Just got the latest SANS newsletter and apparently I'm not
the only one who's dumbfounded by the number of buffer
overflow bugs in server software (Re: my rant to this list
a few months ago suggesting we charge programmers who write
code with these kinds of bugs in them with criminal negligence,
and stating that you're virtually immune from these kinds of
bugs if you write your software in MetaCard).

From: Alan for the SANS NewsBites service
Re:   May 9 SANS NewsBites


Steve Ballmer, Microsoft's CEO, walked into a meeting with a dozen
customers a few days ago and said disgustedly, "You would think we could
figure out how to fix buffer overflows by now."  He was talking about
the latest IIS buffer overflow fiasco through which (SANS has received
reliable confirmation to prove) well over 9,000 Microsoft-powered web
sites have been defaced.  And that pain is nothing compared to the
extortion and reputation damage organizations will soon face in trying
to recover the credit card numbers and other private information of
their clients.

Steve is right about buffer overflows.  Enough is enough.  It is time
to bring accountability to the programming profession.  We hope that
Microsoft will take the lead, guaranteeing all its internal programmers
get basic secure programming skills training and that the company helps
train developers outside of Microsoft.  And if that isn't enough,
perhaps as a security community, we can invite developers of important
code with buffer overflows to come to SANS conferences where they can
tell us all why they are subjecting us to this pain. Programmers have
been taught simple tests to avoid buffer overflows at least since 1960.
Some of them have forgotten the basics.  It's time to give them a reason
to remember.

Scott Raney  [EMAIL PROTECTED]  http://www.metacard.com
MetaCard: You know, there's an easier way to do that...
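The "simple test" the SANS item alludes to is just a length check before the copy. The following is an added illustration, not code from the newsletter, from MetaCard or from IIS; the header-value scenario and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration (not from the newsletter or from MetaCard): both
 * functions copy a request header value into a fixed-size buffer. */

#define HOST_BUF 32

/* Unsafe pattern: strcpy trusts the sender to keep the value short.
 * A value longer than HOST_BUF-1 bytes writes past the end of 'dst'.
 * Shown for contrast only; main() never calls it. */
void copy_host_unsafe(char *dst, const char *value)
{
    strcpy(dst, value);
}

/* Hardened pattern: measure first, refuse anything that will not fit
 * together with its NUL terminator, and report the rejection. */
int copy_host_checked(char *dst, size_t dst_len, const char *value)
{
    size_t n = strlen(value);
    if (dst_len == 0 || n >= dst_len) {
        return -1;               /* too long: reject the request */
    }
    memcpy(dst, value, n + 1);   /* n+1 copies the terminator too */
    return (int)n;               /* bytes copied, excluding the NUL */
}

/* Constructed sample inputs: a legitimate host and an oversized one. */
static const char *OK_HOST = "www.example.com";
static const char *LONG_HOST =
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

int main(void)
{
    char host[HOST_BUF];
    if (copy_host_checked(host, sizeof host, OK_HOST) >= 0)
        printf("accepted: %s\n", host);
    if (copy_host_checked(host, sizeof host, LONG_HOST) < 0)
        printf("rejected: %zu-byte value exceeds %d-byte buffer\n",
               strlen(LONG_HOST), HOST_BUF);
    return 0;
}
```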

Archives: http://www.mail-archive.com/metacard@lists.runrev.com/
Info: http://www.xworlds.com/metacard/mailinglist.htm
Please send bug reports to <[EMAIL PROTECTED]>, not this list.