Slashdot Mirror


Snowden: What Happened In 2013 Couldn't Have Happened Without Free Software (networkworld.com)

An anonymous reader writes from a NetworkWorld article: NSA whistleblower Edward Snowden spoke at the Free Software Foundation's LibrePlanet 2016 on free software, privacy, and security. He credited free software for his ability to help disclose the U.S. government's far-reaching surveillance projects. "What happened in 2013 couldn't have happened without free software," he said, particularly citing projects like Tor, Tails (a highly secure Linux distribution) and Debian. "I didn't use Microsoft machines when I was in my operational phase, because I couldn't trust them," Snowden stated. "Not because I knew that there was a particular back door or anything like that, but because I couldn't be sure."

120 comments

  1. links? by Anonymous Coward · · Score: 0

    Links to those OSS things he mentions?

    1. Re:links? by allo · · Score: 1

      gnupg.org

    2. Re:links? by Pseudonym · · Score: 2

      Sure! It's secure-free-software-here.totally-not-the-nsa.gov.sorry-i-mean.org

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  2. No more BASIC by Sir+Holo · · Score: 0

    Yeah, that's why I stopped programming in MS-BASIC. It just couldn't be trusted any more.

    Slashdotter's response: ". . . What's MS-BASIC? Is that like COBOL and FORTRAN's love-child?"

    1. Re:No more BASIC by Z80a · · Score: 1

      MSX Basic was quite secure due to MSX not supporting any sort of networking.
      Of course, if your Datassette was the loud annoying kind, the NSA probably could record your data with a hidden mic.

    2. Re:No more BASIC by Anonymous Coward · · Score: 0

      Sorry, but I think most people have heard of Quick BASIC at least....

      Certainly the Gorillas demo script was fun to goof with when I was 9...

  3. It couldn't have happened without free software by Anonymous Coward · · Score: 0

    buh-bye free software!

  4. Re: "Couldn't be sure" by Type44Q · · Score: 2

    No but other people have. Your strawman notwithstanding, the biggest problem is backdoored hardware, proprietary binary blobs and cellular sideband processors...

  5. Snowden for President by Anonymous Coward · · Score: 0

    I would accept Anthony Romero as a second-best option.

    Or Randall Munroe

    Any of these would represent us much better (which is to say...at all) than any of the current candidates.

  6. Soon... War on Open Source by r0kk3rz · · Score: 3, Insightful

    Thanks Snowden for pointing this out, now we will see a movement against open source software because it aids terrorists, just like unlockable iphones or other means of secure communications.

    1. Re:Soon... War on Open Source by Anonymous Coward · · Score: 0, Interesting

      Well President Obama has declared that using an IPhone makes you a pedophile, so you are correct.

      Don't be a terrorist; Use Microsoft products.

    2. Re:Soon... War on Open Source by Anonymous Coward · · Score: 1

      Thanks Snowden for pointing this out, now we will see a movement against open source software because it aids terrorists, just like unlockable iphones or other means of secure communications.

      We are already there. Now we'll see routers begin to lock out open source software, but is it outside the realm of possibility to think that this could slowly extend to all wifi devices, including those in, say, laptops?

      After all, Windows 10 can't have other operating systems allowing people to use computers without sending everything about you to Microsoft and any government and/or corporate entities that they are partnering with.

    3. Re:Soon... War on Open Source by Anonymous Coward · · Score: 0

      It's already here.
      Systemd.

  7. See Snowden's talk and understand nonfreedom by jbn-o · · Score: 5, Informative

    You can see Edward Snowden's talk for yourself.

    There are no configuration changes you can make, programs you can install, or other changes you can make to make proprietary (user-subjugating, nonfree) software trustworthy. It won't matter what the "privacy" settings say you can do; the proprietor has the upper hand and can easily write software to rat you out. Software freedom is a prerequisite for computer privacy and security and all of the other things that go into treating computer users ethically. All computer users deserve software freedom.

    1. Re:See Snowden's talk and understand nonfreedom by Anonymous Coward · · Score: 0

      Bullshit, Stallmanite. Surprised you didn't throw out the word "Slavery" a few times. That's one of his favorites.

    2. Re:See Snowden's talk and understand nonfreedom by Anonymous Coward · · Score: 0

      what an amazingly well reasoned and supported counterargument

    3. Re:See Snowden's talk and understand nonfreedom by Anonymous Coward · · Score: 1

      Bullshit, Stallmanite. Surprised you didn't throw out the word "Slavery" a few times. That's one of his favorites.

      And... then along comes Windows 10 to prove Stallman's point spectacularly.

    4. Re:See Snowden's talk and understand nonfreedom by Anonymous Coward · · Score: 1

      Astute and trenchant. As with all interactions involving humans, you can only trust that which you can verify.

    5. Re:See Snowden's talk and understand nonfreedom by Anonymous Coward · · Score: 0

      So, how are those personal attacks working for you? Not very well, eh?

    6. Re:See Snowden's talk and understand nonfreedom by Anonymous Coward · · Score: 0

      No, you have to have bug free code and hardware if you want computer privacy and security. Having a code base be open source doesn't magically make it more secure.

      So if I installed verified and trusted software on my network card that inspects and cleans (including randomized timings, etc...) all outgoing traffic, how can the OS spy on me? Well it can, but it won't be able to tell anyone the results so the spying doesn't matter. You can secure untrusted code/hardware by controlling all its access points (network, all cables, radio waves, visibility, etc...) and then destroying it when you're done.

      And open source is relative. I may have the code and trust it yet you don't have access. That's technically closed source software. Open source is great, but far too many people spread too much bullshit about it.

    7. Re:See Snowden's talk and understand nonfreedom by Anonymous Coward · · Score: 0

      >The worst thing about it is that the whole mentality creates a risk-averse sort of technological paralysis, where one basically isolates themselves from the world in the name of "freedom".

      I agree. You see, technology doesn't have to be a net positive for me or the world, and in many cases, it isn't. It has been a long time since I was naive enough to see technology through rose-colored glasses. In reality, most of it makes our lives worse (and the Earth, and other people's lives etcetc) and it would be better if this technology wouldn't exist.

      So to isolate yourself from some things can be the correct choice.

      But I agree it can be a practical problem. But guess what? It works in the other direction as well - more, I'd say. That's more or less the point of the GPL: as an equalizer: now, the shoe is on the other foot.

      > I can't imagine the lack of friends and/or cognitive dissonance in those who truly believe all this crap is worth caring about.

      If, in 2016, after the Windows 10 debacle, the NSA debacle, Superfish, the backdoored firewall solutions debacle, the digital heists, the break-ins into medical insurer's machines etcetc you still believe control over your computing is not worth caring about for any person on Earth, I can't help you. *shakes head*

      Do you use money? Yes? Then you should care.
      Do you have health insurance? Yes? Then you should care.

      In 2000, I would have agreed with you, who cares? But now, the writing is not only on the wall, it's on the major news outlets.

      I agree that the other things you mentioned are important, too. But if you use a computer and don't care about free software, you are inviting your own downfall and the downfall of your friends, sooner or later. As computers get more integrated into our lives, it gets more and more important to have free software, not only as a matter of principle but as a practical safeguard of our lives.

      Also, as the field matures, software will be handled just like other stuff, say plumbing, has: you have something in your house, all parts visible and owned by you. If you want to fix it or change it, you either do it yourself (!) or you call ANY plumber to change it. The situation now where in some cases the creating software company is the only one that can do changes is temporary and it will pass - because it's insane to give anyone that much control.

      >If you are working on sensitive proprietary information and you compete with defense contractors or are based outside the US, then I can see why there's a concern.

      ?? The majority of people, me included, are based outside the US. What was that about?

      Also, every other country is tempted to be just as controlling as the USA. Being outside the USA doesn't help much. (it does help, but not much)

    8. Re:See Snowden's talk and understand nonfreedom by Anonymous Coward · · Score: 0

      Yeah, and that's all well and good. But if software freedom comes at the expense of lower-quality software, then you can't be surprised why Linux still has bugger-all users when people discover they can't run top-tier apps like the Adobe suite, MS Office, AutoCAD, their Tax app or their niche app they rely on that does not contain a Linux alternative.

      Software freedom sounds great until it hits the wall of practicality for most people. It does NOT trump the ability for people to do their job with the software they require or prefer, and it's crazy to me to why people who seem to think software freedom is more important than these factors still don't understand why Windows is still so popular.

    9. Re:See Snowden's talk and understand nonfreedom by Anonymous Coward · · Score: 0

      Cute, a precursory spit at me with flash and then talk of untrusting "proprietary software" and deserving "software freedom". Not sure if hypocritical or having a laugh...

    10. Re:See Snowden's talk and understand nonfreedom by FlyHelicopters · · Score: 1

      If, in 2016, after the Windows 10 debacle

      What "Windows 10 debacle"?

      Windows 10 appears to be doing quite well, it is now installed on 1/3 of the machines as reported by Steam, it runs very well, on a vast array of hardware, with no fuss.

      ---

      Now of course I can read between the lines and assume that you meant "evil M$ released Windoze 10 that you don't like", but that doesn't make it a debacle.

      ---

      I can't help you. *shakes head*

      Many of us are shaking our head right back at you.

      ?? The majority of people, me included, are based outside the US. What was that about?

      The NSA is legally able to spy on you. They probably aren't, because they don't care about you, but they can.

      Also, every other country is tempted to be just as controlling as the USA. Being outside the USA doesn't help much. (it does help, but not much)

      Windows isn't written outside the US, that is the difference.

  8. it may have once been true... by Anonymous Coward · · Score: 0

    I use almost exclusively open source SW myself, but these days I think assuming it's not backdoored by the NSA would be naive. It may have once flown under the radar, but not any more. It's running enough critical infrastructure that it's a juicy target.

    An organization as subversive and capable as the NSA is not stupid. If something that tempting is "dark" to them, they will do everything they can to invite themselves in. An OSS OS like Linux or BSD is a huge and complex base of code. One mole secretly on the NSA paycheck is all it really takes. There has been a stream of "innocent" bugs exposed over the last few years that have essentially negated some of the most important security mechanisms. I think it's foolish to assume there aren't others that have been inserted surreptitiously. It only takes one. (NSA: "You have to be right about everything. We only have to be right about one thing.")

    Yes, it DOES help to have many eyes looking at code, which helps Linux be better than Windows about this. But much code never gets that kind of review, and when it does, things like the Underhanded C Code Contest show that you can create code that "looks" correct, but has extremely subtle and exploitable holes.

    So anymore, I would not assume that just because it's OSS, it's free from prying eyes.

    1. Re:it may have once been true... by bmo · · Score: 1

      but these days I think assuming it's not backdoored by the NSA would be naive.

      The problem the NSA is up against is that they have to compromise every copy of the source code that's out there, or even a large number of binaries to make a backdoor work reliably.

      There are literally hundreds of mirrors of Ubuntu alone, each with hashes that need to match. That's only one distribution of one OS. Then there's the BSDs, which are dying, according to Netcraft.

      --
      BMO
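
The point above about mirrors whose hashes all have to match is the defender's check that the comment leaves implicit. The following is an added example, not code from the original thread or from any distribution's tooling: it parses a checksum list in the format `sha256sum` writes (both the two-space text-mode form and the `*` binary-mode form), verifies a downloaded file against it, and refuses to treat a malformed list as "nothing to check". The image bytes and the file names are constructed stand-ins; in practice the checksum list itself has to be authenticated (the distributions ship it with a detached signature), because a mirror that can alter the image can alter an unsigned list too.

```python
import hashlib
import hmac
from typing import Dict


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse sha256sum output: '<64 hex><space><mode char><name>' per line,
    where the mode char is ' ' (text) or '*' (binary). Blank and '#' lines
    are skipped; any other malformed line raises ValueError so a truncated or
    corrupted list cannot silently verify nothing."""
    table: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, rest = line.partition(" ")
        if not sep or len(rest) < 2 or rest[0] not in " *" or len(digest) != 64:
            raise ValueError(f"line {lineno}: not a sha256sum entry")
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"line {lineno}: digest is not hexadecimal") from None
        table[rest[1:]] = digest.lower()
    return table


def verify_download(name: str, data: bytes, sums: Dict[str, str]) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file.
    compare_digest is used out of habit; the digest is public, so timing is not
    the concern here, but it keeps the comparison uniform."""
    expected = sums.get(name)
    if expected is None:
        return "unlisted"
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed stand-ins for a release image and the project's published checksum list.
GOOD_IMAGE = b"demo payload: not a real installer image\n" * 64
SUMS_TEXT = (
    "# constructed SHA256SUMS; the real file ships with a detached signature\n"
    f"{hashlib.sha256(GOOD_IMAGE).hexdigest()}  demo-1.0-amd64.iso\n"
    f"{hashlib.sha256(b'placeholder').hexdigest()} *demo-notes.txt\n"
)
SUMS = parse_sha256sums(SUMS_TEXT)

# A mirror copy in which a single byte was altered in transit or on disk.
ALTERED_IMAGE = GOOD_IMAGE[:100] + b"X" + GOOD_IMAGE[101:]

if __name__ == "__main__":
    print("pristine mirror copy:", verify_download("demo-1.0-amd64.iso", GOOD_IMAGE, SUMS))
    print("altered mirror copy: ", verify_download("demo-1.0-amd64.iso", ALTERED_IMAGE, SUMS))
    print("file not in the list:", verify_download("demo-1.0-i386.iso", GOOD_IMAGE, SUMS))
```

Run against a real download by reading the file's bytes and the distribution's `SHA256SUMS` text; the three return values map directly onto "install", "fetch from another mirror and report it", and "the list does not cover this file".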

    2. Re:it may have once been true... by slashping · · Score: 1

      If you get a backdoor in through a legitimate developer, all copies will be compromised automatically.

    3. Re:it may have once been true... by Anonymous Coward · · Score: 0

      Exactly. It isn't about subverting the repo, it's about slipping in some innocent looking code with a very subtle behavior that they know about, but isn't clear from reading the code. Into the real source.

      They aren't above getting someone on the inside who appears in every way to be serving the project they work for, but really has another master.

    4. Re:it may have once been true... by KGIII · · Score: 1

      It is important, to me, to realize that it doesn't have to be in isolation. Innocuous looking code may be truly benign -- until it is compounded by externalities beyond the control of the user and their systems. Who's to say, for example, that there's no hidden magic where packets are injected with content while in transit and that the injection doesn't alter the results? There's no reason to believe it needs to be simple, there could be many varied (and trivial-seeming) manipulations that change the expected behavior without actually changing the expected results.

      Security is a process, not an application. Nothing is completely secure - nor will it ever be. Security is deciding what you want to do and making informed choices about the risks you'll accept to achieve the goals needed to reach the desired end. It is about accepting risks - or not accepting risks. It is about varied levels as there is no such thing as complete security. It is not a binary thing and the answer is not even remotely associated with software licenses.

      I've said many times how much I admire Snowden but his continued opining on things he knows nothing about is annoying. That doesn't mean we should stop giving him attention - not at all. We just need to accept that he's annoying as of late. We need to keep him around and in the limelight a while longer, ideally until a conclusion is reached. It was amusing to hear him opine on Apple. The guy's been out of the scene since before the phone was released, was never a part of the FBI, but felt qualified to authoritatively and affirmatively state the capabilities of multiple parties. I pointed that out. Nobody actually bothered to pay attention to what they were responding to and seemed more interested in asserting that Snowden somehow, mysteriously, was eminently qualified to make absolute statements.

      Speculation? I'd have been more open to. "It seems likely that they can do..." Instead it was, "They can do..." Pointing out the difference made me a troll, for some reason? I kind of giggled at the replies. They simply fail to see the difference.

      --
      "So long and thanks for all the fish."
    5. Re:it may have once been true... by JazzLad · · Score: 1

      Security is a process, not an application. Nothing is completely secure - nor will it ever be.

      It may not be an application, but I'd like to see the NSA, et al recover from one of these.

      I jest, of course, but these things fascinate the little kid in me.

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
  9. Re: "Couldn't be sure" by slashping · · Score: 1

    Despite the many eyeballs, serious bugs in open source software have been found before. The NSA doesn't have to insert their own backdoor, they can just dig through the existing code, and find a bug that allows them to get in.

  10. Wait, by Anonymous Coward · · Score: 1

    What does this have to do with anything? His "operational" phase consisted of him asking clueless users for their passwords. Open Source or backdoors had nothing to do with what he did, or how he did it.

    Yeah, I get that Snowden gets a lot of love around here, but on a technical or knowledge basis, he's one of the least interesting people out there. Even most script kiddies are more interesting than he is.

  11. Open Source, enabling traitors since 2013? by Anonymous Coward · · Score: 0

    Or was it an exceptionally successful disinformation campaign?

  12. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    And this applies to closed sores as well.

  13. Re: "Couldn't be sure" by slashping · · Score: 1

    And this applies to closed sores as well.

    It's a lot easier to find the bug when you have the source code.

  14. Re: "Couldn't be sure" by Computershack · · Score: 0

    No but other people have.

    If that were the case then there wouldn't be the number of security issues they've found, the number of exploits they've found, the show stopping bugs that exist.

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  15. Yet most devs deep throat apple by Anonymous Coward · · Score: 0

    As mentioned a few days ago on Slashdot, most devs use Apple because they could care less about freedom, ethics, and all that fluffy stuff.

  16. Note for whiplash by Okian+Warrior · · Score: 4, Interesting

    Note the following:

    [...] citing projects like Tor, Tails (a highly secure Linux distribution) and Debian.

    "Tor" and "Debian" are well known and probably don't need explanation, while "Tails" is more obscure and has a quick explanatory note.

    This is how you do it, this is a good method. (It's in the original article.)

    Looking through the past 3 pages of Slashdot I couldn't find any examples of obscurity, but I found lots of examples of references that had a hint of help for the reader - a word of context or a placing phrase or something that illuminates the subject for the reader.

    It looks like things are getting better. Keep up the good work.

    1. Re:Note for whiplash by cfalcon · · Score: 1

      I think there's a pretty sharp cap for where slashdot can go, as far as participants. Websites now compete on controversy, and slashdot, as an early entrant into this, only flirts with it- it's too information heavy to swing in that arena. You can't dogpile someone with downvotes or jerk yourself off by upvoting platitudes, instead you only have a few mod points some of the time, and have expectations for using them to get actual conversations. You can't have a whole thread with everyone saying the same thing because people can post anonymous. It just doesn't give you the same sense of "I belong to a team, and we are ENFORCING THE LAW" that later evolutions do.

      But what it can do is be ACTUALLY GOOD, and I agree completely that the new editors are doing a great job of pushing that envelope. Very pleased.

  17. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    But it's impossible to audit the source code of closed source software if you don't have the source code.

    I agree that "sure" is a bad choice of words, but arguing that closed source software is better in this regard is just plain stupid.

  18. Re: "Couldn't be sure" by slashping · · Score: 1

    But it's impossible to audit the source code of closed source software if you don't have the source code.

    Correct, but I think the NSA is much more motivated to find an exploit in millions of lines of code than other people are to audit the same.

  19. Re: "Couldn't be sure" by ShanghaiBill · · Score: 5, Insightful

    With OSS you still need to trust people, but you need to trust fewer people, you know who those people are, and you can see who else trusts them. With proprietary code, there is a chain of trust that is only as strong as its weakest link. With OSS, there is a web of trust. I can look at the git log and see who wrote a particular algorithm, and I can often see what other code they have written. I can see the changes that were made later, and who made them. For many OSS projects, I can see who reviewed/audited the code. None of this is magic, and there is never a 100% assurance, but OSS has some clear advantages.

  20. Re: "Couldn't be sure" by im_thatoneguy · · Score: 2, Insightful

    And yet.. Heartbleed.

  21. Re: "Couldn't be sure" by allo · · Score: 4, Informative

    Think the other way round: try to sneak in a backdoor in opensource.

    1) You're never sure who reads the source and finds it, or when this will happen
    2) It can probably be attributed to you in some way
    3) The big security does not come from the source alone, but from the open development process. Go, read the Linux source and look for security holes. Much work? Indeed! But now go and look at the commits from today. Read the summary, read the code, check if it seems to match, watch out for possible security holes. This can be done and this is done by many people.

    On the closed source side: You get from time to time one big update, no code at all. If you want to make yourself some work, you can try to disassemble the binary. People do so and people find security bugs and backdoors, but it's a lot more effort.

    And the third thing: If you already suspect something, you can go and read the corresponding code of the misbehaving part, while you are still without source when using closed source.

    So yeah, nobody has a guarantee for no backdoors, but it's harder to sneak one in.

  22. Re: "Couldn't be sure" by allo · · Score: 1

    Snowden is fighting against people who have the source for software where he does not have the source. This makes it even worse for him.

  23. Re: "Couldn't be sure" by ShanghaiBill · · Score: 1

    It's a lot easier to find the bug when you have the source code.

    1. Many security researchers have claimed that this is not true. They often find bugs just by pushing the running code past its limits: giving it more input data than it is expecting, giving it binary data when it is expecting ascii, or exploiting corner cases, like negative numbers when it is expecting only positive numbers or triggering arithmetic overflow on a pointer, etc. You don't need the source to do any of this.

    2. Just because you don't have access to the source, doesn't mean the NSA/CIA/FBI/FIS/MSS doesn't have the source. Many times they simply buy access, as they did with RSA. Sometimes they demand access as a condition of doing business, as they did with Microsoft. Sometimes they hack their way in. Other times they infiltrate or bribe low level developers.

  24. Re: "Couldn't be sure" by Type44Q · · Score: 1

    You're right, you're right: in open source, other people do not check the code. Ever. (I stand corrected; thank you for putting me in my place.) ;)

  25. Re: "Couldn't be sure" by gweihir · · Score: 1

    Indeed. The stupid is strong with that one. The thing is that in OSS, backdoors will be found sooner or later, sometimes much later. And that is something the NSA/GCHQ/GeStaPo dreads as it exposes them. Does not matter that much even if it is 5 years or 10 years later.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  26. Re: "Couldn't be sure" by gweihir · · Score: 4, Informative

    Which is a good example of how and why OSS works: It was found, documented, traced back (no sign of foul play) and fixed. What do you think would have happened in a commercial, closed library?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  27. Re: "Couldn't be sure" by Anonymous Coward · · Score: 1

    The US, Russian and Chinese security services have all the source code to Windows. The difference is that security researchers don't have access to it.

    So, the adversaries have it but none of the people we would hope to be protecting it.

    The NSA has essentially been shown to have known vulnerabilities they use for eavesdropping, but never notify the vendor. Why would they? They have a key to the kingdom. What possible motive would they have to fix that vulnerability? They don't care a bit about privacy and security: just access to the data. If they have it, likely so does every other adversary.

    So basically everybody is happy except for the users who rely on both the vendors and security services to keep them safe. Massive failures all around.

  28. Re: "Couldn't be sure" by gweihir · · Score: 1

    And if it gets discovered, there is an excellent chance it will also be attributed and whoever put it in will be burned and that makes such an attack extremely costly. For example, the forward-hashes of git serve exactly this purpose: No revision of the change-history after commit.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
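
The "forward-hashes" the comment above refers to are git's commit ids: each commit object is hashed together with the id of its parent, so editing any earlier commit changes its id and, transitively, every id after it. The following is an added example, not code from the thread or from git itself; it reproduces git's object hashing (SHA-1 over `"<type> <size>\0<body>"`, which is why the blob check in the test matches `git hash-object`) on a constructed three-commit history with placeholder tree ids and a made-up author line, then shows what a recorded set of ids reveals when the oldest or the newest commit is altered after the fact.

```python
import hashlib
from typing import List, Optional, Tuple

# A commit is (tree_id, author_line, message); the tree ids used below are constructed placeholders.
Commit = Tuple[str, str, str]


def git_object_id(obj_type: str, body: bytes) -> str:
    """Object id exactly as git computes it: SHA-1 over "<type> <size>\\0<body>"."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def commit_id(tree: str, parent: Optional[str], author: str, message: str) -> str:
    """Serialise a commit the way git does and hash it. The parent id is part of
    the hashed bytes, which is what links each commit to the history before it."""
    lines = [f"tree {tree}"]
    if parent is not None:
        lines.append(f"parent {parent}")
    lines.append(f"author {author}")
    lines.append(f"committer {author}")
    body = "\n".join(lines) + "\n\n" + message + "\n"
    return git_object_id("commit", body.encode())


def build_chain(history: List[Commit]) -> List[str]:
    """Hash each commit in order, linking it to the previous id (a linear first-parent history)."""
    ids: List[str] = []
    parent: Optional[str] = None
    for tree, author, message in history:
        parent = commit_id(tree, parent, author, message)
        ids.append(parent)
    return ids


def first_mismatch(history: List[Commit], recorded_ids: List[str]) -> int:
    """Recompute the chain from the commit contents and compare it with ids recorded
    earlier (by reviewers, mirrors, or a signed tag). Returns the index of the first
    commit whose id no longer matches, or -1 if the whole history is untouched."""
    for i, (computed, recorded) in enumerate(zip(build_chain(history), recorded_ids)):
        if computed != recorded:
            return i
    return -1


AUTHOR = "Alice Example <alice@example.org> 1458432000 +0000"  # constructed author line
HISTORY: List[Commit] = [
    ("a" * 40, AUTHOR, "Initial import"),
    ("b" * 40, AUTHOR, "Add input validation to the parser"),
    ("c" * 40, AUTHOR, "Release 1.0"),
]
ORIGINAL_IDS = build_chain(HISTORY)  # the ids everyone saw at review time

# Quietly altering the oldest commit's content after the fact...
TAMPERED_FIRST = [("a" * 40, AUTHOR, "Initial import (one extra line)")] + HISTORY[1:]
# ...versus altering only the newest commit, for contrast.
TAMPERED_LAST = HISTORY[:2] + [("c" * 40, AUTHOR, "Release 1.0 (edited)")]

if __name__ == "__main__":
    print("untouched history, first mismatch at:", first_mismatch(HISTORY, ORIGINAL_IDS))
    print("oldest commit edited, first mismatch at:", first_mismatch(TAMPERED_FIRST, ORIGINAL_IDS))
    print("newest commit edited, first mismatch at:", first_mismatch(TAMPERED_LAST, ORIGINAL_IDS))
    for i, (old, new) in enumerate(zip(ORIGINAL_IDS, build_chain(TAMPERED_FIRST))):
        print(f"commit {i}: {old[:12]} -> {new[:12]}")
```

The design point is the one the comment makes: the chain does not stop anyone from rewriting history in their own copy, it makes the rewrite visible to everyone who recorded an id, because every later id changes with it. That is also why a signed tag or a published release id is enough to pin an entire history, not just one commit.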
  29. Re: "Couldn't be sure" by slashping · · Score: 1

    I agree that NSA and friends manage to get the source code for many projects. But that proves my point that having the source code helps to find bugs, otherwise they wouldn't have to go through that much trouble. Entering invalid input is a great way to catch easy bugs, but some bugs may be much more subtle, and require various pieces of input to align accurately.

  30. Re: "Couldn't be sure" by gweihir · · Score: 1

    You do not get it: Nobody at all (except morons like you) claims OSS is bug-free. The claim is that closed-source software is much, much worse. From some code security reviews I did under NDA, I fully and completely agree to that claim.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  31. Re: It couldn't have happened without free softwar by Anonymous Coward · · Score: 0

    This.

    Countdown to US congress losing their shit over open source software in 3... 2.... 1.....

  32. Re: "Couldn't be sure" by penguinoid · · Score: 1

    And this applies to closed sores as well.

    It's a lot easier to find the bug when you have the source code.

    What makes you think the NSA doesn't have access to the source code of any but the smallest closed source project they wish to examine?

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  33. Re: "Couldn't be sure" by slashping · · Score: 1

    Nobody at all (except morons like you) claim OSS is bug-free

    I didn't claim it either, moron.

  34. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    It's a lot easier to acquire the source code if you're a government agency who knows *everything* about the employees of a company with closed source products, and thus knows how to apply the right pressure. As far fetched and right-out-of-a-movie as it might sound, it becomes much more plausible when we remind ourselves that government agencies have no issue allowing ten year old children to be sold into slavery if it furthers their agendas.

    If a TLA wants something from you bad enough, they're really good at finding a way.

    ...and when they get the source code, it's just them that has it, not the entire world.

  35. Re: "Couldn't be sure" by slashping · · Score: 1

    Depends. They probably have access to source code from plenty of American companies. I guess they'll have a much harder time getting the source code of non-friendly foreign companies. Given enough motivation, they may find ways to get it, but it won't be nearly as easy as downloading it from the interwebs somewhere.

  36. Don't assume the NSA is well-managed. by Anonymous Coward · · Score: 0

    "The NSA doesn't have to insert their own backdoor, they can just dig through the existing code, and find a bug that allows them to get in."

    It amazes me that people usually think that the NSA and other secret government agencies are well-managed. The NSA has a very bad reputation. Most people who have the technical ability to find bugs in code would not work for the NSA.

    Someone works for the NSA. He's at a party. Someone else asks what he does for a living. He says NSA. The other person shows distaste and walks away.

    Secret agencies easily get taxpayer money, with almost no supervision. They get money even if they make huge mistakes, because there is almost no oversight; they can keep the mistakes secret. The politicians who give them money almost always have no understanding of technology.

    1. Re:Don't assume the NSA is well-managed. by orledrat · · Score: 1

      The NSA has a very bad reputation. Most people who have the technical ability to find bugs in code would not work for the NSA. Someone works for the NSA. He's at a party. Someone else asks what he does for a living. He says NSA. The other person shows distaste and walks away.

      Listen, you choose to wheel out a Matt Damon quote, and that's cool, that's fine. I don't have a problem with that. But do at least try to get the quote right, would ya?

  37. Re: "Couldn't be sure" by Type44Q · · Score: 1

    And it's a lot easier to keep that exploit hidden (i.e. available) when the source is closed. Did you have a point?

  38. Re: "Couldn't be sure" by Type44Q · · Score: 1

    But that proves my point

    No, it doesn't; however, your misplaced confidence in your intellectual abilities definitely does amuse. ;)

  39. Re: "Couldn't be sure" by slashping · · Score: 1

    And it's a lot easier to keep that exploit hidden (i.e. available) when the source is closed

    Having the source code allows you to find the really subtle exploits that can remain hidden for a long time. Also, people aren't as likely to audit old code that they and others have already looked at before.

  40. Re:"Couldn't be sure" by Aighearach · · Score: 1

    Exactly; it is a really weak claim.

    He could have used proprietary encryption products, a self-hosted commercial VPN instead of Tor, an obscure proprietary OS not on the list of things worth backdooring, etc.

    He did use some libre software, so we know what happened could happen using those tools. But we don't know anything about this idea that he couldn't have done it otherwise.

    Avoiding Windows in particular is prudent for a wide variety of reasons; not least, products designed for the masses will have sacrificed some security for convenience.

    And keep in mind, almost all the software I use is Free or OSS. I do also use a proprietary email app on my mobile device, and I use the LTSpice circuit simulator. (Only for simulation of the OSS-generated netlist)

  41. Re: "Couldn't be sure" by Aighearach · · Score: 1

    Which is a good example of how and why OSS works: It was found, documented, traced back (no sign of foul play) and fixed. What do you think would have happened in a commercial, closed library?

    In commercial software it would be found, documented, traced back, and fixed. Documentation would be internal.

    I'm pretty strongly against using proprietary stuff in my tool chain, but I just don't think this is a real difference.

  42. Re: "Couldn't be sure" by ShanghaiBill · · Score: 2

    But that proves my point that having the source code helps to find bugs

    They don't want the source code to "find bugs". They want the source code so they can modify the source, insert backdoors, and install/distribute the compromised binaries ... like they did with Cisco switches and Xerox printers.

  43. Re: "Couldn't be sure" by ShanghaiBill · · Score: 3, Insightful

    In commercial software it would be found, documented, traced back, and fixed.

    Only if the company made it a priority and budgeted for it. Then it would be rolled into the next release, which may not come for months, or even years. Oh, and the next release will only be installed by users that can afford the upgrade fee.

  44. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    It was identified and fixed only after it had been exploited. I believe that same sequence of events applies to OS and closed source. Maybe all the many eyes perusing the source were a little far-sighted. And why do people keep spouting the old canard about OS being more secure because you can look at the source code? That may have been true once upon a time, but the low-hanging fruit has been pretty much dealt with. You can take a perfectly safe piece of OS software and introduce gaping holes when building and deploying said software to the target machine. Most of the security weaknesses in both OS and closed source are not the software but the idiot in charge of deploying and administering the software. Another thing about the "many eyes" theory is that there is a gigantic gap between OS programming and application programming, and the former only represents a small percentage of people claiming to be software developers.

  45. Re: "Couldn't be sure" by Aighearach · · Score: 1

    Same is true for open source.

    On github this week, I fixed a bug where the ticket was over 5 years old, and the project owner finally realized it is a real bug and the solution is harmless.

    It hasn't been accepted yet, of course. Give it a couple more years.

  46. Re: "Couldn't be sure" by Bert64 · · Score: 1

    That's the whole point, your odds are better... Nothing is perfect.

    With closed source only a single party really has access to the source, anyone else they grant access to will be under the terms (eg NDA) of the vendor and so may be unable to disclose finding anything bad even if they do, plus if they're working together they likely have the same agenda.

    There is also the chance that source code has leaked, in which case blackhats have it; even if they do find backdoors or bugs, such people are more likely to make use of them for their own nefarious purposes than disclose them to the public.

    With open source the possibility exists for anyone to get their hands on the code, including multiple parties with conflicting goals. If a backdoor existed then at least some of those with access to the source are going to be against the backdoor and disclose/close it.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  47. Re:"Couldn't be sure" by Anonymous Coward · · Score: 0

    (other AC)

    I see this over and over again. The rebuttal is also formulaic. But let me offer another kind of rebuttal:

    Likely he did. It's there for everyone to read, and for example I DO audit it. You don't?

    That's also why I keep the amount of strange packages on my system low. I didn't read the source? It doesn't get installed.

  48. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    And yet.. Windows 10, Apple's Thunderbolt option ROM bug, Flash, every single iOS jailbreak, the PS3's botched digital signature verification and copies of the PSP master keys...

    See how easy it is to miss shit and call people out on it after the fact with the benefit of 20/20 hindsight? Just because you can look at the source does not mean that all of the bugs have been found and patched. Having the source available does mean that you *CAN* look at it for yourself to see if a bug exists and report it, or fix it yourself. Having the source code however does not magically protect an end user from bugs, because the typical end user (and most people in general) does not even bother to check and therefore takes whatever is given to them, bugs and all, expecting that the hard work of searching for bugs has been done for them, and then getting upset when a bug is found that they took no action themselves to find or report / fix.

    And then they do something like post crap online about how OSS development is just as bad as proprietary software development, because they couldn't be bothered to engage in half of what the OSS community expects of them. They want their free software without any kind of bugs whatsoever NAOW! Without actually helping in the work needed to get to that goal.

  49. Undo moderation. by godel_56 · · Score: 1

    Yep

  50. Make A Bet by JimSadler · · Score: 3, Informative

    I would be shocked if the government did not have all kinds of stuff planted in Microsoft products. And that can lead to very dangerous actions. Suppose, as an example, that the government becomes informed of a very dangerous criminal due to bugs planted in an OS or browser. But it is obvious that making an arrest would reveal the existence of that bug. People could be made to vanish and never be heard from again. The problem is it could be someone else that used your computer. With no open trials that could be a very real problem.

  51. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    But it was fixed for you and anyone else applying your patch.

  52. Re: "Couldn't be sure" by Anonymous Coward · · Score: 1

    In commercial software it would be found, documented, traced back, and fixed.

    How would you know?

    Documentation would be internal.

    Case in point.

  53. Bull! FOSS on closed hardware is not 100% secure. by dsmatthews9379 · · Score: 0

    Snowden is spouting bullshit. FOSS is great, but to suggest it is all you need is complete and utter rubbish. Unless you are running completely open hardware right down to the CPU microcode level you cannot audit 100% of the system, as Snowden's Russian masters know; otherwise they would not have gone to the trouble of fabricating their own CPUs (to be sure that the only back-doors in them were the ones they put there themselves).

  54. Re: "Couldn't be sure" by KGIII · · Score: 1

    > Did you have a point?

    Just recently they began posting in abundance. I'd speculate sockpuppet but who knows? I'll let you draw any conclusions you might wish about their reasoning and logic skills. They have some... some, shall we say, unusual opinions and seem inclined to stick with those opinions regardless of evidence presented. I don't really have much/any interaction. Such is simply an observation.

    I've an odd habit of reading the "by" field prior to reading the post. Given that I'm retired, it affords me plenty of time to read and sometimes even check comment histories. A sock for whom, I have no idea and it's purely speculation. They may not be but a quick skim through their post history is insightful. As always, draw your own damned conclusions. ;-)

    --
    "So long and thanks for all the fish."
  55. Re:"Couldn't be sure" by KGIII · · Score: 1

    I'm inclined to disbelieve you. Given the sheer volume associated with the task, I've absolutely no reason to believe that you've read every line of code that you use. There's simply not enough time in the day to do so and remain even remotely close to secure - you'd be reading code from years and years ago. There are simply too many component pieces for me to believe you.

    Yes, yes I am calling you a liar. I'm not sorry, if I was sorry I'd not be doing it. You have not read all the code in your OS and in the applications that you use. I won't even count the applications that you use outside of your control - those that are on the web.

    However, I'll give you the chance to try to change my mind - if you feel inclined to undertake that effort. I wouldn't. What the hell does it matter if I don't believe you? But, if you want to change my mind you're free to do so but you're gonna have to make it believable. What OS do you use? How do you get online? What hardware are you using? You have *zero* binary blobs? You've somehow managed to read and then re-read the code for every single piece of software you have - and keep up with updates for security problems?

    Yeah, I'm thinking that, at best, you might skim through some or speed-read without comprehension and, even then, you certainly don't do so with any modern OS and keep up with the myriad updates that come down the pipe daily. Which OS is this? Chances are, unless it's proprietary, I've used it. Hell, even if it is proprietary, I've probably used it.

    --
    "So long and thanks for all the fish."
  56. Re: "Couldn't be sure" by Type44Q · · Score: 4, Interesting

    There's a disinfo unit out of Fort Meade that uses low-grade nerds in uniform to overwhelm people in chatrooms when certain subjects come up; the government has openly solicited bids for software to allow these clowns to "handle multiple simultaneous chatbots and user accounts."

  57. Re: "Couldn't be sure" by orledrat · · Score: 1

    Yup, the jig's now up. Anyone who disagrees simply can't see the forest for all the straw, man.

  58. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    Anyone taking the long view could work around something as simple as reputation and periodic change reviews and easily link together ostensibly unrelated pseudonymous commits across minor and major releases.

  59. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    You don't need source code to find vulnerabilities. You can read machine code, either binary or disassembled, as easily as you can read C or any other "language."

  60. Obviously it worked well for him by Anonymous Coward · · Score: 0

    Yea, how'd that work out for Mr. Snowden?

  61. Re: "Couldn't be sure" by KGIII · · Score: 1

    I had not heard or read anything about this. That is not even remotely surprising. I know the Russians use it and I know that there are some paid posters with various companies. I'm not terribly surprised that the US government would be involved though I guess it's a bit surprising that it is in the hands of the Army as opposed to something a bit more clandestine or tasked with a different charter. I could envision the US Army wanting to do so for defensive and offensive purposes when dealing with externalities but, internally? That's a little odd for the Army to be tasked with.

    Surprising? No, not really. Just in who it is. That's the only odd thing that I got from your post. I'd expect something, perhaps the NSA, different to be involved. Maybe the CIA but probably not the FBI. The Army is surprising but they've got a pretty decent "cyber warfare" program. I'd expect it to be external but, then again, the web is (by its nature) international.

    I've no idea if that's applicable here, with this particular person. If it is, then they're doing a very poor job of it and need to fire this guy. If it is automated then they need to tune them up again. They're illogical, inconsistent, instigating, interrupting, and inferior. (That's just a few of the words beginning with the letter "I".) They should ask for a refund, unless being unbelievable and obtuse is their goal? If "instantly recognized as a meatstick" is a desired operational parameter then they've achieved that.

    Oddly, this is not the first time I've made such observations and a few of them have quietly disappeared when others noticed. I do wonder if you are indeed onto something? It does seem a strange program for the Army to be involved in. I'd really expect a group tasked with such would be under a different heading - though perhaps it's buried under the Pentagon itself and is just manifest through the Army as they're already set up with a "cyber defense" program? I'd love more information, if you have it.

    --
    "So long and thanks for all the fish."
  62. Government surveillance uses Open Source by bug1 · · Score: 1

    Free and open source software can be _used_ for any purpose, good or evil.

    Sure we can acknowledge the good that is done, but let's not forget the evil it's used for.

    If there was an ethical licence, it would not be considered free or open, unfortunately.

  63. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    Well, it's true that they *announced* the new version along with the problem with the old version. The new version fixed the problem. And people who couldn't upgrade right away potentially (or really) had problems. OpenSSH has had a lot of cleanup (and a fork) since then. And the *real* big issue is that there is little non-open software to replace it. Sometimes weenies will offer up statements like the following: "Oh I could write an operating system", "oh, I could design a nuclear reactor", "oh, I could create an anti-gravity-time-travel machine". And in this case "oh, I could write a secure shell library". But the truth is that you need to be a cross between an advanced network engineer and a cryptographer, at the PhD level. Usually that's more degrees than most employers are willing to employ. So they use OpenSSL. And ... you get people saying "oh I could make one of those". No.

  64. Edward Snowden by Anonymous Coward · · Score: 0

    Heeeeeeeeere, Eddie Eddie Eddie... :-) Oh, how we miss you so.

  65. Re: "Couldn't be sure" by gweihir · · Score: 1

    Apparently you also have bad memory and dyslexia. And your creativity in insults is lacking, as you cannot even do more than copy. Seems my estimation of your level of insight is exactly right, namely none at all.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  66. Re: "Couldn't be sure" by gweihir · · Score: 1

    Ahahahahahaha, your naivety is cute.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  67. Re: "Couldn't be sure" by shawn2772 · · Score: 1

    Which is a good example of how and why OSS works: It was found, documented, traced back (no sign of foul play) and fixed. What do you think would have happened in a commercial, closed library?

    In commercial software it would be found, documented, traced back, and fixed. Documentation would be internal.

    Not in the vast majority of companies. I've been a professional software engineer for better than 25 years, and I've worked for a lot of different companies. In almost none of them is there any focus at all on going back to identify and fix problems in existing code. It's always about the next product release, or the next customization request... what will bring in more money.

    There are some exceptions, but they're mostly companies and products who are facing significant outside scrutiny. These days, I'm sure Cisco is spending a lot on internal security research, but only because they've been caught several times very publicly with their pants down, for example.

    OSS isn't a panacea, obviously. But it does mean that when someone decides they do care enough to look, they can find the problems, and fix them.

  68. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    Same could be said of any closed service. But since your employer peddles in closed services I'll go ahead and guess you don't think that is true.

  69. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    Which is a good example of how and why OSS works

    The point is, until it was found it was the same as proprietary software: you didn't know it was there despite having the code; in fact, you don't know about the many other critical vulnerabilities that still exist. It can't be exploited until it is found, so the only advantage that open source has is that (assuming you have the requisite level of knowledge) you can fix it yourself, whereas in the proprietary world the vendor has to fix it.

    Anybody saying "proprietary software is worse because bugs may exist but you don't know about them" is an idiot because the exact same thing applies to open source.

  70. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0, Informative

    Only if the company made it a priority and budgeted for it. Then it would be rolled into the next release, which may not come for months, or even years. Oh, and the next release will only be installed by users that can afford the upgrade fee.

    Have you really got so little experience in this industry that you actually think that's how it works? This is the sort of idiotic FUD that makes open source evangelists just look like complete imbeciles that have absolutely no idea what they're on about and only serves to undermine the open source movement as a whole. You really don't get updates with proprietary software? You really think that everybody that does get updates has to pay for them? You really think these updates come only after months or years of fixing an issue?

    Take your blatant stupidity elsewhere, the open source movement doesn't need your braindead bullshit. It can survive and thrive on its merit!

  71. Re: "Couldn't be sure" by Type44Q · · Score: 1

    though I guess it's a bit surprising that it is in the hands of the Army as opposed to something a bit more clandestine or tasked with a different charter.

    Considering their choice of location, it's easy to surmise that this is a joint military/intelligence endeavor of some sort...

  72. Re: "Couldn't be sure" by KGIII · · Score: 1

    Yeah, it is Meade. Hmm... I'll see what I can dredge up about it. I have some friends that are still in and have increased in rank a great deal. However, they're all Marines or Navy. Still, they might have some scuttlebutt. If anything interesting pops up, I'll email you. No need to respond, obviously.

    --
    "So long and thanks for all the fish."
  73. Re: "Couldn't be sure" by cold+fjord · · Score: 1

    There's a disinfo unit out of Fort Meade that uses low-grade nerds in uniform to overwhelm people in chatrooms when certain subjects come up; the government has openly solicited bids for software to allow these clowns to "handle multiple simultaneous chatbots and user accounts."

    "Clowns," huh? Unless you have some other info you seem to be confused about this program:

    U.S. Central Command 'friending' the enemy in psychological war

    By Shaun Waterman - The Washington Times - Tuesday, March 1, 2011

    The U.S. Central Command is stepping up psychological warfare operations using software that allows it to target social media websites used by terrorists.

    The Tampa, Fla.-based military command that runs the wars in Iraq and Afghanistan recently bought a special computer program that troops use to create multiple fake identities on the Internet. The military uses the fictitious identities to infiltrate groups and in some cases spread disinformation among extremist organizations such as al Qaeda and the Taliban with the goal of disrupting their operations, according to documents and U.S. officials.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  74. link hmmm by Anonymous Coward · · Score: 0

    http://20committee.com/2015/07/19/the-painful-truth-about-snowden/

  75. snowden reader by Anonymous Coward · · Score: 0

    http://20committee.com/2014/05/31/the-xx-committee-snowden-reader/

  76. Re: "Couldn't be sure" by cold+fjord · · Score: 2

    It looks to me like "Type44Q" is confused about this program that has been previously discussed on Slashdot IIRC:

    U.S. Central Command 'friending' the enemy in psychological war

    Not really what is implied by him.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  77. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    American Hasbara trolls?

  78. Bad publicity for free software by GuB-42 · · Score: 1

    Snowden used free software to commit what is basically a crime and brags about it...
    That his crime is defensible using whistleblower protection, that it is "for the greater good", doesn't make it different from a technical standpoint.

    And while anyone who understands the idea behind free software and encryption knows that it can help good citizens and criminals alike, it may not be the same for the general public. And many of them view Snowden as a traitor.

    1. Re:Bad publicity for free software by Anonymous Coward · · Score: 0

      And many view you as a bootlicker

  79. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    Don't forget there are people doing OSS projects who give a rat's ass about your security and privacy. If companies could get away with XORing output from the rand() function and calling that encryption, they would. Actually, in the past, before PGP, they did.

    Yes, one could always fret about a compiler inserting in stuff, masks on the CPU which have more "features" than the designer intended... but let's be real here. If an organization had that much backdoored, they will not be tipping their hand to prosecute someone and lose that advantage, other than a big fish. With a closed source OS, you have far less assurance of security, other than "trust us" items from the marketing people. It just might be that a closed source encryption utility is secure... but you never know, and you will not know until it is too late.

    Oh, it is harder to demand an OSS project add a backdoor. If someone checks in code adding an ADK to every OpenPGP transaction for GnuPG in GitHub, in a matter of minutes, there would be numerous forks.

  80. is this good for OSS? by sad_ · · Score: 1

    Is this a good thing for OSS, that Snowden mentions it made what he did possible? Snowden may get thumbs up by most on this site, but I believe the average joe takes the side of the government and thinks he's a 'terrorist'. What people know about OSS (if at all) is what MS and other companies have bombarded them with the last +10 years or so (communist, cancer, etc). So putting these two together, how will this further affect the reputation of OSS? It might give the government more free play to limit OSS development.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
    1. Re:is this good for OSS? by Anonymous Coward · · Score: 0

      Govt will regulate OSS. They already regulate open source hardware (under ITAR export laws).

      http://diydrones.com/forum/topics/3drobotics-stops-its-shipements-to-the-world-except-us-and-canada?commentId=705844%3AComment%3A1658097

      3DRobotics was forced to stop shipping the Pixhawk flight controller overseas. Which pushed development overseas.

  81. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    Philosophical mind flips from the dumbass LaoWai. We've tumbled before when I called you out for being a scumbag foreigner who thought he was hot shit for living in the ghetto. The point is, none of the neckbeards attached to any particular project are people you can actually trust unless you knew them intimately, first hand, face to face. You haven't. You just feel good about them because they're in your little clique that you feel so proud to be in.

  82. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    When will I (a 20 year professional engineer) be allowed to look at the source code of all the Google services that track me around the internet and ensure to my satisfaction that it's doing only what I'm being told in ToS?

    Google open sources just enough stuff to further their interests. You should not pretend it to be anything other than that, or people will rightly question the purity of your opinions.

  83. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    How do you know the govt doesn't have the source to "closed source" projects?

  84. Re: "Couldn't be sure" by Aighearach · · Score: 1

    Also known as "professional experience," but maybe you have a hard time dealing with word meanings?

    "He says something different than what I believe" doesn't imply naivety. It only implies we're different people.

    Make a point next time, beyond the raw pejorative.

  85. Re: "Couldn't be sure" by Anonymous Coward · · Score: 0

    How many times do people find bugs via use, versus poring through lines of code in an audit?

  86. Re: "Couldn't be sure" by allo · · Score: 1

    Of course. But this takes a lot more effort, and there is still the chance that somebody fixed your "small bug" before you finish your evil masterplan.