Re: Passwords can sit on disk for years

2004-06-14 Thread jdean
Ben Laurie wrote: In OpenSSL we overwrite with random gunk for this reason. What? No compiler is smart enough to say, "The program sets these variables but they are never referenced again. I'll save time and not set them." -

Re: Is finding security holes a good idea?

2004-06-14 Thread Ben Laurie
Eric Rescorla wrote: Cryptography readers who are also interested in systems security may be interested in reading my paper from the Workshop on Economics and Information Security '04: Is finding security holes a good idea? Eric Rescorla RTFM, Inc. A large amount of effort is

Re: Is finding security holes a good idea?

2004-06-14 Thread Eric Rescorla
Ben Laurie [EMAIL PROTECTED] writes: Eric Rescorla wrote: Cryptography readers who are also interested in systems security may be interested in reading my paper from the Workshop on Economics and Information Security '04: Is finding security holes a good idea? Eric Rescorla

Re: Passwords can sit on disk for years

2004-06-14 Thread Jack Lloyd
On Mon, Jun 14, 2004 at 11:31:23AM +, [EMAIL PROTECTED] wrote: Ben Laurie wrote: In OpenSSL we overwrite with random gunk for this reason. What? No compiler is smart enough to say, "The program sets these variables but they are never referenced again. I'll save time and not set them."

Re: Passwords can sit on disk for years

2004-06-14 Thread Ernst Lippe
On Monday 14 June 2004 13:31, [EMAIL PROTECTED] wrote: Ben Laurie wrote: In OpenSSL we overwrite with random gunk for this reason. What? No compiler is smart enough to say, "The program sets these variables but they are never referenced again. I'll save time and not set them." Most modern

Re: Passwords can sit on disk for years

2004-06-14 Thread Rich Salz
What? No compiler is smart enough to say, "The program sets these variables but they are never referenced again. I'll save time and not set them." Given the semantics of C pointers, and multiple compilation units, the answer to your question is probably not in non-research use. /r$ --

Re: Is finding security holes a good idea?

2004-06-14 Thread Eric Rescorla
Ariel Waissbein [EMAIL PROTECTED] writes: Roughly speaking: If I as a White Hat find a bug and then don't tell anyone, there's no reason to believe it will result in any intrusions. The bug has to become known to Black Hats before it can be used to mount intrusions. This can

Re: Is finding security holes a good idea?

2004-06-14 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Ben Laurie writes: What you _may_ have shown is that there's an infinite number of bugs in any particular piece of s/w. I find that hard to believe, too :-) Or rather, that the patch process introduces new bugs. Let me quote from Fred Brooks' Mythical