[liberationtech] DecryptoCat
Maxim Kammerer
mk at dee.su
Mon Jul 8 04:34:18 PDT 2013
On Mon, Jul 8, 2013 at 4:34 AM, Tom Ritter <tom at ritter.vg> wrote:
> As one of the people on this list who does paid security audits, I
> both want to, and feel obligated to, weigh in on the topic.
Thanks for your insight into the code review process. Besides perhaps
insinuating that Veracode didn't do their job properly, I don't see
how it is in any way relevant to the Cryptocat incident discussed ITT.
> So, not to avoid the hard problem, let's take this particular bug. What
> I would say is MOAR ABSTRACTION.
> […]
> Each of these classes is pretty modular, and is unit tested up the
> wazoo.
That's all very interesting. Meanwhile, in the real world:
https://github.com/cryptocat/cryptocat/tree/master/test
> If you think this bug could never happen to you or your favorite pet
> project; if you think there's nothing you can learn from this incident
> - you haven't thought hard enough about ways it could have been
> prevented, and thus how you can prevent bugs in your own codebase.
I think you forgot that you are not in a presentation to PHBs. There
is absolutely nothing I can learn from this incident. I know basic
programming principles, and my job is not in providing consulting to
software companies in a mess.
I understand the unwillingness to accept criticism and the
white-knighting, but look at it this way. If I told you that I found
another vulnerability in Cryptocat, and am in the process of selling it
to an intelligence agency, would you still proceed to lecture me on my
thinking processes, and on best software practices?
--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte