Jerrold Leichter <[EMAIL PROTECTED]> writes:
> | Thor Lancelot Simon <[EMAIL PROTECTED]> writes:
> |
> | > On Mon, Jun 14, 2004 at 08:07:11AM -0700, Eric Rescorla wrote:
> | >> Roughly speaking:
> | >> If I as a White Hat find a bug and then don't tell anyone, there's no
> | >> reason to believe it will result in any intrusions. The bug has to
> | >
> | > I don't believe that the premise above is valid. To believe it, I think
> | > I'd have to hold that there were no correlation between bugs I found and
> | > bugs that others were likely to find; and a lot of experience tells me
> | > very much the opposite.
> |
> | The extent to which bugs are independently rediscovered is certainly
> | an open question which hasn't received enough study. However, the
> | fact that relatively obvious and serious bugs seem to persist for
> | long periods of time (years) in code bases without being found
> | in the open literature, suggests that there's a fair amount of
> | independence.
> I don't find that argument at all convincing. After all, these bugs *are*
> being found!
Well, SOME bugs are being found. I don't know what you mean by "these"
bugs. We don't have any real good information about the bugs that haven't
been found. What makes you think that there aren't 5x as many bugs still
in the code that are basically like the ones you've found?

> It's clear that having access to the sources is not, in and of itself,
> sufficient to make these bugs visible (else the developers of closed-source
> software would find them long before independent white- or black-hats).

I don't think that's clear at all. It could be purely stochastic. I.e. you
look at a section of code, you find the bug with some probability. However,
there's a lot of code and the auditing coverage isn't very deep so bugs
persist for a long time.

-Ekr

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
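A small model of the "purely stochastic" discovery process Ekr describes, added here as an illustration and not part of the original thread; the coverage and hit-probability values are constructed, and the functions assume independent auditors with no correlation between their searches.

```python
# Added illustration of the "purely stochastic" discovery model in the message
# above; not part of the original thread. All parameter values are constructed.
import random


def per_period_discovery_prob(coverage: float, hit_prob: float) -> float:
    """Chance one auditor finds a given bug in one period: they must audit the
    section the bug lives in (coverage) and then actually spot it (hit_prob)."""
    return coverage * hit_prob


def expected_persistence(coverage: float, hit_prob: float) -> float:
    """Mean periods a bug survives one auditor: geometric waiting time 1/q."""
    return 1.0 / per_period_discovery_prob(coverage, hit_prob)


def rediscovery_prob(coverage: float, hit_prob: float,
                     auditors: int, periods: int) -> float:
    """Probability that at least one of `auditors` independent auditors finds
    the bug within `periods`, with no correlation between their searches."""
    q = per_period_discovery_prob(coverage, hit_prob)
    return 1.0 - (1.0 - q) ** (auditors * periods)


def hidden_to_found_ratio(coverage: float, hit_prob: float,
                          auditors: int, periods: int) -> float:
    """Expected still-unfound bugs per bug found after `periods`, if all bugs
    are equally hard to find (the '5x as many bugs' question above)."""
    found = rediscovery_prob(coverage, hit_prob, auditors, periods)
    return (1.0 - found) / found


def simulate_persistence(coverage: float, hit_prob: float,
                         trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of expected_persistence: each period the single
    auditor finds the bug with probability q, otherwise it survives."""
    rng = random.Random(seed)
    q = per_period_discovery_prob(coverage, hit_prob)
    total_periods = 0
    for _ in range(trials):
        periods = 1
        while rng.random() >= q:   # bug survives this period
            periods += 1
        total_periods += periods
    return total_periods / trials


if __name__ == "__main__":
    # Constructed scenario: 10% of the code base audited per month, a bug in
    # audited code spotted with probability 0.2, so q = 0.02 per month.
    print("mean months to discovery:", expected_persistence(0.1, 0.2),
          "(simulated:", round(simulate_persistence(0.1, 0.2), 1), ")")
    print("P(found within a year) 1 vs 5 auditors:",
          round(rediscovery_prob(0.1, 0.2, 1, 12), 3),
          round(rediscovery_prob(0.1, 0.2, 5, 12), 3))
    print("unfound per found after a year, 1 auditor:",
          round(hidden_to_found_ratio(0.1, 0.2, 1, 12), 2))
```

With these constructed numbers a bug survives about four years on average against one auditor even though every search is independent, which is the persistence-without-correlation point Ekr is making.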
