[Cryptography] I don't get it.
Guido Witmond
guido at witmond.nl
Fri Apr 18 13:22:46 EDT 2014
On 04/18/14 14:53, Peter Fairbrother wrote:
>
> You know why I titled this thread "I don't get it"? Because I really
> don't understand why no-one has fixed this. It has been a known problem
> for 30 plus years, and it is responsible for well over half of all the
> known security bugs.
Well, I'm to blame.
20 years ago, I added a check to the gcc parser that whenever it
encountered a strlen or strcpy token, it would give a warning.
When I got into compiling my brand new linux 0.x and userland the amount
of warnings was so huge that I quickly disabled my checks. Besides, most
of the code worked, so why bother.
I got a rude awakening at the OHM-2013 hacker festival when someone gave
a presentation on stack smashing. His example function, gets().
> So why haven't they fixed it?
Most of the code worked, so I assumed someone else would.
It's the bystander effect. That's to blame. And me for being one among many.
Regards, Guido.
PS, read Gutmanns new book "Security Engineering", that's where I got
this wisdom from.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140418/3c68f4ef/attachment.pgp>
More information about the cryptography
mailing list