Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Good and Bad Crypto



Richard Pieri <richard.pieri at gmail.com> writes:
> Really. The code works exactly as it was designed to work. Therefore
> technically not a bug. What's broken about it is the stupid design
> decision that led to it being written. So I call it a stupid.

That's not quite right. Reading beyond the ends of an array in C is
undefined behaviour so unquestionably a bug. It may be dumb that the
spec says the payload has to be variable or even that there's a
heartbeat requirement at all for the TCP case, but it's always a bug to
take external untrusted data at its word in this way.

>
>
> John Abreau wrote:
>> I take issue with the strawman argument about everyone needing to
>> look at the source. As long as the source is available, it only needs
>> one person to notice a problem and sound the alarm, and then everyone
>> else benefits.
>
> It's not the number of people who see it. One or a million, it doesn't
> matter. What matters is that the right people see it, the people who
> genuinely understand what they're looking at. And even then they might
> not see the problem. If the likes of Messrs. R, S and A can screw up
> then what assurances can lesser mortals offer?
>
> After I just got through saying that FIPS certification is a good
> thing. Well, certification isn't perfect, but it's better than a bunch
> of amateurs who think they know what they're doing but don't.

Perhaps. There may be an economic argument why Open Source, or some
parts of it, isn't getting enough attention from enough of the right
people. I don't know. I only have trouble with the idea that having
source and not having source is equivalent all else being equal (is this
a strawman? I thought that's what was being said in places). I remember
reading on the common lisp newsgroup that many consider the proprietary
lisp compilers better than sbcl or clisp. Erik Naggum had some
interesting ideas on the general topic of failing to reward free
software contributors, e.g.:
https://groups.google.com/forum/#!msg/comp.lang.lisp/ZKJyAbgwcBU/jbGevBxZOeIJ

It's kind of sad to me, reading people complain how the OpenSSL project
was severely underfunded, making these kinds of problems inevitable, to
know that the people doing OpenSSH get like 1/10th of that to support
what they do (and some of them are now taking on OpenSSL, or LibreSSL as
they're calling the fork). But then I always thought it tragic that
music teachers get paid less than stock brokers too.




BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org