[liberationtech] DecryptoCat

Maxim Kammerer mk at dee.su
Sun Jul 7 14:20:09 PDT 2013


On Sun, Jul 7, 2013 at 3:25 PM, CodesInChaos <codesinchaos at gmail.com> wrote:
>> So introductory-level programming course mistakes are right out.
>
> In my experience it's quite often a really simple mistake that gets you,
> even when you're an experienced programmer. I'm quite afraid of simple
> off-by-one bug,

This thread started off with discussion of peer review, so I have
shown that even expensive, well-qualified peer review (and I am sure
that Veracode people are qualified) didn't help in this case. There is
a misconception as to what peer review is supposed to achieve, and
what it can't deal with, and I believe this misconception is similarly
true for both academia and engineering. Academic peer review is not
supposed to deal with fraud. Engineering peer review will have a hard
time dealing with incompetence (unless talking about a specific notion
of peer review where e.g. a team lead sits with a junior programmer,
closely reviewing every commit after thorough discussion). The
examples you have given are either algorithmic mistakes (nonce reuse)
or frequent mistakes due to lack of attention (off-by-one). Both can
be handled during peer review — expert analysis in the first
case, and e.g. automatic static analysis using proprietary tools and
extensive testing in the second case (which I guess was partly what
Veracode did). But if you do something stupid, peer review probably
won't help, unless the reviewer is ready to do something akin to
implementing everything from scratch himself, and thoroughly comparing
the implementations.

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte


