Re: State Department Developing Cyber Toolkit

From: Hairy One Kenobi (abuse_at_[127.0.0.1)
Date: 11/18/05


Date: Fri, 18 Nov 2005 00:55:38 GMT


"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
news:slrndnpo68.uuf.ibuprofin@compton.phx.az.us...
> In the Usenet newsgroup alt.computer.security, in article
> <9%Pef.4856$D03.4519@newsfe5-gui.ntli.net>, Hairy One Kenobi wrote:
>
> >Someone writing Open Source certainly doesn't make them an instant Guru.
>
> No, but if their code is accepted in a project, it certainly isn't the
> stuff they teach in "Intro to Computer Programming Languages". Last
> time I looked, I didn't see "hello, world" in the source for Apache
> or Sendmail, or the FreeBSD (or Linux) kernels. ;-) With most open
> source projects, the author usually has a choice of a number of chunks
> of code written by others. Even if the author selects a piece of goat
> droppings, someone else is going to come up with a replacement that at
> least isn't quite as horrible. Presented to the author properly, it has
> a chance of being adopted.

Granted.

> >Or necessarily mean that their code is - in any meaningful way -
> >peer-reviewed.
>
> I suspect that Open Source code is peer-reviewed a lot more often than
> closed source simply because it's possible to do so. Eric S. Raymond
> wrote in "The Cathedral & The Bazaar" (O'Reilly, ISBN 1-56592-724-9,
> October 1999, but available on the web)

While I have no knowledge of the cite posted, what I *will* say is that,
when I've personally checked (the FireFox IDN thing is a recent example),
I've seen examples of coding "oopsies" that even a remotely sane individual
would have noted and flagged. If such peer review were a fact.

> 8. GIVEN A LARGE ENOUGH BETA-TESTER AND CO-DEVELOPER BASE, ALMOST
> EVERY PROBLEM WILL BE CHARACTERIZED QUICKLY AND THE FIX OBVIOUS TO
> SOMEONE.
>
> Or, less formally, "Given enough eyeballs, all bugs are shallow."

Absolutely. Although, in Real Life (tm), it's a lot harder to see these bugs
(and that can be even simple ones, let alone the convoluted nonsense that
one gets in a "mature" codebase). I can even volunteer the simplest of the
most obvious - one of our major products still proclaims a copyright date of
2004. Trivial, yes. On every bloody screen, yes. And missed by everyone (I
asked for it to be changed a mere 2 months into this year... we're now days
from 2006). We're not talking of a trivial userbase, either - it might be
low on the list of things to fix (but hasn't been flagged, that I know of),
but - of the multi-millions of users that our product has, who has seen fit
to report the problem?

No one.

Yes, it's highly trivial, but.. what about the [proposed] legions of
programmers that "everyone" puts forward as having checked OS code? I
deleted the FireFox source a while back, but there's an entry in the
now-recommended-disabled code that basically says "must remember to comment
this out". But it isn't. And, TBH, who the hell noticed?

> But I don't think anyone would review an entire source tree. Someone
> might look at a section pertaining to something they know about, or
> when they are trying to figure what it was that caused the massive
> explosion in the printer, or out of plain curiosity, but that's about it.

Used to be that one peer-reviewed in a module fashion (can't say if it
happens now, but that was certainly the vogue when I started coding
professionally in the late eighties).

My experience indicates that it's damned difficult to actually catch a bug -
you can catch a style that indicates a likely proliferation of bugs ("Ravi
Patel", sometime before 1990; I have never before seen more GOTO labels in
FORTRAN than there are working lines of code. And, thank Dog, never since.
Fortunately, "nothing important" - /just/ the C2 system used by several
British county Police forces)

> I'm a networking admin, and while I do Bourne shell stuff, I'm
> not paid enough to program ;-)

More's the shame - once upon a time, cutting code was viewed in a similar
way to architecture (a merging of art and engineering); then the HR weenies
got involved, and it became an engineering discipline without the
engineering structure. Bad move.

Dunno about where you live, but in the UK programming is paid in a similar
way to Dickensian clerks - I happened to luck-out in getting two very
technical jobs that allow me to keep up to date, while avoiding that whole
drift into Management (although, that said, the last couple of days was the
first time that I've built an ActiveX control)

<Shudder>.

There's also a lot more documentation on the Net than there was three years
ago.. but not for Delphi and building - rather than using - ActiveX.

In a frankly rather pathetic moment of pride, I'd like to think that I was
in some way still "up there" for learning a wholly new bit of methodology in
less than a day. Not that, you understand, the control is any good - I'd
/like/ it to take an LDAP call, Base64 decode it and *remember* what it's
done. Instead, I submit the retrieved string, decode it *every damned time*,
and /then/ report. Choice was get the job done and go on holiday to Spain
tomorrow [today!], or finesse the code.

Did I mention that I trained as a practical engineer? :oD

H1K

