[122534] in cryptography@c2.net mail archive
Re: OpenSparc -- the open source chip (except for the crypto parts)
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Mon May 5 19:54:14 2008
Date: Sun, 04 May 2008 20:43:20 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: Marcos el Ruptor <ruptor@cryptolib.com>,
Cryptography <cryptography@metzdowd.com>
In-Reply-To: <87r6chmwst.fsf@snark.cb.piermont.com>
At Sun, 04 May 2008 20:14:42 -0400,
Perry E. Metzger wrote:
>
>
> Marcos el Ruptor <ruptor@cryptolib.com> writes:
> > All this open-source promotion is a huge waste of time. Us crackers
> > know exactly how all the executables we care about (especially all
> > the crypto and security related programs) work.
>
> With respect, no, you don't. If you did, then all the flaws in Windows
> would have been found at once, instead of trickling out over the
> course of decades as people slowly figure out new unintended
> behaviors. Anything sufficiently complicated to be interesting simply
> cannot be fully understood by inspection, end of story.
Without taking a position on the security of open source vs. closed
source (which strikes me as an open question), I agree with Perry
that deciding whether a given piece of software has back doors is
not really possible for a nontrivial piece of software. Note that
this is a very different problem from finding a single vulnerability
or answering specific (small) questions about the code [0].
-Ekr
[0] That said, I don't think that determining whether a nontrivial
piece of software has security vulnerabilities is difficult. The
answer is "yes".