Re: Public disclosure of discovered vulnerabilities

From: Ketil Malde (ketil+news_at_ii.uib.no)
Date: 06/09/05


Date: Thu, 09 Jun 2005 12:30:43 +0200


"Douglas A. Gwyn" <DAGwyn@null.net> writes:

>>>> ... A "safe PL" contributes to programmer productivity,
>>>> allowing more programs to be written in a given time for a given
>>>> cost. That is "a good thing".

>>> No, it isn't: that increases the amount of incorrect
>>> code that is cranked out, which spreads the disease
>>> faster and farther.

>> Do you have any evidence that this is the case?

> It was previously noted that such a PL doesn't
> change an incorrect algorithm into a correct one.

I see. So your point is that most bugs and security issues are due to
incorrect choice of algorithm, and being well-versed in the technical
intricacies of languages like C is a necessary and/or sufficient
qualification for selecting good algorithms?

Of course the language doesn't fix a broken algorithm. However, it
influences how easy it is to implement the algorithm correctly. It
influences how easy it is to write modular code -- which again
influences how easy it is to replace a poor algorithm with a better
one.

Software development is a tradeoff between cost, bugs and
functionality, and problem domain, tools and processes impact the
balance. To point to secure programs in C or assembly proves nothing,
unless you also take into account the effort of producing (and
securing) those programs.

-k

-- 
If I haven't seen further, it is by standing in the footprints of giants
