[Cryptography] "NSA-linked Cisco exploit poses bigger threat than previously thought"

Sebastian Krahmer krahmer at suse.com
Wed Aug 24 03:56:41 EDT 2016


On Wed, Aug 24, 2016 at 02:08:48AM +0000, Peter Gutmann wrote:
> Jerry Leichter <leichter at lrw.com> writes:
> 
> >We've had safe programming languages for quite some time, but this kind of
> >code continues to be written in C.
> 
> There's also the other problem, inspired by Ed Post's comment that "the
> determined Real Programmer can write FORTRAN programs in any language".  You
> can write insecure code in any language, it's just that C is everywhere, and
> in particular in mission-critical areas, so the problems are more visible.
> Look at Java for example, no buffer overflows and no pointers so it's got to
> be totally secure.  No-one has ever found an exploit involving Java, have
> they?

Never! The design goal of Java - being a secure language by removing
pointers and having exceptions - was entirely achieved.
Also, Python (PHP, golang, ...) programs are known to have no security issues at all.
If someone forgets to check certificates, does it the wrong way,
allocates too short buffers or relies on untrusted input: blame it all
on the language.

"Safe programming languages" for the lulz. There is no such thing.
Theorem: The safer and easier-to-use the language is, the more stupid bugs will come around.
PHP showed us the hard way that for "safe languages", bug classes arise
that nobody would have thought of before.

Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.com - SuSE Security Team
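The "checking certificates the wrong way" bug class named in the reply above, shown in a memory-safe language as an added example that is not from either author: a hostname check written with a suffix comparison, beside a label-wise match that behaves the way a practitioner expects. Function names and the sample names are hypothetical.

```python
"""A logic bug that no pointer-free language prevents: hostname matching done wrong.

Both functions decide whether the name on a presented certificate (cert_name)
is acceptable for the host the client intended to reach (host). No network
access is needed; the inputs are plain strings constructed for this example.
"""


def naive_host_matches(cert_name: str, host: str) -> bool:
    """Wrong: a suffix test accepts any host that merely ends with the
    certificate name, so a certificate for "example.com" is also accepted
    for "evilexample.com"."""
    return host.lower().endswith(cert_name.lower())


def host_matches(cert_name: str, host: str) -> bool:
    """Label-wise comparison: same number of DNS labels, case-insensitive,
    and a wildcard is honoured only as the whole leftmost label of a name
    with at least three labels (so "*.com" never matches)."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels) or len(cert_labels) < 2:
        return False
    first, *rest = cert_labels
    if first == "*":
        if len(cert_labels) < 3:
            return False
        # Equal label counts already rule out "a.b.example.com" and "example.com"
        return rest == host_labels[1:]
    return cert_labels == host_labels


if __name__ == "__main__":
    for cert, host in [("example.com", "evilexample.com"),
                       ("*.example.com", "www.example.com"),
                       ("*.example.com", "a.b.example.com")]:
        print(cert, host, naive_host_matches(cert, host), host_matches(cert, host))
```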
