
RE: Does your software?

I have unsubscribed from this mailing list. Please remove my name from   
your personal address lists. Thanks.


From:  Peter Wayner[SMTP:[email protected]]
Sent:  Tuesday, October 24, 1995 2:33 PM
To:  Dr. Frederick B. Cohen
Cc:  cypherpunks
Subject:  Re: Does your software?

>My get-only server is available in source form, is 80 lines long and
>thus easily understood, has been shown to meet security properties, is
>now in the process of being mathematically proven to meet those
>properties, and is published in a refereed journal which can be used to
>confirm its contents in detail.  Hence, I do provide secure distribution
>through purely physical means.
Uh, proofs only go so far. There was one Cornell CS professor who was a
real devotee of "proving" your programs correct. He even published one of
his proofs in a "refereed" journal. Big whoop. It still had an error.

Proofs can help identify flaws, but they can never rule out all flaws.
That's why their name is so bogus. I wouldn't be surprised if you could
prove that the Finger daemon, which is sort of like a really low-level
GET-ONLY HTTP server, is also safe. In fact, your math proving ability
could probably even prove the pre-Robert Morris finger daemon is safe and
secure. If programmers don't think of preventing finger requests longer
than 512 bytes then why should the head-in-the-clouds program provers?

 - Peter

>-> See: Info-Sec Heaven at URL http://all.net
>Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

P.S. "FC" is your login and "FC" is found inscribed in the writings of
Unabomber. Coincidence?
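Peter's point above is that a proof is only as strong as the input assumptions it states: the pre-Morris fingerd was "correct" for requests under 512 bytes and simply had no case for anything longer. The following is an added illustration, not code from the thread, from Cohen's get-only server or from any real finger daemon. It is a hypothetical bounded request reader in which the 512-byte limit is an explicit, checked condition rather than an unstated assumption; the input byte arrays are constructed stand-ins for a socket.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed-size request buffer (the same 512 bytes Peter cites). */
#define REQ_MAX 512

enum req_status { REQ_OK = 0, REQ_TOO_LONG = -1, REQ_TRUNCATED = -2 };

/* Copy one request line from `in` (length `in_len`, a constructed
 * stand-in for the network stream) into `out`, stopping at the first
 * newline. The property a proof would have to state and the code has
 * to enforce: no input, of any length, writes past out[REQ_MAX - 1].
 * On REQ_OK, *out_len is the number of bytes stored (newline excluded). */
int read_request(const char *in, size_t in_len, char out[REQ_MAX], size_t *out_len)
{
    size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == '\n') {
            out[n] = '\0';
            *out_len = n;
            return REQ_OK;
        }
        /* Leave room for the terminating NUL; refuse rather than spill. */
        if (n >= REQ_MAX - 1)
            return REQ_TOO_LONG;
        out[n++] = in[i];
    }
    return REQ_TRUNCATED; /* stream ended before a line terminator */
}

/* Feed a constructed input to the reader and report what happened. */
int handle(const char *in, size_t in_len)
{
    char buf[REQ_MAX];
    size_t len = 0;
    int st = read_request(in, in_len, buf, &len);
    if (st == REQ_OK)
        printf("request (%zu bytes): %s\n", len, buf);
    else
        printf("rejected, status %d\n", st);
    return st;
}

/* Build a constructed request of `count` copies of `c` plus '\n' and
 * hand it to handle(); used to probe the boundary around REQ_MAX. */
int handle_filled(char c, size_t count)
{
    char big[4096];
    if (count + 1 > sizeof big)
        count = sizeof big - 1;
    memset(big, c, count);
    big[count] = '\n';
    return handle(big, count + 1);
}

int main(void)
{
    handle("user\n", 5);          /* ordinary request: accepted */
    handle_filled('A', 511);      /* largest request that fits: accepted */
    handle_filled('A', 512);      /* one byte too many: rejected */
    handle_filled('A', 2000);     /* the case fingerd never checked: rejected */
    handle("nonewline", 9);       /* stream cut off: rejected */
    return 0;
}
```

The interesting cases are the two around the boundary: 511 bytes plus the newline is the largest line that fits with its terminator, and 512 bytes is the first that does not. Whether the proof covers the 2000-byte case depends entirely on whether the specification says what happens to it, which is the gap Peter is pointing at.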

on't speak
officially, were to be torn apart and the ulterior motives speculated   
I'd either shut up on this list or get off it completely. (Recall that we
had Marc Andreessen on this list last December--for whatever reasons, and
there are likely several, he left. I recall many attacks on his company.   
perhaps figured "What the hell do I need this for?")

Legitimate, scientific analysis is commendable. The brute force attack on
Netscape was great, and even better was the random seed attack. But many of
the attacks are less solid:

"How can you people at Digital Datawhack produce such crap? The   
you make in the Flogisticon module are disgusting, another example of
security through obscenity."

(What I think this piling on is likely to accomplish is to push company
list subscribers here to just shut up. They see that the more is said by
folks from Netscape, as the best current example, the more fireworks and
insults ensue. The less that is said the better. This is not a good

I'm not arguing for "niceness," just that some of the edge be taken off   

The "bounties" that are being offered in press releases have the danger of
inviting premature announcement of results. And of discouraging companies
from actively participating in this list and discussing what might be   
to improve security.

Just my views. No doubt some will think I'm a shill for some company.

 --Tim May

Views here are not the views of my Internet Service Provider or   

Timothy C. May              | Crypto Anarchy: encryption, digital money,
[email protected]  408-728-0152 | anonymous networks, digital pseudonyms,   
Corralitos, CA              | knowledge, reputations, information   
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."