At 03:39 PM 6/10/03 -0700, Bill Frantz wrote:
>At 5:12 PM -0700 6/8/03, Anne & Lynn Wheeler wrote:
>>somebody (else) commented (in the thread) that anybody that currently
>>(still) writes code resulting in buffer overflow exploit maybe should be
>>thrown in jail.

Not a very friendly bug-submission mechanism :-)

>IMHO, the problem is that the C language is just too error prone to be used
>for most software. In "Thirty Years Later: Lessons from the Multics
>Security Evaluation", Paul A. Karger and Roger R. Schell
><www.acsac.org/2002/papers/classic-multics.pdf> credit the use of PL/I for
>the lack of buffer overruns in Multics. However, in the Unix/Linux/PC/Mac
>world, a successor language has not yet appeared.

What about Java? Apart from implementation bugs, it's secure by design.

---
"and then you go to jail" is a bad error-handler for a protocol.