[Cryptography] Hard Truths about the Hard Business of finding Hard Random Numbers
Ralf Senderek
crypto at senderek.ie
Fri Jan 31 01:16:16 EST 2014
On Fri, 31 Jan 2014, John Denker wrote:
> The same applies to software: Open-source software "could" be
> reviewed by anyone, which is a lovely theory, but in practice
> a lot of the stuff we rely on has never been subjected to
> anything remotely resembling a rigorous code review. A thousand
> cursory checks are nowhere near as useful as one thorough,
> professional review.
>
> Face it, the community has not learned to take security seriously.
> There is a treeeeemendous seriousness gap, because the attackers
> do take their job seriously. If we spent anywhere near as much
> securing Android as They-Who-Shall-Not-Be-Named have spent
> subverting it, the world would be a far different place.
In order to reach that place, we have to hammer out a clear strategy
for progress. It certainly does not suffice if we simply donate our
time to check certain parts of the "security environment" when we
cannot turn this effort into a trust-building result for all of us.
Also, thinking in different directions is fine, but competing with
a bunch of different solutions for the same problems won't get us
anywhere.
If anyone is willing to share his or her proposal for a joint
security review strategy, I'd be all ears.
--ralf