Does your software?

[Germain Arthur]

I have unsubscribed from this mailing list. Please remove my name from   
your personal address lists. Thanks.

ahg3

 ----------
From:  Peter Wayner[SMTP:pcw at access.digex.net]
Sent:  Tuesday, October 24, 1995 2:33 PM
To:  Dr. Frederick B. Cohen
Cc:  cypherpunks
Subject:  Re: Does your software?



>My get-only server is available in source form, is 80 lines long and
>thus easily understood, has been shown to meet security properties, is
>now in the process of being mathematically proven to meet those
>properties, and is published in a refereed journal which can be used to
>confirm its contents in detail.  Hence, I do provide secure distribution
>through purely physical means.
>
Uh, proofs only go so far. There was one Cornell CS professor who was a
real devotee of "proving" your programs correct. He even published one of
his proofs in a "refereed" journal. Big whoop. It still had an error.

Proofs can help identify flaws, but they can never rule out all flaws.
That's why their name is so bogus. I wouldn't be surprised if you could
prove that the Finger daemon, which is sort of like a really low-level
GET-ONLY HTTP server, is also safe. In fact, your math proving ability
could probably even prove the pre-Robert Morris finger daemon is safe and
secure. If programmers don't think of preventing finger requests longer
that 512 bytes then why should the head-in-the-clouds program provers?

 - Peter


>--
>-> See: Info-Sec Heaven at URL http://all.net
>Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

P.S. "FC" is your log in and "FC is found inscribed in the writings of   
the
Unabomber. Coincidence?





on't speak
officially, were to be torn apart and the ulterior motives speculated   
upon,
I'd either shut up on this list or get off it completely. (Recall that we
had Marc Andreessen on this list last December--for whatever reasons, and
there are likely several, he left. I recall many attacks on his company.   
He
perhaps figured "What the hell do I need this for?")

Legitimate, scientific analysis is commendable. The brute force attack on
Netscape was great, and even better was the random seed attack. But many   
of
the attacks are less solid:

"How can you people at Digital Datawhack produce such crap? The   
assumptions
you make in the Flogisticon module are disgusting, another example of
security through obscenity."

(What I think this piling on is likely to accomplish is to push company
list subscribers here to just shut up. They see that the more is said by
folks from Netscape, as the best current example, the more fireworks and
insults ensue. The less that is said the better. This is not a good
situation.)

I'm not arguing for "niceness," just that some of the edge be taken off   
the
attacks.

The "bounties" that are being offered in press releases have the danger   
of
inviting premature announcement of results. And of discouraging companies
from actively participating in this list and discussing what might be   
done
to improve security.

Just my views. No doubt some will think I'm a shill for some company.

 --Tim May



Views here are not the views of my Internet Service Provider or   
Government.
 ---------:---------:---------:---------:---------:---------:---------:----  

Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms,   
zero
Corralitos, CA              | knowledge, reputations, information   
markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."