Full Disclosure mailing list archives

Re: automated vulnerability testing
From: Michael Gale <michael () bluesuperman com>
Date: Mon, 1 Dec 2003 22:34:28 -0700


Ok -- I am by far NOT a programmer but I have been doing system
administration for some time for software companies. From my experience
it is the programmer not the language that makes a program what it is.

If the program is not secure or highly exploitable then that is a fault
of the programmer not the language.

Blaming C or C++ for not securing the code for you or providing you with
too much power is ridiculous.

That is like blaming a car manufacturer because your car has too much
horsepower and you were going too fast and hit a pole.

Programming is like driving - YOU are behind the wheel and in control.
If you can not handle it try a 3 cylinder car and basic HTML :)

Michael.


On Mon, 1 Dec 2003 09:58:33 -0600 (CST)
Ron DuFresne <dufresne () winternet com> wrote:

On Sun, 30 Nov 2003, Jonathan A. Zdziarski wrote:


Aren't such measures -- especially the former -- simply crutches
that effectively _encourage_ the continuation of poor (even
downright negligent) programming practices?

Only to the extent that TCP wrappers and firewalls are simply
crutches to effectively encourage the continuation of poor systems
administration.



Quite a flaw in logic there, I'm sure you meant;

Only to the extent that TCP wrappers and firewalls are simply crutches
to effectively encourage the continuation of poor systems networking
protocols that already exist.


Being that the flaws are inherent to the network protocols in use.
Admins have long known how to lock a system down, and keep it that
way, remove all users and limit access and functionality.  That tends
to make the system far less than useful.  But, the core issue lies
with the networking protocols that are meant to make intersystem
communications actually happen.  There was no security within their
design, security was the lowest factor in the developers' minds at the
time.  And of course a rewrite of all that code and then pushing that
to the internet-citizenry at large would be fairly daunting eh?  Look
how well the conversion from ssh1 to ssh2 has progressed...


Thanks,

Ron DuFresne

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

