The only solution is to read source code and look for anything suspicious. Linus's Law states that "given enough eyeballs, all bugs are shallow
Well. It's probably easier to break into your home, put an eavesdropping device and get your keys. I think it's important to audit code but let's be realistic, you won't defeat an agency that has you on your radar because you use "open source software".
And by the way, Linus Law doesn't make any sense, simply because some bugs cannot be seen just by looking at the source code and also because the bandwidth between eyeballs that don't belong to the same brain is extremely limited.
It's probably easier to break into your home, put an eavesdropping device and get your keys.
If they were only targeting one person, maybe. But getting a back door added to a piece of widely-used software is much easier than bugging the homes of everybody who uses that software.
The backdoor can be anywhere between the two computers (most likely at the extremities though).
I agree with you in the sense that software should be made as secure as possible, my comment is just a remainder that one should be realistic about what level of security he can get.
If you didn't audit the hardware your software is running on and your local isn't physically secure spending so much time on software auditing isn't very useful.
You'd even have to thoroughly double check that the software you have it the one you expect, audit your compiler, audit your os and recompile everything you have.
You know better than me that there is no such thing as absolute security, so you're secure relative to a menace. If you try to secure yourself against a 1st world intelligence agency, I say... "Good luck". ;)
Well. It's probably easier to break into your home, put an eavesdropping device and get your keys. I think it's important to audit code but let's be realistic, you won't defeat an agency that has you on your radar because you use "open source software".
And by the way, Linus Law doesn't make any sense, simply because some bugs cannot be seen just by looking at the source code and also because the bandwidth between eyeballs that don't belong to the same brain is extremely limited.