. The only thing that plays a role is how secure and verifiable the code is and stays.

                      And the last thing is that proprietary code is NOT your code.
                      You may take it as it is, or leave it.
                      You don't buy it, you license the right to use it under specific conditions.
                      There are no guarantees, no source, no promises.
                      "But we do gladly accept money."
