undefined | Better HN

0 pointsMattRogish11y ago0 comments

The "experts only" attitude is because, well, as we've seen with HeartBleed, this is VerySeriousStuff.

If the author instead put together a book on how a layperson could perform open-heart surgery, you're damn right that actual surgeons would jump all over it.

There is some strange pervasive attitude/arrogance in tech that all it takes to be good at something is to be smart and give it a try. Why learn the theory/fundamentals when you can just start coding?

For building a web app, sure. But security is not one of those things. You actually need to learn the fundamentals and theory, and even then, need lots of experience.

0 comments

thrownaway242411y ago

That's a very weird lesson to learn from the heartbleed bug. What I learned is cryptography experts should be consulted on matters of math and ignored on matters of software. Any non-zero application of software development best practices would have prevented the heartbleed flaw, including:

1: Don't implement features you don't need. Nobody needs TLS heartbeat. Nobody. Don't implement it until you have a use case and the calling code in hand.

2: Test the features you do implement. What happens if this field is the minimum? The maximum? A power of 2? A power of 2, less 1? Negative when treated as signed?

duaneb11y ago

You know what else is hard? Writing a book on cryptography. It's all very well and good to point out problems, but there are probably more productive ways to teach people than simply point out what not to do.

scott_s11y ago

When you are writing about a difficult subject, you should invite reviews from experts to vet your work.

duaneb11y ago

I'm not disagreeing. I'm just pointing out that a critic is much less useful than an author.

3 more replies

j / k navigate · click thread line to collapse

0 pointsMattRogish11y ago0 comments

The "experts only" attitude is because, well, as we've seen with HeartBleed, this is VerySeriousStuff.

If the author instead put together a book on how a layperson could perform open-heart surgery, you're damn right that actual surgeons would jump all over it.

For building a web app, sure. But security is not one of those things. You actually need to learn the fundamentals and theory, and even then, need lots of experience.

0 comments

thrownaway242411y ago

1: Don't implement features you don't need. Nobody needs TLS heartbeat. Nobody. Don't implement it until you have a use case and the calling code in hand.

2: Test the features you do implement. What happens if this field is the minimum? The maximum? A power of 2? A power of 2, less 1? Negative when treated as signed?

duaneb11y ago

scott_s11y ago

When you are writing about a difficult subject, you should invite reviews from experts to vet your work.

duaneb11y ago

I'm not disagreeing. I'm just pointing out that a critic is much less useful than an author.

3 more replies

j / k navigate · click thread line to collapse