From owner-freebsd-chat Mon Feb 17 16:12:12 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id QAA26793 for chat-outgoing; Mon, 17 Feb 1997 16:12:12 -0800 (PST)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA26787 for ; Mon, 17 Feb 1997 16:12:09 -0800 (PST)
Received: from time.cdrom.com (localhost [127.0.0.1]) by time.cdrom.com (8.8.5/8.6.9) with ESMTP id QAA28131; Mon, 17 Feb 1997 16:08:37 -0800 (PST)
To: Charles Mott
cc: "David O'Brien", Michael Smith, freebsd-chat@freebsd.org
Subject: Re: Countering stack overflow
In-reply-to: Your message of "Mon, 17 Feb 1997 13:28:52 MST."
Date: Mon, 17 Feb 1997 16:08:37 -0800
Message-ID: <28127.856224517@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-chat@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> This is the final post of a long back and forth exchange. I'm sorry my
> terminology is not up to your standards, but I think if you read the
> entire thread, you will see that my understanding is fairly clear. Do
> your homework before making an obnoxious statement.
>
> The fact that FreeBSD is so easily exploited by stack overflow
> techniques, when the method has been widely known for probably a decade
> is the real tragedy here.

Boys, boys, please calm down! :-)

To put the matter even more in perspective, RTFM (Robert T Fuckin'
Morris) did not invent the exploits used in his worm, they came from
security advisory information he became privy to through his *father's*
involvement as head of ARPAnet security, or whatever the exact title of
Bob Morris's position was. I don't think that the father was actually
tossing this kind of stuff down in front of his son directly, but son
somehow got ahold of it and the rest is history.

My point? These sorts of problems have been around since the 70's, when
Bob Morris was collecting his security advisories. They've probably
popped up in TOPS, ITS, Twenex, VMS and every OS in-between, and I
daresay that many are probably *still there*. This is a problem as old
as programming, and to castigate the FreeBSD team specifically for it
is just silly.

Sure, everyone knows about the famous fingerd hole and the problem of
stack overflow in general - why do you think gets() started spewing out
that obnoxious warning a long time back? Knowing about a problem, like
stack overflow or goto abuse or improper indentation or any of a
thousand different programmer evils does NOT somehow automatically
prevent such problems from reoccurring in the future, and I don't care
who the programmer is or what the operating system under discussion
might be - as long as humans are doing the programming, all are
vulnerable to a repetition of history.

Jordan