From: strombrg at dcs.nac.uci.edu (Dan Stromberg)
Subject: DCOM RPC exploit  (dcom.c)

On Sun, 2003-07-27 at 12:25, David R. Piegdon wrote:
> IMHO it is TIME to sue corporations like microsoft for their stupidity
>  - and their belief that people/customers are even more stupid.
> they sell their software and tell about their "great security-concepts",
> but they actually do nothing about it.

Actually, much as I absolutely despise microsoft (I'd be overjoyed for
weeks if they closed doors permanently), they -are- doing a lot about
security.

For the short term, they're sending (have sent?) all their programmers
to security training.  This is but a band-aid, but it is considerably
better than nothing, and better than the opensource movement is likely
to emulate (fully), simply because the places where programmers learn
programming generally don't take this seriously.

For the long term, and more importantly, they're pushing a move to
interpreted languages, meaning .net.  .net is evil.  .net must die.  But
.net makes a lot of sense which we should not fail to learn from.

I cannot emphasize enough that the opensource crowd (of which I am a
part) needs to learn from this.  Stop writing software in crappy
languages like C if you want it to sit next to the network on a machine,
and possibly even if you're only running in the soft, chewy center.

Give up languages that make buffer overflows too damn easy.  It's not
enough to say "the programmer should know better", because OBVIOUSLY
many do not.  Use python.  Use ML or a variant.  Use lisp.  If you have
to use that excuse for line noise called perl, go ahead.  Anything that
doesn't put the programmer perilously close to buffer overflows!  Turing
(which is designed from the beginning for safe systems programming) or
Modula-3, or Eiffel or Sather are good too, if you absolutely cannot
give up the speed of a compiled language.  The latter three all have
respectable free implementations available for linux and others, as do
all of the interpreted languages mentioned.  They make vastly more sense
than C.

Even if -you- know what you're doing as a developer, that -doesn't- mean
that every last maintainer that comes after you will.

So yes, microsoft reeks to the sky, but it's not true to say that
they're doing nothing about their security problems.  Weak arguments
against microsoft posed as strong ones hurt opensource's credibility.

-- 
Dan Stromberg DCS/NACS/UCI <strombrg@....nac.uci.edu>

