
Any time you run someone else's code you either have to trust them or trust their auditors.

Solving this problem is the reason I built this:


> or trust their auditors

If it's open source and you can build it yourself, sure.

No, that's the whole point of having an auditor, so that you can have some grounds for placing trust in a system without having to trust the provider or having to audit the product yourself.

I think I'm thinking of security audit, while you're thinking about regulation/fiscal audit. Not sure what GP was talking about.

No, I was referring to a security audit.

Then no, it doesn't work like that. (I do security audits for a living btw and happen to have audited many e2e encrypted messaging apps.)

There is more than one kind of security audit. The kind you do looks at the code and determines if it contains bugs. The kind I'm talking about looks at what is being served by a server and determines if it conforms to published invariants. (I hire security auditors for a living ;-)

[UPDATE] Now that I think about it some more, I guess that kind of auditor is analogous to a financial auditor, as you said. I didn't really make that connection before because the nature of the work is very different, but it's a fair analogy.

[UPDATE2] Looking back at your previous comment I see that the word "regulation" is in there. I'm not sure if you edited your comment or if I just missed it before, but my recollection of reading that comment is that it said "financial audit". Either way, I apologize for the misunderstanding and subsequent confusion.

You also have to trace the actual live code, to see if it's actually running the code you think it should run. And not just with N=1, maybe with N=100 or a sufficiently high number.
