Author: g4sra
Date:
To: dng@lists.dyne.org
Subject: Re: [DNG] Nasty Linux systemd security bug revealed
On Monday, July 26th, 2021 at 4:48 PM, Steve Litt <slitt@???> wrote:
> Andreas Messer said on Mon, 26 Jul 2021 09:38:23 +0200
>
> > My feeling is that you cannot simply teach someone how to write safe software.
>
> Why not? You can teach a person to do anything else. But maybe not in
> college, because college is built to make money, not to teach. Consider
> the average textbook and compare to the average "For Dummies" book. The
> former makes the subject matter look incredibly complex, justifying the
> professor. The latter makes it easy to learn.
>
> What is needed is a curated document explaining the five or ten or
> twenty things you need to do to be secure, and then how to achieve them
> in a practical world.

Software is far too complex to be audited by following a fixed set of generic rules;
otherwise someone would already have written software that can do exactly that.
We have some tools, but they are incomplete and fallible.

The personality of the individual is key, which is why not everyone can learn to program safely.
I witnessed an individual sail through and get top marks at college; they had an eidetic mind.
They could recall any fact they had been told or read instantly and accurately.
But they had no creativity and could easily be tripped up by the simplest of problems if they had not seen it before.


> Let's start with input field cleansing and
> protection from errant pointers and buffer overflow. There are many
> more:

Yeah, that's what they taught me at college :).

> It takes some effort to learn, but I doubt it's rocket science

Which is why they call it Computer Science: it's harder.
Rocket Science has a formula for everything; even the top AI experts cannot formulate the intricacies of a Neural Net program.

> and one certainly doesn't need to come from a family who can fund
> college plus living expenses for 4 years, or 7, or whatever.

Agreed, we must all have at least heard of Kevin Mitnick, who as a teenager learnt from his dad, a security expert.
How executing software processes what you enter into it is as much a security concern as the source code.
>
> SteveT
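The two items Steve names, "input field cleansing" and buffer overflow, are the canonical C example of what the thread is arguing about. The block below is an added illustration, not code posted by anyone in the thread: an unchecked copy into a fixed-size buffer beside a bounds-checked, whitelisting version. The record layout (a 16-byte user-name field, alphanumerics plus `_` and `-` allowed) and the sample inputs are assumptions made up for the demo.

```c
/*
 * Added example (not from the mailing-list thread): an unchecked string copy
 * beside a bounds-checked, cleansing one. Field size, allowed character set
 * and sample inputs are assumptions for this demo.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USER_MAX 16   /* bytes reserved for a user name, NUL included */

/* Vulnerable: trusts the caller's input to fit. A name of 16 or more bytes
 * writes past dst, which is exactly the bug class under discussion. Kept
 * here for contrast only; never call it on untrusted data. */
void copy_user_unchecked(char dst[USER_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened: refuse oversized input rather than truncate it, and cleanse the
 * field so only characters the rest of the program expects can reach it.
 * Returns true on success; on any failure dst is left as an empty string. */
bool copy_user_checked(char dst[USER_MAX], const char *src)
{
    dst[0] = '\0';
    if (src == NULL)
        return false;

    /* Bounded scan: never reads more than USER_MAX bytes of src, so even an
     * unterminated input cannot make this read too far. */
    size_t n = 0;
    while (n < USER_MAX && src[n] != '\0')
        n++;
    if (n == 0 || n >= USER_MAX)   /* empty, or no room left for the NUL */
        return false;

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return false;          /* reject rather than "fix up" the field */
    }

    memcpy(dst, src, n + 1);       /* n + 1 <= USER_MAX, NUL included */
    return true;
}

int main(void)
{
    /* Constructed inputs: one valid, one oversized, one carrying a shell
     * metacharacter that a later popen()-style call would misinterpret. */
    const char *inputs[] = {
        "alice_01",
        "this_name_is_far_too_long_for_the_buffer",
        "bob;rm",
    };
    char user[USER_MAX];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        bool ok = copy_user_checked(user, inputs[i]);
        printf("%-45s -> %s%s\n", inputs[i],
               ok ? "accepted: " : "rejected", ok ? user : "");
    }
    return 0;
}
```

The design choice worth noting is reject-not-repair: truncating or stripping characters silently changes the meaning of the input and tends to reintroduce the very ambiguity the check was meant to remove, whereas a boolean failure forces the caller to handle the bad record explicitly.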