Richard Heathfield wrote:
> Tor Rustad said:
[...]
>> What has assets of national importance, in common with *apples*???
>
> Okay, let's try something oh so very different.
Why not try something computer-related?
>> I'd be very surprised if UK or US security professionals these days
>> would hire people with such a complete lack of understanding of basic
>> security principles.
>
> You have not demonstrated such a lack in your correspondents.
Amazing. I was *not* hiring someone to protect *apples* or the *crown*, nor
looking for someone clueless in security, unable to identify *common* errors.
For an introduction to basic security principles, see e.g. [1]:
"Principle 32. Identify and prevent common errors and vulnerabilities
Discussion: Many errors reoccur with disturbing regularity - errors such
as buffer overflows, race conditions, format string errors, failing to
check input for validity, and programs being given excessive privileges.
Learning from the past will improve future results."
> The strncpy function does a simple task reasonably well. Yes, we all know
> it has a lousy name, but apart from that it's a simple function, easy to
> use properly. Yes, it's easy to use improperly too, but then so are lots
> of C functions.
The *relevant point* is that this C function has been misused a lot,
and a buffer overflow can result in a total compromise of a computer
system. The probability of misuse isn't low either.
[1] NIST Special Publication 800-27, "Engineering Principles for
Information Technology Security".
--
Tor <torust [at] online [dot] no>
C-FAQ:
http://c-faq.com/
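The strncpy misuse the thread argues about is concrete enough to show in code. The following is an added example written for this page, not code posted by either participant: it demonstrates the one property of strncpy that causes most of the trouble (when the source is at least as long as the size argument, no terminating NUL is written, so a later strlen or printf on the buffer reads past its end) and puts a small bounded-copy wrapper beside it that always terminates and reports truncation. The helper names strncpy_terminates and safe_copy, and the sample strings, are my own constructions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8

/* Copy src into buf with strncpy and report whether the result is
 * NUL-terminated. The buffer is poisoned first so a missing terminator
 * is visible rather than hidden by leftover zeros.
 * Returns 1 if a NUL is present within bufsize bytes, 0 otherwise. */
int strncpy_terminates(const char *src, char *buf, size_t bufsize)
{
    memset(buf, 'X', bufsize);          /* no accidental zeros */
    strncpy(buf, src, bufsize);         /* pads with NUL only if src is shorter */
    return memchr(buf, '\0', bufsize) != NULL;
}

/* Bounded copy that always leaves dst NUL-terminated (hypothetical wrapper).
 * Returns 0 on a full copy, 1 if the source was truncated to fit,
 * -1 if dstsize is 0 (nothing can be written safely). */
int safe_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n;

    if (dstsize == 0)
        return -1;
    n = strlen(src);
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;                       /* caller can log or reject */
    }
    memcpy(dst, src, n + 1);            /* includes the terminator */
    return 0;
}

int main(void)
{
    char buf[BUF_SIZE];

    /* "exactly8" is 8 bytes: strncpy fills the buffer and writes no NUL. */
    printf("strncpy \"short\"    terminated: %d\n",
           strncpy_terminates("short", buf, sizeof buf));
    printf("strncpy \"exactly8\" terminated: %d\n",
           strncpy_terminates("exactly8", buf, sizeof buf));

    /* The wrapper truncates instead of leaving an unterminated buffer. */
    printf("safe_copy truncated: %d, result \"%s\"\n",
           safe_copy(buf, sizeof buf, "exactly8"), buf);
    return 0;
}
```

The usual defensive pattern when strncpy must stay (existing code, coding standards) is to always follow it with `buf[sizeof buf - 1] = '\0'`; the wrapper above just bakes that in and adds a truncation signal so callers cannot silently lose data.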