it's astonishing how often this happens in my line of work
-
it's astonishing how often this happens in my line of work:
client: can you review our source code for security issues?
me: of course!
[we stare at each other in a long, tense silence]
me: ... may I see the source code?
client: absolutely not.
-
@0xabad1dea In a past life, I worked on a compiler that the DoE used. I never had to handle their bug reports and was quite glad. The flow was:
Them: It doesn't work.
Us: In what way?
Them: That's classified. The wrong number comes out of the program.
Us: What program?
Them: That's classified.
Us: Can you send us a reduced test case?
Six months pass while the reduced test case is declassified, which involves review that it does not leak anything about the Super Secret Program that it's based on.
The reduced test case does not trigger the bug. Apparently the original did, but en route to being declassified the parts that triggered the bug were removed.
-
Did you mean DoE? As in Education? What kind of secret stuff are they up to?!
-
@MrBerard @0xabad1dea Department of Energy. They have a Fortran program that they are not allowed to modify without re-validating the simulation. They cannot re-validate it unless the test-ban treaty is repealed, and so it's a big pile of Fortran 77. They will pay unbounded amounts of money to companies that can make Fortran 77 run faster because they can't touch the source code (I assume this is still true, it's been quite a while).
-
@0xabad1dea well if they want to send me binaries I can reverse engineer them and then check for security vulnerabilities, but it'll take a lot longer and I charge by the hour