Vulnerability Development mailing list archives
Re: BitchX /ignore bug
From: jts28 () CORNELL EDU (Schlachter, Jake)
Date: Fri, 7 Jul 2000 09:47:31 -0400
On Fri, 7 Jul 2000, Bluefish wrote:
Is it the teachers' fault, can anyone be blamed? More importantly, is there anything (short of Java, or any change in language) that can be done about it?

My experience from 2 years of undergraduate master of science education is that there's never any mentioning of "insecure" programming. In the computer security course I took there was some mentioning of buffer overflows and similar threats, but it isn't enough to ensure that code is written moderately well. And the security course is entirely optional. Actually, I fear it's the same at most universities. The average computer science student leaves his/her education with hardly any knowledge of security, and if (s)he has been taught any of it, it has been too theoretical.
Cornell's undergraduate CS courses are taught in Java. This is a growing trend in academia. There is never any focus on secure code. In fact, there is never any emphasis on code at all -- to avoid any accusations of technical instruction, Cornell leaves all programming study to the student on their own time. This could be why the Masters are not passing on this instructional wisdom -- they're not present when the student is learning. We all know that classes are too large for code to be examined in detail. Even in the 500-level security course (which I thought was very well taught, if my prof is listening in =) there was no emphasis on the code itself, but on the underlying protocols and concepts. Again, it was taught in Java.

A thorough examination of what constitutes a stack overflow exploit in C, and writing secure code in general, are concepts that might best be taught to beginning programmers by the security / programming community itself, by making instructional docs available online (if they aren't now), because they're not going to show up on an academic curriculum any time soon. You've got to take care of your own.

jts28