The code of OpenSSH and OpenBSD has been available for years, and that is why it is the most secure. Just think how many people have tried to find a hole in OpenSSH's code!

Opening the code is the most important step. If the idea is worthwhile and the code is useful, it will be improved by the community, just because it is useful to them. nginx is a classic example - people around the globe are improving it because they find it useful.


The code for OpenSSH and OpenBSD is secure because Theo de Raadt personally roped crazy smart people into the project to audit the entire BSD operating system line-by-line, and then set up a regime that treated all code as guilty until proven innocent. He was the first person ever to have done either of those two things.

(I had the privilege of being a semi-involved bystander while this happened; I have one or two findings from the audit and wrote their first several advisories).

Security does not just happen for open source projects. The notion that it does is one of the more harmful myths in software security. If you have any questions about this, or about the difference between a bug (blows up in your face and ruins your day, causing you to write a patch out of anger) and a security flaw (hides in the shadows waiting for an adversary to find and exploit it), just ask Wordpress, Sendmail, or BIND.

Open source makes a lot of software security problems easier, iff you care about security --- like nginx always has, and maybe Apache not so much until recently. But slapping a GPL on your codebase and pushing it to Github does not make magical unicorns poop security findings into your mailbox.

Nope. It is good that Theo is so paranoid^Wpassionate, but it isn't the whole reason. The whole reason is that so many people are involved, both in contributing and in seeking out design or coding flaws. Crowd-sourcing is the key.

I didn't say that opening the code makes it secure by magic; what I said is that if the code is useful to some skilled people, they will fix and improve it, at least for themselves. The good ones will submit their patches back to the community.

