by perlgeek 4479 days ago
FWIW it looks to me like this mostly isn't a code review, more of a conceptual review of how stuff is done and stored.

I can imagine that's way faster than doing a thorough code review, though the number of results from 10 hours is still very impressive.

3 comments

Here's the rough process I followed when I did that audit:

https://defuse.ca/b/hwwW9d3FkPGhM4T6xBIbhf

I think the reason I found so much in only 10 hours is that I had a good set of guesses about what could be wrong, based on what I've seen people get wrong before. From there it was just a matter of prioritizing which guesses to check. I did look at a lot of the code, although it was mostly guess-checking combined with a closer look at the cryptography code.

Because the audit was so short, the quality of the report suffered (ASCII, some mistakes, some severity ratings that I no longer agree with, etc.). My priority was to find as many problems as possible in the amount of time I was given, and then sort that out later.

To answer some other replies: I always report unbilled hours (in this case none), since I think it's dishonest to say you worked fewer hours than you did. You would essentially be claiming to be more productive than you really are.

That seems to be the case, but I couldn't find any rigorous documentation on the crypto EncFS uses, so I imagine even this level of review required code review (that's also the only way you get a finding like the timing-leaking MAC validator, though I dispute that finding's "Medium" severity and think it's sev:lo).
Some of it must have required at least some level of code review (e.g. MACFileIO.cpp, line 209). Even so, between the review and the writeup, etc., if the total 'billed hours' is really ~10, the rather large hourly rates I've seen for such audits do appear much more appetising, at least to me.
For the particular reviewer who did this work, anyhow.
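The timing-leaking MAC validator finding that the two comments above refer to (MACFileIO.cpp, line 209) is the classic early-exit comparison. The following is an added example written for this page, not EncFS code: a leaky byte-by-byte check beside a constant-time one, with a constructed sample tag and a `bytes_examined` counter (instrumentation for the demo only) to make the data-dependent work visible without a stopwatch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TAG_LEN 8
/* Constructed sample MAC tag for the demo; not a value taken from EncFS. */
static const uint8_t REF_TAG[TAG_LEN] = {0x1f, 0x8a, 0x3c, 0x07, 0xd2, 0x55, 0x9e, 0x61};

/* Timing-leaking check: returns at the first mismatching byte, so the time
 * spent grows with how many leading bytes of a candidate tag are right.
 * bytes_examined is instrumentation for the demo, not part of a real API. */
int mac_equal_leaky(const uint8_t *a, const uint8_t *b, size_t len, size_t *bytes_examined)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *bytes_examined = i + 1;
            return 0;
        }
    }
    *bytes_examined = len;
    return 1;
}
/* Constant-time check: every byte is always touched and differences are
 * OR-accumulated, so the work done is independent of where the tags differ. */
int mac_equal_ct(const uint8_t *a, const uint8_t *b, size_t len, size_t *bytes_examined)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *bytes_examined = len;
    return diff == 0;
}
/* Builds a candidate whose first correct_prefix bytes match REF_TAG (TAG_LEN means
 * an exact match), runs one checker, and returns how many bytes it examined. */
static size_t work_done(int (*check)(const uint8_t *, const uint8_t *, size_t, size_t *),
                        size_t correct_prefix, int *accepted)
{
    uint8_t candidate[TAG_LEN];
    size_t examined = 0;
    memcpy(candidate, REF_TAG, TAG_LEN);
    if (correct_prefix < TAG_LEN)
        candidate[correct_prefix] ^= 0xff;   /* first wrong byte sits at correct_prefix */
    *accepted = check(REF_TAG, candidate, TAG_LEN, &examined);
    return examined;
}
size_t leaky_work(size_t correct_prefix) { int a; return work_done(mac_equal_leaky, correct_prefix, &a); }
size_t ct_work(size_t correct_prefix)    { int a; return work_done(mac_equal_ct, correct_prefix, &a); }
int    ct_accepts(size_t correct_prefix) { int a; work_done(mac_equal_ct, correct_prefix, &a); return a; }
```

With the leaky checker, a candidate that gets three leading bytes right causes four bytes to be examined, while the constant-time checker always examines all eight; that per-byte difference in work is what a timing measurement can pick up.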