Firewall Wizards mailing list archives

Re: concerning ~el8 / project mayhem


From: Adam Shostack <adam () homeport org>
Date: Thu, 22 Aug 2002 19:45:12 -0400

On Thu, Aug 22, 2002 at 02:50:03PM -0400, Dave Piscitello wrote:

| >  - reading the LINUX source code
| 
| Oh, come down from the lofty perch...this is an entirely elitist 
| perspective. The ratio of people who must be engaged in securing systems 
| vs. those capable of evaluating whether source correctly bounds data 
| structures approaches infinity.

Being able to detect bounds in the structures may not be needed.  No,
wait, is not needed.  My favorite example, and I change the text
slightly to not harass the author: 
/* Too tired to do this better */ was in a pile of security code. 

Just reading the code of the thing you're installing is often
educational and enlightening.  It's gotten harder as things get more
complex, but it's still worth doing, EVEN IF YOU'RE NOT A PROGRAMMER.
I say that as someone who rarely writes code.  I find reading other
people's code worth my time.  (I often say that my writing code is a
process bug; I can code, but not as well, quickly, or securely as a
good programmer.)

| >  - Reading papers by Bhoem, Parnas, Hansen and the like (or perhaps
| >    "Software Tools") on good technique and comparing it with some
| >     published code.
| >    (Some of the 'open source' code is exemplary in its grotty-ness)
| 
| This is unfortunately a luxury for many daily ops folks. Have you run or 
| worked in a NOC?

And you're finding time to post to this list?  ;) And as much as I
like the folks here, Parnas is more worthwhile.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

