> So introductory-level programming course mistakes are right out. In my experience it's quite often a really simple mistake that gets you, even when you're an experienced programmer. I'm quite afraid of simple off-by-one bug, places which I didn't fix in copy&paste, basic logic mistakes etc. IMO Nadim's main mistake wasn't the actual bug, mistakes like that can happen to anybody, but it was designing a really weird API that invites mistakes. Nobody sane return decimal digits from a cryptographic PRNG.
For example a really basic cryptography mistake is reusing a nonce in AES-CTR. Still it happens to people experienced in both coding and cryptography. For example Tarsnap had since vulnerability for several versions, despite a competent developer. http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-security-bug.html In my own programs I'm really careful about nonces and randomness, but still I wouldn't be surprised if a trivial bug slipped through in that area. Writing tests which detect such mistakes is really hard.
-- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
