maradydd ([personal profile] maradydd) wrote2008-01-02 07:52 pm

Small world

There's a post up on BoingBoing today (ok, yesterday for me) about open vs. closed search algorithms, suggesting that the search algorithms used by Google, Yahoo et al. are bad because of their lack of transparency. It invokes a comparison to an important concept in computer security: "security through obscurity" is dangerous because an effective encryption scheme should be equally hard to break whether or not you know the internals of the algorithm that generated the ciphertext.

I think comparing this to search is a bad (or at best misleading) idea, and expounded on this in the comments. But I'm far more entertained by the fact that the two best comments on the post so far come from two sources with whom I am tangentially familiar, albeit from totally different directions: [livejournal.com profile] jrtom and [livejournal.com profile] radtea. Small damn world!

[identity profile] enochsmiles.livejournal.com 2008-01-03 03:10 am (UTC)
I stopped believing in the "many eyes make code shallow" nonsense a long time ago. The average amount of time it takes for a bug in PGP (whose source code has always been public, and both the company and the people involved privately have made a huge stir trying to get public auditing of the code) to be discovered by source-code analysis is about five years.

Publicly, at least. The NSA doesn't file bug reports.

[identity profile] jrtom.livejournal.com 2008-01-03 06:39 pm (UTC)
Honestly I'm not surprised. As you say, the NSA doesn't file bug reports...and they, and other organizations like them, are both the most motivated to find flaws in it, and the least motivated to report them. (And among the most capable of finding flaws, of course.)

[identity profile] maradydd.livejournal.com 2008-01-03 06:44 pm (UTC)
*shrug* KML has seen a sudden upswing in users over the last few weeks, and they're filing bug reports like there's no tomorrow -- and tracking them down to their origin in the source. I certainly appreciate it; it makes my job easier.

[identity profile] enochsmiles.livejournal.com 2008-01-04 04:45 pm (UTC)
Functionality bugs and security bugs are different. How many of these bugs are ones that do not affect functionality, but only affect security? I suspect very few.

(And as a side note: KML means "Keyhole Markup Language." You need a new name...)

[identity profile] jrtom.livejournal.com 2008-01-03 06:54 pm (UTC)
Following on to my earlier response, and addressing your point more directly: I don't believe that "many eyes make code shallow", per se. I do believe that the more people that can see (and are motivated to look at) your code, the more likely it is that some sufficiently obsessed person will take a close look and run across any bugs that do occur. (That is, you don't necessarily need _lots_ of people, just the right ones, but the more people you have looking, the higher the probability that the right ones will be included.)

For something like the code associated with a search service like Google's/Yahoo's/Microsoft's, the required level of obsession (or other motivation) would have to be pretty high, but I think that we all agree that there are many people who are deeply interested in finding flaws that can be exploited through cheap manipulation of the inputs.