On Fri, Apr 11, 2014 at 04:36:13PM -0700, Arshad Noor wrote:
> Isn't that a naive assumption? Every US-based company that has anything
> to do with crypto has to send in their source-code to a special address
> before you can be granted a License Exception (US BIS rules) to export
> to foreign customers. (The only exception is open-source - whose
> creators must still notify a special e-mail address about the new FOSS).
> In either case, NSA knows about it.

And isn't it pretty likely that the world's serious cyberwar
players (major governments at least) have obtained access by some means
or another (legal, private hidden deals, shady doings, or out-and-out
theft) to the complete source code of most major operating systems and
virtually ALL security-related software (and presumably also the firmware of
many interesting networking devices)?

Seems frankly like a no-brainer to me given their missions and
what it would do to enhance their capabilities versus trying to find
0-days and other attacks without? And if your job is stealing other
folks' secrets ... well what is the problem adding another few to the
list...

Not really clear that closed source protects all that well against
this threat... while making it harder for the white hats to find problems
and get them fixed before they are widely exploited...

--
Dave Emery N1PRE/AE, [email protected] DIE Consulting, Weston, Mass 02493
"An empty zombie mind with a forlorn barely readable weatherbeaten
'For Rent' sign still vainly flapping outside on the weed encrusted pole - in
celebration of what could have been, but wasn't and is not to be now either."
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography