Firewall Wizards mailing list archives
Re: FWTK and smap/smapd
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 19 Jul 2002 12:00:54 -0400 (EDT)
My question on this topic, and I'm by no means a programmer, I hack at things that don't work for me and sometimes can figure out enough to get them to work for me <smile>. But, is there a repository of audited common functions, calls, and procedures, that are security wise, to aid the masses, not only in auditing efforts, but to help elearn student programmers that are taught wrong in the first place? Not snippets here and there, but a full catalogue of code others can reference and reuse with perhaps some minor changes to fit their programming situations?

Thanks,

Ron DuFresne

On Fri, 19 Jul 2002, Marcus J. Ranum wrote:
Joseph S D Yao wrote:

without commentary providing what you might call the specifications or design, or the social contract between the programmer and the user, there is nothing against which you can hold a piece of code and say, "THIS IS WRONG!" Code is amoral; it has an inherently situational ethic; such that even the grossest of buffer overflows can only lead us to conclude that the code does it, therefore the code does it. We must provide and communicate the moral absolutes against which the code is measured right or wrong. And we can communicate this on dead trees, or in living commentary.

Hmmm... you've convinced me. I hadn't looked at it from that angle before. I guess what was motivating my opinion was some awful early experiences I had at a small security company where they had folks assigned to audit UNIX/C code who didn't know anything about UNIX or C. That left an indelible impression on me. :) In retrospect I'm sure it was just because those staffers had billable hours to expend and that was it. But ever since then I figured that if you gave people like that commented code they'd _audit_ _the_ _comments_ and the whole process is pointless.

But you're right - what we're really talking about is checks and balances. And if you just give code there's, well, just code...

I retract my previous comments on this topic!!! :) Where's the "undo" button?!

mjr.
---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjr () ranum com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!