
"a skilled backdoor-writer can defeat skilled auditors"?

> Message of 04/06/14 05:40
> From: "coderman"
> On Tue, Jun 3, 2014 at 6:06 PM,  wrote:
> > ...
> > Your proposal [building meaningful security in from the start] would cause 99% of software currently in use to be rejected and make the development costs increase so astronomically as to be compared to medical research.
> 1% making the cut is a far too generous estimate, perhaps 1% of 1%. as
> for the cost issue, which must be paid somewhere,
> you make two assumptions:
> first, assuming the externalities of insecure systems are simply
> non-exist-ant. the costs of our pervasive vulnerability are
> gargantuan, yet the complexity and cost of robust alternatives
> instills paralysis. (this lack of significant progress in development
> of secure systems feeds your defeatist observations; it's ok ;)

I kind of feel like an ant looking at the task of moving a mountain.

> second, that the schedules and styles of development as we currently
> practice it will always be. if you solved a core (commodity) infosec
> problem once, very well, in a way that could be widely adopted, you
> would only need to implement it once! (then spending five years and
> ten fold cost building to last becomes reasonable)

Yah no, we never know when a problem is really solved. We may consider it solved, then someone comes and breaks it for us. Not even formal proofs stand forever.