[Cryptography] EFF amicus brief in support of Apple

Perry E. Metzger perry at piermont.com
Sun Mar 6 14:20:28 EST 2016


On Sun, 6 Mar 2016 13:42:11 -0500 grarpamp <grarpamp at gmail.com> wrote:
> > It's time we stopped believing that there's something magic about
> > open source software.
> 
> > There's no way the average person can build their own software
> > from source [...] forcing your 80 year old grandfather who used
> > to be a chef to audit a few million lines of source code, compile
> > them, and load them onto his phone before he can make a phone
> > call isn't going to help
> 
> No. See, those are the real problems... mindset. You all who say
> this type of talk are disbelieving apologists still trying to
> advance control, profit, babysitting, trust us we know better,
> etc... over others.

I'm a practical person. I want systems that work, not that provide
some sort of philosophical warm fuzzies.

Now, I've spent a very large fraction of my career working on things
like open source operating systems for the love of it, and I'm very
sympathetic to feelings of affection towards those, but most of my
time has been spent on security work, and I've drawn some inexorable
conclusions from working on *that*.

One of those conclusions is that normal users (and that means
everyone, even security people, when they're trying to get their work
done) cannot be trusted to make decisions that will keep their systems
secure. You just can't remain alert every minute you're using a
computer. Nor, for that matter, is it rational to expect people to
want to.

Economies of scale are real things. It is nice for a hundred million
people to be able to download patches to their systems automatically
without even having to think about it or understand what a patch is
for that matter. We've learned that the risks associated with the
automated patching systems are much lower, in practice, than the risks
of unpatched systems. It is nice for people to be able to download a
game or a to-do application without having to personally audit the
code, and we've found that systems that make this easier even at the
cost of openness (say, iOS) seem to work better than those that are
more flexible about it (say, Android).

> No one is asserting that opensource is
> currently better or magic. However, when a billion humans around
> the world *may* look at and even participate in the hw and sw if
> they wanted to, versus only 25 people locked in the coderoom of a
> megacorp whose primary raison d'être is by definition making
> money... the possible odds that it *could* be better and even a
> solution to everything as you say... are in fact better.

Where's the evidence for your assertion? If you look at Android vs.
iOS, iOS, with its much more restrictive environment, seems (as a
practical matter) to be more secure.

> Nor do I see you offering to personally help those grandfathers
> around you get their phone / cpu up and running when they
> understand *why* they want to use the open hw and sw, but
> come asking some human they know who can help the details.

There are hundreds to thousands of people in the world who can't
compile their own operating systems for every one of us who can. What
you're suggesting is impossible. There is no way any of us who can,
in fact, compile an OS kernel would get any work done if we were all
expected to spend our days "offering to personally help" everyone
else do such things.


Perry
-- 
Perry E. Metzger		perry at piermont.com

