lukeprog comments on You Can Face Reality - Less Wrong

53 Post author: Eliezer_Yudkowsky 09 August 2007 01:46AM

Comment author: lukeprog 24 February 2014 05:22:47PM * 3 points

From information security analyst Joshua Goller, the "Tarski-Gendlin Litany of Information Security":

What is vulnerable to exploitation is already so;
facing it doesn't make it worse,
and ignoring it doesn't make it secure.
Because it's vulnerable, it is what is there to be attacked,
and anything not found to be vulnerable isn't there to be hacked (yet).
The developers can stand to know what is exploitable,
for they unknowingly wrote it to be exploited,
and the users can stand to know what is insecure,
for they are currently using it insecurely.
If the software contains an exploitable bug,
I desire to believe that the software contains an exploitable bug.
If the software does not contain an exploitable bug,
I desire to believe that I haven't found any exploitable bugs in it yet,
And I had better keep looking.
Let me not become attached to beliefs I may not want.

Comment author: fubarobfusco 24 February 2014 09:41:58PM 4 points

If the software does not contain an exploitable bug,
I desire to believe that I haven't found any exploitable bugs in it yet,
And I had better keep looking.

This part seems like a mistake. If this component actually does not contain an exploitable bug, my time would be better spent looking for exploitable bugs in other components. Otherwise I can never audit the whole code base.