Re: Wrote a little encryption program. How can you tell how good it is?
From: Simon Johnson (Ckwop@hotmail.com)
Date: 03/05/03
- In reply to: Joe Peschel: "Re: Wrote a little encryption program. How can you tell how good it is?"
From: Ckwop@hotmail.com (Simon Johnson) Date: 4 Mar 2003 17:46:33 -0800
> So what? Code, like prose or poetry, can, no matter its length, sparkle, or
> feed upon its own dullness. As length is no sign of a poem's merit, size is
> no sign of a program's security.

It's a nice point. The problem is that an interpreter for the written
language is often more forgiving than a computer. In my lifetime I've
spotted a fair few typos in published works. Typos don't matter in
written language too much - when slip-ups occur in computer code they
can cost many millions of dollars.

This said, I feel that I must retract what I said as an
over-simplification. The security of a program is a function of a huge
number of variables. While in the initial stages of development, one
would expect the number of security errors to be proportional to
program size - this probably wouldn't hold after security analysis of
the code was complete.

> > Humans often make mistakes, every extra line is another chance to
> > incorrectly cap a buffer etc..
>
> Or botch a punctuation mark.

That is actually a really nice point. English is complicated, much
like a computer programming language. Even after 19 years of attempting
to master the language I still don't know all the rules - or I abuse
the rules I do know because I forget how to apply them - or I'm just
lazy.

This is a part of the human condition and it applies to computer code
just as much as English. In a program consisting of millions of lines
of code you *ARE* going to get a mistake unless you've spent *lots* of
time checking it.

You can believe some program is secure because you trust the people
who write the code to do it properly. Or, you can accept that no
matter who you employ you are going to get mistakes and you put the
checks in to try and catch as many of these errors as possible.

I know which belief I'd rather have,

Yours,
Simon.