[EMAIL PROTECTED] wrote:
On Mon, 27 Oct 2003 14:35:02 +1100, Brett Hutley said:
CALL STACK:
1: accept_user_input(); /* validate user input here */
2: processing_loop_with_user_input(); /* rather than here */
Of course, validating in (1) rather than (2) introduces race conditions and
the like (
Chris Eagle wrote:
-----Original Message-----
From: Brett Hutley [mailto:[EMAIL PROTECTED]
So you're saying I don't need to worry if a file pointer is NULL before
passing it through to fprintf()? So I don't need to worry if an argument
to strcpy() is NULL? Or are you trying to say that the standard
On Sun, 26 Oct 2003 23:07:18 EST, Bill Royds <[EMAIL PROTECTED]> said:
> such as OpenSSH has been found to have security problems. If you look at
> security advisories, find out how many come from Ada code. C makes it hard
> to write secure code.
I wasn't aware there was enough of a code base o
On Sun, 26 Oct 2003, Bill Royds wrote:
> You are saying that a language that requires every programmer to check for
> security problems on every statement of every program is just as secure as
> one that enforces proper security as an inherent part of its syntax?
> And I suppose that you also
Brett Hutley wrote:
> Sent: Sunday, October 26, 2003 7:44 PM
> To: Paul Schmehl
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Coding securely, was Linux (in)security
>
>
> Paul Schmehl wrote:
>
> *snip*
> > You complain that the code would be really slowed down if
> consistent and
> > co
> -----Original Message-----
> From: Brett Hutley [mailto:[EMAIL PROTECTED]
>
> So you're saying I don't need to worry if a file pointer is NULL before
> passing it through to fprintf()? So I don't need to worry if an argument
> to strcpy() is NULL? Or are you trying to say that the standard librar
On Mon, 27 Oct 2003 14:35:02 +1100, Brett Hutley said:
> CALL STACK:
> 1: accept_user_input(); /* validate user input here */
> 2: processing_loop_with_user_input(); /* rather than here */
Of course, validating in (1) rather than (2) introduces race conditions and
the like (all sorts of TOCTOU is
--On Sunday, October 26, 2003 7:25 PM -0800 Chris Eagle
<[EMAIL PROTECTED]> wrote:
That is the most backward thing I have ever heard. So you are saying all
I need to do as a programmer is tell you not to pass a negative
number/null pointer/un-initialized value... to my function and I am off
the h
Chris Eagle wrote:
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul Schmehl
...
But it shouldn't be the job of the writer of a subroutine to verify the
inputs. The writer of a subroutine defines what the appropriate inputs to
that routine are, and it's u
----- Original Message -----
From: "Paul Schmehl" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, October 26, 2003 8:39 PM
Subject: [Full-Disclosure] Coding securely, was Linux (in)security
> --On Sunday, October 26, 2003 8:04 PM -0500 Bill Royds <[EMAIL PROTECTED]>
> wrote:
>
> > You
Paul Schmehl wrote:
*snip*
You complain that the code would be really slowed down if consistent and
complete error checking were done. I wonder if anyone has ever really
tried to write code that way and then tested it to see if it really
*did* slow down the process? Or if this is just another
> On top of what Christian said, if you want people to know about your
> key, post it to a keyserver like keyserver.pgp.com.
>
> On Sat, Oct 25, 2003 at 02:05:24PM +0200, Christian Horchert wrote:
> > Hello Lorenzo!
> >
> > >so here is my new pgp key ready to use :
[...]
> > --
> > "If you don't
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Paul Schmehl
>...
