1993-11-08 - Re: trusting software

Header Data

From: doug@netcom.com (Doug Merritt)
To: cypherpunks@toad.com
Message Hash: c1febdb04447d454ee730b6750393ec30fb2901b251b104d758e4b3812558442
Message ID: <199311080642.WAA02946@mail.netcom.com>
Reply To: N/A
UTC Datetime: 1993-11-08 06:43:00 UTC
Raw Date: Sun, 7 Nov 93 22:43:00 PST

Raw message

From: doug@netcom.com (Doug Merritt)
Date: Sun, 7 Nov 93 22:43:00 PST
To: cypherpunks@toad.com
Subject: Re: trusting software
Message-ID: <199311080642.WAA02946@mail.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


ogr@wyvern.wyvern.com (Jason Plank) said:
>Penned by Doug Merritt:
>> Furthermore, even close reading won't absolutely *guarantee* the lack of
>> backdoors in all cases, even if the reader is an expert on relevant
>> subjects.
>
>	Why not?  Read *every* line of code and the spaces in between two or
>three times.

Surely. A certain percentage of people will. A certain percentage of
people lack the expertise to do so. That was my primary point.

My secondary point is that even those who *do* may not detect the presence
of a backdoor. The decade-and-a-half controversy over whether DES has
a backdoor, despite the fact that the alogorithm is public, is an example
of this. The eventual answer to the question is less important than the
period of debate...think about it.

Reading source code is never a guarantee; it is only a *statistically* safe
measure. Worse yet, the statistical issues tend to be hard to analyze,
and in no case does one attain a 100% confidence.

This is a limited response to a limited question; I'm aware that there
are a million other issues as well.
	Doug





Thread