[cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

James A. Donald jamesd at echeque.com
Wed Dec 15 23:41:12 EST 2010


Sandy Harris writes:
>> First, it is open source. The code can be audited, and anyone with really

On 2010-12-16 2:12 PM, Chris Palmer wrote:
> People make too much of this. In my experience, given the level of detail
> that you need to absorb to properly audit this kind of C code, it's not
> really all that different from auditing disassembled object code. In some
> cases, RE tools make the job easier. IDA's tree-of-basic-blocks view and a
> nice debugger can be just as easy or easier to deal with than your favorite
> IDE or Source Insight.
>
> Which is to say, it's extremely hard either way. :)

It takes about one hour per hundred lines of source code.  This is at 
least ten times faster than debugging someone else's object code, 
possibly one hundred times faster.



