Comments: Heartbleed v Ethereum v Tezos: has the Open Source model utterly failed to secure the world's infrastructure? Or is there a missing trick here?

"the paid model does typically carry liability"

No. This is just absolutely false. The copyright cartel has ensured that nobody will be liable for anything, ever.

Open source:

http://opensource.org/licenses/MIT

"THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."

"Paid model":

http://support.microsoft.com/gp/mats_eula

"The software is licensed "as-is." You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement."

Posted by Glyph at August 14, 2014 12:19 PM

Your article makes good points about how serious the problem is and how untrustworthy the proposed solutions are.

But let's not swallow the recent PR as anything more than PR.

The Snowden NSA leaks have established that the companies you cite as "willing to fund a better security" are paid by the spy agencies to inject secret backdoors into their products.

It is no accident that despite its very obvious flaws and disastrous background (a constant stream of vulnerabilities) OpenSSL is used by almost all VPNs, firewalls and routers on almost every available operating system and device (including smartcards!):

"How do you protect what you want to exploit?"
- Scott Charney, VP Trustworthy Computing, Microsoft

The OpenSSL Foundation (like Linux, Microsoft, CISCO, etc.) was paid to use the latest NSA-backdoored PRNG so the $2,500-a-year is just a presentable excuse for the masses.

In a world of deception, the goal is to write nice stories: "OK we did it wrong but, hey, we promise to do better next time". Business, finance and politics use the same tactic because that's a common system of defense backed by (necessarily) complacent authorities.

If we want to offer any serious security, let's focus on what's wrong to avoid the same problems.

Posted by Frank V. at August 24, 2014 06:03 AM