Vulnerability Development mailing list archives

Re: BitchX /ignore bug


From: security () PHUZZIELOGIK CX (Security Mail Acct.)
Date: Thu, 6 Jul 2000 20:10:18 -0700


On Thu, 6 Jul 2000, Joe User wrote:

Just think of it this way: someone that's got a natural knack for programming
hops down to a bookstore and picks up "Learn C in 21 Days" and flips through
it for about 10, and has everything down pat. Ok, no problem, except for the
fact that the books you pick up register unsafe gets(), scanf(), strcpy(), etc.
Then, after a short time of writing small projects this way, they find out about
security: checking buffers, making certain that nothing can get out of bounds,
etc...they pick up on this information, but too late. They've already learned
the unsafe way of doing things, and old habits die hard. This, unfortunately,
is what happens oftentimes; I figured it out when I wrote one program and
couldn't figure out why a scanf() would overwrite the EIP and cause a segfault.

Ok, I agree with this, but, does anyone have any suggestion for a
book(s), targeted at beginners, that either focus specifically on writing
secure code or that at least teach the secure methods? Thanks.

-=/phuzzie\=-                   The refusal to choose is a form of
                                choice; disbelief is a form of belief.
     phuzzie () phuzzielogik cx
                                                - Frank Barron
          http://www.phuzzielogik.cx

       * PGP Public Key - http://www.phuzzielogik.cx/email.html *
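The unsafe idioms named in the quoted message (strcpy(), gets(), scanf("%s")) beside bounded replacements, as an added C example that is not part of the thread; NAME_MAX, the function names and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed: small so the too-long case is easy to exercise */

/* The "before" from the thread: strcpy() trusts the source length, so a longer
 * src runs past dst (the stack overwrite the quoted message describes). */
void unsafe_set_name(char *dst, const char *src) { strcpy(dst, src); }

/* Bounded replacement: the destination size is explicit and truncation is
 * reported instead of silently writing out of bounds. */
int safe_set_name(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0) return -1;
    if (n >= dst_size) {                    /* does not fit, NUL included */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Replacement for gets() and scanf("%s"): fgets() is told the buffer size, and
 * the rest of an over-long line is drained so it is not mistaken for the next
 * input. Returns 0 = ok, 1 = truncated (reject it), -1 = no more input. */
int safe_read_line(char *buf, size_t buf_size, FILE *in)
{
    if (buf_size == 0 || fgets(buf, (int)buf_size, in) == NULL) return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') { buf[len] = '\0'; return 0; }   /* whole line fit */
    int c = fgetc(in);
    if (c == '\n' || c == EOF) return 0;    /* fit exactly, or final line */
    while (c != EOF && c != '\n') c = fgetc(in);           /* discard overflow */
    return 1;
}

/* Constructed input stream standing in for stdin (tmpfile() is standard C). */
FILE *constructed_input(const char *text)
{
    FILE *f = tmpfile();
    if (f) { fputs(text, f); rewind(f); }
    return f;
}
```

The non-zero return from safe_read_line() is the point: an over-long line is a rejected input, not a silent truncation that the next read picks up as fresh data.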

