On Tue, Nov 14, 2000 at 11:25:27PM +0100, Felix von Leitner wrote:
> Thus spake Mate Wierdl ([EMAIL PROTECTED]):
> > make sure his software is secure. Perhaps his closed to the public
> > cryptography course notes would give a hint.
>
> Mate, what kind of problem do you have?
> What does qmail have to do with cryptography?
I thought it was possible that Dan would give some hints on his view
on secure programming in these notes.
> Software security auditing does not work that way.
>
> Software is secure iff the architecture and trust model is sound, which
> you can verify yourself in a few hours.
You make software security look easy, and Schneier's book tells me
otherwise.
My two points:
1) It seems that systematic (scientific?) testing of qmail
or djbdns has not happened---except by Dan.
2) The only way we could get a hint on the guiding ideas of Dan on
secure computing is to read the source code he writes. But this is
reverse engineering, and is similar to trying to undertand Gauss's
ideas by reading his proofs---good luck.
Or does everybody on this list who read qmail's sources is writing
100% secure software now?
Does everybody have a clear idea what Dan considers a security
problem? For example, he clearly does not care about preventing some
DoS attacks. Is it clear for everybody which ones are considered
unimportant by Dan? DoS attacks against djbdns or qmail will not give
you $1000 but there are two attacks listed at
http://cr.yp.to/maildisasters/sendmail.html.
Mate
