Quote:
Originally Posted by sas
Most people (including myself) are not programmers. Even if I see the code, I can't understand if it is secure or not. Some people, including us, believe that if it is open source, and no one found anything doubtful, it should be more reliable than some company's claim that 'everything is OK'. But most users want phone & customer support more than widely tested features. And from this point of view, a closed-source single-company product has advantages over an open-source, but not so user-friendly supported, one.
This has been an ongoing discussion on the scramdisk newsgroup, and of course DriveCrypt (closed-source) fans have been arguing along these lines.
However, trust me, there are always people who actually review the code of open-source security applications (I am one of them).
Open source itself might not be the guarantee of a backdoor-/bug-free application, but it is definitely the prerequisite!
In the case of DriveCrypt for example, you have no way of knowing
a) whether it is bug-free (if it contains a nasty bug compromising its security - how would you know?)
b) whether it contains a back-door (I don't give much for the promises of a for-profit company)
Also, one example of open-source security code actually getting closely scrutinized:
GBDE, the GEOM-based disk encryption in FreeBSD 5.x (see my first post in this thread).
GBDE was reviewed by two very well respected cryptographers: Dr David Wagner from Berkeley U and Lucky Green.