Firewall Wizards mailing list archives

Re: Extreme Hacking

From: Darren Reed <darrenr () reed wattle id au>
Date: Tue, 13 Jul 1999 01:13:47 +1000 (EST)

In some email I received from Marcus J. Ranum, sie wrote:

Ge' Weijers wrote:

On the other hand: those who need to develop security-related code,
protocols etc. do need to have an awareness of common exploits.


Yes, and no. They need to know classes of bugs to avoid, and
categories of common mistakes. For example, if you're developing
security critical code you need to know what buffer overruns are
and how to prevent them -- you do not need an exploit script that
tickles a bug in the latest version of BIND.


Allowing buffer overruns is just bad programming, irrespective of
whether or not it is being used in a sitatuation where it is a
security risk.  Function calls such as gets() should just be banned >:)

Other problems which can be introduced (race conditions with files,
etc), are sometimes more a question of design and implementation than
just bad programming.

Darren

Current thread:

Extreme Hacking Kunz, Peter (Jul 05)
- Re: Extreme Hacking Marcus J. Ranum (Jul 05)
  - Re: Extreme Hacking Arjan Vos (Jul 05)
  - Re: Extreme Hacking Aleph One (Jul 06)
    - Re: Extreme Hacking Marcus J. Ranum (Jul 06)
  - Re: Extreme Hacking Ge' Weijers (Jul 06)
    - Re: Extreme Hacking Marcus J. Ranum (Jul 12)
    - Re: Extreme Hacking Ge' Weijers (Jul 12)
    - Re: Extreme Hacking Darren Reed (Jul 12)
    - Re: Extreme Hacking Crispin Cowan (Jul 13)
  - Re: Extreme Hacking deab (Jul 06)
  - Re: Extreme Hacking Paul Woodie (Jul 06)
  - Re: Extreme Hacking Craig H. Rowland (Jul 06)
    - Re: Extreme Hacking Crispin Cowan (Jul 08)
    - Re: Extreme Hacking Craig H. Rowland (Jul 09)
    - Vulnerability Escrow (was: Extreme Hacking) Crispin Cowan (Jul 09)
    - Re: Extreme Hacking Joseph S D Yao (Jul 12)
    - Re: Extreme Hacking Craig H. Rowland (Jul 12)
  - Re: Extreme Hacking Stephen P. Berry (Jul 08)

(Thread continues...)