[15631] in cryptography@c2.net mail archive
Re: Is finding security holes a good idea?
daemon@ATHENA.MIT.EDU (David Honig)
Wed Jun 16 15:33:57 2004
X-Original-To: cryptography@metzdowd.com
Date: Wed, 16 Jun 2004 11:55:50 -0700
To: EKR <ekr@rtfm.com>, Damien Miller <djm@mindrot.org>
From: David Honig <dahonig@cox.net>
Cc: Jerrold Leichter <jerrold.leichter@smarts.com>, tls@rek.tjls.com,
cryptography@metzdowd.com
In-Reply-To: <kjoenjbjf0.fsf@romeo.rtfm.com>
At 08:40 AM 6/16/04 -0700, Eric Rescorla wrote:
>> the search patterns used by blackhats - we are all human and are likely
>> to be drawn to similar bugs.
Prof Nancy Levenson once did a study where separate teams coded
solutions to the same problem. The different teams' code often erred
in the same places (e.g. corner cases). This was taken as
an argument against N-version programming IIRC. It supports
the argument that H. saps are susceptible to common cognitive
flaws. While this was a code *generation and test* experiment,
it does bear on the "evaluate for bugs" question too.
As far as whether finding holes is a good idea, remember that
the Pros do not report what they find.
No means or methods, remember?
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com