[112652] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: Death of antivirus software imminent

daemon@ATHENA.MIT.EDU (Adam Shostack)
Mon Jan 7 20:44:18 2008

Date: Mon, 7 Jan 2008 16:12:56 -0500
From: Adam Shostack <adam@homeport.org>
To: dan@geer.org
Cc: "Leichter, Jerry" <leichter_jerrold@emc.com>, cryptography@metzdowd.com
In-Reply-To: <20080107153500.1E91533E8A@absinthe.tinho.net>

On Mon, Jan 07, 2008 at 10:35:00AM -0500, dan@geer.org wrote:
| 
| Jerry,
| 
| It is always possible that I misunderstand the McCabe
| score which may come from the fact that so many build
| environments compute it along with producing the binary,
| i.e., independent of human eyeballs.  If complexity
| scoring requires human eyeballs or the presence of the
| designer's flow charts, then will we ever get meaningful
| numbers (sans artificial intelilgence) for code we did
| not write ourselves?  [...yes, this parallels the many
| arguments about how can you trust crypto code you didn't
| write, either...]
| 
| If McCabe scoring is your area, do you agree with the
| rule that a McCabe score of <10 is essential -- an argument
| that I am quoting from some NASA spec I read a while ago
| and can dig up again if that turns out to be necessary.

I'd question the description of "essential."  I've seen code (not at
my current employer) that was very successful in the marketplace that
likely scored in the tens of thousands.  The code had been unrolled
for performance reasons, and those responsible knew the cost they were
paying.

Adam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post