|
|
|
|
|
|
by tptacek
4579 days ago
|
|
|
People insist on looking at this through their default prism of "closed source bad, open source good". But people with crypto experience have other prisms; for instance, "competent, well-vetted crypto" versus "amateur enthusiast crypto". Sometimes open source is also competent and well-vetted, but vetting is expensive, and there is a lot of amateur crypto out there. |
|
|
You seem to be implying that one must be a hobbyist in order to write incompetent crypto software with no or incompetent review and tend to need company resources to get quality code reviews.
Having crypto is often an important checkmark and tack on for shipping a product and usually no one in the product group is competent to analyze the security of the way they tacked on encryption. If a few in the larger company are competent, they will avoid reviewing these projects. Being the engineer everyone associates with delays and frustrations doesn't do much for you and there will never be any proof of the costs you may have prevented.
The few better than I know how to criticize implementations that I have seen haveusually had considerable cross company and university involvement. That usually means open source or a lot of NDA and complex license agreements for cross organization code sharing.