Subject: Re: BitchX /ignore bug
From: Steve Mosher (goat PHOENIX.ISN.NET)
Date: Fri Jul 07 2000 - 06:51:15 CDT
- Next message: Ron DuFresne: "Re: BitchX /ignore bug"
- Previous message: Slawek: "(no subject)"
- In reply to: Joe User: "Re: BitchX /ignore bug"
- Next in thread: Mikael Olsson: "Re: BitchX /ignore bug"
- Next in thread: Bluefish: "Re: BitchX /ignore bug"
- Reply: Steve Mosher: "Re: BitchX /ignore bug"
- Reply: Mikael Olsson: "Re: BitchX /ignore bug"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Ahh, that makes sense. I learned to code with man pages, a
(bad) reference book, and a scary mess of poorly written code. The poorly
written code served as a wonderful example -- it would allocate and forget
about piles of memory, and it would crash all the time -- of what not to
do, and why. I guess my natural interest in security made me extend this
realization to risky ways of doing things, that weren't obvious.
It's about time instruction became security conscious -- actually,
it's long overdue. The art of code auditing appears to be totally homebrew
-- AFAIK you can't learn it in school or from books, but it happens every
day: some people get paid to do it, others do it for the sake of it, and
others still do it to write exploits. I've done the first two, personally.
It's time people realize that when designing a program that has any sort
of privs at all -- *especially* for use with the internet -- that the
design thoughts *must* include attention to security.
I'm willing to bet that code written by those who write script-kid
exploits is probably some of the most secure around. So, are we to encourage
these people to write books on C (or whatever) and teach programming in
schools? Are there any (programming) teachers on this list even? That
would be a start.
On Thu, 06 Jul 2000, Joe User wrote:
> Just think of it this way: someone that's got a natural knack for programming
> hops down to a bookstore and picks up "Learn C in 21 Days" and flips through
> it for about 10, and has everything down pat. Ok, no problem, except for the
> fact that the books you pick up register unsafe gets(), scanf(), strcpy(), etc.
> Then, after a short time of writing small projects this way, they find out about
> security: checking buffers, making certain that nothing can get out of bounds,
> etc...they pick up on this information, but too late. They've already learned
> the unsafe way of doing things, and old habits die hard. This, unfortunately,
> is what happens oftentimes; I figured it out when I wrote one program and
> couldn't figure out why a scanf() would overwrite the EIP and cause a segfault.
> It took me about 4 days to find the info online in an article [I believe it was
> on SunWorld] that you should never use scanf() at all. Many of the big-shot
> programmers out there that contribute or even write programs that are now in
> everyday use have never been to a school to learn to program, they just started
> by doing. It's shameful that the material they learned from had no notion of
> secure programming, but unfortunately that's the way it is :(
-- Shop smart, shop S-Mart! - Ash
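The unsafe idioms the quoted message names (gets(), scanf() with a bare "%s", strcpy()) are exactly the ones that let a long input line run off the end of a stack buffer and overwrite the saved return address. The following is an added example, not code from either poster: it shows the habit in a comment and, beside it, bounded replacements built only on the standard C library. The sample input, the 16-byte limit, and the function names are constructed for the illustration.

```c
/* Added example (not from the thread): the unsafe input idioms named in
 * the quoted message beside bounded replacements. ISO C only; the sample
 * input is constructed and fed through a temporary file so it runs offline. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_MAX_LEN 16   /* constructed buffer limit for the example */

/* The habit the books taught: nothing tells gets() or "%s" how large
 * `name` is, so a line longer than 15 bytes writes past the buffer into
 * whatever follows it on the stack (the overwritten EIP from the thread).
 *
 *     char name[NAME_MAX_LEN];
 *     gets(name);            // removed from the language in C11 for this reason
 *     scanf("%s", name);     // same defect: no field width given
 */

/* Bounded replacement for gets()/scanf("%s"): stores at most size-1 bytes,
 * strips the newline, and drains the rest of an over-long line so the next
 * read does not start mid-line. Returns the stored length, or -1 when
 * nothing could be read; *truncated reports whether input was cut off. */
long read_line_bounded(char *buf, size_t size, FILE *in, bool *truncated)
{
    *truncated = false;
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {
        /* No newline in the buffer: either the line was longer than the
         * buffer or the file ended. Consume up to the newline; any byte
         * seen before it is data that would have overflowed a raw buffer. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = true;
    }
    return (long)len;
}

/* Bounded replacement for strcpy(): copies what fits, always NUL-terminates,
 * and returns true if src had to be cut short. */
bool copy_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return true;
    size_t n = strlen(src);
    bool cut = n >= dstsize;
    if (cut)
        n = dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return cut;
}

/* Constructed sample input: two well-formed names and one line far longer
 * than NAME_MAX_LEN, the kind of line a gets()-based reader crashes on. */
static const char SAMPLE_INPUT[] =
    "alice\n"
    "bob\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";

/* Reads every line of `text` into a NAME_MAX_LEN buffer and returns how many
 * lines had to be truncated, i.e. how many would have overflowed. */
int count_overlong_lines(const char *text)
{
    FILE *in = tmpfile();          /* ISO C; avoids non-portable fmemopen */
    if (in == NULL)
        return -1;
    fputs(text, in);
    rewind(in);

    char name[NAME_MAX_LEN];
    bool truncated;
    int overlong = 0;
    while (read_line_bounded(name, sizeof name, in, &truncated) >= 0)
        if (truncated)
            overlong++;
    fclose(in);
    return overlong;
}

int main(void)
{
    printf("over-long lines in sample: %d\n", count_overlong_lines(SAMPLE_INPUT));
    char dst[8];
    bool cut = copy_bounded(dst, sizeof dst, "this string is too long");
    printf("copied \"%s\" (truncated: %s)\n", dst, cut ? "yes" : "no");
    return 0;
}
```

The design point is that the bounded readers make truncation an explicit, checkable result rather than silent memory corruption: a caller can reject or log an over-long line, which is the "checking buffers, making certain that nothing can get out of bounds" the quoted message describes.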