Security Reviews and Feedback

From Kicksecure
Jump to navigation Jump to search

Reviews and feedback about the security of Kicksecure.

Definition of Audit

The term "audit" in the context of computer security is frequently used without a clear definition. It is often referenced as a general concept, with little consideration for what an audit entails or how it is conducted. Many discussions assume that an audit is a simple, standardized process. An item to be checked off a list without a thorough understanding of its scope, methodology, or significance.

Lack of Formal Audits

Kicksecure has not been subject to a full formal audit, but that has little significance. At the time of writing, other security/privacy-focused distributions like TAILS and Qubes have not been audited either. Even major operating systems such as Debian, Arch, and Fedora have not had public, published audits to date.

Absence of Recognized Experts

We are unaware of any serious research concerning the above distributions. Furthermore, no recognized experts, such as Bruce Schneierarchive.org iconarchive.today icon in cryptography, exist for conducting a security-focused operating system review.

Limitations of Published Audits

Even the usefulness of any published audit must be considered. Audits of software and operating system platforms are necessarily carefully defined and limited in scope due to the vast complexity of such an undertaking. There are no all-encompassing audits that thoroughly examine or evaluate every possible aspect of security.

Examples of Formal Security Audits of Other Software

There have been formal audits of cryptocurrency wallets.

Examples of Partial Security Audits

Independent researchers occasionally conduct partial security audits, a practice often referred to as security research.

Typically, researchers identify areas of interest either through their own investigations or by being directed to them by others. If a particular issue captures their attention, they may examine a few specific aspects in greater detail. White hat hackers who uncover security vulnerabilities may choose to publish a full public disclosure for the benefit of the community.

Security researchers often refer to themselves as such rather than as security experts or auditors. This distinction may be intentional, recognizing the additional weight and implications associated with the latter titles.

These independent researchers are usually not hired by the software projects they analyze, which can be beneficial as it helps maintain their impartiality. However, they do not claim to conduct full formal audits. Instead, they typically provide evidence of the security issues they discover while avoiding broad statements such as "we performed a full formal security audit" or "we found no security issues."

Examples of Security Research

Nothing comparable exists for security-focused Linux distributions.

Examples of Unaudited Software

To explore this issue in further detail, consider the GNU wget computer program, which retrieves content from web servers. Has wget ever been fully, formally audited? Even if it has, what did the audit entail? A professional company providing software security audits as a service, or some kind of certification? At present, no such entities exist to provide this service within the Free Software and Open Source ecosystem, meaning there are no official quality seals for Linux distributions.

If the reader is aware of any such examples, please get in contact or edit this section. Also, consider whether it is reasonable to expect a reputable organization or individual to make statements like: "GNU wget has been audited, and no security vulnerabilities were found." In reality, it usually happens the other way around; when someone reviews the source code and finds nothing wrong, nothing is reported. On the other hand, if a vulnerability is found, it may bring recognition. Essentially, anyone who claims beforehand to have found no security issues does not receive a boost to their reputation but, in fact, risks looking bad if problems are discovered later on after their previous statements about no security issues.

Call for Audits

Anybody undertaking an audit of Kicksecure is kindly asked to edit this section or get in contact so the outcome can be linked here.

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!

Retrieved from "https://www.kicksecure.com/w/index.php?title=Security_Reviews_and_Feedback&oldid=91523"