[Discuss] Good and Bad Crypto

Mike Small smallm at panix.com
Thu Apr 24 09:21:36 EDT 2014 

Richard Pieri <richard.pieri at gmail.com> writes:
> Really. The code works exactly as it was designed to work. Therefore
> technically not a bug. What's broken about it is the stupid design
> decision that led to it being written. So I call it a stupid.

That's not quite right. Reading beyond the ends of an array in C is
undefined behaviour so unquestionably a bug. It may be dumb that the
spec says the payload has to be variable or even that there's a
heartbeat requirement at all for the TCP case, but it's always a bug to
take external untrusted data at its word in this way.

>
>
> John Abreau wrote:
>> I take issue with the strawman argument about everyone needing to
>> look at the source. As long as the source is available, it only needs
>> one person to notice a problem and sound the alarm, and then everyone
>> else benefits.
>
> It's not the number of people who see it. One or a million, it doesn't
> matter. What matters is that the right people see it, the people who
> genuinely understand what they're looking at. And even then they might
> not see the problem. If the likes of Messrs. R, S and A can screw up
> then what assurances can lesser mortals offer?
>
> After I just got through saying that FIPS certification is a good
> thing. Well, certification isn't perfect, but it's better than a bunch
> of amateurs who think they know what they're doing but don't.

Perhaps. There may be an economic argument why Open Source, or some
parts of it, isn't getting enough attention from enough of the right
people. I don't know. I only have trouble with the idea that having
source and not having source is equivalent all else being equal (is this
a strawman? I thought that's what was being said in places). I remember
reading on the common lisp newsgroup that many consider the proprietary
lisp compilers better than sbcl or clisp. Erik Naggum had some
interesting ideas on the general topic of failing to reward free
software contributors, e.g.:
https://groups.google.com/forum/#!msg/comp.lang.lisp/ZKJyAbgwcBU/jbGevBxZOeIJ

It's kind of sad to me, reading people complain how the OpenSSL project
was severely underfunded, making these kinds of problems inevitable, to
know that the people doing OpenSSH get like 1/10th of that to support
what they do (and some of them are now taking on OpenSSL, or LibreSSL as
they're calling the fork). But then I always thought it tragic that
music teachers get paid less than stock brokers too.

More information about the Discuss mailing list