An attack on paypal

Major Variola (ret) mv at cdc.gov
Wed Jun 11 11:01:56 PDT 2003


At 03:39 PM 6/10/03 -0700, Bill Frantz wrote:
>At 5:12 PM -0700 6/8/03, Anne & Lynn Wheeler wrote:
>>somebody (else) commented (in the thread) that anybody that currently
>>(still) writes code resulting in buffer overflow exploit maybe should be
>>thrown in jail.

Not a very friendly bug-submission mechanism :-)

>IMHO, the problem is that the C language is just too error-prone to be used
>for most software.  In "Thirty Years Later:  Lessons from the Multics
>Security Evaluation",  Paul A. Karger and Roger R. Schell
><www.acsac.org/2002/papers/classic-multics.pdf> credit the use of PL/I for
>the lack of buffer overruns in Multics.  However, in the Unix/Linux/PC/Mac
>world, a successor language has not yet appeared.

What about Java?  Apart from implementation bugs, it's secure by design.

---
"and then you go to jail" is a bad error-handler for a protocol.
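The buffer-overrun class the thread is arguing about, shown as an added example in C that is not part of the original post or of anything Karger and Schell wrote. The struct, field names and the functions set_name_unsafe() and set_name_checked() are assumptions made for illustration; the point is that C's library string functions carry no destination size, so the bound has to be passed and checked by hand, which is exactly the step a bounds-checked language such as PL/I or Java does for the programmer.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Illustrative request record (assumed for this example). The flag sits
 * immediately after the fixed-size buffer, so an overrun of 'name' can
 * overwrite it: this adjacency is what turns a length bug into a privilege bug. */
struct request {
    char name[NAME_LEN];
    int  privileged;
};

/* VULNERABLE: strcpy() has no idea how large r->name is. Any field of
 * NAME_LEN bytes or more writes past the array. Shown only for contrast;
 * the demonstration below never calls it with oversized input, because doing
 * so is undefined behaviour in C, not a controlled error. */
void set_name_unsafe(struct request *r, const char *field)
{
    strcpy(r->name, field);
}

/* HARDENED: the destination size travels with the pointer and is checked
 * before a single byte is written. Returns 0 on success, -1 if the field
 * (plus its NUL terminator) does not fit. Rejecting is preferable to silent
 * truncation, which can produce a different, still-attacker-controlled value. */
int set_name_checked(char *dst, size_t dstsz, const char *field)
{
    size_t n = strlen(field);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, field, n + 1);      /* n + 1 copies the terminating NUL too */
    return 0;
}

int main(void)
{
    struct request r = { "", 0 };

    /* Constructed inputs: one that fits, one that is 16 bytes (no room for NUL). */
    const char *ok_field  = "alice";
    const char *bad_field = "0123456789abcdef";

    if (set_name_checked(r.name, sizeof r.name, ok_field) == 0)
        printf("accepted: %s (privileged=%d)\n", r.name, r.privileged);

    if (set_name_checked(r.name, sizeof r.name, bad_field) != 0)
        printf("rejected: field of %zu bytes does not fit in %d\n",
               strlen(bad_field), NAME_LEN);

    return 0;
}
```

The check `n >= dstsz` rather than `n > dstsz` is the detail that gets missed most often: a field exactly as long as the buffer still needs one more byte for the terminator, and an off-by-one here overwrites whatever follows the array.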





More information about the cypherpunks-legacy mailing list