On Tue, Jun 15, 2004 at 09:37:42PM -0700, Eric Rescorla wrote:
> "Arnold G. Reinhold" <[EMAIL PROTECTED]> writes:
> > My other concern with the thesis that finding security holes is a bad
> > idea is that it treats the Black Hats as a monolithic group. I would
> > divide them into three categories: ego hackers, petty criminals, and
> > high-threat attackers (terrorists, organized criminals and evil
> > governments). The high-threat attackers are likely accumulating
> > vulnerabilities for later use. With the spread of programming
> > knowledge to places where labor is cheap, one can imagine very
> > dangerous systematic efforts to find security holes. In this context
> > the mere ego hackers might be thought of as beta testers for IT
> > security. We'd better keep fixing the bugs.
>
> This only follows if there's a high degree of overlap between the
> bugs that the black hats find and the bugs that white hats would
> find in their auditing efforts. That's precisely what is at
> issue.
Indeed it is -- and unless I misunderstand, you're claiming that there is _not_ such a degree of overlap.

I think most people would tend to agree that humans working in the same field generally work in similar ways; some, of course, are innovative and exceptional, but in general most run-of-the-mill system programmers have a lot of the same tools in their mental toolboxes and use them in much the same way; and some of the time, even the innovative and exceptional ones work in the same way as us drudges.

This, to me, makes your claim extremely counterintuitive and questionable; it contradicts not only my intuition but my experience. I can't even begin to count the number of bugs I've found by inspection of code (with some other purpose in mind), forgotten to tell coworkers about or to fix "right" such that the fixes could be committed, and then seen others discover when they happened to cast their eyes over the same code fragment days, weeks, or months later. And I have deliberately audited large sections of code, prepared fixes, paused a couple of days or weeks to test my results, and seen others deliberately or accidentally find and fix (or, worse, exploit) the same bugs I'd laboriously churned up.

If you won't grant that humans experienced in a given field tend to think in similar ways, fine. We'll just have to agree to disagree; but I think you'll have a hard time making your case to anyone who _does_ believe that, which I think is most people. If you do grant it, I think it behooves you to explain why you don't believe that's the case as regards finding bugs; or to withdraw your original claim, which is contingent upon it.

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]