From owner-freebsd-security Mon Jul 20 16:48:54 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA19935 for freebsd-security-outgoing; Mon, 20 Jul 1998 16:48:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA19817 for ; Mon, 20 Jul 1998 16:48:32 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id QAA26069; Mon, 20 Jul 1998 16:47:10 -0700 (PDT) (envelope-from jkh@time.cdrom.com) To: Brett Glass cc: Paul Hart , dg@root.com, security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? In-reply-to: Your message of "Mon, 20 Jul 1998 11:32:51 MDT." <199807201732.LAA20377@lariat.lariat.org> Date: Mon, 20 Jul 1998 16:47:10 -0700 Message-ID: <26065.900978430@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I would argue that the real problem is unsafe tools. C and its libraries > have, from the start, been rusty, and unsafe, with no safeguards against > cutting one's head off. Heck, the C language was more than 20 years old That may be true, but it has no relevance to this discussion. > Quality can't (and shouldn't) be tested or audited in. It should be DESIGNED > in. The development tools we use to develop the system in the first place That may be true, but it has no relevance to this discussion. > Any change in the status quo will require a change of attitude -- a level of > professionalism that I haven't seen yet in most developers. This has nothing to do with "lack of professionalism", this has to do with users (like yourself) simply expecting to get something without investing any of their own effort. I really have to be somewhat amazed at this discussion. I remember a period during the late 70's and 80's when NOBODY would have just run something on one of their systems without either extensively auditing it first or making sure that it had just gone through such an audit. People used to be *careful* about what they ran and they used to take a personal interest in anything which ran with root privileges. They also used to make backups and designate people to take over for them when they went on honeymoons and such. :-) Developers haven't changed much at all, from what I can see, but the quality of the *users* and the time and attention which they spend on proper security procedures has really gone into the toilet. Sorry Brett, but you're really pointing your finger in the wrong direction here. People have really gotten far too complacent lately and they're starting to pay the price for expecting everything to now be point-and-click, including their own security. - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message