> Prefer software with thousands rather than millions of users
Yep, guess which software shows up as a toy CTF challenge for the weekend? Just because you can understand how something works doesn’t mean it’s secure.
The concrete thing I'm doing and generalizing from boils down to:
* Starting from Lua which seems to have a decent security story;
* Changing a few lines of _safe_ Lua for yourself without introducing new buffer overflows and so on;
* and limiting the reach of those changes to a few thousand people _at most_. (99% of forks won't have even that, thanks to the tyranny of the power law.)
Your comment is very much something I think about. I don't think it's as cut and dried as you make it sound. It seems worth exploring. It seems analogous to doing controlled burns every year to avoid humongous wildfires.
Excellent advice. I will now look only for things that I have no chance to understand.
Proprietary systems are probably the best bet since we are, by definition, not allowed to understand. Only Windows for OS and secure pulse for internet connection for me - there couldn't possibly be any major security flaws with that logic, right?