Bugtraq mailing list archives
Learning security
From: myer () ELANCO K12 PA US (Kevin M. Myer)
Date: Mon, 14 Dec 1998 11:17:12 -0500
Hello,

This post may come across as off-topic, but it remains an unanswered question in my mind. I've been a member of the BUGTRAQ list for the better part of 1998 and have learned much about UNIX (et al.) security from it. However, one post by mudge () l0pth com talked about how insecure some of the supposed security packages are these days, and it got me to wondering: where do they teach programmers security?

I am not a programmer; I don't even have a formal education in computers or network or information technology. I have a degree in geology, and I gained my UNIX experience from the workstations I used for research. I took one introductory comp-sci course, programming in C. However, I am wondering if the rash of buffer overflows, sloppily coded programs, or just generally flawed algorithms or ideas for security are because programmers don't KNOW any better. Why do we ever hear reports of files that are installed world readable/writeable? Why doesn't every programmer check the length of a string and do something appropriate if it's longer than the buffer assigned for it? Why do we keep revisiting the same mistakes over and over again, only rolled in a slightly different fashion?

I guess my real question is: where is secure and good coding being taught? Is there a book I can get that has a list of pitfalls to avoid when I program? Are there any such courses available in colleges on a wide-scale basis? Or is computer security bound to remain something that a handful of experts know anything about, and they learned it the hard way, by hacking around a system? I know that's how I've picked up what I've learned so far, and that's the best teacher as far as I'm concerned. And I know Dennis Ritchie once was quoted as saying that UNIX wasn't designed with security in mind. But you'd think somewhere we'd learn something about programming, and that the buffer overflow, for example, would be a thing of the past.

Just wondering. Like I said, I'm no expert on any of this. I just know enough to wonder why.

Kevin

--
Kevin M. Myer
Technical Services Specialist
ELANCO School District
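The two pitfalls the post asks about (copying a string without checking that it fits its buffer, and installing files world readable/writeable) both have simple, mechanical defences. The following C code is an added illustration for this archive page, not code from the original post or from any package discussed on the list; the function names `copy_bounded`, `create_private_file` and `is_private` and the return codes are my own choices, and the file path used in `main` is a constructed example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Return codes for copy_bounded() (names chosen for this example). */
enum { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARG = -2 };

/* Copy src into dst, which holds dst_size bytes. The caller always passes
 * the real buffer size, and the function refuses to copy, rather than
 * silently overflowing, when the string plus its terminator does not fit. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARG;

    /* strnlen never scans past dst_size bytes, so an unterminated or
     * enormous src cannot drag the length check into reading far away. */
    size_t n = strnlen(src, dst_size);
    if (n == dst_size) {          /* no room left for the '\0' terminator */
        dst[0] = '\0';            /* leave dst in a defined, terminated state */
        return COPY_TOO_LONG;
    }
    memcpy(dst, src, n + 1);      /* n bytes of text plus the terminator */
    return COPY_OK;
}

/* Create a file that only its owner may read or write. O_EXCL makes the
 * call fail instead of opening a pre-existing file (or a symlink planted at
 * that path), and fchmod pins the mode to 0600 even if the process umask
 * would have left it more permissive. Returns a descriptor or -1. */
int create_private_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Audit check: 1 if no group/other permission bits are set on path,
 * 0 if the file is readable or writable beyond its owner, -1 on error. */
int is_private(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(void)
{
    char buf[8];   /* deliberately small to show the length check firing */

    printf("short   -> %d\n", copy_bounded(buf, sizeof buf, "short"));
    printf("8 chars -> %d\n", copy_bounded(buf, sizeof buf, "exactly8"));

    /* Constructed example path; mkstemp reserves a unique name first. */
    char path[] = "/tmp/private_example_XXXXXX";
    int tmp = mkstemp(path);
    if (tmp >= 0) {
        close(tmp);
        unlink(path);                         /* free the name for O_EXCL */
        int fd = create_private_file(path);
        printf("created private file: %s (private=%d)\n",
               fd >= 0 ? "yes" : "no", is_private(path));
        if (fd >= 0)
            close(fd);
        unlink(path);
    }
    return 0;
}
```

The point of `copy_bounded` is that the buffer size travels with the buffer and the function has exactly one outcome when the input is too long: a clear error code and an empty, terminated destination. The file helper shows the other habit the post wishes were universal: pass a restrictive mode at creation time and verify it afterwards, rather than trusting whatever umask the installer happened to run under.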