lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <41C213C3.6040404@immunix.com>
Date: Thu, 16 Dec 2004 15:01:23 -0800
From: Crispin Cowan <crispin@...unix.com>
To: Thor Larholm <thor@...x.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: DJB's students release 44 *nix software vulnerability advisories


Thor Larholm wrote:

>This small group of students highlights how individuals outside the
>security industry without special security prerequisites can still
>manage to outperform the average Bugtraq poster in sheer quantity of
>discoveries.
>
That might be just a tad overstated.

The slashdot article 
http://it.slashdot.org/article.pl?sid=04/12/15/2113202 was submitted by 
one of these students. The student said that he spent 300 hours on the 
project. The class had 25 students, so if we assume that is typical, 
that is 7500 man-hours to find 44 vulnerabilities, or 170 hours per bug.

I don't believe that this "outperforms" the typical bugtraq poster. More 
likely, it shows that when you are a professor, you can mandate a lot of 
work if you want to :)

> This adequately validates the typical estimate of between 5
>and 15 errors in every thousand lines of code.
>  
>
How so? The assignment was to find bugs in "UNIX" code, which arguably 
is at least 10,000,000 lines of code for a typical UNIX desktop, which 
should have over 50,000 bugs. That the class could find approx. 50 of 
them does not come close to validating a rate that predicts 50,000.

None of which is to denigrate the fine work that DJB and his class have 
done. I just don't think it validates the claims that Thor says it does.

Crispin

-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