> I have no reason to be any more confident in OpenBSD than in Windows
Past statistics show that OpenBSD is safer. It's had far fewer security issues and has a much cleaner codebase.
If you don't place faith in past statistics then you're willfully ignoring the best means of predicting future behavior.
In addition, OpenBSD has far fewer lines of code, and the most reliable correlation with security holes is lines of code. Simply by having fewer LoC, OpenBSD is already statistically less likely to contain a security hole.
> chain of trust
Yeah, with Microsoft your chain of trust is Microsoft employees and the word of other people reverse engineering the code (e.g. the people who said the _NSAKEY thing was legit after reverse engineering a small portion of the code).
With OpenBSD your chain of trust includes me, the developers, and other eyes that have looked at the code. The "many eyes" theory is not flawed. It never stated that having many eyes eliminates all bugs, merely that it's better to have more eyes than fewer eyes and increases the chance a bug is noticed. There's no sane way to argue against that statement unless you turn it into a ridiculous strawman of "many eyes means heartbleed couldn't have happened QED".
> Am I to believe that the NSA gagged with thousand or so developers who work on Windows, or just the 10 who manage OpenSSL
It's much easier to believe that the NSA could gag one or two of a thousand developers than one or two of 10. Believe me, you don't have to get all MS employees to futz Windows security. Just getting one at random already gives you a decent probability of getting a kernel-level exploit, and selecting five or so specific employees can get you a hell of a lot more.
> the "NSA paid/forced MS" boogeyman
Evidence in this post-Snowden era indicates the NSA has worked to backdoor commercial software. It's also quite possible heartbleed was an NSA-inspired hole, though I don't think that would be a productive discussion to have.
If you read leaked NSA slides and look at what they have done (such as the Verizon MITM closet) then backdooring operating systems is not a bogeyman, it's quite reasonable.
You cite that they have intercepted data without the consent of the parties involved, but that ignores the fact that they also coerce parties as well; just because they have used the tactic you mention does not mean it's the only tactic they use.
If you're going to argue that BSD is no more secure than Windows and the NSA is not in fact using gag orders and subverting software, you'll need a heck of a better argument.