Mike Small wrote:
heartbeat requirement at all for the TCP case, but it's always a bug to
take external untrusted data at its word in this way.

I maintain that this isn't a bug; it's willful stupidity.


Perhaps. There may be an economic argument why Open Source, or some
parts of it, isn't getting enough attention from enough of the right
people. I don't know. I only have trouble with the idea that having

Most of the right people when it comes to crypto are identified by security agencies very quickly, and then either recruited or constrained before they pose any threat -- which is to say, before they can contribute substantially to either open source or proprietary ventures. Of those who remain, the ones who aren't good enough for the NSA and similar agencies, most either end up working for big companies like Microsoft and Google, because these are the only ones that can afford their salaries, or start their own security-related companies.

source and not having source is equivalent all else being equal (is this
a strawman? I thought that's what was being said in places). I remember

I didn't say equivalent. I said equal trustworthiness. If two cryptographic modules perform identically under the same rigorous test conditions then they are equally trustworthy under those and similar conditions. The nature of the code license is irrelevant to the functional results.

--
Rich P.
_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
