"a skilled backdoor-writer can defeat skilled auditors"?
stephan.neuhaus at tik.ee.ethz.ch
Tue Jun 3 22:54:12 PDT 2014
On 2014-06-04, 00:53, Andy Isaacson wrote:
> If the auditor at any point says "Well, I wouldn't have
> *recommended* that you implement your JSON parsing in ad-hoc C with
> pointer arithmetic and poor and misleading comments, but I can't find
> any *bugs* so I guess it must be OK" then that is an immediate fail.
And that I think is going too far. There might be perfectly valid
reasons to do what the developer did, and saying post-hoc that you fail
the audit because you don't like some design choices opens the door to
personal biases. (Good luck, for example, trying to write nontrivial C
without at least some form of pointer arithmetic.)
If you fail the audit, it's your duty as a professional auditor to
provide evidence that there is something actually wrong with the
software. It's OK to single out some pieces of code for closer
inspection because of code smells, but if you try your darnedest to find
something wrong with it and can't, then either the code is OK or you're
not good enough an auditor. In either case, you can flag the code, you
can recommend rewriting it according to what you think is better style,
but you can't in good conscience fail the audit.
More information about the cypherpunks