[Asterisk-Dev] Is anyone thinking anymore?
Steve Szmidt
steve at szmidt.org
Mon Jul 26 07:56:59 MST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Monday 26 July 2004 10:25 am, Karl Brose wrote:
> Naturally, the debate over the pros and cons of strcpy vs. strncpy, and
> sprintf vs snprintf and their various siblings in the group
> is not new.
> What is termed "defensive programming" here simply does not stand up to
> intellectual challenge, rather is an indication of doubt and insecurity.
Wait a minute! Buffer overflows is still the number one route a hacker takes
in breaking into a program. It's not "doubt and insecurity", it's using code
which blocks what can easily become a nightmare.
Now I'm not a C programmer, so I cannot say for sure which command should be
used over the other but I know that there is an insecure copy command and a
secure one in C.
Few people understand security. But as Bruce Schneier puts it: It's a
tradeoff. I'm very glad that Mark decided to take the route of more secure
over faster code. An easily hacked * box would become a nightmare for many of
us. Then it does not matter how fast it runs if it's full of buffer
overflows.
OpenBSD is continously audited for these kinds of "bugs" and as a result has
not had more than ONE remote access hole in SEVEN years.
When a known security expert had met with top people from Microsoft to address
their security problems, he said: They were really really bright people, but
they were clueless about security!
> There is no protection against someone messing up this or any other
> code, in fact with these changes you are giving an inexperienced coder
> even more chances to make errors. The introduction of additional
You can never protect yourself against bad programmers. But there are known
ways to protect yourself against being hacked!
- --
Steve
"They that would give up essential liberty for temporary safety deserve
neither liberty nor safety."
Benjamin Franklin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBBRu+ljK16xgETzkRAtNSAJwIz+2qm30s6hpyTPgQthkU5F+CCgCeOCQr
RxH8O0kG3/88J8MFqu5wZfg=
=8Jt3
-----END PGP SIGNATURE-----
More information about the asterisk-dev
mailing list