
Re: [Full-Disclosure] automated vulnerability testing



Ok -- I am by far NOT a programmer but I have been doing system
administration for some time for software companies. From my experience
it is the programmer not the language that makes a program what it is.

If the program is not secure or highly exploitable then that is a fault
of the programmer not the language.

Blaming C or C++ for not securing the code for you or providing you with
too much power is ridiculous.

That is like blaming a car manufacturer because your car has too much
horsepower and you were going too fast and hit a pole.

Programming is like driving - YOU are behind the wheel and in control.
If you cannot handle it try a 3 cylinder car and basic HTML :)

Michael.


On Mon, 1 Dec 2003 09:58:33 -0600 (CST)
Ron DuFresne <dufresne@winternet.com> wrote:

> On Sun, 30 Nov 2003, Jonathan A. Zdziarski wrote:
> 
> >
> > > Aren't such measures -- especially the former -- simply crutches
> > > that effectively _encourage_ the continuation of poor (even
> > > downright negligent) programming practices?
> >
> > Only to the extent that TCP wrappers and firewalls are simply
> > crutches to effectively encourage the continuation of poor systems
> > administration.
> >
> >
> 
> Quite a flaw in logic there, I'm sure you meant;
> 
> Only to the extent that TCP wrappers and firewalls are simply crutches
> to effectively encourage the continuation of poor systems networking
> protocols that already exist.
> 
> 
> Being that the flaws are inherent to the network protocols in use. 
> Admins have long known how to lock a system down, and keep it that
> way, remove all users and limit access and functionality.  That tends
> to make the system far less than useful.  But, the core issue lies
> with the networking protocols that are meant to make intersystem
> communications actually happen.  There was no security within their
> design, security was the lowest factor in the developers mind at the
> time.  And of course a rewrite of all that code and then pushing that
> to the internet-citizenry at large would be fairly daunting eh?  Look
> how well the conversion from ssh1 to ssh2 has progressed...
> 
> 
> Thanks,
> 
> Ron DuFresne
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

