[15629] in cryptography@c2.net mail archive
Re: Is finding security holes a good idea?
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Wed Jun 16 13:06:03 2004
X-Original-To: cryptography@metzdowd.com
To: Damien Miller <djm@mindrot.org>
Cc: Jerrold Leichter <jerrold.leichter@smarts.com>, tls@rek.tjls.com,
cryptography@metzdowd.com
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 16 Jun 2004 08:40:35 -0700
In-Reply-To: <40D05109.2030401@mindrot.org> (Damien Miller's message of "Wed, 16 Jun 2004 23:54:17 +1000")
Damien Miller <djm@mindrot.org> writes:
> Eric Rescorla wrote:
>> I don't think that's clear at all. It could be purely stochastic.
>> I.e. you look at a section of code, you find the bug with some
>> probability. However, there's a lot of code and the auditing
>> coverage isn't very deep so bugs persist for a long time.
>
> I suspect that auditing coverage is usually going to be very similar to
> the search patterns used by blackhats - we are all human and are likely
> to be drawn to similar bugs. Auditing may therefore yield a superlinear
> return on effort. Is that enough to make it a "good idea"?
I agree that this is a possibility. We'd need further research
to know if it's in fact correct.
-Ekr