Jon Lasser, 2003-03-26
Until Unix and Linux programmers get over their macho love for low-level programming languages, the security holes will continue to flow freely.
Colapse all |
Post comment
Too Cool For Secure Code
2003-03-26
Anonymous (3 replies)
Anonymous (3 replies)
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
Blaming the tools the coders use is pointless and a waste of time: when everyone is using Java, as you suggest, to write all of our mail clients and other programs, what happens when some clever person exploits flaws in the underlying JVM? Or perl 5.8? These high level languages are only as good a...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-28
Anonymous
Anonymous
I couldn't agree more. It is definately the most idiotic article that I have seen in a long time.
On top of that, I want to comment on one of the points made. While C is a low level language, C++ by no means is one. C++ is absolutely high level object oriented language. I imagine the author of the...
[ more ] [ reply ]
On top of that, I want to comment on one of the points made. While C is a low level language, C++ by no means is one. C++ is absolutely high level object oriented language. I imagine the author of the...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-26
Anonymous (4 replies)
Anonymous (4 replies)
Not sure what exactly you are suggesting would be better than C/C++? Java? PHP? PERL? C#? I agree people need to think of security when coding but here it seems you are blaming the tools or the coders choice of tools. I would say that the coders desire for production of secure code could make most...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous (1 replies)
Anonymous (1 replies)
The sort of bugs discussed in the article are not due to badly designed protocols, but rather shoddily implemented algorithms. The author's thesis is that many of these bugs arise because the tools of choice are, in fact, very weak.
If you code in C/C++ then
(a) you immerse yourself in a swam...
[ more ] [ reply ]
If you code in C/C++ then
(a) you immerse yourself in a swam...
[ more ] [ reply ]
Solving the problem
2003-03-27
Peter Ross
Peter Ross
I like to make the distinction between programming the machine versus solving the problem.
Even with modern imperative languages, such as C#/Java/C++/C one spends a lot of time worrying about low level machine details and not actually solving the problem.
There does exist languages for which y...
[ more ] [ reply ]
Even with modern imperative languages, such as C#/Java/C++/C one spends a lot of time worrying about low level machine details and not actually solving the problem.
There does exist languages for which y...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous (1 replies)
Anonymous (1 replies)
I would suggest Ada95. None of the buffer overflow issues of C/C++. Bare-metal access/speed, built-in data checks, object-oriented, no single character mistakes (= vs. ==), and hard to leak memory. OBTW, It is now officially part of the GCC system too....
[ more ] [ reply ]
[ more ] [ reply ]
That's the wrong attitude.
2003-03-26
Anonymous (26 replies)
Anonymous (26 replies)
Want to know why C/C++ is used? Because there's no good reason that my mail client should take 200 megs of ram and 100% cpu. The "CPU IS CHEAP, MEMORY IS CHEAP, WHY SHOULD I OPTIMIZE?" attitude works if you like shelling out for hardware upgrades every year or so, but of us who use old hardware, it'...
[ more ] [ reply ]
[ more ] [ reply ]
That's the wrong attitude.
2003-03-27
Anonymous
Anonymous
What planet are you living on? What sensible extant languages, pray tell, are going to take your algorithms coded in lean, mean (but tragically very buggy) C and turn them into bloated resource hogs?
I've seen programmers of all experience turn out massively overweight "solutions".
The point ...
[ more ] [ reply ]
I've seen programmers of all experience turn out massively overweight "solutions".
The point ...
[ more ] [ reply ]
That's the wrong attitude.
2003-03-27
Anonymous
Anonymous
> No language will stop an idiot from making mistakes
Yet Java makes it close to impossible to make the 3 most made mistakes. You can't have byffer-overflow vulnerabilities since Java will barf before you 'get root'.
I'm not saying we should all use Java, but please be educated here and use Ja...
[ more ] [ reply ]
Yet Java makes it close to impossible to make the 3 most made mistakes. You can't have byffer-overflow vulnerabilities since Java will barf before you 'get root'.
I'm not saying we should all use Java, but please be educated here and use Ja...
[ more ] [ reply ]
That's the wrong attitude.
2003-03-27
dbtid (1 replies)
dbtid (1 replies)
That's a really great reply.
I'm often amused by the fact that Windows 2000/XP whatever consumes HUMONGOUS amounts of memory and even more disk space.
It's hilarious to compare a BSD which can run in 32 MB of RAM, provide X Windows and be secure vs. any version of MS-Windows.
Again, well sa...
[ more ] [ reply ]
I'm often amused by the fact that Windows 2000/XP whatever consumes HUMONGOUS amounts of memory and even more disk space.
It's hilarious to compare a BSD which can run in 32 MB of RAM, provide X Windows and be secure vs. any version of MS-Windows.
Again, well sa...
[ more ] [ reply ]
That's the wrong attitude. - haha, time to upgrade
2003-03-30
Anonymous (1 replies)
Anonymous (1 replies)
I sometimes wonder to myself "Are all people that run *nix broke?" I see the same arguments about how BSD, Solaris, etc can be run on a 486 with 4 meg of ram!!! wow!!!
Ok well while the rest of the world uprades to P4's, you keep your 486 and be happy....
[ more ] [ reply ]
Ok well while the rest of the world uprades to P4's, you keep your 486 and be happy....
[ more ] [ reply ]
That's the wrong attitude. - haha, time to upgrade
2003-04-01
Penguinisto
Penguinisto
Instead of "keeping your 486", us *ix-heads much prefer to keep costs in the server room down, which tends to justify (among other things) larger salaries for the *ix admins than the MCSE's ;)
Besides, you forgot the obvious conclusion of efficiency - more overall horsepower per MIP. We have a lu...
[ more ] [ reply ]
Besides, you forgot the obvious conclusion of efficiency - more overall horsepower per MIP. We have a lu...
[ more ] [ reply ]
That's the wrong attitude.
2003-03-27
Anonymous
Anonymous
I agree that no language will stop an idiot from making mistakes. But, I think it's unfair to call any programmers who have worked on the products mentioned idiots. It seems like every other internet worm that comes out exploits some kind of C/C++ buffer overflow problem. The author simply points...
[ more ] [ reply ]
[ more ] [ reply ]
ok but...
2003-03-27
SeJo
SeJo
Ok you have a point by telling the coders should be more self critical and check some code more thoroughly...
As a professional code (Java/C++ and various scriptinglanguages) I know for a fact that code checked and checked double by the programmer won't be always bugfree.
That is why there are t...
[ more ] [ reply ]
As a professional code (Java/C++ and various scriptinglanguages) I know for a fact that code checked and checked double by the programmer won't be always bugfree.
That is why there are t...
[ more ] [ reply ]
Re: That's the wrong attitude.
2003-03-27
George Barbarosie
George Barbarosie
Totally agree. Also one should remember that there's the right tool for the right job. And a bad programmer will write bad code whatever language he uses. So-called high-level languages have the unwanted side effect that distract a programmer's attention from security giving him a false sense of se...
[ more ] [ reply ]
[ more ] [ reply ]
That's the wrong attitude.
2003-03-27
Listener
Listener
While reading this thread, I had to wonder. Many of the vulnerablities listed require use of older code for the products listed as they get updated rather rapidly, and the base distro being something along the lines of pre kernel 2.0.
I think your trying to make a very valid point in your article...
[ more ] [ reply ]
I think your trying to make a very valid point in your article...
[ more ] [ reply ]
Tools matter
2003-03-27
Jon
Jon
When programmers get fed up with doing something, they switch to tools that do it for them. Currently, programmers aren't fed up with handling security issues the hard way - not least because they often just don't handle them at all.
The real issue is one of testing. If programmers are told "We w...
[ more ] [ reply ]
The real issue is one of testing. If programmers are told "We w...
[ more ] [ reply ]
You are an idiot (or a troll).
2003-03-27
Anonymous
Anonymous
High-level languages do NOT have to be ultra-slow resource hogs. Check out O'Caml, it produces fast and efficient code. A guy called Doug Bagley did a "Language Shootout" page (too lazy to google for it now) which shows it to be FASTER than C++ and slightly slower than C in lots of common cases.
...
[ more ] [ reply ]
...
[ more ] [ reply ]
That's the wrong attitude.
2003-03-27
Anonymous
Anonymous
C/C++ are not the only performant languages. The software development community has, for years, labored under fallacies concerning managed languages. I'm using "managed" to describe everything from scripting languages to Java/C#/Lisp / etc.
The reason that you (and many other people) think that...
[ more ] [ reply ]
The reason that you (and many other people) think that...
[ more ] [ reply ]
Re: That's the wrong attitude.
2003-03-27
CondorDes
CondorDes
This person has obviously never tried to use a Java SWING app (which is what most of them are written in) on even a moderately fast processor (my laptop's Duron 900, for instance) with a decent amount of RAM (256MB).
The SWING/Java combination is incredibly slow and unresponsive...try it yourself...
[ more ] [ reply ]
The SWING/Java combination is incredibly slow and unresponsive...try it yourself...
[ more ] [ reply ]
That's the wrong attitude.
2003-03-27
Anonymous
Anonymous
not only that but you have to also remember that it adds up real quick. try this: leave the kernel as is (in C) and write the entire UNIX system in python. how many instances of python interpretor would be running? how many megs (if not gigs) of RAM would you need? sure, if you only do the mailer in...
[ more ] [ reply ]
[ more ] [ reply ]
Re:That's the wrong attitude.
2003-03-27
Anonymous
Anonymous
I will agree in part with the premise. I go back to the days of tape, punch cards, and core memory. What I have observed since that time is the dumbing down of the programmer with crap like Windows, C++ and University Professors that can't code their way out of paper bag trying to teach pupils.
I...
[ more ] [ reply ]
I...
[ more ] [ reply ]
That's the wrong attitude.
2003-03-28
Anonymous
Anonymous
> No language will stop an idiot from making mistakes.
The article doesn't claim a language can prevent idiots from making mistakes. But using a higher level language (like Java or Perl) will prevent an idiot from making more buffer overflow bugs. Getting rid of overflow bugs is like getting rid ...
[ more ] [ reply ]
The article doesn't claim a language can prevent idiots from making mistakes. But using a higher level language (like Java or Perl) will prevent an idiot from making more buffer overflow bugs. Getting rid of overflow bugs is like getting rid ...
[ more ] [ reply ]
That's the wrong attitude.
2003-03-28
DrNerdware
DrNerdware
So why not take your reasoning a bit further, and write your code in assembly language? We use higher level languages for good reasons, and we choose to pay a small price for the advantages.
Lasser didn't say that higher level languages alone will make code more secure. Nor does his argument impl...
[ more ] [ reply ]
Lasser didn't say that higher level languages alone will make code more secure. Nor does his argument impl...
[ more ] [ reply ]
Obsolete thinking.
2003-03-28
Anonymous
Anonymous
There are plenty of mail clients written in high-level languages like TCL that don't use 200 megs of RAM and 100% CPU. Interpreted languages have a bad name, but that mostly comes from the days when we were all coding in BASIC on 1 MHz 6502s.
The problem with C is it doesn't give you any protect...
[ more ] [ reply ]
The problem with C is it doesn't give you any protect...
[ more ] [ reply ]
That's the wrong attitude.
2003-03-28
Anonymous
Anonymous
Totally agree. As a coder myself I take every effort to audit my code. However the so called higher level languages like Visual Basic that any one can pick up, without training, are the tools that make programs weak and full of bugs simply because people can pick them up and use them to create their...
[ more ] [ reply ]
[ more ] [ reply ]
That's the wrong attitude.
2003-03-28
Anonymous
Anonymous
Amen. With a 233mhz laptop much of what is written today is sadly unusable. This would be acceptable if much of what is written was exponetially better than what was written several years ago, but that is not generally true.
Here's another point to ponder: is it fair to compare, as this article c...
[ more ] [ reply ]
Here's another point to ponder: is it fair to compare, as this article c...
[ more ] [ reply ]
Type safety is good
2003-03-28
Anonymous
Anonymous
Ok, so it seems obvious that the previous posters are unfamiliar with languages outside of C/C++ and Perl. The reason why other languages are better for security is because most other languages are type safe. Java is type safe, so is Perl, LISP, ML, and most other `modern' languages. Why is type saf...
[ more ] [ reply ]
[ more ] [ reply ]
Real issue: don't make the same mistakes.
2003-03-29
Anonymous
Anonymous
The problem isn't a poor choice of tools or programmer egotism. The problem is laziness.
When a diligent rogrammer finds a bug, he scans the full source looking for additional instances of the same defect. He then thinks of one common way to fix all instances and to prevent them in the future. ...
[ more ] [ reply ]
When a diligent rogrammer finds a bug, he scans the full source looking for additional instances of the same defect. He then thinks of one common way to fix all instances and to prevent them in the future. ...
[ more ] [ reply ]
I totally agree
2003-04-08
Anonymous
Anonymous
Java became a resource hog, is no longer portable, and is way too hard to install. Perl is still only good for hacks. Give me a high-level language that actually does something. Getting the GNU string library installed is usually too arduous for most tasks. C++ templates have muddled things.
...
[ more ] [ reply ]
...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-26
Anonymous
Anonymous
You remind me of what I like to call the "Java Faithful", people who think that everything (and I mean everything) should be written in Java (or some other ultra-high-level language). They think that only their opinion on the subject matters; they think that everyone has a Pentium 4 with 1GB of Ram,...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-26
Anonymous
Anonymous
First of all, he misses two key points on why security holes exist.
1. There never has been "requirements" about security when writing code for an application. Maybe if you are building something for the defense department...
2. He says to not use C/C++, but he doesn't say what to use. And he ...
[ more ] [ reply ]
1. There never has been "requirements" about security when writing code for an application. Maybe if you are building something for the defense department...
2. He says to not use C/C++, but he doesn't say what to use. And he ...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-26
Anonymous
Anonymous
This is a really, really dumb article.
Not only is it self contradictory, the author pointing out that security holes occur in both high-level and low-level languages with a very high frequency, but it frequently slips into sermon territory.
The real truth is that people developing software ne...
[ more ] [ reply ]
Not only is it self contradictory, the author pointing out that security holes occur in both high-level and low-level languages with a very high frequency, but it frequently slips into sermon territory.
The real truth is that people developing software ne...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-26
Anonymous (1 replies)
Anonymous (1 replies)
I just about fell off my seat laughing at this article. Jon Lasser is now OFF my reading list. How can you equate the performace of say C with that of python. And calling PERL a more secure programming language is purely ludicrous. Bad code is bad code, pure and simple it doesn't matter what you wri...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-31
SK
SK
> When did C and C++ suddenly become low-level programming languages?
In a sense they are both high *and* low level languages. High because they provide high-level constructs (e.g. object management) and low because they continue to provide low-level constructs (e.g. adding an arbitary number to ...
[ more ] [ reply ]
In a sense they are both high *and* low level languages. High because they provide high-level constructs (e.g. object management) and low because they continue to provide low-level constructs (e.g. adding an arbitary number to ...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-26
Anonymous
Anonymous
The points made in the article are interesting. I have a few comments. You were very critical of open source projects that used lower level languages such as C/C++. The people that write that software, (I admire them, I haven't bothered to do anything so altruistic in years) are providing you with a...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-26
Anonymous
Anonymous
I agree with this. Law of Diminishing Returns.
A small number of things require C, but everything else should evolve and use a better language. There are many possible choices here depending on the task at hand.
Re: Java
I'd wager that anybody who rails against Java has the barest (or no) u...
[ more ] [ reply ]
A small number of things require C, but everything else should evolve and use a better language. There are many possible choices here depending on the task at hand.
Re: Java
I'd wager that anybody who rails against Java has the barest (or no) u...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-26
mk
mk
I'd say this article is fairly redundant, stating many things that have been stated many times in the past.
However his choice of bug examples seems odd:
linux kernel ptrace - given the performance-critical status of the kernel, use of high efficiency languages seems appropriate. I haven't bee...
[ more ] [ reply ]
However his choice of bug examples seems odd:
linux kernel ptrace - given the performance-critical status of the kernel, use of high efficiency languages seems appropriate. I haven't bee...
[ more ] [ reply ]
Slow news day?
2003-03-27
TJ Miller jr
TJ Miller jr
Usually your articles are spot-on, but I gotta ask: Why do you think Microsoft Windows and the underlying environment are so bloated and slow, esp. when compared to a well-built *ix server?
Because the attitude "processing is cheap" may be fine for one or two highly specialized in-house programs...
[ more ] [ reply ]
Because the attitude "processing is cheap" may be fine for one or two highly specialized in-house programs...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Marion De Liau (1 replies)
Marion De Liau (1 replies)
Dear Mister Lasser.
I do feel that you have not thought long and thorough about this article before you pressed the "publish" button. Even though it is unfair I really do nto have the time to split every paragraph apart, yet let me comment on a rather broad basis.
I am one of those "too cool" ...
[ more ] [ reply ]
I do feel that you have not thought long and thorough about this article before you pressed the "publish" button. Even though it is unfair I really do nto have the time to split every paragraph apart, yet let me comment on a rather broad basis.
I am one of those "too cool" ...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-31
Anonymous
Anonymous
I'm always fighting with programmers over their lousy code so I understand both sides here. But there is a point to support developers, which is rarely brought up. Application development is often so disorganized and behind schedule that they are frequently not fully aware of the environment for whi...
[ more ] [ reply ]
[ more ] [ reply ]
Strong Typing, etc.
2003-03-27
RC
RC
I completely disagree with the author. As of yet there are no freely-implimented languages that could replace C.
What I would like to see, is compilers with strong typing, and other security features... There wouldn't even be a performance penalty in the output binary. Just imagine, if GCC r...
[ more ] [ reply ]
What I would like to see, is compilers with strong typing, and other security features... There wouldn't even be a performance penalty in the output binary. Just imagine, if GCC r...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
As you yourself pointed out -- the language wether it is low-level (c/c++) or higher-level (perl/python) doesn't prevent security problems. So don't blame the tools -- blame the coder. Ultimately it is there responsibility. And I agree with some of the other comments that bloated code is not the wis...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
I agree: there used to be an "art" to programming where people actually understood what they were doing.
I once worked on a large Assembler project. We all paid attention to the smallest detail and understood every single aspect of your compiler/debugger output.
Nowadays you get some self-conf...
[ more ] [ reply ]
I once worked on a large Assembler project. We all paid attention to the smallest detail and understood every single aspect of your compiler/debugger output.
Nowadays you get some self-conf...
[ more ] [ reply ]
Right idea, wrong solution
2003-03-27
Anonymous
Anonymous
You said it yourself: "Neither programmers nor system administrators like diversity in the underlying environment: it makes debugging much more difficult." So, the solution isn't to switch en masse to Java or Perl; the solution is to make it harder to write insecure code in gcc. No one should be u...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Fra. 219
Fra. 219
In general, high-level languages do not impose bank-breaking performance costs for user or server applications.
User applications, such as email clients, are not CPU-bound; they are user-bound. That is to say, they spend most of their time waiting for user input, not processing. It seems sensible...
[ more ] [ reply ]
User applications, such as email clients, are not CPU-bound; they are user-bound. That is to say, they spend most of their time waiting for user input, not processing. It seems sensible...
[ more ] [ reply ]
This is hogwash... I guess we should all use VB? That's High Level and we know how "bug" free that is.
2003-03-27
Anonymous
Anonymous
Not once in my entire life have I ever heard a computer programmer liken themselves to a fighter pilot, or even say the phrase "close to the metal". What drivel.
Lack of High level language use is not the problem. The problem is just errors/mistakes in programming, (that no one forsaw) or bugs ...
[ more ] [ reply ]
Lack of High level language use is not the problem. The problem is just errors/mistakes in programming, (that no one forsaw) or bugs ...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
I think you forgot to post a portion of your article, the part where you make a suggestion about what can be done. Instead all you did was cry about how bad C/C++'s string handling can be. If you're going to bitch atleast try to help, otherwise you're sideline whining is pointless.
What language ...
[ more ] [ reply ]
What language ...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
First, the problem is not low-level programming languages. What makes a program insecure is low-level programmers.
Thinking is needed to program in C or C++. If you don't think well, there's no "secure programming language"
Second, the author says that we are living a time of "cheap" co...
[ more ] [ reply ]
Thinking is needed to program in C or C++. If you don't think well, there's no "secure programming language"
Second, the author says that we are living a time of "cheap" co...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
I find it odd you would berate C/C++ programmers who have the philosophy "Real programmers manipulate the system at the lowest possible level, for the maximum possible effect" since clearly, the lowest possible level would be machine code or assebmly.
Plus, I find it odd that while berating coder...
[ more ] [ reply ]
Plus, I find it odd that while berating coder...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
Sorry but by his logic we should all be programming in Visual Basic, thats if we don't care about performance.
I do however hear what your saying and I agree, most programmers who make Internet apps have proberbly never even heared of BugTraq let alone ever taken the time to read the bugs posted...
[ more ] [ reply ]
I do however hear what your saying and I agree, most programmers who make Internet apps have proberbly never even heared of BugTraq let alone ever taken the time to read the bugs posted...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
Please, let's be honest. The higher the language level, the more people will think they can code when in fact they can't. Of course it's possible to write good and bad code no matter the tools used, but GUIs and "development suites" don't turn people into coders overnight, contrary to what some peop...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Shawn
Shawn
What about environments where one server is serving X and apps to multiple clients.
Serving an email client that was written in Java, or some higher level language than C/C++, to 25+ machines would be stupid. Every clock cycle wasted by the Java VM at that point is one cycle that someone else do...
[ more ] [ reply ]
Serving an email client that was written in Java, or some higher level language than C/C++, to 25+ machines would be stupid. Every clock cycle wasted by the Java VM at that point is one cycle that someone else do...
[ more ] [ reply ]
This is exactly right.
2003-03-27
Anonymous
Anonymous
The first comment post makes it clear exactly what is wrong. "We're all too good, open source is perfect, blah blah blah." There's this religious zealotry which ignores what is really going on. The reality is that as long as programmers continue to be idiots who easily shoot themselves in the foo...
[ more ] [ reply ]
[ more ] [ reply ]
Johnathan Lasser Isn't a a Programmer
2003-03-27
Someone Who Actually Writes Code (1 replies)
Someone Who Actually Writes Code (1 replies)
In a long standing tradition of using
unqualified pundits, SecurityFocus
pumped out another article by someone
who wasn't qualified to write it.
Jonathan Lasser is not a programmer.
How would he know what's secure?
Where are the pointers to all the
open source code he's written? Show...
[ more ] [ reply ]
unqualified pundits, SecurityFocus
pumped out another article by someone
who wasn't qualified to write it.
Jonathan Lasser is not a programmer.
How would he know what's secure?
Where are the pointers to all the
open source code he's written? Show...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Das Megabyte (1 replies)
Das Megabyte (1 replies)
This is just stupid. How high is your load right now? How high is it at its absolute maximum? I'm willing to bet, if all your machine is doing is email, that it's taking way less than 50%.
If not, then you have ot ask yourself how you are you saving money by using old machines. Is it by runni...
[ more ] [ reply ]
If not, then you have ot ask yourself how you are you saving money by using old machines. Is it by runni...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
Saying that using new languages that protect against buffer overruns and format string vulnerabilities is the solution is a bit like the ostrich sticking it's head in the sand.
If all c/c++ memoryrelated vulnerabilities would go away someone would find new ways to exploit other things. As you sa...
[ more ] [ reply ]
If all c/c++ memoryrelated vulnerabilities would go away someone would find new ways to exploit other things. As you sa...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Tirs
Tirs
There is not a thing like "more secure languages". Since we switched from C/C++ to Java in the (very very large) software company I work for, there has been no decrease in the number of errors and bugs found by our continuous internal tests and audits. Even worse, your approach of "have the programm...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Ivan Vecerina
Ivan Vecerina
Why always "C and C++" ?
I love coding in C++ to take advantage of generic programming capabilities, while sticking with high-level constructs (std::string instead of char buffers, std::ostream/... instead of printf, RAII for resource and memory management).
I dislike writing C code, where I s...
[ more ] [ reply ]
I love coding in C++ to take advantage of generic programming capabilities, while sticking with high-level constructs (std::string instead of char buffers, std::ostream/... instead of printf, RAII for resource and memory management).
I dislike writing C code, where I s...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
This article is great! I wish the author took it 1 level higher - focusing on a contributing factor to 'why most software sucks'.
Recently, I witnessed a group of programmers developing an API for a networked application. Although the API was a step in the right direction, there are still too man...
[ more ] [ reply ]
Recently, I witnessed a group of programmers developing an API for a networked application. Although the API was a step in the right direction, there are still too man...
[ more ] [ reply ]
Crap
2003-03-27
terber
terber
You simply don't have the heart to say: Most people are incapable to design and implement computer software. Period. Exactly like most people are unable to fly a fighter aicraft. (BTW: imbecile analogy). And this will not change, despite any techniques.
Texts as yours direct people to think: "Hum...
[ more ] [ reply ]
Texts as yours direct people to think: "Hum...
[ more ] [ reply ]
christ, what a whinger
2003-03-27
mark hahn (hahn@mcmaster.ca)
mark hahn (hahn@mcmaster.ca)
exactly why is this arrogant little sermon worth posting, and worth reading? security comes from good design and testing; it does not come from using tools with all the sharp edges filed off.
don't run with scissors, play nice with the other kids, don't cut towards your body. and little bobby, ...
[ more ] [ reply ]
don't run with scissors, play nice with the other kids, don't cut towards your body. and little bobby, ...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
To write that C/C++ are poor tools for writing a mail client (or any other application) without explaining *why* they are a poor choice is poor writing.
Just what would you suggest? Java? Perl? Both have their vulnerabilities, just as C does.
As a developer with around 20 years of professio...
[ more ] [ reply ]
Just what would you suggest? Java? Perl? Both have their vulnerabilities, just as C does.
As a developer with around 20 years of professio...
[ more ] [ reply ]
Syte and Methodology not the Tool
2003-03-27
Anonymous
Anonymous
I don't think there is anything inherently insecure in using any programming language to write codes. It's all about how your write your code. As much as you must follow 'good' styles in Java to produce a secure code, writing in C can be secure too. Then you may say it's much more difficult to follo...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
I totally agree with the article.
Languages like C and C++ are inherently dangerous because they allow for the classic buffer overflow. If you program in C or C++, that does not mean your code WILL be exploitable by an overflow, but you run the risk. Buffer overflows in Java are basically impo...
[ more ] [ reply ]
Languages like C and C++ are inherently dangerous because they allow for the classic buffer overflow. If you program in C or C++, that does not mean your code WILL be exploitable by an overflow, but you run the risk. Buffer overflows in Java are basically impo...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
Actually I think the author has a point.
You should always choose the tool of highest abstaction level possible in order to rapidly develop safe programs. However, this often tends to end up with C++ applications. I have problems with languages such as Haskell and so on beacuse they cannot express ...
[ more ] [ reply ]
You should always choose the tool of highest abstaction level possible in order to rapidly develop safe programs. However, this often tends to end up with C++ applications. I have problems with languages such as Haskell and so on beacuse they cannot express ...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
Baffles me too, Jon. Having worked with "scripting" languages and "system" languages, on modern machines there's no reason to work in bare-metal unless you're working directly with the hardware. Abstractions serve to improve the security of the code, ease of development, and programmer efficiency....
[ more ] [ reply ]
[ more ] [ reply ]
I Dont Think So
2003-03-27
Randy LeJeune
Randy LeJeune
This article is silly. The low level languages are used for a reason. Performance and speed. Applications written in higher level langauges tend to be much slower and less robust than the ones in which you can closely control how memory is allocated. The real problem here is just poor programming. S...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Kirk Rafferty (kirk_at_rafferty.org)
Kirk Rafferty (kirk_at_rafferty.org)
One of the nice things about being an Airline Pilot is that the pilot is provided with the equipment, procedures, and training to fly the big iron. Rare is the airline pilot that gets to choose what kind of plane he wants to fly, and how he wants to fly it.
When going into a new job, it's pretty...
[ more ] [ reply ]
When going into a new job, it's pretty...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
I'm really agree with previous comments: with any code and any language you can do buffer overflows and bug so there is no real preference for coding except yourself or project needs.
and for stackguard, get a glimpse to openbsd: first system to get in propolice (which is a sort of stackguard) bu...
[ more ] [ reply ]
and for stackguard, get a glimpse to openbsd: first system to get in propolice (which is a sort of stackguard) bu...
[ more ] [ reply ]
Things should change
2003-03-27
Matthew B
Matthew B
It's hard to argue away the use of C/C++. Languages serve their appropriate purposes, but just i/o libraries reduce the need for complex and error prone system calls, libraries need to be developed that address common security risks. Buffer overflows can be addressed with appropriate data structures...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
[snip]
And it would be both unlikely and counterproductive for the Linux kernel or the system library to be rewritten in Perl, Java, or Python.
[end snip]
This is the most moronic thing i have ever read!!! How in the hell do you propose writting the kernel in any of these languages???
The...
[ more ] [ reply ]
And it would be both unlikely and counterproductive for the Linux kernel or the system library to be rewritten in Perl, Java, or Python.
[end snip]
This is the most moronic thing i have ever read!!! How in the hell do you propose writting the kernel in any of these languages???
The...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
You hit your thumb instead of the nail. As a programmer, I am fully aware and willing to take resposibility for my own mistakes, no matter what the consequences are. I have found this to be true amongst my peers as well. The real problem is that we are all under a lot of pressure to produce, rega...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
The problem is that susceptible low-level languages (C, C++) are too entrenched; I personally expect the problem to continue for years to come for Linux, Unix, and Microsoft. Even .NET won't solve the problem due to the amount of unmanaged code for starters.
Generally, higher-level "popular" lan...
[ more ] [ reply ]
Generally, higher-level "popular" lan...
[ more ] [ reply ]
I agree entirely
2003-03-27
Iain Collins (iain_collins@mac.com)
Iain Collins (iain_collins@mac.com)
I agree with the article developer entirely.
We *should* be using higher level languages (like Python/Perl/Java) for a lot of our applications.
They are easier to maintain, add features to, bug fix, and faster to impliment (not to mention being more portable).
Contrary to oft-held views, t...
[ more ] [ reply ]
We *should* be using higher level languages (like Python/Perl/Java) for a lot of our applications.
They are easier to maintain, add features to, bug fix, and faster to impliment (not to mention being more portable).
Contrary to oft-held views, t...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
The problem is that susceptible low-level languages (C, C++) are too entrenched; I personally expect the problem to continue for years to come for Linux, Unix, and Microsoft. Even .NET won't solve the problem due to the amount of unmanaged code for starters.
Generally, higher-level "popular" lan...
[ more ] [ reply ]
Generally, higher-level "popular" lan...
[ more ] [ reply ]
Thats the _right_ attitude
2003-03-27
Anonymous
Anonymous
Despite the attitude of many of the commentors, I believe this is the right attitude to take.
Buffer overflows are something which we should really not have to worry about, given the simple methods available today to deal with them - which are integrated directly into languages such as Python/Per...
[ more ] [ reply ]
Buffer overflows are something which we should really not have to worry about, given the simple methods available today to deal with them - which are integrated directly into languages such as Python/Per...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
I think bad programmer training is a bigger obstacle to producing good code. People see examples using fixed sized buffers in tutorials, and think this is okay, leading to buffer overflows. That's one example for you C advocates. Books like "Teach Yourself in 24-Hours" don't help....
[ more ] [ reply ]
[ more ] [ reply ]
Sticks-and-Stones programming tools
2003-03-27
Anonymous
Anonymous
Yes, the year is now 2003 and programmers are still using sticks-and-stones to program large applications.
The programming languages in widespread use just plain suck for what they are being used for. They are wrong tool for the job. C/C++ are undesirable for anything but the lowest level syste...
[ more ] [ reply ]
The programming languages in widespread use just plain suck for what they are being used for. They are wrong tool for the job. C/C++ are undesirable for anything but the lowest level syste...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
I agree w/ the previous post. If GHz=CHEAP means that programmers should start using higher level languages... where's the perceived benefit? Apps run about the same speed, do about the same stuff, but take 10x the disk space and cycle cout? I'd much rather see new and innovative apps using the e...
[ more ] [ reply ]
[ more ] [ reply ]
Higher level languages also insecure
2003-03-27
Anonymous
Anonymous
I don't believe that C++ creates a less secure program than "high level languages." I will continue to write in C++ because, as Bjarne Stroustrup says, I don't see much need for other languages.
As the article points out, Perl, PHP and Python can be used to write insecure code. A programming la...
[ more ] [ reply ]
As the article points out, Perl, PHP and Python can be used to write insecure code. A programming la...
[ more ] [ reply ]
Bad code is a result of a poor development process
2003-03-27
c0d3cr33p@hotmail.com
c0d3cr33p@hotmail.com
Breathe, and repeat again after me: "Bad code is a result of a poor development process."
Just jumping in and laying down some quick, clever code can win you kudos from your peers, but it often comes at the price of proper planning and forethought.
Of course, we don't always have an extra 3 we...
[ more ] [ reply ]
Just jumping in and laying down some quick, clever code can win you kudos from your peers, but it often comes at the price of proper planning and forethought.
Of course, we don't always have an extra 3 we...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Synonymous
Synonymous
Ok, while I agree with certain points in your arguments regarding that key programmers remove themselves from their macho-mindset for brief periods of time to realize the potential availability of higher-level programming tools, I ask you whether this article simply wreaks of being too whiny, or, if...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
I think that the previous posts demonstrate exactly the bad attitude that this article is discussing. A huge class of security exploits are made ineffective by modern development tools, and ignoring those tools in favor of older tools based only on performance, is a characteristic of amateur develop...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
This is one of the more rediculous pieces I've ever read.
This is *exactly* the type of thinking that churns out Microsoft products -
"Memory is cheap, processing is abundant, storage is plentiful, so let's use as much as we can of all of them!
So what if people want to run multiple programs at ...
[ more ] [ reply ]
This is *exactly* the type of thinking that churns out Microsoft products -
"Memory is cheap, processing is abundant, storage is plentiful, so let's use as much as we can of all of them!
So what if people want to run multiple programs at ...
[ more ] [ reply ]
simply sloppy programming
2003-03-27
rishab
rishab
of course lower-level languages, which provide more access and power, also result in more damage when used badly.
but the issue is not programming languages as much as sloppy code.
frankly i still haven't been able to figure out why people code without checking for buffer overflows. anyone who...
[ more ] [ reply ]
but the issue is not programming languages as much as sloppy code.
frankly i still haven't been able to figure out why people code without checking for buffer overflows. anyone who...
[ more ] [ reply ]
Boo.
2003-03-27
Anonymous
Anonymous
The recent security holes in Unis softare have ABSOLUTELY NOTHING TO DO WITH LOW-LEVEL LANGUAGES and everything with design bugs. Also the idea that languages must keep newbies from doing specific mistakes (in this case security bugs due to buffer overflows) is a load of complete and undiluted bulls...
[ more ] [ reply ]
[ more ] [ reply ]
(sigh)
2003-03-27
grey
grey
As a previous response stated - there _is_ a reason that things are still written in C, performance being very notable, but another reason is because most of the alternatives suck ass, and don't actually buy you anything.
Python, Perl, Java? Do -any- of those allow me to compile a program into a...
[ more ] [ reply ]
Python, Perl, Java? Do -any- of those allow me to compile a program into a...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
I think that many programmers use C and C++ because it is easy to write Windows graphical applications with them.
Security wise, Java and Ada for example are probably far better. But it is almost impossible to write a Windows NATIVE application with them.
I thought that C# would solve the prob...
[ more ] [ reply ]
Security wise, Java and Ada for example are probably far better. But it is almost impossible to write a Windows NATIVE application with them.
I thought that C# would solve the prob...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
This article is idiotic. Blaming a programming language for human faults is just dumb. No matter what language you use, the end result processed by your processor is the same.
I see valid points as well, like using higher level constructs to make life easier for the programmer. But, sometimes one...
[ more ] [ reply ]
I see valid points as well, like using higher level constructs to make life easier for the programmer. But, sometimes one...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
Writing an operating system kernel in an interpreted language is more than merely "unlikely". And what shall the interpreter be written in? C is, without any question, the most portable language to write system libraries in as well. Everything can and must bind to it under unix, so it is also an ...
[ more ] [ reply ]
[ more ] [ reply ]
I agree
2003-03-27
Anonymous
Anonymous
To the previous poster, 200 megs of ram and 100 percent CPU, with what language and which mail client? If you want to argue, cut out the bs exageration.
Do a search on Java security, Java buffer overruns, etc. You will find articles attributed to MS java and others which point out that there are n...
[ more ] [ reply ]
Do a search on Java security, Java buffer overruns, etc. You will find articles attributed to MS java and others which point out that there are n...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
i find it kinda funny when someone makes a article about security in linux vs windows as they seems to forget is that in a normal linux distr there about 100 times more software then in your avarage windows installbut still there are more scurity holes reported for windows alone then the entire set ...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
You have a point, but I would suggest that C and C++ have the ability to be as secure as any other programming language. Using the same data types and objects for all of your variables allows the programmer to make sure that there are few security vulnerabilities, and if you find one it is easy to ...
[ more ] [ reply ]
[ more ] [ reply ]
It's Too Cool To Criticize Programmers
2003-03-27
PipTigger
PipTigger
Too many people today say
"until programmers take responsibility" ...
"until they aren't so egotistical" ...
"until they care about security" ...
"until they agree with ME about what's most important" ...
The fact is that few programmers are directly to blame for security problems. Especi...
[ more ] [ reply ]
"until programmers take responsibility" ...
"until they aren't so egotistical" ...
"until they care about security" ...
"until they agree with ME about what's most important" ...
The fact is that few programmers are directly to blame for security problems. Especi...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
I guess you don't include 'coding' on your CV, eh, John? To suggest that the use of Perl over C (or C++) will make one write better code is naive in the _extreme_. How many ADA programs have real world bugs?
And ANY language which allows some measure of abstraction (e.g. C++) is easier to 'secu...
[ more ] [ reply ]
And ANY language which allows some measure of abstraction (e.g. C++) is easier to 'secu...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
It's all in the attitude. Things like this sweep: "lots of sprintf -> snprintf and strcpy -> strlcpy; checked by tedu"
(sample: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/cdio/cddb.
c.diff?r1=1.5&r2=1.6&f=h )
Are easy to do on any open source project, but only OpenBSD people do these sweeps...
[ more ] [ reply ]
(sample: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/cdio/cddb.
c.diff?r1=1.5&r2=1.6&f=h )
Are easy to do on any open source project, but only OpenBSD people do these sweeps...
[ more ] [ reply ]
Java as a solution
2003-03-27
Anonymous
Anonymous
Java is a suitable platform for IRC, and mail clients as well as print deamons, pop3 deamons and even moderate to low performance web and mail servers. The java libraries and runtime system help eliminate the most common and serious security problems. Modern virtual memory systems can map the JVM's ...
[ more ] [ reply ]
[ more ] [ reply ]
Many scripting languages don't scale
2003-03-27
PyMan
PyMan
While I applaud your suggestion that too much code is written in C and C++ simply because it's the "cool" thing to do, the fact is that with large software systems, most scripting languages don't scale.
I love Python. But, _any_ weakly-typed language like Python, moreso with Perl where DWIM is tu...
[ more ] [ reply ]
I love Python. But, _any_ weakly-typed language like Python, moreso with Perl where DWIM is tu...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
Certainly, there are security issues regardless of programming language choice. The fact is that security is almost always an after-thought during most programming projects. The only way that more secure code will ever be written in any language is if it is written from the start to be as absolute...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Please give me one application that is a huge commercial success for the desktop that is written in Java? Or any other language than C/C++....
People don't like security holes in their software any more than they like buying a new computer every year to be able to run their software...
Educa...
[ more ] [ reply ]
Anonymous
Please give me one application that is a huge commercial success for the desktop that is written in Java? Or any other language than C/C++....
People don't like security holes in their software any more than they like buying a new computer every year to be able to run their software...
Educa...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
I aggree that now a days it seems as if more and more bugs are present. To blame that on the choice of language is utter non-sense. What is to blame goes back to the fighter pilot and programmer analogy. If it was as hard to call your self a programmer and to have a job programming as it is to fly ...
[ more ] [ reply ]
[ more ] [ reply ]
No.. No.. No..
2003-03-27
Anonymous
Anonymous
Don't blame a language for the shortcomings of those who use it. A language is a tool, and is not responsible for how it is used. There are plenty of examples of "secure" C/C++ code; unfortunately this is the exception and not the norm.
The problem today is languages are becoming so high level ...
[ more ] [ reply ]
The problem today is languages are becoming so high level ...
[ more ] [ reply ]
Too cool for secure code
2003-03-27
Ben
Ben
I admit there are all sorts of tools available to make C safer - MISRA parses, for instance, but the fundamentals of the language are just not as safe as C++. That said C++ too can be coded to guidelines to make it safer too, using std::vector in place of arrays, using std::string as opposed to cha...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
Thinking security and Linux? Go to the assurance elements in Part 3 of the Common Criteria requirements as a starting point for what serious security professionals think are good practices. Then compare how Linux is created, documented and distributed. There isn't a good match. Which is not to say t...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
I feel like I have to point out that no language can do more than another. Instead of acting as if programming in a certain language automatically makes programs secure, I find myself wondering why more effort hasn't been put into various C array/pointer/buffer APIs. One project that does this, off ...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
Hear hear! I applaud your strong stance in this article. From the comments you've received so far it's fairly obvious that most everyone is completely missing your point. I, too, am tired of "code jockeys" who think that it's better to write "cool", uncompilable, unmaintainable, undocumentable code ...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
The written code is only as good as the programmer that wrote it. Mistakes with buffer overflows tend to be in the code because of poor training or lack of understanding by the coder. What's needed is to have software tested, have people willing to test and except that even the best coders have bad ...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
I want to fly too, but I can't. My vision isn't good enough. :(
The kinds of programs I write don't require me to think about security. If there was an exploit in my programs the user would be all like "Oooo, you can cheat by moving your pawn like a knight!" or "My calculator is singing. That's n...
[ more ] [ reply ]
The kinds of programs I write don't require me to think about security. If there was an exploit in my programs the user would be all like "Oooo, you can cheat by moving your pawn like a knight!" or "My calculator is singing. That's n...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-27
Anonymous
Anonymous
Oh, I see... So You suggest implementing low power/low storage/ low mem OS and app in... what, exactly? perl? Java? What else? OK, now fit it all (let's say, a firewall at wire speed) into 8MB of memory (which is _a lot_ of space).
Sorry, but Your suggestion will solve nothing: spec determines toll...
[ more ] [ reply ]
Sorry, but Your suggestion will solve nothing: spec determines toll...
[ more ] [ reply ]
Partially true
2003-03-27
Anonymous
Anonymous
While I think that this article is partially true, I don't completely agree.
One of the points not mentioned is that all languages have their vulnerable areas. So I spend much of my time working with websites. The typical area of concern here is on validation of user input (sql injection, XSS) an...
[ more ] [ reply ]
One of the points not mentioned is that all languages have their vulnerable areas. So I spend much of my time working with websites. The typical area of concern here is on validation of user input (sql injection, XSS) an...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-28
Anonymous
Anonymous
Sorry but choice of language has nothing to do with a system's security. C/C++ is the language of choice for Open Source programmers because it delivers the best performance across a wide range of hardware. Processing power is cheap and available, but only in the developed countries. In third-world ...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-28
Anonymous
Anonymous
As a newbie to programming I have wondered how to prevent these types of errors, but I have yet seen a beginning C C++ book which explains what a buffer overflow error is or what coding practices should be used to prevent it. Maybe this is one of the places where this should be taught, in the begin...
[ more ] [ reply ]
[ more ] [ reply ]
Couldn't agree more
2003-03-28
Anonymous
Anonymous
If the number of similar bugs coming up in mature products developed by good programmers is any guide, then it's time for a change. OpenSSL, Sendmail and the Linux kernel are written by smart, dedicated and experienced programmers who presumably take security seriously. But buffer overflows are s...
[ more ] [ reply ]
[ more ] [ reply ]
Software responsibilities
2003-03-28
Anonymous
Anonymous
It's nice to be idealist, but I seriously doubt that coders will take reponsibility for their code until there are severe consequences for not doing so. If a civil engineer designs a bridge calculating the loads wrong, doesn't have it reviewed by peers, doesn't take steps to ensure the his design an...
[ more ] [ reply ]
[ more ] [ reply ]
Blame the coder, not the language
2003-03-28
Anonymous
Anonymous
Hi,
i agree with above comments.
problem is not in the language, but that the coders do not put that much effort in the security aspect. its more of the "get it done" attitude which quite often leads to cuttin corners. btw, who tests these software .the same ppl..
some ppl out there are good wh...
[ more ] [ reply ]
i agree with above comments.
problem is not in the language, but that the coders do not put that much effort in the security aspect. its more of the "get it done" attitude which quite often leads to cuttin corners. btw, who tests these software .the same ppl..
some ppl out there are good wh...
[ more ] [ reply ]
Alternatives?
2003-03-28
Anonymous
Anonymous
For all you "can only be done in C/C++" people. There ARE languages designed for security. Ada comes to mind.. I know people don't like to talk about Ada, but hey.. it's secure AND it is used for low-level programming. Java, C#, and probably some other languages, while not as secure as Ada have a fe...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Tested Code?
2003-03-28
Werm
Werm
I agree. There are lots of high-level languages that will save you a whole load of grief, and however flawed Java is, it does force you to trap errors (like integer overflow, array indices being out of bound etc).
There are, I find, a couple of problems though. And they're not technological. They...
[ more ] [ reply ]
There are, I find, a couple of problems though. And they're not technological. They...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-28
Lee Reynolds
Lee Reynolds
The issue here is not what languages people are using, but rather the approach that programmers take when writing their code and depth of detail with which the code is examined for bugs. New bugs (and therefore exploits) are found on a regular basis because far more time is spent writing the code ...
[ more ] [ reply ]
[ more ] [ reply ]
Stupidest piece I have ever read.
2003-03-28
Anonymous
Anonymous
This has to be the worst piece I have ever read about security. Low level languages are used for speed and efficiency. If you want to complain about someone not programming with security in mind go for it, but don't blame the tools.
It is idiots like you that make a 2GHz system run like a 48...
[ more ] [ reply ]
It is idiots like you that make a 2GHz system run like a 48...
[ more ] [ reply ]
Too Cool? No, not really.
2003-03-28
clee
clee
Using a higher-level language won't fix the problems with security.
Using a higher-level toolkit, such as Qt (from Trolltech, as used by KDE) or even GTK+, both of which have bindings for the higher-level languages, is the answer.
No user should have to put up with the exponentially reduced ru...
[ more ] [ reply ]
Using a higher-level toolkit, such as Qt (from Trolltech, as used by KDE) or even GTK+, both of which have bindings for the higher-level languages, is the answer.
No user should have to put up with the exponentially reduced ru...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-28
Anonymous
Anonymous
As to the "what language is better" question, look at variants of ML. Standard ML or OCaml are examples. ML has a really nice type system that catches most forms of errors which cause segfaults, buffer overflows, etc. at compile time; 50% of debugging something in ML is getting it to compile, and ML...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code - Wise Words
2003-03-28
DrNerdware
DrNerdware
Well said. I recommend reading the Secure-Programs HOWTO and following the advise given there. Then read "The Mythical Man-Month" by Fred Brooks.
Far too many programmers and programming books focus on the tools, like compilers and editors. More attention to the craft would help. Books like Softw...
[ more ] [ reply ]
Far too many programmers and programming books focus on the tools, like compilers and editors. More attention to the craft would help. Books like Softw...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-28
Angelos Karageorgiou
Angelos Karageorgiou
Jeez and you are trying to tell me that a programmer who is counting bits and interrupts
at sub-nanosecond intervals should also do his/her
own code's audit and use a high level language like eifell to program the APICs, riiiight ?
Dude write another book for power users and leave program...
[ more ] [ reply ]
at sub-nanosecond intervals should also do his/her
own code's audit and use a high level language like eifell to program the APICs, riiiight ?
Dude write another book for power users and leave program...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-28
Anonymous
Anonymous
Buffer overuns are just a symptom of using memory copy, or pointer access code that does not have bounds checking (ie. crap programming). That is why you use C++ rather than C, and create classes that manage buffers; There is a performance penalty, but it is minimal, and optimised buffer copy method...
[ more ] [ reply ]
[ more ] [ reply ]
Way Kewl For Secure Code
2003-03-28
fnaaijkens@ultihouse.com
fnaaijkens@ultihouse.com
OK, you really throw it at the guys!
Maybe, you wouldn't find a carreer in diplomacy. Yet:
1. Stuuupid people (dare I name VB? slAP! sorry.) would find optimizing unnecessary.
2. Smaaarrt people would appear to find optimizing the code until the last CPU cycle wasn't wasted, the most importan...
[ more ] [ reply ]
Maybe, you wouldn't find a carreer in diplomacy. Yet:
1. Stuuupid people (dare I name VB? slAP! sorry.) would find optimizing unnecessary.
2. Smaaarrt people would appear to find optimizing the code until the last CPU cycle wasn't wasted, the most importan...
[ more ] [ reply ]
Too Cool For Secure Code? My two cents
2003-03-28
Anonymous
Anonymous
First of all, he misses two key points on why security holes exist.
1. There never has been "requirements" about security when writing code for an application. Maybe if you are building something for the defense department...
2. He says to not use C/C++, but he doesn't say what to use. And he ...
[ more ] [ reply ]
1. There never has been "requirements" about security when writing code for an application. Maybe if you are building something for the defense department...
2. He says to not use C/C++, but he doesn't say what to use. And he ...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-28
vijeno <vijen0@yahoo.com>
vijeno <vijen0@yahoo.com>
It's always good to be reminded of security issues, of course.
I don't like to speak for others. Judging my own code, however, I am sure that my C++ code is far more secure than my Perl code (which does, of course, say nothing about my code's overall security.) Perl makes me get too comfy, someti...
[ more ] [ reply ]
I don't like to speak for others. Judging my own code, however, I am sure that my C++ code is far more secure than my Perl code (which does, of course, say nothing about my code's overall security.) Perl makes me get too comfy, someti...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-28
Anonymous
Anonymous
So long as your labor is free, fine. But in the real world, development costs can determine whether something needed gets done.
Working in low level languagrs is a waste of time for most things. Hell, why not use assembler? It is far more efficient than C.
In your example, if I'm reading mail, who...
[ more ] [ reply ]
Working in low level languagrs is a waste of time for most things. Hell, why not use assembler? It is far more efficient than C.
In your example, if I'm reading mail, who...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-28
Anonymous
Anonymous
The attitude of 'performance costs' of being 'negligible' when there is 'single-digit percent' penalty along with diverse codebase libraries is where coders go wrong. Writing good code requires effort. The coder must validate input, check for overruns, and more. However, C and C++ compilers usual...
[ more ] [ reply ]
[ more ] [ reply ]
User clients are rarely security risks
2003-03-28
Anonymous
Anonymous
Your article extols the virtue of using high level languages on such simple things as clients, but accepts that performance on servers is an issue.
Err... so what's the point of your article? You've reaffirmed the status quo.
Servers will always be written for performance, and hence will alwa...
[ more ] [ reply ]
Err... so what's the point of your article? You've reaffirmed the status quo.
Servers will always be written for performance, and hence will alwa...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-28
Anonymous
Anonymous
This article should never have been published. Yea, let's all use a bloated high-level language, like Visual Basic, 'cause...WHAT? There is too much bloated, crappy software out there now, made by weenies that can't do any better. I'm all for C/C++, but, like any language, the programmer must be awa...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-28
Anonymous
Anonymous
One word - speed. C and C++ are alot faster than the higher level languages like Java and .NET stuff as well as PERL and PYTHON.
Bugs are a fact of life. THERE IS NO BUGFREE SOFTWARE.
On the other hand, there are exploit and bug resistant coding practices. Practices such as reusing code tha...
[ more ] [ reply ]
Bugs are a fact of life. THERE IS NO BUGFREE SOFTWARE.
On the other hand, there are exploit and bug resistant coding practices. Practices such as reusing code tha...
