Vulnerability Development mailing list archives

Re: BitchX /ignore bug


From: jts28 () CORNELL EDU (Schlachter, Jake)
Date: Fri, 7 Jul 2000 09:47:31 -0400


On Fri, 7 Jul 2000, Bluefish wrote:

> Is it the teachers' fault, can anyone be blamed? More
> importantly, is there anything (short of Java, or any change in language)
> that can be done about it?
>
> My experience from 2 years of undergraduate master of science education
> is that there's never any mention of "insecure" programming. In the
> computer security course I took there was some mention of buffer
> overflows and similar threats, but that isn't enough to ensure that code is
> written moderately well. And the security course is entirely optional.
>
> Actually, I fear it's the same at most universities. The average computer
> science student leaves his/her education with hardly any knowledge of
> security, and if (s)he has been taught any of it, it has been too
> theoretical.

Cornell's undergraduate CS courses are taught in Java. This is a growing
trend in academia.  There is never any focus on secure code.  In fact,
there is never any emphasis on code at all-- to avoid any accusations of
technical instruction, Cornell leaves all programming study to the
student on their own time. This could be why the Masters are not passing
on this instructional wisdom-- they're not present when the student is
learning. We all know that classes are too large for code to be examined
in detail.  Even in the 500-level security course (which I thought was
very well taught, if my prof is listening in =) there was no emphasis on
the code itself, but on the underlying protocols and concepts. Again, it
was taught in Java.  A thorough examination of what constitutes a stack
overflow exploit in C, and writing secure code in general, are concepts
that might best be taught to beginning programmers by the security /
programming community itself, by making instructional docs available
online (if they aren't now), because they're not going to show up on an
academic curriculum any time soon.  You've got to take care of your own.

jts28
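
As an added example (not part of the original post, and not code from BitchX or from the poster): the stack overflow pattern the message wants taught, written in C, with a bounded rewrite beside it. The function names, the 16-byte nick limit and the sample inputs are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative limit (assumption): room for a 15-byte nick plus the NUL. */
#define NICK_MAX 16

/* VULNERABLE PATTERN. `input` is attacker controlled; `nick` is a fixed
 * buffer on the stack. strcpy() copies until it sees a NUL, so any input of
 * NICK_MAX bytes or more writes past the end of `nick` and overwrites what
 * is adjacent on the stack (other locals, saved registers, the return
 * address). That overwrite is what a stack overflow exploit abuses. Kept
 * here only to show the shape of the bug; never feed it untrusted data. */
void ignore_nick_unsafe(const char *input)
{
    char nick[NICK_MAX];
    strcpy(nick, input);            /* no length check: overflow if strlen(input) >= NICK_MAX */
    printf("ignoring %s\n", nick);
}

/* Returns 1 if strcpy(buf, input) into a buffer of buf_len bytes would
 * overflow (the string plus its NUL does not fit), else 0. Scans at most
 * buf_len bytes so the check itself never reads past an unterminated input. */
int would_overflow(const char *input, size_t buf_len)
{
    size_t n = 0;
    if (input == NULL)
        return 0;
    while (n < buf_len && input[n] != '\0')
        n++;
    return n >= buf_len;            /* n == buf_len: no room left for the NUL */
}

/* HARDENED VERSION. The caller passes the destination and its size, the
 * length is checked before any byte is written, over-long input is rejected
 * (returns 0) instead of being silently truncated, and the result is always
 * NUL-terminated. Returns 1 on success. */
int ignore_nick_safe(const char *input, char *out, size_t out_len)
{
    size_t n = 0;
    if (input == NULL || out == NULL || out_len == 0)
        return 0;
    while (n < out_len && input[n] != '\0')
        n++;
    if (n >= out_len)               /* would not fit with its NUL: refuse */
        return 0;
    memcpy(out, input, n);
    out[n] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed inputs: one that fits, one long enough to smash `nick`. */
    const char *ok   = "jts28";
    const char *long_nick = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char out[NICK_MAX];

    printf("%s would overflow a %d-byte buffer: %d\n", ok, NICK_MAX,
           would_overflow(ok, sizeof out));
    printf("%s would overflow a %d-byte buffer: %d\n", long_nick, NICK_MAX,
           would_overflow(long_nick, sizeof out));

    if (ignore_nick_safe(ok, out, sizeof out))
        printf("accepted: %s\n", out);
    if (!ignore_nick_safe(long_nick, out, sizeof out))
        printf("rejected over-long nick\n");

    ignore_nick_unsafe(ok);         /* safe only because `ok` is short */
    return 0;
}
```

The point for a beginner is that the two functions differ only in whether the destination size travels with the destination: `ignore_nick_unsafe()` has no way to know how big `nick` is once `strcpy()` is called, while `ignore_nick_safe()` cannot write a byte it has not first checked room for.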
