On 23 Dec 98 at 13:23, Michael Sierchio wrote:
> You also seem to be misguided about "hackers." For the most part,
> for every clever person who finds a weakness and develops exploit
> code, there are tens of others -- pimply teenagers with delusions
> of grandeur -- who download the code and exercise it.

In my less-than-exhaustive perusal of "hacker literature", what
strikes me is that these "clever persons" almost never work from a
documented understanding of the design, but instead tend to reason --
not always correctly -- back from a set of behaviours, observed in
the field, to a testable theory about the implementation. Sometimes
this finds errors in the design -- which design reviews may miss
because reviewers are already "too close" to the design. More often,
it finds errors in the implementation, which ALSO tend to escape
detection in design review....

I guess this puts me somewhere in the middle. Real-world testing
and track record are not a waste of time, BUT ALSO open design review
is more likely to increase than decrease the actual security of a
system. Avoiding either, on whatever grounds, leaves one with little
basis for *any* assumption about the actual security of the result --
all you know is that you don't know.

David G
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]