Mate Wierdl <[EMAIL PROTECTED]> writes:
> I am reading this book by B. Schneier, in particular, the section
> `Cracking and hacking contests'. He thinks that contests (like offering
> $1000 for finding a security hole in a product) are bad for four main
> reasons, the first reason being that the contests are usually unfair
> since the author of the software decides what he/she considers a "hole".
He's not alone in that opinion; I think that opinion has a lot of merit,
although I wouldn't go so far as to say that such contests are *bad*. But
I don't think they actually prove anything.
> He also thinks that even having software out and used for a few years
> without incident does not imply that it is secure. He says the best
> way to evaluate the security of a product is to have it audited by
> security experts.
It's worth bearing in mind, when evaluating this opinion, that Bruce
Schneier is a security expert that people hire to perform such security
audits. He has a point, but it's also unsurprising that he's in favor of
the work that he personally does.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>