Search Mailing List Archives
codesinchaos at gmail.com
Sun Jul 7 05:25:31 PDT 2013
> So introductory-level programming course mistakes are right out.
In my experience it's quite often a really simple mistake that gets you,
even when you're an experienced programmer. I'm quite afraid of simple
places which I didn't fix in copy&paste, basic logic mistakes etc.
IMO Nadim's main mistake wasn't the actual bug, mistakes like that can
happen to anybody,
but it was designing a really weird API that invites mistakes. Nobody sane
return decimal digits
from a cryptographic PRNG.
For example a really basic cryptography mistake is reusing a nonce in
AES-CTR. Still it happens to people experienced
in both coding and cryptography. For example Tarsnap had since
vulnerability for several versions, despite a competent developer.
In my own programs I'm really careful about nonces and randomness, but
still I wouldn't be surprised if a trivial bug slipped through in that area.
Writing tests which detect such mistakes is really hard.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the liberationtech