freebsd at edvax.de
Sun Jan 27 19:47:49 UTC 2019
On Sun, 27 Jan 2019 11:14:40 -0600, Valeri Galtsev wrote:
> I 100% agree with Polytropon, and would just add one simple point:
> FreeBSD is open source system. Everyone in the World can (and some/many
> do) go and audit the code for backdoors and/or vulnerabilities.
It's not that the code of "Windows" or closed-source programs
in general won't be audited. But this process is not public.
Auditors have to sign an NDA, and there usually is no real
indication of _that_ they performed an audit, and _what_ they
found out. The primary reason is "trade secret". We know that
"security by obscurity" just doesn't work. :-)
You need to have trust both in the makers of the software
and in the auditors. You cannot buy trust. And especially
when they didn't properly do their normal work, and then
"surprisingly" something happened, and the public got
knowledge about it - instead of admitting the mistakes,
adjusting their processes accordingly, and trying to do
better next time, they increase prices and shove money
into more aggressive marketing and ads, _then_ you know
exactly what their priorities are, even though their web
site claims "we value your privacy" or "we care for our
Oh, and people still give them money. It's far easier if
it's tax payers' money, so no more annoying questions. :-)
> Contrary to
> proprietary systems which not only hide the source, but also will do all
> to put you in jail if you reverse engineer (disassemble) their binary
> code and attempt to publicize the spy part if you discover one.
On the other hand, there is a market, especially for 0days,
which governments and their spy agencies are interested in.
Law also mandates or at least encourages backdoors and
bypasses, so if a company wants to do business in a given
country, they will surely follow those... suggestions...
> Of course we all learned mathematics, and logically it is difficult to
> prove FreeBSD does not have malicious code. However for those who claim
> an opposite: that FreeBSD does have malicious code in it, it is very
> easy to prove their point. It is sufficient to point to one of them. If
> one cannot point even to a single malicious chunk in FreeBSD, one
> shouldn't insist there is one.
It's also a fact that just because you pay money, you
don't get good software, where "good" means about every
aspect that one can be interested in: reliable, fast,
secure, maintainable, and so on. You can find similar
problems everywhere where software plays a significant
role, not just PCs, but also appliances, NAS, routers,
switches, WLAN modems.
Manufacturers don't care, for three reasons:
1. "Good" (see above) costs money. Especially security
does not generate an immediate gain, but is expensive
to do right.
2. There is an EULA ("you sign by switching on" or "you
agree by opening the box") that delegates all risks
and troubles to the user - and far far away from the
3. The customer already handed over the money, so what?
Brand NAS with hardcoded password bypass, anyone? ;-)
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...