BLU Discuss list archive
[Discuss] AeroFS
- Subject: [Discuss] AeroFS
- From: richard.pieri at gmail.com (Richard Pieri)
- Date: Sun, 20 Apr 2014 17:06:25 -0400
- In-reply-to: <li6ppkbssn9.fsf@panix5.panix.com>
- References: <CAL8cYW1fEhj-reUNptW4+vfU5nywX-OB0=PCKUOQE_Vt1qCD=A@mail.gmail.com> <5352BED2.7020908@gmail.com> <5352E966.5020102@gmail.com> <5f076efda37e4520883033872ccf6dc9@CO2PR04MB684.namprd04.prod.outlook.com> <li6oazw6naq.fsf@panix5.panix.com> <5353E7E4.9090607@gmail.com> <li6a9bgt0gh.fsf@panix5.panix.com> <535406FC.5000002@gmail.com> <li6ppkbssn9.fsf@panix5.panix.com>
Mike Small wrote:
> vs. proprietary software in general. I question your response that
> seemed to be saying black box testing is everything since whitebox
> testing, code scanning and auditing are also obviously useful, but
> mostly because I don't see how it protects you from purposeful

Auditing won't find problems like Heartbleed if the auditors don't understand what they're looking at. Automated code scanning won't trip over correctly written stupidity. White box testing like this will only tell you that the syntax is correct, that the code generates deterministic results for known input. White box testing gets you results like that scene in "Jurassic Park" where the programmer removes the count limiter from the dinosaur population counter and the numbers skyrocket.

> evasion. It's very easy to write code whose output looks fine 999 out of
> 1000 runs. If an insider leaks this fact to the press, what do you get
> from a company except a denial? If you don't have the source in question,
> how do you get past he said, she said?

By demonstrating that failure with a proof of concept. You don't need source code for that, just a working exploit to show to the vendor's security team and then the world at large if the security team fails to address the issue in a timely manner.

> With cloud maybe there's a further question: how do you validate that
> the server's running the code they say they are? But I was thinking more
> in general. (I don't use cloud services much myself.)

By identifying deterministic results.

-- 
Rich P.
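The exchange above turns on two claims: that a routine can be written to misbehave on a tiny fraction of runs, and that a black-box tester can still pin that down by demanding deterministic results and packaging the deviation as a replayable proof of concept. The following is an added example illustrating that workflow; it is not code from the original thread, from AeroFS, or from either poster. `SuspectBlackBox` is a constructed stand-in for a closed vendor routine, and its 1-in-1000 defect, the embedded key and the sample inputs are assumptions made for the demonstration.

```python
"""Black-box consistency check for a closed-source routine.

Added example, not code from the original thread or from AeroFS. It shows how
a tester with no source access can (1) detect a routine that misbehaves on a
tiny fraction of runs by demanding deterministic output for fixed inputs, and
(2) turn the finding into a replayable proof of concept. SuspectBlackBox is a
constructed stand-in for a vendor binary; the 1-in-1000 defect and the key are
assumptions for the demo.
"""
from collections import Counter
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"  # assumption: key baked into the stand-in
CONSTRUCTED_INPUTS = [b"alpha", b"bravo", b"charlie", b"delta"]  # constructed


class SuspectBlackBox:
    """Stand-in for a proprietary MAC routine we cannot read.

    It returns the correct HMAC except on every 1000th call, where it silently
    MACs the message minus its last byte (constructed defect, keyed on the
    call count so that a replay of the same call sequence reproduces it).
    """

    def __init__(self):
        self.calls = 0

    def mac(self, msg: bytes) -> bytes:
        self.calls += 1
        if self.calls % 1000 == 0:
            msg = msg[:-1]
        return hmac.new(DEMO_KEY, msg, hashlib.sha256).digest()


def find_inconsistencies(box_fn, inputs, runs):
    """Call box_fn on each input `runs` times and report every call whose
    output disagrees with the majority output for that input.

    No reference implementation is needed: a MAC must be a pure function of
    (key, message), so any disagreement between runs is itself the defect.
    Returns a list of dicts: run index, input, consensus hex, deviating hex.
    """
    observed = {msg: [] for msg in inputs}
    for _ in range(runs):
        for msg in inputs:  # fixed call order so findings are replayable
            observed[msg].append(box_fn(msg))

    findings = []
    for msg, outs in observed.items():
        consensus, _count = Counter(outs).most_common(1)[0]
        for run, out in enumerate(outs):
            if out != consensus:
                findings.append({
                    "run": run,
                    "input": msg,
                    "consensus": consensus.hex(),
                    "got": out.hex(),
                })
    return findings


def replay_poc(make_box, inputs, finding):
    """Proof of concept: drive a fresh box through the identical call sequence
    and check that the deviation recurs at the recorded position. True means
    the finding is reproducible evidence rather than a one-off glitch."""
    box_fn = make_box()
    for run in range(finding["run"] + 1):
        for msg in inputs:
            out = box_fn(msg)
            if run == finding["run"] and msg == finding["input"]:
                return out.hex() == finding["got"]
    return False


def demo(runs=300):
    """Run detection, then replay each finding; returns (findings, reproduced)."""
    findings = find_inconsistencies(SuspectBlackBox().mac, CONSTRUCTED_INPUTS, runs)
    reproduced = [replay_poc(lambda: SuspectBlackBox().mac, CONSTRUCTED_INPUTS, f)
                  for f in findings]
    return findings, reproduced


if __name__ == "__main__":
    found, ok = demo()
    for f, r in zip(found, ok):
        print(f"run {f['run']} input {f['input']!r}: got {f['got'][:16]}... "
              f"expected {f['consensus'][:16]}... reproducible={r}")
```

Self-consistency is the cheapest black-box oracle, but it only catches deviations that vary between identical calls; an implementation that is consistently wrong for a specific input, or that keys its misbehaviour on the wall clock, needs an independent oracle such as published test vectors or a second implementation. The replay step is what makes the finding usable as the "working exploit" described in the message: the exact inputs, call order and position are recorded, so the vendor cannot dismiss it as noise.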