Slashdot Mirror


Security Review Summary of NIST SHA-3 Round 1

FormOfActionBanana writes "The security firm Fortify Software has undertaken an automated code review of the NIST SHA-3 round 1 contestants' (previously Slashdotted) reference implementations. After a follow-up audit, the team is now reporting summary results. According to the blog entry, 'This just emphasizes what we already knew about C, even the most careful, security conscious developer messes up memory management.' Of particular interest, Professor Ron Rivest's (the "R" in RSA) MD6 team has already corrected a buffer overflow pointed out by the Fortify review. Bruce Schneier's Skein, also previously Slashdotted, came through defect-free."

6 of 146 comments

  1. SHA-3 Is Cracked. by Anonymous Coward · · Score: -1, Troll

    Otherwise the NSA wouldn't have let it get this far.

    1. Re:SHA-3 Is Cracked. by gavron · · Score: 1, Troll

      Your null pointer bitch derefernced[sic] herself and crashed, or I'll take out your fucking lights. How would you like that?

  2. What do you call a penis up your ass? ASS-PENIS!! by Anonymous Coward · · Score: -1, Troll

    Most niggers in Africa don't know what SHA-3 is. Therefore, SHA-3 is RACIST!

    nigger nigger nigger

  3. Re:ANSI C by Anonymous Coward · · Score: -1, Troll

    Blame open source, not the language. This is the typical crap that comes out of FOSS projects -- unchecked boundary conditions, buffer overflows, sloppy (or non-existent) error handling. Trust me, even if they coded this stuff in Ada or Perl, they would have fucked it up. Frankly, I'm surprised most of them even compiled without lint warnings.

  4. Re:ANSI C by Anonymous Coward · · Score: -1, Troll

    Mod parent up. Thanks. Annoying SLASHVERTISEMENT!

  5. Re:ANSI C by iwein · · Score: 0, Troll

    Yes, it would be nice to have a way to compile beautiful mathematical functions to machine code. Sadly you're dependent on those people that are writing the grammar and reference implementation of the compiler. What if they need one of those pesky algorithms for that?

    --
    Show a man some news, distract him for an hour. Show a man some mod points, distract him for the rest of his life.