TELECOM Digest OnLine - Sorted: Re: Back to Being a Luddite (Oh Well)

Re: Back to Being a Luddite (Oh Well)

mc (
Thu, 13 Jul 2006 21:13:14 -0400

> [TELECOM Digest Editor's Note: Well Gene, I do not know how often
> _YOU_ get viruses, but I get a dozen or more each day. Fortunately,
> most of them are caught in the virus trap operated for customers of
> where I am a high-speed subscriber. Viruses which
> are addressed to me -- regardless of whatever phony name they were
> sent from -- fall into a special 'mailbox' in my name set up by
> Cable One in red with warning flags all over it. So I can pick through
> them if I wish to examine them closer, or most of the time I just
> bash them. Often times they get 'sent by' ptownson, (either with the
> massis address or whoever. A dozen each day ... I
> suggest the problem is worse than you admit. And I am sort of
> conscientious also; in addition to that virus trap I also run three
> scanners, AVG, Ad-Aware, SpyBot Smash and Destroy. PAT]

The fact that viruses arrive in your e-mail doesn't mean that they would
have infected you. Almost all such e-mail is so obviously spam that you're
not going to open the files attached to it anyhow.

>> I believe there have been several overflows found in image processing
>> libraries (jpeg,pdf,tiff...) used by popular browsers and image
>> viewers.

>> I am also aware of at least one entirely text based attack on a hole in
>> a java runtime engine.

> Yep. Buffer overruns are the biggest issue with web stuff. Shove more of
> something than is expected at just the right time and a badly coded
> something will barf or let it overwrite some code. And if that code can
> later be forced to execute then you have a way to stuff your own code
> into the system and have it execute. I saw a writeup about one of the
> biggies that hit MS servers a few years back and the actual inserted
> code was maybe 20 or 40 characters. So it doesn't take much. And it
> doesn't have to be "code" that your browser thinks it is being fed.
> Text, graphics, code, etc ... are just labels. It's all bits.

There should never have been any such thing as a buffer overrun. I
blame the C and C++ programming languages, with their lack of internal
checking, for almost all the unreliability and security vulnerability
of modern software. Computers are 1000 times as fast as the first
PCs, and we still can't afford to spend 1% of our precious CPU time
bounds-checking the arrays. It isn't macho.

I know C and C++ can be used responsibly. My point is that C and C++ led to
a culture developing in which programmers insist on not "wasting" a single
CPU cycle on error-checking or security. (I call it "programming without a
helmet.") As a result, we are having to add security in the form of
additional software.
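As an added illustration of the mechanism the thread describes (constructed here, not code from the post or the Digest), the record layout below puts a privilege flag directly after a fixed-size name field, and shows an unchecked copy next to the bounds-checked one; the field name, flag and sample inputs are all assumed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A record whose privilege flag sits directly after a fixed-size name
 * field: the kind of layout that turns an unchecked copy into a
 * privilege bug. (Constructed illustration, not code from the thread.) */
struct account {
    char name[8];
    int  is_admin;
};

/* Unchecked copy, in the style the post criticises: it trusts that the
 * caller's input fits. Anything longer than 7 characters runs past
 * name[] and overwrites whatever follows it, which is undefined
 * behaviour in C and exactly the "overrun" the thread is about. */
void set_name_unchecked(struct account *acct, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {
        acct->name[i] = src[i];
        i++;
    }
    acct->name[i] = '\0';
}

/* Bounds-checked copy: one length comparison up front, the "1% of CPU"
 * the post says programmers refuse to spend. Oversized input is
 * rejected and the record is left untouched.
 * Returns 0 on success, -1 when src does not fit. */
int set_name_checked(struct account *acct, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof acct->name)        /* need room for the terminator */
        return -1;
    memcpy(acct->name, src, n + 1);    /* n + 1 copies the '\0' too */
    return 0;
}

int main(void)
{
    struct account a = { "", 0 };
    if (set_name_checked(&a, "aaaaaaaaaaaaaaaaaaaaaaaa") < 0)
        printf("rejected oversized name; is_admin still %d\n", a.is_admin);
    set_name_checked(&a, "alice");
    printf("name=%s is_admin=%d\n", a.name, a.is_admin);
    return 0;
}
```

The unchecked routine is shown only for contrast; the demo never calls it with input longer than the field.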
