Date: Fri, 17 Jul 1998 10:25:54 -0600 (MDT) From: Wes Peters <wes@softweyr.com> To: freebsd-security@FreeBSD.ORG, cts@internetcds.com Subject: Re: EMERGENCY: new remote root exploit in UW imapd Message-ID: <199807171625.KAA19389@obie.softweyr.com> In-Reply-To: <199807170035.RAA05041@bangkok.office.cdsnet.net> References: <199807170035.RAA05041@bangkok.office.cdsnet.net>
next in thread | previous in thread | raw e-mail | index | archive | help
My hidden microphone recorded Craig Spannring (cts@internetcds.com) saying:
% C should not be used for trusted programs. The lack of true arrays
% with array bounds checking alone makes it too hazardous. How many
% buffer overflow attacks would we hear about if the trusted server
% programs were written using a language with bounds checking like
% Modula-2 or Ada? Zero.
And thus we hear from another Luddite. The use of Modula-2 or Ada
doesn't guarantee the programmers will take the time to design their
programs, does it? These languages don't require you to enter the
requirements document and the design document and compile them, nor
do they eliminate coding mistakes from the program. They supply
some tools, which are also available to C and C++ programmers,
in the form of strncpy, snprintf, etc.
The ONLY sure way to security is to carefully monitor the performance
of your system, and to make sure the developers and maintainers of
your system are responsive to the inevitable attacks and compromises.
These episodes are the best argument for Open Source systems I can
think of. How long would it take Microsoft or Sun to distribute a
patched server to their installed base? I'll bet {Free,Open,Net}BSD
and Linux get them out much faster. ;^)
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
http://www.softweyr.com/~softweyr wes@softweyr.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807171625.KAA19389>