Vulnerability Development mailing list archives
Re: C versus other languages, round 538 or so (Re: CGI scripts in sh)
From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Thu, 28 Sep 2000 00:39:19 +0200
If the person is so experienced to make a "so good and essencial daemon/appz which I *must* run" I think they have experience enough to take away all the overflows of the source code and at least take a quick look and debug a little the source.
Personly, I believe there is an over-confidence among programmers how well they code. I mean, what we see here is you claiming that a "quick look" identifies all overflows, and someone else claiming that all overflows are due to the design, not at the implementation. I wish to point out that overflows etc have been found in very many daemons and other application coded by very experience programmers. And well known and very good bugtraqers such as the L0pht crew also has fallen into these pits. There is a difference between being far above the avarage programmers in computer science classes, it is not good enough to base assumptions on the experience of a programmer to remove implementation bugs; it must be specificly checked against in QA teams & security audits.
From what I gather, the most successfull development team (messured in
security) is the openbsd team. The key factors in their development has been slow development (security over fast developed features, which actually has proven to be good in maintains issues as well from what I gather at the securityfocus interview), strict security audits, and most likely very experienced designers and programmers. Another thing which is quite interesting is the general acceptance of usage of insecure functions; SSH got some publishity over an none-existent bug which IBM located. OK, the SSH team knew the bad code wasn't a problem because checks were in place at other locations. But I understand IBM very much, the code LOOKED exploitable. Why on earth anyone would make dangerous assuptions such as "this code will never be called with incorrect indata" is beyond me. ..:::::::::::::::::::::::::::::::::::::::::::::::::.. http://www.11a.nu || http://bluefish.11a.nu eleventh alliance development & security team http://www.eff.org/cafe
Current thread:
- Re: C versus other languages, round 538 or so (Re: CGI scripts in sh) Bluefish (P.Magnusson) (Sep 27)
- <Possible follow-ups>
- Re: C versus other languages, round 538 or so (Re: CGI scripts in sh) Vishweshwar Saran Singh Deo "Surguja" (Sep 27)