OpenSparc -- the open source chip (except for the crypto parts)

Eric Rescorla ekr at networkresonance.com
Sun May 4 23:43:20 EDT 2008


At Sun, 04 May 2008 20:14:42 -0400,
Perry E. Metzger wrote:
> 
> 
> Marcos el Ruptor <ruptor at cryptolib.com> writes:
> > All this open-source promotion is a huge waste of time. Us crackers
> > know exactly how all the executables we care about (especially all
> > the crypto and security related programs) work.
> 
> With respect, no, you don't. If you did, then all the flaws in Windows
> would have been found at once, instead of trickling out over the
> course of decades as people slowly figure out new unintended
> behaviors. Anything sufficiently complicated to be interesting simply
> cannot be fully understood by inspection, end of story.

Without taking a position on the security of open source vs. closed
source (which strikes me as an open question), I agree with Perry
that deciding whether a given piece of software has back doors is
not really possible for a nontrivial piece of software. Note that
this is a very different problem from finding a single vulnerability
or answering specific (small) questions about the code [0].

-Ekr

[0] That said, I don't think that determining whether a nontrivial
piece of software has security vulnerabilities is difficult. The
answer is "yes".

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


