[Cryptography] This is why we have Stuxnet

Jerry Leichter leichter at lrw.com
Tue Mar 22 06:26:20 EDT 2016


> Another thing with this particular SDK is that the whole thing seems to have
> been assembled by people who are primarily hardware engineers (again, very
> common in embedded, nice hardware, hacked-together software), so the hardware
> is outstanding, really really well thought-out and designed [0], while the
> software is held together with duct tape.
Many years back (1980's), I was on the faculty at the Rutgers CS department.  When CS departments were first created, there was a big battle at many universities:  Was CS going to be part of the school of arts and sciences; or was it going to be part of the engineering school?  At Rutgers, the answer was "yes":  There was both a CS department and a CE (Computer Engineering) department.  At the time (and, I gather, until very recently), the CE department was smaller and didn't have the faculty needed to teach a few of its core courses; so CE majors were required to take at least two core courses (Programming Languages/Compilers; Operating Systems) in the CS department.

I taught both those courses, so saw all the CE students.  In general, I found the CE guys (as best I can recall, no women - there were a few in the CS department) were bright and hard working.  (In fact, they were on average better than the CS students.)  But ... most of them had learned programming in the same course:  A DSP course they took a semester or so before my course.  And the habits they learned ... ugh.  OK, given the era, making DSP's work in software even for audio (video was just impossible) required serious optimization and low-level hacking.  You could do it in C, but you had to treat C as a glorified assembler.  Abstraction, even to the limited degree that C supports it, was just not an option.

I ended up making it a goal of my courses that beyond the actual subject material, I'd make sure the CE (and CS!) students actually learned something about writing good code - something college courses rarely want to bother with anyway.

Based on the interviews I do - and the code I see written - I'm not sure the programming education of *CS* students today is really much better.  But I'm sure the hardware guys still see programming as the trivial final bit of the job, to be thrown together as quickly as possible, except when it has to be as efficient as possible in some of the inner loops.

BTW, I've seen good *security* guys whose code is ... not good.  Hey, I got the protocol all formally verified, the rest is just a bit of quick hacking.

As an industry, we have a *long* way to go.
                                                        -- Jerry


