by dkokelley 1266 days ago
I don't buy the "if it's open source we can see/audit/trust the service" argument.

1. Bugs get missed all of the time in OSS. There is no guarantee that the more eyes the better, and in fact there may be a negative correlation due to the bystander effect [citation needed].

2. A software service is a complex interaction between many pieces of software. Two perfectly secure, audited pieces of software could interact in an exploitable way.

3. Just because the service provider tells you "this is the code, this is how we keep you secure, etc." doesn't mean it's true in practice. A bad actor could modify the code in production before the next version of "audited, trusted, OSS" is vetted.

4. Security practices outside of the code also matter (arguably more so), and even an organization with good policies can fail to follow them at times.

Ultimately, we're trusting the people behind the services we use to be honest and do their best. It seems that LastPass has demonstrated they aren't as deserving of that trust lately, but THE SAME THING COULD HAPPEN AT ANY ORGANIZATION.

Footnote: LP/1P could push an update that grabs everything necessary to decrypt your password vault the next time you log in.
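Point 3 above (and the footnote) describe the gap between the code that was audited and the code that is actually served. The only thing a client can do about that gap on its own is compare what it received against a digest pinned at audit time. The following is an added example, not code from the thread or from either vendor it mentions: it assumes an out-of-band "audit manifest" of SHA-256 digests exists, and the artifact bytes are constructed here for illustration. It catches a modified or extra artifact but, as points 2 and 4 note, says nothing about server-side code the client never sees.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an artifact, as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(audited_artifacts: dict[str, bytes]) -> dict[str, str]:
    """Pin the digest of each artifact as it was at audit time.

    In practice this manifest would be produced from the reviewed tree
    (ideally a reproducible build) and distributed separately from the
    artifacts themselves; here it is built inline from constructed bytes.
    """
    return {name: sha256_hex(blob) for name, blob in audited_artifacts.items()}


def verify_deployment(manifest: dict[str, str], deployed: dict[str, bytes]) -> dict[str, str]:
    """Compare what is actually served against the audited manifest.

    Returns a mapping of artifact name -> problem. An empty dict means every
    audited artifact is present, byte-identical, and nothing unaudited was
    served alongside it.
    """
    problems: dict[str, str] = {}
    for name, expected in manifest.items():
        blob = deployed.get(name)
        if blob is None:
            problems[name] = "missing"
            continue
        actual = sha256_hex(blob)
        # compare_digest avoids leaking where the mismatch is via timing.
        if not hmac.compare_digest(actual, expected):
            problems[name] = f"modified (expected {expected[:12]}..., got {actual[:12]}...)"
    # Anything served that the audit never covered is itself a finding.
    for name in deployed.keys() - manifest.keys():
        problems[name] = "unaudited artifact served"
    return problems


# Constructed sample: a tiny "vault client" as reviewed at audit time.
AUDITED = {
    "vault.js": b"function unlock(master) { return deriveKey(master); }",
    "crypto.js": b"function deriveKey(m) { return pbkdf2(m, salt, 100000); }",
}
MANIFEST = build_manifest(AUDITED)

# What a client might actually be served: one copy identical to the audit,
# one where a file changed after the audit and an extra file appeared.
DEPLOYED_CLEAN = dict(AUDITED)
DEPLOYED_TAMPERED = dict(AUDITED)
DEPLOYED_TAMPERED["vault.js"] = b"function unlock(master) { return deriveKey(master, 1); }"
DEPLOYED_TAMPERED["extra.js"] = b"// not part of the audited tree"


if __name__ == "__main__":
    print("clean deployment:", verify_deployment(MANIFEST, DEPLOYED_CLEAN) or "OK")
    print("tampered deployment:", verify_deployment(MANIFEST, DEPLOYED_TAMPERED))
```

The check is only as good as the manifest: if the same party that serves the code also serves the digests, a compromised release pipeline can update both, which is why the manifest has to come from the auditor (or from a reproducible build you ran yourself) rather than from the service.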


Source code is necessary for trust, but not sufficient.
It's a nice data point, but it's not necessary to me. Do you have the source code to your mail service provider or your online banking software? [1]

Having the source code available says a few nice things:

1. This company is confident enough to show their work

2. This company is "good" at software engineering (or it could reveal the opposite)

[1] I know some people can and do run their own mail servers. I can respect that, but I trust the Google devs and organization to be properly competent and incentivized to do a good job keeping my email account safe.

My mail provider and bank may be fine for their intended purposes, but I definitely don't trust them for storage of secrets or keys.