Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Security by popularity is nonsense just the same as security by obfuscation.


Technically obfuscation is perfect until it's found. And many times it's never found (the same is true for passwords in general, you could argue that's a form of obfuscation). For example who would ever find a compressed file that masquerades as completely unrelated and harmless looking plain text that was made with a custom dictionary? I think it's more about how good the obfuscation is rather than it being used at all.


This has been disproven many times. Way back in 2010 it was demonstrated that any 14 character password with special characters could be guessed within 10 seconds using a rainbow table. Likewise obfuscation only hides defects from people, not bots, which only serves to speed compromise and slow resolution.


A rainbow table is ineffective against one-way hashes that include large salts, which is most modern password algorithms.

I also don't see how this is related to, or disproves, anything I said...


> Security by popularity is nonsense

This is not what the author was suggesting. The author is suggesting that, more people using an open source piece of code has a higher chance to be revised which ultimately would lead to a better security.


Who checks dependencies other than the author of the library ? The only time I check them is when they break and that's not a good thing.

I see this argument as “it’s not my job” type of argument.

Most of the time you just install and use. If I had infinite time, I’d do it because it’s fun but I don’t so I don’t.

If there’s a trust chain and I know for sure certain libraries are reviewed I’d have a peace of mind. Alas, that’s not the case and we spend our days in back burner paranoia or blissful ignorance.


well a lot of people do it. Specially if the code is part of a project going through some auditing, or certification.


This argument comes up super frequently. Yes, more people actually reading the source code is better for identifying security vulnerabilities, but that almost never how it’s either articulated or implied.

When most people make this argument the suggestion is that popular software must be more secure because somebody would have certainly identified and reported the vulnerability. That makes several assumptions not qualified by evidence. In other words it’s wishful thinking.

As a case in point when I reported my first V8 defect it was around the time of Node 4.4. Chrome had been out for several years at that point with many millions of users. The defect I found was that V8 could not perform recursion using only function name. WTF. The problem was missing test cases, not a lack of eye balls.


To adjust an old joke about economics:

“Two open source maintainers are walking along the street when one says:

Look! A repo exposing an API allowing unprivileged deletion of users!

The other replied: that vulnerability clearly cannot be real, as someone would have fixed it already.”




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: