Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
Too Cool For Secure Code
Jon Lasser, 2003-03-26

Until Unix and Linux programmers get over their macho love for low-level programming languages, the security holes will continue to flow freely.

Comments Mode:
Too Cool For Secure Code 2003-03-26
Anonymous (3 replies)
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-28
DrNerdware
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-26
Anonymous (4 replies)
Too Cool For Secure Code 2003-03-27
Anonymous (1 replies)
Don't Forget Ada! 2003-04-02
StealthBadger
Solving the problem 2003-03-27
Peter Ross
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous (1 replies)
Too Cool For Secure Code 2003-04-07
jhon blacken
That's the wrong attitude. 2003-03-26
Anonymous (26 replies)
That's the wrong attitude. 2003-03-27
Anonymous
Secure languages? 2003-03-27
Anonymous
That's the wrong attitude. 2003-03-27
Anonymous
That's the wrong attitude. 2003-03-27
dbtid (1 replies)
That's the wrong attitude. - haha, time to upgrade 2003-03-30
Anonymous (1 replies)
That's the wrong attitude. - haha, time to upgrade 2003-04-01
Penguinisto
That's the wrong attitude. 2003-03-27
Anonymous
ok but... 2003-03-27
SeJo
Re: That's the wrong attitude. 2003-03-27
George Barbarosie
That's the wrong attitude. 2003-03-27
Listener
Tools matter 2003-03-27
Jon
You are an idiot (or a troll). 2003-03-27
Anonymous
That's the wrong attitude. 2003-03-27
Anonymous
Re: That's the wrong attitude. 2003-03-27
CondorDes
That's the wrong attitude. 2003-03-27
Anonymous
That's the wrong attitude. 2003-03-27
Ron
Re:That's the wrong attitude. 2003-03-27
Anonymous
That's the wrong attitude. 2003-03-28
Anonymous
That's the wrong attitude. 2003-03-28
DrNerdware
That's the wrong attitude. 2003-03-28
Anonymous
Obsolete thinking. 2003-03-28
Anonymous
That's the wrong attitude. 2003-03-28
Anonymous
That's the wrong attitude. 2003-03-28
Anonymous
That's the wrong attitude. 2003-03-28
Anonymous
That's the wrong attitude. 2003-03-28
Anonymous
Type safety is good 2003-03-28
Anonymous
Real issue: don't make the same mistakes. 2003-03-29
Anonymous
I totally agree 2003-04-08
Anonymous
Nonsense 2003-03-26
Anonymous
Too Cool For Secure Code 2003-03-26
Anonymous
Too Cool For Secure Code 2003-03-26
Anonymous
Too Cool For Secure Code 2003-03-26
Anonymous
Too Cool For Secure Code 2003-03-26
Anonymous (1 replies)
Too Cool For Secure Code 2003-03-31
SK
Too Cool For Secure Code 2003-03-26
Anonymous
Too Cool For Secure Code 2003-03-26
Anonymous
Too Cool For Secure Code 2003-03-26
mk
I'd say this article is fairly redundant, stating many things that have been stated many times in the past.

However his choice of bug examples seems odd:

linux kernel ptrace - given the performance-critical status of the kernel, use of high efficiency languages seems appropriate. I haven't been able to find enough information of this vulnerability to know if it is language-feature specific or not.

OpenSSL timing attack - This is an algorithmic issue, and using a less efficient language (slower to execute) would make this problem worse, not better, by making it easier to detect the difference in execution time.

The MySQL config file vulnerability - This is an insecure file handling bug, and is not dependent on language. It's taking advantage of mysql's ability to over-write it's own configuration file.

It seems strange to me that the first three examples he cites aren't particularly relevant to supporting his argument. To his defense, He did say that "most" of those bugs were related, not all, but you'd think that at least the first 3 would be good examples.


Certainly the OpenSSL timing attack doesn't even deserve mention in this article, as his proposed "solution" to all of the world's programing security problems would actually make this problem substantially worse. If anything, it's an example _against_ very high level languages.

It seems to me like this article is a rehash of things said by others, written by someone who either doesn't understand the problem, or didn't take the time to read the security holes he was citing. What a shame, it may have had some potential to add some insightful commentary to this well known debate.



