Hacker News new | past | comments | ask | show | jobs | submit login

What information have Microsoft released about the Bitlocker audit(s)? I couldn't find any, although my search wasn't particularly thorough. It seems to me that the value of an audit, for third parties, is that the auditor puts their reputation behind it.



That happens in a statistically negligible number of audits, and most especially in the best cryptographic audits. Which systems has Cryptography Research audited? Answer: you have no idea.


I don't doubt that, but no doubt a great deal of cryptographic audits are produced entirely for internal consumption at the procuring party, and another large chunk of them would be for bespoke software development gigs where the audit is for the benefit of the single customer.

Audits (and here I use the word in its expansive sense) that are intended to build confidence in a large or public audience do tend to be made public.


If that's true, it should be easy to cite audits of important software conducted by well-known cryptography engineering firms. So, tell me: where's the audit of OpenSSL, or SChannel, or NSS, done by Cryptography Research or Riscure? Where's the PGP audit? The LUKS audit?

Can I ask where you came by these opinions of how security audits work? I know where I came by mine.


When I say "the expansive sense" I am not referring to the specific case of security audits. For an example of what I mean, in terms of an audit intended to build confidence in a large audience, this was published in last year's annual report for News Corporation:

  The Board of Directors and Shareholders of News Corporation:

  We have audited the accompanying consolidated and combined balance
  sheets of News Corporation as of June 30, 2013 and 2012, and the
  related consolidated and combined statements of operations, 
  comprehensive (loss) income, equity, and cash flows for each of
  the three years in the period ended June 30, 2013. These financial
  statements are the responsibility of the Company’s management. Our
  responsibility is to express an opinion on these financial 
  statements based on our audits.

  We conducted our audits in accordance with the standards of the 
  Public Company Accounting Oversight Board (United States). Those 
  standards require that we plan and perform the audit to obtain 
  reasonable assurance about whether the financial statements are 
  free of material misstatement. We were not engaged to perform an
  audit of the Company’s internal control over financial reporting.
  Our audits included consideration of internal control over 
  financial reporting as a basis for designing audit procedures that
  are appropriate in the circumstances, but not for the purpose of
  expressing an opinion on the effectiveness of the Company’s 
  internal control over financial reporting. Accordingly, we 
  express no such opinion. An audit also includes examining, on a 
  test basis, evidence supporting the amounts and disclosures in the
  financial statements, assessing the accounting principles used and
  significant estimates made by management, and evaluating the 
  overall financial statement presentation. We believe that our 
  audits provide a reasonable basis for our opinion.

  In our opinion, the financial statements referred to above present
  fairly, in all material respects, the consolidated and combined 
  financial position of News Corporation at June 30, 2013 and 2012,
  and the consolidated and combined results of its operations and 
  its cash flows for each of the three years in the period ended 
  June 30, 2013, in conformity with U.S. generally accepted 
  accounting principles.

  /s/    Ernst & Young LLP

  New York, New York

  September 20, 2013 
I do not believe the lack of a public security audit of OpenSSL, SChannel, NSS, PGP or LUKS indicates anything other than that either no-one cares enough about building public confidence in those projects to fund such an audit, or that anyone who has is sitting on the results because they weren't good.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: