[Cryptography] RSA is dead.

Jerry Leichter leichter at lrw.com
Wed Dec 25 13:22:16 EST 2013 

On Dec 24, 2013, at 8:58 PM, James A. Donald wrote:
>> 90 mins + copious slurps of xmas cheer + rusty(C),,,, and I found it.
>> effing macros, this bird is worth two in the ...
> 
> I assume one hour per hundred lines of code review, so ninety minutes is within my range of normal variation, as is half an hour.
Interesting.  That's roughly in the range a professional proof reader would estimate for properly reviewing a page of technical text.

For any real software, it's also fantastically expensive, even if you work at minimum wage - and I'm sure you're not even close.  :-)  Way out of the range that open source projects could fund.

I agree with your later posting that someone who wants to use open source code in a security-essential application may be willing to fund someone with your background to do a thorough audit.  But that's a tiny fraction of the world of open source.  If you find problems - which you almost certainly will - presumably your client will fix them.  If they have the proper motivations, they'll even contribute the fixes back.  But what are the odds that anyone other than your client will ever run code with exactly your fixes?  The next version of that software will have your changes (maybe; or maybe someone on the project will change the changes for whatever reason) and a whole bunch of others besides.

I think OSS is great.  I use it all the time.  But to contrast two similar products, Linux with some recent graphics environment and MacOS with its graphics environment ... I don't see a hell of a lot of difference in terms of code quality and security.  (I see a lot of difference in MacOS's favor on consistency and usability, but that's a entirely different story.)  Neither MacOS nor Linux plus graphics is ever going to get a full code audit.  Maybe the Linux kernel will; maybe the OSS parts of the MacOS kernel will.  But I'm not putting any great faith in these, because first it's highly unlikely I'll ever run exactly the audited versions of those kernels, and second there's still going to be tons of unaudited software in any real system.

Summary:  Careful code auditing by those skilled in the practice can probably catch almost all attempts to insert back doors in software.  But the costs are so high that unless something changes to drastically lower them, only a tiny fraction of code will ever be properly audited.  This is true whether you consider OSS or closed-source code.  (In fact, one could argue that closed-source code is *more* likely to have been audited because someone who has tight control over the source is more likely to see a justification for auditing it, and making sure it *stays* audited.  I doubt that anyone has gathered the numbers needed to (dis)confirm this hypothesis.)  Maybe contributions of time by skilled auditors will help OSS - but there aren't that many skilled auditors, or hours in the day that they can possibly volunteer, to make much of a dent in the OSS code that's used widely at any moment in time.
                                                        -- Jerry

More information about the cryptography mailing list