Dinis Cruz wrote: <snip introductory comments>
> > A couple comment on your article: > > /"... .NET has a built-in security model just like Java. //.NET is type > safe just as Java is type safe. ..."/ > > This is only correct when .Net is executed under Partial Trust and Java > with the Security Manager enabled. > > In Full Trust .Net or Java with Security Manager disabled, the VM > verifier is disabled and the built-in security mode is just about useless. > > The main security advantage that the current .Net and Java environments > have, is that they are not as vulnerable to buffer overflows as C/C++ <snip rest of excellent discussion> Hola Dinis et al., I subscribe to many security-related mailing lists, and I don't remember on which this one occurred, but, in the past two to three months, there was a great discussion around Multics and the Multics security model and implementation. Now, I'm an old phart, but not quite that old . . . (Apologies to the Multicians out there . . . :-) ). WRT type safety, etc., one of the big appeals of Multics was that it was written in PL/I. Now, I /*am*/ old enough to admit to having learned PL/I in Comp Sci 101, and I actually did productive work with it (when I could get to the keypunch). Looking back on it, PL/I protected me (a beginning programmer) from many errors of omission that I would have made had I been using C or C++. In some ways, I think we are back doing the same thing for which we excoriate others . . . not learning lessons from those who came before us and reinventing the wheel. IMHO, WRT operating systems, there is ample history to guide us on what works and what doesn't. (And how to write OSs in HLLs). Those who elect not to pay attention to history and who must forge their way into the vast, uncharted (by them) waters deserve everything they get. And, FWIW, I'm surprised that Butler Lampson is still Microsoft . . . My 0.02$CURRENCY. Cheers, /g _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
