nanog mailing list archives
Re: Searching for a quote
From: Stephen Satchell <list () satchell net>
Date: Fri, 13 Mar 2015 06:14:09 -0700
On 03/12/2015 10:25 PM, Keith Medcalf wrote:
> Robustness is desirable from a security perspective. Failure to be liberal in what you accept and not being prepared to deal with malformed input leads to such wonders as the Microsoft bug that led to unexpected/malformed IP datagrams mishandled as "execute payload with system authority". Rather than sloppiness you could also attribute the error to malice -- that it was injected at the specific request of certain government agencies, perhaps under threat, perhaps with just a wink and a nod ...
"Being liberal in what you accept" and "being prepared to deal with malformed input" are two different concepts. Back when I was involved with protocol design on ARPAnet, what I was taught is that one has to be able to handle *correctly* malformed input, and not yield astonishing results. This is not easy, particularly in assembler language. Blowing buffer boundaries is just plain crap code.

As for malice, I've never seen that. Not checking buffer boundaries, in my experience, is always stupidity or laziness. This is particularly true when someone threw together a proof of concept quickly, then didn't go in and harden the code before releasing it to the world. (Some of that was born during the "interop" meetings, where groups of coders would assemble in a conference room and bang implementation together -- because it was done quickly, sometimes it was very sloppy.)
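
An added illustration of the distinction drawn in this message (not code from the post or from any implementation mentioned in the thread): a C IPv4 header parser that tolerates harmless trailing padding yet checks every length field against the bytes actually received. The function, enum and struct names and the sample datagram are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum pkt_status { PKT_OK, PKT_TRUNCATED, PKT_BAD_VERSION, PKT_BAD_IHL, PKT_BAD_LENGTH };
struct ipv4_view {               /* pointers into the caller's buffer, no copies */
    const uint8_t *options; size_t options_len;
    const uint8_t *payload; size_t payload_len;
};

/* Every length in the datagram is sender-controlled, so each one is checked
 * against the byte count actually received before it is used as an offset.
 * The header checksum is not verified here. */
enum pkt_status parse_ipv4(const uint8_t *buf, size_t len, struct ipv4_view *out)
{
    if (len < 20) return PKT_TRUNCATED;              /* fixed header is 20 bytes */
    if ((buf[0] >> 4) != 4) return PKT_BAD_VERSION;
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;        /* header length in bytes */
    if (ihl < 20) return PKT_BAD_IHL;
    if (ihl > len) return PKT_TRUNCATED;             /* options run past the buffer */
    size_t total = ((size_t)buf[2] << 8) | buf[3];   /* Total Length field */
    if (total < ihl) return PKT_BAD_LENGTH;          /* would make payload_len wrap */
    if (total > len) return PKT_TRUNCATED;           /* claims more than was received */
    /* Liberal where it is harmless: bytes after Total Length (link-layer
     * padding) are ignored instead of causing a rejection. */
    out->options = buf + 20;  out->options_len = ihl - 20;
    out->payload = buf + ihl; out->payload_len = total - ihl;
    return PKT_OK;
}

/* Constructed sample: 20-byte header, 4-byte payload, 2 bytes of padding. */
static const uint8_t sample_ok[26] = {
    0x45, 0x00, 0x00, 0x18, 0, 0, 0, 0, 64, 17, 0, 0,
    192, 0, 2, 1, 192, 0, 2, 2, 'd', 'a', 't', 'a', 0, 0 };

int main(void)
{
    struct ipv4_view v;
    uint8_t bad[26];
    for (size_t i = 0; i < sizeof bad; i++) bad[i] = sample_ok[i];
    bad[2] = 0xFF; bad[3] = 0xFF;        /* Total Length now claims 65535 bytes */
    int ok = parse_ipv4(sample_ok, sizeof sample_ok, &v);
    int lie = parse_ipv4(bad, sizeof bad, &v);
    printf("ok=%d payload=%zu lying_length=%d\n", ok, v.payload_len, lie);
    return 0;
}
```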