Just to be clear, this is not directed at you tptacek. However, I am genuinely confused at HN: whenever it comes to security/privacy most yell "Open Source Only", and yet a good chunk of them use 1Password, which I believe is closed source. It really doesn't make any sense. Why trust one over all the others? Obviously, given that open source does not equate to security and closed source does not equate to vulnerabilities. It makes it even more disconcerting when you see a security or privacy related "Show HN:" being immediately dismissed for choosing closed source.
In the end, choosing software for privacy/security is a matter of trust: How much do you trust a piece of software to protect your privacy/security?
We determine how much we trust a piece of software based on countless different social/technical factors. Being open-source is definitely a positive trust factor, but some people may place more weight on other factors such as pedigree of the developers, availability of corporate backing/funding (guaranteed continued development/support), or maturity/stability of the software itself.
I personally consider being open-source paramount when it comes to security/privacy software (and am one of those people who tend to dismiss anything privacy/security related that's not open-source, although I don't usually feel the urge to broadcast my dismissal to the world), but I respect that other people may not share the same set of priorities.
Why? Interested in your reasons. One plausible one is that trusting an author you know can be more practical than examining every line of a massive open source code base. Could that be a reason? Others?
Shotgun blast: open source software is easier to read. Is the quality higher? Depends: there are some terrible vendors, and there are some very shoddy open source security projects. Open source software, with a couple of exceptions, is rarely audited professionally. Widely used open source projects get shaken out for memory corruption and XSS. They do not as a rule get thoroughly evaluated for cryptographic flaws.
A more precise way to state my preferences:
I trust _crypto_ from Microsoft, Apple, or (especially) Google more than I trust _crypto_ from a developer I've never heard of before. I do not as a rule trust rando closed-source projects.
The same reason many of us use Windows. All other things being equal, open source is better than closed source, but all other things are not equal. In the end, getting shit done is more important than open source. Unless you are RMS.