[Cryptography] RSA is dead.
James A. Donald
jamesd at echeque.com
Tue Dec 24 01:51:53 EST 2013
On 2013-12-23 08:55, Jerry Leichter wrote:
> Have a look at some of the entries in the Obfuscated V contest (to
> write innocent-looking code that actually cheated one of the
> candidates). My favorite is
> http://graphics.stanford.edu/~danielrh/vote/mzalewski.c - just one
> of many.
> Come back and tell me how "capable developers" will easily find
> malicious code hidden in simple, clean-looking C code.
The use of the macro #define VOTE_AND_CHECK(v) was obviously odd and out
of place.
If it was not obvious what was hidden, it was immediately obvious that the
writer was trying to hide something by the use of obfuscated code.
So, I do the glaringly obvious thing, and substitute the macro,
de-obfuscating the code, whereupon it is immediately obvious that the inner
t hides the outer t, which is obscure and misleading code, notoriously
apt to lead to errors.
So, I check for errors induced by the inner variable hiding an outer
variable.
And, ding! Since this is a macro, v references the inner t, not the
outer t, so every CHECK_INTERVAL votes, a vote gets counted for Bush,
regardless of who it should be counted for.
This took me about half an hour. Normal time for checking someone
else's code, written to be clear, with the author sitting right beside
me answering my questions, is one hundred lines per hour.
This was a hundred line program. So the time it took me to find the
error was right in line with the time it takes me to find errors in
someone else's code when he has written the code to be as
straightforward as possible, and he is sitting right in front of me
honestly answering my questions about his code.
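To make the mechanism described above concrete, here is a constructed example (added here; it is not mzalewski.c or any contest entry) of a tally macro whose "self-check" block declares an inner t that captures the caller's argument, beside the function form that cannot be captured. The candidate names, the CHECK_INTERVAL value of 4 and the ballot data are assumptions.

```c
#include <stdio.h>

enum { BUSH = 0, GORE = 1, NUM_CANDIDATES = 2 };
#define CHECK_INTERVAL 4
/* Constructed stand-in for the contest macro (not mzalewski.c itself). Every
   CHECK_INTERVAL-th ballot enters a "self-check" block that declares its own t.
   A macro is textual substitution, so the argument 't' is re-read inside that
   block and binds to the inner t (always BUSH). -Wshadow reports this. */
#define VOTE_AND_CHECK(v)                                                  \
    do {                                                                   \
        if ((v) < 0 || (v) >= NUM_CANDIDATES) return -1;                   \
        if (++seen % CHECK_INTERVAL == 0) {                                \
            int t = BUSH;      /* inner t shadows the caller's t */        \
            tally[(v)]++;      /* (v) is 't', so this reads the inner t */ \
        } else                                                             \
            tally[(v)]++;      /* here (v) is still the caller's t */      \
    } while (0)

/* Tally with the macro. Returns 0, or -1 if a ballot is out of range. */
int count_votes_buggy(const int *ballots, size_t n, long tally[NUM_CANDIDATES])
{
    int seen = 0;
    for (int c = 0; c < NUM_CANDIDATES; c++) tally[c] = 0;
    for (size_t i = 0; i < n; i++) {
        int t = ballots[i];    /* outer t: the candidate on this ballot */
        VOTE_AND_CHECK(t);
    }
    return 0;
}

/* Hardened form: a function binds v once, at the call; nothing in its body can capture it. */
int count_votes_fixed(const int *ballots, size_t n, long tally[NUM_CANDIDATES])
{
    for (int c = 0; c < NUM_CANDIDATES; c++) tally[c] = 0;
    for (size_t i = 0; i < n; i++) {
        if (ballots[i] < 0 || ballots[i] >= NUM_CANDIDATES) return -1;
        tally[ballots[i]]++;
    }
    return 0;
}

int main(void)
{
    const int ballots[8] = { GORE, GORE, GORE, GORE, GORE, GORE, GORE, GORE }; /* constructed */
    long tally[NUM_CANDIDATES];
    count_votes_buggy(ballots, 8, tally);
    printf("macro:    Bush %ld, Gore %ld\n", tally[BUSH], tally[GORE]); /* Bush 2, Gore 6 */
    count_votes_fixed(ballots, 8, tally);
    printf("function: Bush %ld, Gore %ld\n", tally[BUSH], tally[GORE]); /* Bush 0, Gore 8 */
}
```

Expanding the macro by hand at the call site, as the post describes, shows `tally[(t)]++` sitting inside the block that declares the inner t; compiling with `-Wshadow` reports the same declaration.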