On Tue, Nov 14, 2000 at 01:21:03PM -0800, Russ Allbery wrote:
> He's not alone in that opinion; I think that opinion has a lot of merit,
> although I wouldn't go so far as to say that such contests are *bad*. But
> I don't think they actually prove anything.

Exactly Schneier's opinion: contests could be good (like RSA's), but
alone they prove absolutely nothing about the security of a product.
What I do not understand is this: why not treat software as a
research paper? A research paper is usually refereed---and in most
sciences referees are not paid a dime. Referees get their salaries
from elsewhere, but they usually do their refereeing very thoroughly
because it is in the culture to accept this pro bono job as one's very
important responsibility. The expectation is that if I publish a
paper, I'd like to have a tough referee's opinion---if for nothing
else but to check the correctness of the result, and I also must
return the favor.

Mate