[ more ] [ reply ]
Re: Too Cool For Secure Code
2003-03-28
Anonymous
Anonymous
"No language will stop an idiot from making mistakes." Be that as it may, it becomes much harder to make mistakes when you're not coding in C/C++. I've done my share of programming in C/C++, heck, even Assembly. Inevitably, whenever you compile after some changes, you get an error. But what kind...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-29
Anonymous
Anonymous
Welcome to the world of UNIX. On *nix systems you have the ability to run more than one user application at once. It is called multitasking and is shipped with all main stream distros you have tested, like Red Hat Linux for example.
However. If you for example runs a shell server with 500 user ac...
[ more ] [ reply ]
However. If you for example runs a shell server with 500 user ac...
[ more ] [ reply ]
That was a joke ?
2003-03-29
Anonymous
Anonymous
Sorry if my criticism is not really constructive now, but the text seems like it's empty, so many lines for nothing after all... On what do you base your thesis ? Sorry but security holes depends on ONLY 1 thing : People's conscience.
Doesn't matter the language, what matters is if you are aware ...
[ more ] [ reply ]
Doesn't matter the language, what matters is if you are aware ...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-29
blacklight
blacklight
I understand that C's standard library of functions is susceptible to buffer overflows, and that those programmers who do worry about overflow attacks end up designing their own libraries - That's one way to deal with it.
Buffer overflow attacks are successful if user inputs are not QAed properly...
[ more ] [ reply ]
Buffer overflow attacks are successful if user inputs are not QAed properly...
[ more ] [ reply ]
I Agree
2003-03-29
LesPaul
LesPaul
I agree with the author. In my professional career I've mostly involved with developing low level applications using C programming language. I like C, it is very good for reaching and manuplating low level details. This is what I need for coding kernel modules. However, I should also note that, C re...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code - USE VB!
2003-03-30
Anonymous (1 replies)
Anonymous (1 replies)
If you C/C++ used an enterprise level coding language such as VB or .NET you would understand why we all think you are living in the dark ages....
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code - USE VB!
2003-04-01
Anonymous
Anonymous
Yes, us C++ coders are all in the dark ages. We know nothing. Stupid us for, for example, using C to interface with Win32, which is also written in C.
Now, you go have fun writing imports for VB so you can use the real Win32 functions.
Even Microsoft recognise the power of C++ - why else would...
[ more ] [ reply ]
Now, you go have fun writing imports for VB so you can use the real Win32 functions.
Even Microsoft recognise the power of C++ - why else would...
[ more ] [ reply ]
Portability, efficentcy, hot air
2003-03-31
jthomas@poweronemedia.com
jthomas@poweronemedia.com
This is idiocy.
C is the most widely supported language in the world. Programs written in C can, and will be, ported between Unix, Windows, OS/2, QNX, Macs, VAXen, and anything else you can think of. This is one reason good programmers still write in C. You never know where your program will be r...
[ more ] [ reply ]
C is the most widely supported language in the world. Programs written in C can, and will be, ported between Unix, Windows, OS/2, QNX, Macs, VAXen, and anything else you can think of. This is one reason good programmers still write in C. You never know where your program will be r...
[ more ] [ reply ]
Too Cool For Secure Code
2003-03-31
G. Bailey Childs
Jon -
Some tasks require low-level languages to achieve the desired result. C and C++ are high-level languages. Assembler is a low-level language. It is not usually a question of performance or machoism, but needed access to the absolute machine instructions in order to do the job.
GBC
...
[ more ] [ reply ]
G. Bailey Childs
Jon -
Some tasks require low-level languages to achieve the desired result. C and C++ are high-level languages. Assembler is a low-level language. It is not usually a question of performance or machoism, but needed access to the absolute machine instructions in order to do the job.
GBC
...
[ more ] [ reply ]
Why say it's just Linux/unix?
2003-04-01
Ally
Ally
Why say it's just Linux/unix? Of course, it's true for them, but also most of the NT system is written in "C" (remember, MS have said themselves that the NT code can't be open-sourced because of the poor quality).
C and C++ are still used in windows development (I should know, I make a living fro...
[ more ] [ reply ]
C and C++ are still used in windows development (I should know, I make a living fro...
[ more ] [ reply ]
Too Cool For Secure Code
2003-04-01
Anonymous (1 replies)
Anonymous (1 replies)
The reason you are seeing so many of these bug reports is because the source code is available. In most cases, these "buffer overrun" vulnerabilities are only theoretical vulnerabilities. Unless you have a very malicious system administrators who deliberately exposes the system, there would be abo...
[ more ] [ reply ]
[ more ] [ reply ]
Too Cool For Secure Code - uh, yeah no shit
2003-04-01
Anonymous
Anonymous
"Compare this to Microsoft's environment which has been successfully attacked with viruses which impact substantially high numbers of servers and workstations."
Well considering that MS makes up 99% of the desktop market (a lot being inexperienced home users, who have no idea how to harden a syst...
[ more ] [ reply ]
Well considering that MS makes up 99% of the desktop market (a lot being inexperienced home users, who have no idea how to harden a syst...
[ more ] [ reply ]
Too Cool For Secure Code -- Only Unix and Linux?
2003-04-02
winklessd@netscape.com
winklessd@netscape.com
Wow, I was always taught that C and C++ wer HIGH level languages! And acxcording to what I learned in programming classes 30 years ago, they are. Assembler, PL360, machine language are very close to the metal (and I've used those , too). I'm an old fart FORTRAN programmer. Which means I programm...
[ more ] [ reply ]
[ more ] [ reply ]
This is so funny - linux on linux battle
2003-04-02
Anonymous (1 replies)
Anonymous (1 replies)
I just love watching Linux geeks fighting with one another, it just sets in stone what the rest of us who work in the corporate world have known for a long time, there is no stability or security in an operating system run by a bunch of c/++ coders that all think they are elite gods.
See, most Li...
[ more ] [ reply ]
See, most Li...
[ more ] [ reply ]
This is so funny - linux on linux battle
2003-04-03
Anonymous (1 replies)
Anonymous (1 replies)
Wanna know why we use linux?
because it helps us score with chix, who in 99% of cases adore penguins
It gives us the power to make machines do what they're told to, period
one for watching movies, another to serve stuff on the internet, a third to browse the web, none of them to ever show discont...
[ more ] [ reply ]
because it helps us score with chix, who in 99% of cases adore penguins
It gives us the power to make machines do what they're told to, period
one for watching movies, another to serve stuff on the internet, a third to browse the web, none of them to ever show discont...
[ more ] [ reply ]
This is so funny - linux on linux battle
2003-04-03
Anonymous
Anonymous
Ok,
I'm of the mentality you need "the right tool for the job" Your not going to get a phillips screw out with a robertson screwdriver.
Codeing, I've done C/C++, UML, XML, Perl, CGI (created some fun scripts), Java, Delphi, Basic, Pascal, VisualC, C# and a nubmer of others.
You can all sit ...
[ more ] [ reply ]
I'm of the mentality you need "the right tool for the job" Your not going to get a phillips screw out with a robertson screwdriver.
Codeing, I've done C/C++, UML, XML, Perl, CGI (created some fun scripts), Java, Delphi, Basic, Pascal, VisualC, C# and a nubmer of others.
You can all sit ...
[ more ] [ reply ]
The article reflets the writers inexperience
2003-04-08
Anonymous
Anonymous
Maybe he just graduated from "security school" or something. There is no high level language that protects the author from his own mistakes - while still offering the speed and flexibility needed by modern applications.
The example given - a mail client - is an example of where C/C++ is needed. ...
[ more ] [ reply ]
The example given - a mail client - is an example of where C/C++ is needed. ...
[ more ] [ reply ]
[ more ] [ reply ]