Flaws in OpenSSL FIPS Object Module
Ralf-Philipp Weinmann
weinmann at cdc.informatik.tu-darmstadt.de
Wed Dec 5 06:43:21 EST 2007
On Dec 3, 2007, at 16:51 , Paul Hoffman wrote:
> At 9:58 AM -0500 12/3/07, Perry E. Metzger wrote:
>> I don't know if people have been following this, but it is
>> interesting from the point of view of studying how the FIPS process
>> does (or does not) interact with the underlying goal of producing
>> assured systems.
>
> Another interesting part is that open-source systems are much more
> susceptible to being attacked by competitors (that is, having their
> validation suspended) than are closed-source systems.
Hi Paul,
This may have been true in the past. Enter tools like BinDiff [1] and
BinNavi [2] and a skilled reverse engineer is able to shoot down
your closed-source implementation almost as quickly as one for which
she has source (assuming she has binaries, of course).
Cheers,
Ralf
[1] Zynamics BinNavi
http://www.zynamics.com/index.php?page=binnavi
[2] Zynamics BinDiff
http://www.zynamics.com/index.php?page=bindiff