Vulnerability Development mailing list archives
Re: BitchX /ignore bug
From: goat () PHOENIX ISN NET (Steve Mosher)
Date: Fri, 7 Jul 2000 08:51:15 -0300
Ahh, that makes sense. I learned to code with man pages, a (bad) reference book, and a scary mess of poorly written code. The poorly written code served as a wonderful example -- it would allocate and forget about piles of memory, and it would crash all the time -- of what not to do, and why. I guess my natural interest in security made me extend this realization to risky ways of doing things, that weren't obvious.

It's about time instruction became security conscious -- actually, it's long overdue. The art of code auditing appears to be totally homebrew -- AFAIK you can't learn it in school, or from books, but it happens every day; some people get paid to do it, others do it for the sake of it, and others still do it to write exploits. I've done the first two, personally. It's time people realize that when designing a program that has any sort of privs at all -- *especially* for use with the internet -- that the design thoughts *must* include attention to security. I'm willing to bet that code written by those who write script-kid exploits is probably of the most secure around.

So, are we to encourage these people to write books on C (or whatever) and teach programming in schools? Are there any (programming) teachers on this list even? That would be a start.

On Thu, 06 Jul 2000, Joe User wrote:

> Just think of it this way: someone that's got a natural knack for programming hops down to a bookstore and picks up "Learn C in 21 Days" and flips through it for about 10, and has everything down pat. Ok, no problem, except for the fact that the books you pick up register unsafe gets(), scanf(), strcpy(), etc. Then, after a short time of writing small projects this way, they find out about security: checking buffers, making certain that nothing can get out of bounds, etc... they pick up on this information, but too late. They've already learned the unsafe way of doing things, and old habits die hard. This, unfortunately, is what happens oftentimes; I figured it out when I wrote one program and couldn't figure out why a scanf() would overwrite the EIP and cause a segfault. It took me about 4 days to find the info online in an article [I believe it was on SunWorld] that you should never use scanf() at all. Many of the big-shot programmers out there that contribute or even write programs that are now in everyday use have never been to a school to learn to program, they just started by doing. It's shameful that the material they learned from had no notion of secure programming, but unfortunately that's the way it is :(
-- Shop smart, shop S-Mart! - Ash
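The quoted reply names the habits that cause the overflow (unbounded strcpy() and scanf("%s") into a fixed buffer). The following is an added example, not code from the thread or from BitchX: the unsafe pattern beside a bounded copy and a width-limited sscanf() that also detects silent truncation. NAME_LEN and the sample inputs are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed fixed-size field, as in the reply's scenario */

/* The pattern the reply warns about: strcpy() copies until the source NUL and
 * never looks at the destination size, so a long src runs past name[] onto
 * the stack (the EIP corruption described above). Shown for contrast only;
 * nothing below calls it. */
void copy_unsafe(char name[NAME_LEN], const char *src) {
    strcpy(name, src);
}

/* Hardened copy: refuse anything that does not fit with its terminator,
 * leave out[] as an empty string on rejection, return the copied length. */
int copy_bounded(char *out, size_t outlen, const char *src) {
    size_t n = strlen(src);
    if (outlen == 0) return -1;
    if (n >= outlen) {          /* no room for the NUL: reject, do not truncate */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, src, n + 1);
    return (int)n;
}

/* scanf-style parsing done safely: a field width bounds %s, and reading the
 * character after the token tells us whether the width cut the token short
 * (a silent truncation is a bug too, just a quieter one than an overflow). */
int parse_name_bounded(const char *line, char *out, size_t outlen) {
    char tmp[NAME_LEN + 1];     /* %16s writes at most 16 chars plus NUL */
    char next = ' ';
    int got = sscanf(line, "%16s%c", tmp, &next);
    if (got < 1) return -1;                      /* empty or whitespace-only line */
    if (got == 2 && !isspace((unsigned char)next))
        return -1;                               /* token was longer than 16: truncated */
    return copy_bounded(out, outlen, tmp);       /* still enforce the caller's size */
}
```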