lists.openwall.net | Open Source and information security mailing list archives
Message-ID: <1458.1363905766@critter.freebsd.dk>
Date: Thu, 21 Mar 2013 22:42:46 +0000
From: "Poul-Henning Kamp" <phk@....freebsd.dk>
To: discussions@...sword-hashing.net, Marsh Ray <maray@...rosoft.com>
Subject: Re: [PHC] Password Hashing done wrong on CISCO IOS

In message <218AE73F98E99C4C98AF7D5166AA798E0906BEA8@...EX14MBXC286.redmond.corp.microsoft.com>, Marsh Ray writes:

>Implementation errors happen to *everyone*, even folks who know tons about
>crypto. In practice, it seems that some functions are more prone to subtle
>implementation errors than others.

Somebody substituted their own (bad) judgement over the (alleged to exist)
(better) design.

That is not a "subtle implementation error", that is two failures of
management:

The first failure is that the substitution happened on so security-critical
an algorithm without any management control mechanism catching it.

The second failure is that Q/A failed to detect it too, because they did
not test such a security-critical algorithm against the (alleged to exist)
design.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@...eBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.