Can't believe people are getting so jazzed over proprietary encryption technology! It's a truly horrible idea, especially as there are already existing F/OSS alternatives, such as https://chatsecure.org/ for iPhone.
The Debian OpenSSL example is a really bad example and does not prove or disprove anything. It certainly does not prove that secret security is somehow equal or better than open.
I can give any number of examples of bad medicine, which even if their ingredients are well publicized, documented and reviewed, they still performed badly. In what way would that prove that secret sauce medicine is equal or even more safe to use? I would never trust any medicine claiming secret sauce.
Any security can fail, but if you can't review it, the security is never trustworthy. Never. Not once! You might trust the company/producers of it, but the same goes for medicine. I might trust a doctor to give me a pill without telling me what's in it, but somehow I would not trust the same doctor if he refused to tell me what's in it.
Medicine requires a very high trust level because they can cause bodily harm. We don't trust secret sauce medicine. If you need to put the same, or even higher trust in a piece of software, why would you trust secret sauce software?
Sure, that oil which was created from snakes might cure cancer, fix your infected wound, and solve any other ills you got. It might also do nothing and thus you die.
Sure, that software might protect you from an oppressive state, hide you from mobsters with hitmen, or protect the witness. It might also do nothing and thus you die.
Sure, you personally might not be able to review medicine or software, but knowing that someone can review it will make you feel safer. It also helps to know that as soon someone does find a bug in medicine or open software, everyone can identify what things are affected by it. With secret sauce, who knows whatever else might include a copy of it if they refuse to disclose it.
Without public availability of the source code and an auditable trail from source to build, there is really no way to trust it.
This is where I feel you might be a little bit dogmatic.
You don't need the source code to audit software. Software that are heavily used are audited.
Microsoft software is probably more scrutinized that any other open source one (I'm not implying it's more secure, just that it's more analyzed).
Security is a question of trust, not a question of source code. Even if you do the audit yourself, it's a question of trust: it means you trust your own abilities to evaluate the security.
I'll go a little bit further.
Did you check that the computer you bought isn't rigged? Maybe someone can remotely control your webcam or eavesdrop your keyboard.
Did you check that the operating system you have hasn't been compromised? Maybe someone intercepted your download and patched it on the fly to insert a backdoor.
Is your home physically secure? Maybe someone is copying your hard disk every day.
You're right when you say Silent Circle should be scrutinized and criticized.
Nevertheless, I disagree when you imply that the unavailability of its source code is a show stopper. Source code only makes one small part of the security audit a little bit easier.
BS! Crypto software has to be open source to be taken seriously - all the other things you write about are additional factors that count in and are not related to this one argument, so you are trying to wishiwashi the discussion - it only shows that you think your readers are not able to think clearly and in a well-structured way or you are not able to do it.
Without sourcecode no crypto routines can be trusted - period. Anything else might work in the fake industries, where producing marketing lies is part of a standardized way to make money, but not in the real crypto world.
Your opinion only makes sense if you think P(your analysis of the source code is correct) > P(you can trust person X) * P(person X's analysis of the source code is correct).
Actually the right hand side is much more difficult to defeat because it involves more than one person.
It is impossible to achieve trust in a tool, if process and function is kept intentionally hidden away, and your life is in the balance.
Knowing that medicine is openly reviewable create a trust level that secret sauce never can achieve.
Knowing that airplane/train/building architect plans are openly accessible creates a trust level that secret sauce never can achieve.
scrutinized security can sometimes help, but, again, would you trust secret sauce medicine just because 100 000 other people has done so and to your knowledge, no one died?
Unavailability of source code is a show stopper if you need to bet your life on the chance that it will perform correctly. Everything else is blind faith, and while its true that some people will accept blind faith over "real trustworthyness", those same people also form sects who refuse medicine and trust that a miracle will magically wand cancer away.
Security might be a process, but it require an process that gives the person on the receiving end a mean to assess trust. Secret sauce is inherit impossible to do so. Historical information (like the windows example) helps, but in the end, it is just a black box with oil in it that says "made from snakes - cures everything". So far, it has in some cases worked, and in other not, and several times the sauce has been announced as "improved" with new versions. Still, would you prefer to bet your life on it, or on a open disclosed medicine which might actually have been reviewed by a third-party? Which one is more trustworthy?
The idea is about taking it to "trusted-by-me", rather than relying on "industry-trusted" or "trusted-by-someone-else" sources for analysis and verification.
That doesn't mean that the "trusted-by-me" source has the means or the ability to give it the OK, but more that I don't have to trust you at all.
Security can only be guaranteed by the people you trust, rather than the people everyone else trusts.