[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/150/18830#18830
Slow news day? 2003-03-27
TJ Miller jr
Too Cool For Secure Code 2003-03-27
Marion De Liau (1 replies)
Too Cool For Secure Code 2003-03-31
Anonymous
Strong Typing, etc. 2003-03-27
RC
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Right idea, wrong solution 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Fra. 219
This is hogwash... I guess we should all use VB? That's High Level and we know how "bug" free that is. 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
so pilots can't really fly? 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Work at a C shop guys? 2003-03-27
Anonymous
Oh Boy 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Shawn
This is exactly right. 2003-03-27
Anonymous
Johnathan Lasser Isn't a a Programmer 2003-03-27
Someone Who Actually Writes Code (1 replies)
Johnathan Lasser Isn't a a Programmer 2003-04-02
Anonymous
Too Cool For Secure Code 2003-03-27
Das Megabyte (1 replies)
Too Cool For Secure Code 2003-04-08
ibanix
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Tirs
Too Cool For Secure Code 2003-03-27
Dave
Too Cool For Secure Code 2003-03-27
Ivan Vecerina
Too Cool For Secure Code 2003-03-27
Anonymous
Crap 2003-03-27
terber
christ, what a whinger 2003-03-27
mark hahn (hahn@mcmaster.ca)
Too Cool For Secure Code 2003-03-27
Anonymous
Syte and Methodology not the Tool 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
I Dont Think So 2003-03-27
Randy LeJeune
Too Cool For Secure Code 2003-03-27
X-Nc
Too Cool For Secure Code 2003-03-27
Kirk Rafferty (kirk_at_rafferty.org)
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Things should change 2003-03-27
Matthew B
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
I agree entirely 2003-03-27
Iain Collins (iain_collins@mac.com)
Too Cool For Secure Code 2003-03-27
Anonymous
Thats the _right_ attitude 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Sticks-and-Stones programming tools 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Higher level languages also insecure 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Bad code is a result of a poor development process 2003-03-27
c0d3cr33p@hotmail.com
Too Cool For Secure Code 2003-03-27
Synonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
simply sloppy programming 2003-03-27
rishab
Its not macho love its SKILLS! 2003-03-27
Anonymous
Silly 2003-03-27
Anonymous
Boo. 2003-03-27
Anonymous
(sigh) 2003-03-27
grey
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
I agree 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
It's Too Cool To Criticize Programmers 2003-03-27
PipTigger
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Java as a solution 2003-03-27
Anonymous
Many scripting languages don't scale 2003-03-27
PyMan
Too Cool For Secure Code 2003-03-27
Anonymous
MS security much worse. 2003-03-27
Ron
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
No.. No.. No.. 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too cool for secure code 2003-03-27
Ben
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-27
Anonymous
Partially true 2003-03-27
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Couldn't agree more 2003-03-28
Anonymous
Software responsibilities 2003-03-28
Anonymous
Blame the coder, not the language 2003-03-28
Anonymous
Alternatives? 2003-03-28
Anonymous
Too Cool For Tested Code? 2003-03-28
Werm
Too Cool For Secure Code 2003-03-28
Lee Reynolds
Stupidest piece I have ever read. 2003-03-28
Anonymous
Too Cool? No, not really. 2003-03-28
clee
Stop wasting electrons and our time 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code - Wise Words 2003-03-28
DrNerdware
Too Cool For Secure Code 2003-03-28
Angelos Karageorgiou
Too Cool For Secure Code 2003-03-28
Philips
Too Cool For Secure Code 2003-03-28
Anonymous
Way Kewl For Secure Code 2003-03-28
fnaaijkens@ultihouse.com
Too Cool For Secure Code 2003-03-28
Anonymous
For what it's worth, RPC wasn't 2003-03-28
Anonymous
Too Cool For Secure Code? My two cents 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
vijeno <vijen0@yahoo.com>
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
User clients are rarely security risks 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-28
Anonymous
Re: Too Cool For Secure Code 2003-03-28
Anonymous
Too Cool For Secure Code 2003-03-29
Anonymous
That was a joke ? 2003-03-29
Anonymous
Too Cool For Secure Code 2003-03-29
blacklight
I Agree 2003-03-29
LesPaul
Too Cool For Secure Code 2003-03-29
Not Really Anonymous
Too Cool For Secure Code - USE VB! 2003-03-30
Anonymous (1 replies)
Too Cool For Secure Code - USE VB! 2003-04-01
Anonymous
goto india; 2003-03-30
mummer the bard
Portability, efficentcy, hot air 2003-03-31
jthomas@poweronemedia.com
Too Cool For Secure Code 2003-03-31
G. Bailey Childs
Why say it's just Linux/unix? 2003-04-01
Ally
Too Cool For Secure Code 2003-04-01
Anonymous (1 replies)
Too Cool For Secure Code - uh, yeah no shit 2003-04-01
Anonymous
Too Cool For Secure Code -- Only Unix and Linux? 2003-04-02
winklessd@netscape.com
This is so funny - linux on linux battle 2003-04-02
Anonymous (1 replies)
This is so funny - linux on linux battle 2003-04-03
Anonymous (1 replies)
This is so funny - linux on linux battle 2003-04-03
Anonymous
The article reflets the writers inexperience 2003-04-08
Anonymous







 

Privacy Statement
Copyright 2009, SecurityFocus