Is finding security holes a good idea?
Eric Rescorla
ekr at rtfm.com
Wed Jun 16 11:40:35 EDT 2004
Damien Miller <djm at mindrot.org> writes:
> Eric Rescorla wrote:
>> I don't think that's clear at all. It could be purely stochastic.
>> I.e. you look at a section of code, you find the bug with some
>> probability. However, there's a lot of code and the auditing
>> coverage isn't very deep so bugs persist for a long time.
>
> I suspect that auditing coverage is usually going to be very similar to
> the search patterns used by blackhats - we are all human and are likely
> to be drawn to similar bugs. Auditing may therefore yield a superlinear
> return on effort. Is that enough to make it a "good idea"?
I agree that this is a possibility. We'd need further research
to know if it's in fact correct.
-Ekr
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com