by yeukhon 4659 days ago
I'd want to hear Linus responding to both the OP and Taylor. But quick thought: do people like Bruce Schneier ever read this file? I think in the next year or two we will see a huge amount of research going into finding "backdoors", suggesting implementation weaknesses. I am not going to speculate too much about who is an NSA mole or why certain code got into the codebase. I'm more interested in researchers finding more weaknesses, like how Barton Miller did by fuzzing Unix programs back in the 90s! I wish I had enough knowledge to help out.

Bruce Schneier

I have all the respect for the guy, really, but then I read his Guardian article "how to keep your data safe and secure", in which he mentions keeping an "air gap" between computers with sensitive data, but then he himself admits that, after all his methods and safeguards for the leaks he is working with, he uses Windows and USB sticks to transfer (encrypted) files between them.

He uses Windows.

He uses Windows.

And he was claiming in the article that free and open source software is better for security. Oh really, so your encrypted files on your USB sticks for sure can't spread malware across your air gap through a file-system exploit? For sure it has never been done before that a file system could be used to take over an OS's internals, oh never.

It's still good advice. In fact, unless you audit the source of your OS, its compiler, hardware and any software you need to use, you can't really make any guarantees either.
I can make you the guarantee that Microsoft is actively cooperating with the NSA and has backdoors in Windows.

I can guarantee you that few people have access to the Windows source to check it.

I can also guarantee you that many more people have access and have audited the source code of a GNU/Linux system.

I can't guarantee you that GNU/Linux doesn't have backdoors. But for all intents and purposes it is just plain wrong to use Windows for any security related activities.

Would you be more comfortable leaking documents using a GNU/Linux livecd or Windows?

Sorry. I think you are too paranoid. You are. Closed source can have backdoors and open source can have backdoors too. I like to use Linux and my Mac to do programming work, but it doesn't mean I don't care about Windows.

If you think Linux has less chance of getting a backdoor, well, look at all the speculation we got these days. If the NIST cryptographic standard has reduced security, as many people believe, then your communication is dead.

If you believe that all ISPs are cooperating with the US government here in the US, why the hell are you still using the Internet as we know it? You are guaranteeing that only an open source system will not have a backdoor while a closed source one must have. Microsoft has collaboration with the NSA in one way or another. Is that a secret? Most of their "collaboration" probably comes from business things like military-kind projects. They might have backdoors. But a guarantee is a big assumption. If you don't have solid proof then you are making a false accusation.

It's like saying that because your friend shakes hands and hangs out with a cold-blooded murderer he must be a cold-blooded person too. Plain wrong, ignorant and simply stupid.

Security has trust involved. If you don't trust your USB, your own product, then you will not get any security. There is nothing wrong with transferring things between USB and Windows computers. It's fine. You can still run SCP and SSH over your Windows socket. Is that now weaker because damn MS is working with the NSA as you say?

Someone give this man a cookie because we are obviously living in a fantasy.

If you think your iPod and your laptop don't have backdoors, according to how MS and Intel are working with the NSA, you are contradicting yourself. Stop using the Internet and stop using anything. Then you are safe.

I think you are throwing the baby out with the bath water here.

Bruce Schneier can be presumed to have evaluated his risks; he's a very well known author on exactly that.

Using [only] Windows should automatically disqualify one from giving any security related advice.

At least Linux and BSD source is viewable by people. Lots of people.

The same lots of people that immediately noticed when Debian shipped a broken OpenSSL? Or the ones that didn't notice at all for years until somebody noticed identical certs showing up in the wild?

https://en.wikipedia.org/wiki/Random_number_generator_attack...