[liberationtech] DecryptoCat
CodesInChaos
codesinchaos at gmail.com
Sun Jul 7 05:25:31 PDT 2013
> So introductory-level programming course mistakes are right out.
In my experience it's quite often a really simple mistake that gets you,
even when you're an experienced programmer. I'm quite afraid of simple
off-by-one bugs, places which I didn't fix in copy&paste, basic logic
mistakes etc.
IMO Nadim's main mistake wasn't the actual bug, mistakes like that can
happen to anybody, but it was designing a really weird API that invites
mistakes. Nobody sane returns decimal digits from a cryptographic PRNG.
For example a really basic cryptography mistake is reusing a nonce in
AES-CTR. Still it happens to people experienced in both coding and
cryptography. For example Tarsnap had this vulnerability for several
versions, despite a competent developer.
http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-security-bug.html
In my own programs I'm really careful about nonces and randomness, but
still I wouldn't be surprised if a trivial bug slipped through in that area.
Writing tests which detect such mistakes is really hard.
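
The following is an added example, not part of the original message and not Cryptocat's code. It is a constructed digit-from-byte mapper with a one-character off-by-one, and shows that enumerating all 256 byte values gives a deterministic test for the resulting bias, where sampling the output would need a very large number of draws. All function names and the `LIMIT` constant are hypothetical.

```python
import secrets
from collections import Counter

LIMIT = 250  # largest multiple of 10 that fits in a byte's 256 values


def digit_buggy(byte):
    """Constructed off-by-one: '>' lets byte 250 through, so 0 gets an extra slot."""
    if byte > LIMIT:
        return None  # rejected, caller draws another byte
    return byte % 10


def digit_fixed(byte):
    """Accept only 0..249, so each digit is produced by exactly 25 byte values."""
    if byte >= LIMIT:
        return None
    return byte % 10


def digit_counts(mapper):
    """Enumerate every possible input byte; deterministic, unlike sampling output."""
    return Counter(d for d in map(mapper, range(256)) if d is not None)


def is_uniform(mapper):
    """True when all ten digits are reachable from the same number of bytes."""
    counts = digit_counts(mapper)
    return len(counts) == 10 and len(set(counts.values())) == 1


def random_digit(mapper=digit_fixed):
    """Draw bytes from the OS CSPRNG until the mapper accepts one."""
    while True:
        d = mapper(secrets.randbits(8))
        if d is not None:
            return d


def random_below(n):
    """An API that avoids hand-written range reduction: the library does it."""
    return secrets.randbelow(n)


if __name__ == "__main__":
    print("buggy:", sorted(digit_counts(digit_buggy).items()))
    print("fixed:", sorted(digit_counts(digit_fixed).items()))
```

The exhaustive check only works because the input space is 256 values; it catches the bias in the mapping, not a weak or misused entropy source behind it.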