On Mon, Jul 8, 2013 at 4:34 AM, Tom Ritter <t...@ritter.vg> wrote:
> As one of the people on this list who does paid security audits, I
> both want to, and feel obligated to, weigh in on the topic.

Thanks for your insight into the code review process. Besides perhaps insinuating that Veracode didn't do their job properly, I don't see how it is in any way relevant to the Cryptocat incident discussed ITT.

> So, not avoid the hard problem, let's take this particular bug. What
> I would say is MOAR ABSTRACTION.
> […]
> Each of these classes is pretty modular, and is unit tested up the
> wazoo.

That's all very interesting. Meanwhile, in the real world: https://github.com/cryptocat/cryptocat/tree/master/test

> If you think this bug could never happen to you or your favorite pet
> project; if you think there's nothing you can learn from this incident
> - you haven't thought hard enough about ways it could have been
> prevented, and thus how you can prevent bugs in your own codebase.

I think you forgot that you are not in a presentation to PHBs. There is absolutely nothing I can learn from this incident. I know basic programming principles, and my job is not in providing consulting to software companies in a mess. I understand the unwillingness to accept criticism and the white-knighting, but look at it this way. If I told you that I found another vulnerability in Cryptocat, and am in the process of selling it to an intelligence agency, would you still proceed to lecture me on my thinking processes, and on best software practices?

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech