[askmike]

I think open-source software is great as well, but assuming these kind of bugs are found because you can inspect the code is very wishful thinking that doesn't always hold up.

This specific example required a Google department to find it. Who would have found it if Google got restrained by the NSA?. Other notable examples include openSSL.

On top of that, here is a great talk about how easy it would be to infiltrate open source projects: https://www.youtube.com/watch?v=fwcl17Q0bpk

[feanaro]

The fact it's open source enabled someone outside the project to find it in practice. While also possible with closed source software, if you think the bar is possibly too high with an open source project, it is an order of magnitude higher with closed source.

Also, please don't say "Google". A bunch of hackers (on Google's payroll) found it, not Google. We can't tell what would've happened in a counterfactual universe where Google was not financing Project Zero.

[gretch]

I’m shocked at how cynical your perspective is that you don’t grant credit here.

Like if I said “the police didn’t save me from the hostage situation. Some hero saved me who happened to be working for the police. In an alternate universe we don’t where this guy isn’t employed by the police, we don’t know if he wouldn’t have saved me anyway”

Can’t you just say, thanks police, you saved me.

[matheusmoreira]

> Can’t you just say, thanks police, you saved me.

No. The police doesn't actually have to save people. When that happens, it's because of the heroism of individual officers.

https://en.wikipedia.org/wiki/Warren_v._District_of_Columbia

[feanaro]

I just prefer congratulating the actual people that did this instead of the relatively arbitrary money supplier. You could say I'm equally shocked that credit is propagated as "Google" instead of the names of the researchers.

[askmike]

The reason I said Google because I think that if the NSA pulled some strings at Google, this exploit would not have been published. As such this was all in the hands of Google.

[o-__-o]

Do you know what your app library dependency is doing? They talked about advertising and that got people up in a roar... but what if it’s doing reconnaissance? Mapping out your build and deploy infrastructure because you fetch externally from 12 different locations along your pipeline. Then one day they target a specific company in a patch release and then fix it later. In a high release project you would never know.

Who’s got your back on that?

[t34543]

What it does mean is that the community can fix it, and you don’t have to divert time from a product approved sprint to fix sec bugs.

[newscracker]

It's also ironic that the community fixing something for a security issue isn't going to help much since almost all the users rely on the app stores (Play Store in this case, since it seems like this is Android specific) for updates and wouldn't get any fixes unless they're tech savvy or until the developer (Signal) pushes the update to the Play Store and Google approves it.