ahayes@ntlworld.com writes:
Steve Fosdick wrote:
So, back to MJR's email in which he says these are Windows problems. I beg to differ. I think these are M$ problems and if M$ deigned to write software for Linux it would be fraught with all the same issues.
OK, maybe we should say these are Microsoft problems. Trouble is, "Microsoft Virus" sounds so much like one of their products, doesn't it? Maybe it is and they are keeping the anti-virus makers in business ;-)
I also think they are programmer problems. Arguments are made saying it's the language the programmer uses. For example: "C has buffer overflows, use Perl/whatever!", but once you take out buffer overflows you end up with the inability of programmers to create a decent authentication system. (Think Hotmail, banks, etc.)
Yes, ultimately the programmer is responsible, but can you name any other company which so fiercely defends the rights of its programmers to create such cock-ups, is reluctant to fix them once found and prevents others from fixing them?
I'm intrigued though: why is the ability to create buffer overflows linked to being able to create authentication systems? Maybe I've just not thought about it enough.
on Sat, Sep 22, 2001 at 09:48:39AM +0100, MJ Ray scribbled:
OK, maybe we should say these are Microsoft problems. Trouble is, "Microsoft Virus" sounds so much like one of their products, doesn't it? Maybe it is and they are keeping the anti-virus makers in business ;-)
Like the thing they distributed with windows 3.11? MS(A)V? :)
Yes, ultimately the programmer is responsible, but can you name any other company which so fiercely defends the rights of its programmers to create such cock-ups, is reluctant to fix them once found and prevents others from fixing them?
No, this is admittedly one of the distinct advantages of open source (or of software available under a license that allows you to patch your own copy). Or maybe people who can binary patch machine code directly will be in more demand in the future?
I'm intrigued though: why is the ability to create buffer overflows linked to being able to create authentication systems? Maybe I've just not thought about it enough.
Well, with a C program, the first exploitable bug you are likely to find is a buffer overflow. With Perl, you move into the realm of shopping carts, webmail and so on. Quite often authentication mechanisms are insufficient, poorly thought out. Also there's the old open(HANDLE, $userstring); thing (where $userstring is set to "/bin/rm -rf / |"), e.g.:
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=205785
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=214155
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=214456
So maybe the first two aren't Perl, but I doubt they're C. (Yay, securityfocus is now lynx browsable.)
I'm just really trying to say, no matter what language you use, unless your programmer is clued up on security and the issues specific to that language and security generally, there is likely to be one of a common set of flaws.
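[Editor's note, not part of the thread: the open(HANDLE, $userstring) flaw MJR mentions comes from Perl's two-argument open(), which lets the *data* choose the mode: a string ending in "|" means "run this as a shell command and read its stdout". The script below is an added example, written for this page and not taken from any of the posts or the linked advisories. It uses a harmless `echo` as the constructed attacker input in place of the `rm -rf` from the thread, and shows the vulnerable form beside the three-argument form that fixes the mode to read-only.]

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed attacker-controlled input (stands in for a CGI parameter).
# With two-argument open(), a trailing "|" means "pipe FROM this command",
# so the string is executed by the shell instead of being opened as a file.
# The thread's example was "/bin/rm -rf / |"; echo is used here instead.
my $userstring = 'echo INJECTED_COMMAND_RAN |';

# Vulnerable form: the second argument carries both the mode and the name,
# so user data decides whether this is a file read or a command execution.
sub read_vulnerable {
    my ($path) = @_;
    open(HANDLE, $path) or return "open failed: $!";
    my $data = do { local $/; <HANDLE> };   # slurp whatever the handle yields
    close HANDLE;
    return $data;
}

# Hardened form: three-argument open() pins the mode to '<' (read-only file),
# so the string is only ever treated as a filename. Pipe characters, leading
# '>' or '+<', and surrounding whitespace lose their magic meaning.
sub read_hardened {
    my ($path) = @_;
    open(my $fh, '<', $path) or return "open failed: $!";
    my $data = do { local $/; <$fh> };
    close $fh;
    return $data;
}

# Expected: the vulnerable call prints "INJECTED_COMMAND_RAN", because the
# shell ran echo; the hardened call fails with ENOENT because no file named
# 'echo INJECTED_COMMAND_RAN |' exists.
print "vulnerable: ", read_vulnerable($userstring), "\n";
print "hardened:   ", read_hardened($userstring), "\n";
```

Two practical checks beyond the three-argument form: run CGI scripts under taint mode (`perl -T`), which refuses to pass tainted data to open() in pipe mode or to system()/exec() until it has been laundered through a regex capture, and validate the filename against an explicit allow-list (a fixed directory plus a character class such as `/\A[\w.-]+\z/`) before opening it at all. Neither replaces the other; the mode fix stops the pipe trick, taint mode and the allow-list also catch path traversal and the other "clued-up on security" issues the post is talking about.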