Just got the latest SANS newsletter and apparently I'm not the only one who's dumbfounded by the number of buffer overflow bugs in server software (Re: my rant to this list a few months ago suggesting we charge programmers who write code with these kinds of bugs in them with criminal negligence, and stating that you're virtually immune from these kinds of bugs if you write your software in MetaCard).

Regards,
Scott

From: Alan for the SANS NewsBites service
Re: May 9 SANS NewsBites

*************************

Steve Ballmer, Microsoft's CEO, walked into a meeting with a dozen customers a few days ago and said disgustedly, "You would think we could figure out how to fix buffer overflows by now." He was talking about the latest IIS buffer overflow fiasco through which (SANS has received reliable confirmation to prove) well over 9,000 Microsoft-powered web sites have been defaced. And that pain is nothing compared to the extortion and reputation damage organizations will soon face in trying to recover the credit card numbers and other private information of their clients.

Steve is right about buffer overflows. Enough is enough. It is time to bring accountability to the programming profession. We hope that Microsoft will take the lead, guaranteeing all its internal programmers get basic secure programming skills training and that the company helps train developers outside of Microsoft. And if that isn't enough, perhaps as a security community, we can invite developers of important code with buffer overflows to come to SANS conferences where they can tell us all why they are subjecting us to this pain.

Programmers have been taught simple tests to avoid buffer overflows at least since 1960. Some of them have forgotten the basics. It's time to give them a reason to remember.

--
********************************************************
Scott Raney [EMAIL PROTECTED] http://www.metacard.com
MetaCard: You know, there's an easier way to do that...