[Cryptography] "NSA-linked Cisco exploit poses bigger threat than previously thought"

Watson Ladd watsonbladd at gmail.com
Wed Aug 24 16:05:50 EDT 2016


On Aug 24, 2016 11:45 AM, "Sebastian Krahmer" <krahmer at suse.com> wrote:
>
> On Wed, Aug 24, 2016 at 02:08:48AM +0000, Peter Gutmann wrote:
> > Jerry Leichter <leichter at lrw.com> writes:
> >
> > >We've had safe programming languages for quite some time, but this kind of
> > >code continues to be written in C.
> >
> > There's also the other problem, inspired by Ed Post's comment that "the
> > determined Real Programmer can write FORTRAN programs in any language".  You
> > can write insecure code in any language, it's just that C is everywhere, and
> > in particular in mission-critical areas, so the problems are more visible.
> > Look at Java for example, no buffer overflows and no pointers so it's got to
> > be totally secure.  No-one has ever found an exploit involving Java, have
> > they?
>
> Never! The design goal of Java - being a secure language by removing
> pointers and having exceptions - was entirely achieved.
> Also, python (php, golang, ...) programs are known to have no security
> issues at all.
> If someone forgets to check certificates, does it the wrong way,
> allocates too short buffers or relies on untrusted input: blame it all
> on the language.

Consequence of a short buffer in Java: a crash. In C: epic pwnage. All the
other bugs still exist in C programs. Java just closes a huge swath.

>
> "safe programming languages" for the lulz. There is no such thing.
> Theorem: The safer and easier-to-use the language is, the more stupid bugs
> will come around.
> php showed us the hard way that for "safe languages", bug classes are rising
> that nobody would have thought of before.
>
> Sebastian
>
> --
>
> ~ perl self.pl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ krahmer at suse.com - SuSE Security Team
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
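The contrast Watson draws above (a short buffer fails loudly in Java but silently corrupts memory in C), as an added C example that is not part of the thread: `parse_field_unchecked` is the trusting C idiom, and `parse_field_checked` adds the two bounds checks a Java array access would enforce for you. The one-byte-length wire format, `struct record` and both function names are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format: one length byte followed by that many bytes. */
#define FIELD_LEN 8

struct record {
    char field[FIELD_LEN];  /* the "short buffer" */
    int  is_admin;          /* whatever happens to sit after it in memory */
};

/* The C behaviour the thread is about: the declared length is trusted, so a
 * message claiming more than FIELD_LEN bytes writes past `field`. This is
 * undefined behaviour: nothing stops the write, and in practice it lands on
 * the next struct member or the stack. Kept only for contrast; never called. */
void parse_field_unchecked(struct record *r, const uint8_t *msg)
{
    size_t len = msg[0];
    memcpy(r->field, msg + 1, len);
}

/* The behaviour a bounds-checked language gives for free: the write is
 * compared against the array bound before it happens, and an oversized
 * input fails loudly (an exception in Java, an error return here). The
 * message-length check covers the other half of "relies on untrusted
 * input": a declared length that overruns the message would read past
 * the input buffer even when it fits the destination. */
int parse_field_checked(struct record *r, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1)
        return -1;                      /* no length byte at all */
    size_t len = msg[0];
    if (len > msg_len - 1)
        return -1;                      /* declared length exceeds the message */
    if (len > sizeof r->field)
        return -1;                      /* declared length exceeds the buffer */
    memcpy(r->field, msg + 1, len);
    memset(r->field + len, 0, sizeof r->field - len);
    return (int)len;                    /* bytes stored, record is well-formed */
}
```

Building the checked version with `-fsanitize=address` (or running the unchecked one under it) is the usual way to turn the C outcome back into a Java-style crash during testing.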