>
> But it shouldn't be the job of the writer of a subroutine to verify the
> inputs. The writer of a subroutine defines what the appropriate inputs to
> that routine are, and it's up to
Paul Schmehl wrote:
--On Monday, October 27, 2003 10:23 AM +1100 Brett Hutley
<[EMAIL PROTECTED]> wrote:
Also using these types of functions in operating system code is a good way
to create a *REALLY* S L O W system. In maybe 80% of system code you are
going to know who ALL the callers of the fu
Paul Schmehl wrote:
If the input is *known* or has already been validated, why would you
need to check it? My point is, if you can't know what the input will
be, you *must* check it. The problem is that many programmers don't
think like hackers. They write code as if every user will input th
--On Sunday, October 26, 2003 8:04 PM -0500 Bill Royds <[EMAIL PROTECTED]>
wrote:
You are saying that a language that requires every programmer to check for
security problems on every statement of every program is just as secure as
one that enforces proper security as an inherent part of its synt
Title: RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
Just a question. We are counting bugs, right? Why aren't we counting the bugs that got fixed in, for example, SP4 for Windows 2000? That was released this year, correct? It contains at least 670 bugs fixed. Are we counting remo
On Sun, 26 Oct 2003 11:55:15 PST, "Gregory A. Gilliss" said:
> experts. Mudge and Aleph1 found buffer overflows BITD. Route discovered
Were Mudge and Aleph1 already doing that stuff when the Morris Worm went out in
late 1988 and abused some buffers in fingerd? "Smashing the stack for fun and
pro
--On Monday, October 27, 2003 10:23 AM +1100 Brett Hutley
<[EMAIL PROTECTED]> wrote:
Also using these types of functions in operating system code is a good way
to create a *REALLY* S L O W system. In maybe 80% of system code you are
going to know who ALL the callers of the function are and are goi
You are saying that a language that requires every programmer to check for
security problems on every statement of every program is just as secure as
one that enforces proper security as an inherent part of its syntax?
And I suppose that you also believe in the tooth fairy.
Yes, it is possibl
Actually there is a significant difference between OS that get a large
number of vulnerabilities released like Windows, Linux etc. and those OS
like VMS and OS/400 that do not.
The real difference is the programming language used to write the code. The
C programming language used for Windows, Linux
Ted Unangst wrote:
On Mon, 27 Oct 2003, Brett Hutley wrote:
char buf[10];
const char *str1 = "OVER";
const char *str2 = "FLOW!";
sprintf(buf, "%s%s", str1, str2);
Admittedly a contrived example. The best way to handle this type of
stuff is to provide "safe" functions - like a sprintfn() that
On Mon, 27 Oct 2003, Brett Hutley wrote:
> char buf[10];
> const char *str1 = "OVER";
> const char *str2 = "FLOW!";
> sprintf(buf, "%s%s", str1, str2);
>
> Admittedly a contrived example. The best way to handle this type of
> stuff is to provide "safe" functions - like a sprintfn() that takes
I'm not a technical person, but I haven't seen any
posts here on the subject yet.
Today, a new virus/worm started spreading over most
IRC networks, information below:
It spreads by saying the address of a "picture"
file called britney.jpg on irc networks that you are connected to.
For more
--On Sunday, October 26, 2003 12:45 PM -0500 Bill Royds
<[EMAIL PROTECTED]> wrote:
Actually there is a significant difference between OS that get a large
number of vulnerabilities released like Windows, Linux etc. and those OS
like VMS and OS/400 that do not.
The real difference is the programmin
Okay, first how about a mea culpa - are you part of the OpenBSD group?
Because this sounds suspiciously like the kind of observation, albeit
justified, that would be posted by them. No slander intended, just
curious.
Second, I disagree, and here's why:
, regardless of what language/tool the O
On Fri, 24 Oct 2003 [EMAIL PROTECTED] wrote:
> > Hi, Mitch -- welcome to the Internet! Here's a tool you might find
> > helpful, it's called a 'Search Engine'! ;)
> > A quick google for a few bytes worth of shellcode returned a few
> > pages of jinglebellz.c related discussion.
> > http://www.ji
no shit!
how revolutionary!
- snot, finder of bugs without perl dash e
---
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-
yeah this is a fuckin unpatched vulnerability since few weeks, here are some links/tests :
http://www.k-otik.com/WMPLAYER-TEST/
http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html
Solution : Disable Active Scripting !!!
Cheers.
Tom Russell <[EMAIL PROTECTED]> wrote:
Am I the only one getting annoyed a lil bit
by this Lorenzo Hernandez Garcia-Hierro??
Everyone in favor of +kb raise your hand?
On Sat, 25 Oct 2003 17:28:35 +0200, qobaiashi <[EMAIL PROTECTED]> wrote:
On Saturday, 25 October 2003 00:44, Lorenzo Hernandez
Garcia-Hierro wrote:
Hi all,
Some pe
Paul Schmehl wrote:
--On Sunday, October 26, 2003 12:45 PM -0500 Bill Royds
<[EMAIL PROTECTED]> wrote:
Actually there is a significant difference between OS that get a large
number of vulnerabilities released like Windows, Linux etc. and those OS
like VMS and OS/400 that do not.
The real differe
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dilema posted the *same* message twice to FD, just because he is a fame
whore.
- --=-QFP9PbcI+zCcGGGTK/wB
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Yeah umm that's some sexy shellcode there.
>
> /* x86 bind shellcode */