Re: [SC-L] Andy Tanenbaum on Linux's origins and security

security benefits to microkernel designs, it's true, but there are also security benefits to monolithic designs, and which outweighs the other is a decision each system's architect must make - it certainly isn't a slam-dunk either way, to me. /~\ The ASCII der Mouse \ / Ribbon

Re: [SC-L] Interesting article on the adoption of Software Security

der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

[no subject]

traffic, This is not so much a difference between DECnet and IP as a difference between VMS and Unix. /~\ The ASCIIder Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

a lot of overlap. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

not exclusively (I know I'm a better programmer for knowing many languages). Perhaps not even predominantly. But as theoretically ugly as it may be, it is still pragmatically critical. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED

Re: [SC-L] Programming languages used for security

level, because the language is higher level, but they will occur if the thing being built is nontrivial.) /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Re: [SC-L] Programming languages used for security

/SIGBUS rather than returning EFAULT). /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Re: [SC-L] Programming languages -- the third rail of secure coding

should not have a separate entry from Java (and probably VBScript vs Visual Basic too). I also think ADA should be spelled Ada - you seem to be _trying_ to capitalize correctly /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED

Re: [SC-L] How do we improve s/w developer awareness?

us hard data about what their effect is, rather than the speculation (however well-informed) that's all we have to go on now - and it quite likely would have the pleasant side effect of pushing most open source projects out into the free (or at least freer) world. /~\ The ASCIIder Mouse

Re: [SC-L] Re: Application Insecurity --- Who is at Fault?

in the initial design, but reused in another way that nobody knew even existed at first writing, it could cause a crash (and associated DoS) or worse. /~\ The ASCIIder Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52

Re: [SC-L] Re: Application Insecurity --- Who is at Fault?

that anyone who thinks otherwise should not be coding or specifying for anything that has a significant cost for a security failure. (Which is not to say that they aren't!) /~\ The ASCIIder Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED

Re: [SC-L] Theoretical question about vulnerabilities

only proven this program correct, not tested it. /~\ The ASCIIder Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Re: [SC-L] Theoretical question about vulnerabilities

the practical application of proof-based technology in a suitably constrained environment. Entirely true. But if you use theoretical language like proof, you have to expect to be held to a theroetical standard of correctness. /~\ The ASCIIder Mouse \ / Ribbon Campaign X

Re: [SC-L] Spot the bug

it's not, too. And if I want examples of bad code I hardly have to go to Microsoft to find them. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Re: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code

with that, which actually means just that you've picked the wrong TCP stack for your environment, not that there's anything wrong with the stack for its design environment. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED

Re: [SC-L] Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code

no, a browser written in java would not have buffer overflow/stack issues. the jvm is specifically designed to prevent it ... And of course, we all know all JVM implementations are perfect. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML

Re: [SC-L] Managed Code and Runtime Environments - Another layer of added security?

Der Mouse is barking up the right rathole. :-) That's a lovely mangled metaphor. And, thanks for the kind words; I'm glad to see I'm not totally out to lunch. (I haven't been at this for as long as you have - you write from 1965 to 1969, during which time I was at most five years old

Re: [SC-L] Managed Code and Runtime Environments - Another layer of added security?

stacks would have exactly this kind of buffer overrun protection. Hmm, I wonder if there's something useful lurking there. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31

Re: [SC-L] Segments, eh Smithers?

, *and* they get it evaluated up to EAL7. Strictly speaking, you don't need to have it evaluated for it to be high security. Evaluation does not give the security; it gives confidence in the security (or lack thereof, if it flunks). Okay, okay, /nitpick /~\ The ASCII der Mouse

Re: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code

will garner your OS widespread rejection (even if it does gain a sliver of acceptance from those who (a) understand the security principles involved and (b) want to run a shop that tight). /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL

Re: [SC-L] Another example of the futility of hardwareless 2 factor authentication

, in fact. But you can't make it impossible. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B ___ Secure Coding mailing

Re: [SC-L] HNS - Biggest X Window security hole since 2000

der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http

Re: [SC-L] bumper sticker slogan for secure software

to the bugs present in *that* program (the spec) and the bugs present in the compiler (the formal verifier). Formal methods are a useful tool, and have a place. But they are not a magic bullet. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML

Re: [SC-L] bumper sticker slogan for secure software

version. It might be of type k or it might be of some other type (possibly a type that can exist in language A, possibly not). And in any case, you have not found it; you have only demonstrated its existence. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML

Re: [SC-L] How can we stop the spreading insecure codingexamplesattraining classes, etc.?

or sideways in the code parse tree (versus structured constructs, which do such branches upward only). Exceptions are upward-only branches, and as a result don't have most of the problems gotos do. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML

Re: [SC-L] Coding with errors in mind - a solution?

to be aware of the throw-through-them potential, and none where I would say it was painful. Perhaps that's just an artifact of how I design my code /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52

Re: [SC-L] Could I use Java or c#? [was: Re: re-writing college books]

' capabilities per se. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B ___ Secure Coding mailing list (SC-L) SC-L

Re: [SC-L] Could I use Java or c#? [was: Re: re-writingcollege books]

keys out of swap space. (Looking through swap space is a relatively well-known forensic technique for finding things like crypto keys or passwords.) /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52

Re: [SC-L] [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)

, for hash functions in general. A *good* hash function will of course have this property for all hash values. I don't know whether SHA-1 is good in this respect, though I would expect it is.) Okay, nitpicky-mathematician mode off :-) /~\ The ASCII der Mouse

Re: [SC-L] Perspectives on Code Scanning

wherein software isn't security Swiss cheese. :-) /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B ___ Secure Coding

Re: [SC-L] Perspectives on Code Scanning

into hardening the network interface before the config-file interface.) /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Re: [SC-L] What's the next tech problem to be solved in software security?

actually using such environments (languages, whatever), then it's an improvement for the industry, even if it's no theoretical advance. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39

Re: [SC-L] Harvard vs. von Neumann

Like it or not, the Web doesn't work right without Javascript now. Depends on what you mean by the Web and work right. Fortunately, for at least some people's values of those, this is not true. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML

Re: [SC-L] Harvard vs. von Neumann

better? /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B ___ Secure Coding mailing list (SC-L) SC-L

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

of what they should.) Who gets hit with tax when a bug is found in, say, the Linux kernel? Why? /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

both ways wrt imposing it on the developers. Often enough, the bugs are not bugs, but rather an end user misapplying software. I've often enough written software that was perfectly fine in its intended application but, if misapplied, could be a risk. /~\ The ASCII der Mouse

Re: [SC-L] GCC and pointer overflows [LWN.net]

. It accurately conforms to what the programmer coded, just not to what the programmer intended to code. The problem affects only code that depends on certain pointer computations whose behaviour has never been promised by C. /~\ The ASCII der Mouse \ / Ribbon Campaign X