From owner-freebsd-security Fri Jul 17 09:46:07 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA11503 for freebsd-security-outgoing; Fri, 17 Jul 1998 09:46:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from itesec.hsc.fr (root@itesec.hsc.fr [192.70.106.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA11383 for ; Fri, 17 Jul 1998 09:45:59 -0700 (PDT) (envelope-from pb@hsc.fr)
Received: from mars.hsc.fr (mars.hsc.fr [192.70.106.44]) by itesec.hsc.fr (8.8.8/8.8.5/itesec-1.12-nospam) with ESMTP id SAA26087; Fri, 17 Jul 1998 18:45:24 +0200 (MET DST)
Received: (from pb@localhost) by mars.hsc.fr (8.8.8/8.8.8/pb-19980526) id SAA12047; Fri, 17 Jul 1998 18:45:19 +0200 (CEST) (envelope-from pb)
Message-ID: <19980717184518.A11872@mars.hsc.fr>
Date: Fri, 17 Jul 1998 18:45:19 +0200
From: Pierre Beyssac
To: Craig Spannring , Anonymous
Cc: bugtraq@netspace.org, cert@cert.org, freebsd-security@FreeBSD.ORG, security@bsdi.com
Subject: Re: EMERGENCY: new remote root exploit in UW imapd
References: <199807162206.AAA30072@basement.replay.com> <199807170035.RAA05041@bangkok.office.cdsnet.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.92.8i
In-Reply-To: <199807170035.RAA05041@bangkok.office.cdsnet.net>; from Craig Spannring on Thu, Jul 16, 1998 at 05:35:04PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jul 16, 1998 at 05:35:04PM -0700, Craig Spannring wrote:
> C should not be used for trusted programs. The lack of true arrays

Each language has its own weaknesses. Buffer overflows are not the
biggest security problem, far from it. Just for an example, consider
the number of attacks possible because of badly-written Perl CGI
scripts.

Blaming programmer incompetence on the language is naive at best.
Some languages are certainly safer than others, but no language is
safe against programmer errors.

> Sometime in the not too distant future there will be a major
> catastrophe related to insecure Internet software. Perhaps a major
> bank will go broke, perhaps the stock market will be manipulated, I'm
> not sure about the specifics but it will happen. There will be a

I highly doubt it. Any bug in a program is a potential danger and
any program has bugs; this has been a fact of life for years, long
before the Internet became mainstream. So much so that people are
used to it, thanks to a few major software companies.

Avoiding bugs is a software engineering problem. The choice of a
language is only a small part of the equation. Furthermore, limiting
computer security to a choice of language is really not serious.

-- 
Pierre.Beyssac@hsc.fr