BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] Good and Bad Crypto
- Subject: [Discuss] Good and Bad Crypto
- From: smallm at panix.com (Mike Small)
- Date: Thu, 24 Apr 2014 09:21:36 -0400
- In-reply-to: <5358547E.1060508@gmail.com> (Richard Pieri's message of "Wed, 23 Apr 2014 20:02:06 -0400")
- References: <20140423174046.GP3247@dragontoe.org> <53580798.6040309@gmail.com> <li6zjjbyi3c.fsf@panix5.panix.com> <535813B2.5030401@gmail.com> <li6fvl3ye8a.fsf@panix5.panix.com> <53582B40.80200@gmail.com> <li67g6fyc39.fsf@panix5.panix.com> <5358547E.1060508@gmail.com>
Richard Pieri <richard.pieri at gmail.com> writes: > Really. The code works exactly as it was designed to work. Therefore > technically not a bug. What's broken about it is the stupid design > decision that led to it being written. So I call it a stupid. That's not quite right. Reading beyond the ends of an array in C is undefined behaviour so unquestionably a bug. It may be dumb that the spec says the payload has to be variable or even that there's a heartbeat requirement at all for the TCP case, but it's always a bug to take external untrusted data at its word in this way. > > > John Abreau wrote: >> I take issue with the strawman argument about everyone needing to >> look at the source. As long as the source is available, it only needs >> one person to notice a problem and sound the alarm, and then everyone >> else benefits. > > It's not the number of people who see it. One or a million, it doesn't > matter. What matters is that the right people see it, the people who > genuinely understand what they're looking at. And even then they might > not see the problem. If the likes of Messrs. R, S and A can screw up > then what assurances can lesser mortals offer? > > After I just got through saying that FIPS certification is a good > thing. Well, certification isn't perfect, but it's better than a bunch > of amateurs who think they know what they're doing but don't. Perhaps. There may be an economic argument why Open Source, or some parts of it, isn't getting enough attention from enough of the right people. I don't know. I only have trouble with the idea that having source and not having source is equivalent all else being equal (is this a strawman? I thought that's what was being said in places). I remember reading on the common lisp newsgroup that many consider the proprietary lisp compilers better than sbcl or clisp. Erik Naggum had some interesting ideas on the general topic of failing to reward free software contributors, e.g.: https://groups.google.com/forum/#!msg/comp.lang.lisp/ZKJyAbgwcBU/jbGevBxZOeIJ It's kind of sad to me, reading people complain how the OpenSSL project was severely underfunded, making these kinds of problems inevitable, to know that the people doing OpenSSH get like 1/10th of that to support what they do (and some of them are now taking on OpenSSL, or LibreSSL as they're calling the fork). But then I always thought it tragic that music teachers get paid less than stock brokers too.
- Follow-Ups:
- [Discuss] Heartbleed and UDP
- From: tmetro+blu at gmail.com (Tom Metro)
- [Discuss] Good and Bad Crypto
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Heartbleed and UDP
- References:
- [Discuss] Good and Bad Crypto
- From: invalid at pizzashack.org (Derek Martin)
- [Discuss] Good and Bad Crypto
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Good and Bad Crypto
- From: smallm at panix.com (Mike Small)
- [Discuss] Good and Bad Crypto
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Good and Bad Crypto
- From: smallm at panix.com (Mike Small)
- [Discuss] Good and Bad Crypto
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Good and Bad Crypto
- From: smallm at panix.com (Mike Small)
- [Discuss] Good and Bad Crypto
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Good and Bad Crypto
- Prev by Date: [Discuss] Good and Bad Crypto
- Next by Date: [Discuss] Good and Bad Crypto
- Previous by thread: [Discuss] Good and Bad Crypto
- Next by thread: [Discuss] Good and Bad Crypto
- Index(es):