First of all, these organizations don't pop up or maintain themselves magically, it takes a leader to get this started and a smart team to keep it going. They deserve to be recognized for truly great work.
Second, I think having open government data in a truly ACCESSIBLE format is extremely important. If you've ever tried to look up data on the FEC site, you'll know what I mean. Not to take away from the FEC data site -- it's an incredible data resource, but tech companies certainly do a better job productizing these large amounts of data from the government.
Sharp thinking. Our business (GovPredict) is built around structuring fragmented government data. We've profited a great deal by it, and have some bandwidth and the inclination to now perform a public service and give the public access to a good deal of formerly unnavigable data.
Without whatsapp being open source, how do we know for sure that Facebook is not somehow storing or reading our messages?
As good as this sounds on paper, I hesitate to trust Facebook to transmit my data without wanting to peek a bit. I currently use both Whatsapp and Signal and will probably continue to do the same unless there is a way for users to verify Facebook doesn't keep a copy.
Taking the example of Skype, the hardening/on-the-fly decryption techniques used in the binary made the reverse engineering very difficult [0]. Difficult to reliably audit such software.
Don't know about Whatsapp though.
Maybe it is feasible, but at the very least I would wait for someone to reverse engineer it and publicly publish its findings. I do not have the skills to do that.
Moreover, if reverse engineering is so easy, why not open-source it from the beginning?
If you don't have the skills to do basic verification of a non-obfuscated binary, you don't have the skills to verify an encrypted messaging protocol implementation from source either: the latter task is harder than the former!
I think the misconception some people here have about the necessity of source code is born out of the idea that a cryptographic backdoor would look something like a mysterious HTTP POST of your key or plaintext to some random endpoint (that POST, by the way, would be trivial to spot in the binary; you wouldn't even need to read assembly).
But real cryptographic backdoors can be extremely difficult to spot. A cryptographic algorithm that uses signatures, for instance, can be fatally compromised by breaking signatures (see: TLS). An injected cryptographic flaw that breaks signatures can be as simple as biasing a single-digit number of bits in a nonce; a bias can be as subtle as generating one less byte of randomness than the protocol requires.
> If you don't have the skills to do basic verification of a non-obfuscated binary, you don't have the skills to verify an encrypted messaging protocol implementation from source either: the latter task is harder than the former!
Those aren't quite the same skill though. Some folks could have the skills to verify protocols from source, but not the skills to work with a non-obfuscated binary. Task 'A' being harder than task 'B' doesn't mean that everyone who can do 'A' (harder task) is capable of 'B' (easier). Nor does the inverse follow at all.
If we admit that doing basic (non-messaging protocol impl) verification on a binary is difficult and doing messaging protocol impl verification is also difficult, it seems reasonable to presume that doing both will take more time, work, and as a result, allow for more errors in verification.
Essentially, verifying impls without source code is more difficult/time consuming/error prone than verifying ones with source code.
Of course, they could give someone the source code to verify without making it open source. But that requires that one trust this other party, selected by folks who have an interest in their protocol being reported as secure (whether it is or not).
The goal when folks are looking for freely available source code is to eliminate some of those needs for trust (by allowing a greater number of verifiers) and eliminate some of the conflict of interest (by removing some control the interested party has).
Sure, closed source bits that promise to be good and that we can (potentially) look at are OK. But having source code for them is still better.
I think the argument (one I'm not expert enough to make) is that the source may or may not be helpful to someone who is competent enough to validate an encrypted message application, but it is not what you need to verify.
You must verify the binary because you cannot trust the source, so it is a basic skill of anyone who has the competency to validate an encrypted message application.
Now, it's possible that the source along with repeatable builds makes verifying the binary easier for someone with the skills necessary, but even with those things, they still have to verify the binary.
Don't tell me that it's easier to RE an entire multi-megabyte messenger app than it is to read the source code. Assembly can lie to you as well. There are all sorts of ways to trick IDA and friends.
One does not preclude the other. For instance, the current Signal implementation is almost certainly prone to remote code execution.
How does the Signal project handle reports of potential vulnerabilities? I haven't seen any security contact information on the OpenWhisperSystems site.
I realize you've gotten hammered by downvotes already, but this comment crosses the additional (and much worse) line of personal attack. Please don't do that on HN, regardless of who you're disagreeing with or how wrong they may be.
After leaving the YC startup I co-founded, then doing consulting in SF for about 6 months after, I decided to leave the valley at the end of 2015.
Where did I move to? Medellin, Colombia. While I'm not sure I'll stay here forever and may move back to SF at some point, I'm definitely enjoying living down here for the moment. I'm doing remote software consulting, so I am geographically agnostic.
I definitely miss friends, the hustle, and being surrounded by smart people in SF. However, there are a lot of things I do not miss about SF. For example:
Prices: SF <> Medellin
Rent: $2000 (mediocre) <> $300 (nice, best part of town)
Interesting take on consulting. I agree, the traditional consulting model is fundamentally flawed, but after reading some of his other blog posts, I'm not as sold on his approach to hiring and "orchestrating." For example:
"In our projects we discourage any horizontal communications between programmers, and you won't be able to get any help from anyone. You will be on your own and you will fail, because you are used to patronizing someone senior, in your office."
This is so ludicrous that it almost sounds sarcastic. While I agree there is value in searching out your own solution, talking through problems and asking advice from team members is very valuable. It doesn't have to be a junior asking a senior. There's clear value in talking problems out with an equal and even a senior talking through a problem with a junior.
As a former student of CS5 (the class), I must say it was spectacularly well-run, fun, and educational. Zach Dodds, one of the authors of this book, was a particularly brilliant and inspiring professor.
While I'm an advocate for practical education, I'm equally an advocate for understanding the principles of your field. This book is much less vocational than your typical code-school/academy/etc. and instead focuses on building a foundation you can build upon.
I highly recommend this as a great primer to computer science.
Hey, I worked as a consultant for a while and would be happy to share my contract with you. I had it drafted by a good lawyer that I trust. Contact me through my site mailer: http://nealke.mp. I am very glad to see you are being proactive about getting a good contract form to start. I did not do the same and was burnt.
I also highly recommend getting a lawyer you trust so you can go to him/her with questions. I also have some more advice contained in a conf talk I did back in January: https://www.youtube.com/watch?v=ZUCl0PPAT9U
Hope that helps; consulting is a fantastic job when done properly! Feel free to reach out with more questions.
I've worked with over 25 clients in 4 countries and am on the lookout for interesting new projects. I won't belabor an explanation of my philosophy and experience on this thread, but please visit http://nealke.mp or email me if you are interested in learning more. You can contact me at me( at )nealke( . )mp