Firewall Wizards mailing list archives

Re: FWTK and smap/smapd


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 19 Jul 2002 12:00:54 -0400 (EDT)


My question on this topic, and I'm by no means a programmer, I hack at
things that don't work for me and sometimes can figure out enough to get
them to work for me <smile>.  But, is there a repository of audited common
functions, calls, and procedures, that are security-wise, to aid the
masses, not only in auditing efforts, but to help learn student
programmers that are taught wrong in the first place?  Not snippets here
and there, but a full catalogue of code others can reference and reuse
with perhaps some minor changes to fit their programming situations?

Thanks,

Ron DuFresne

On Fri, 19 Jul 2002, Marcus J. Ranum wrote:

Joseph S D Yao wrote:
without
commentary providing what you might call the specifications or design,
or the social contract between the programmer and the user, there is
nothing against which you can hold a piece of code and say, "THIS IS
WRONG!"  Code is amoral; it has an inherently situational ethic; such
that even the grossest of buffer overflows can only lead us to conclude
that the code does it, therefore the code does it.  We must provide and
communicate the moral absolutes against which the code is measured
right or wrong.  And we can communicate this on dead trees, or in
living commentary.

Hmmm... you've convinced me.  I hadn't looked at it from that
angle before.

I guess what was motivating my opinion was some awful early experiences
I had at a small security company where they had folks assigned to audit
UNIX/C code who didn't know anything about UNIX or C. That left an
indelible impression on me. :)  In retrospect I'm sure it was just because
those staffers had billable hours to expend and that was it. But ever
since then I figured that if you gave people like that commented code
they'd _audit_ _the_ _comments_ and the whole process is pointless.

But you're right - what we're really talking about is checks and
balances. And if you just give code there's, well, just code...
I retract my previous comments on this topic!!! :) Where's the "undo"
button?!

mjr.
---
Marcus J. Ranum                               http://www.ranum.com
Computer and Communications Security  mjr () ranum com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
