Linked by Thom Holwerda on Tue 4th Apr 2017 21:49 UTC
Bugs & Viruses

Once upon a time, a friend of mine accidentally took over thousands of computers. He had found a vulnerability in a piece of software and started playing with it. In the process, he figured out how to get total administration access over a network. He put it in a script, and ran it to see what would happen, then went to bed for about four hours. Next morning on the way to work he checked on it, and discovered he was now lord and master of about 50,000 computers. After nearly vomiting in fear he killed the whole thing and deleted all the files associated with it. In the end he said he threw the hard drive into a bonfire. I can't tell you who he is because he doesn't want to go to Federal prison, which is what could have happened if he'd told anyone that could do anything about the bug he'd found. Did that bug get fixed? Probably eventually, but not by my friend. This story isn't extraordinary at all. Spend much time in the hacker and security scene, you'll hear stories like this and worse.

It's hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire.

Computers, and computing, are broken.

It's from 2014, but drop everything you're doing right now and read this. Go on. Don't put it off. Read it.

Not broken, just insecure
by daddio on Wed 5th Apr 2017 02:46 UTC
daddio Member since:
2007-07-14

The entire article is full of things we who love technology already knew... but labelled broken.

What is missing, as is usual in these kinds of articles by security professionals, is perspective.

Computers are useful and wonderful, miraculous even if they leak information like a sieve. Privacy and security are features that matter more in some contexts than others. In the contexts where they really do matter, the world is pretty broken. No argument from me there.

But that is not the big picture, for most users of most computers.

Reply Score: 10

If only it was just computers...
by Kochise on Wed 5th Apr 2017 04:32 UTC
Kochise Member since:
2006-03-03

It's developers
by FooBat on Wed 5th Apr 2017 07:39 UTC
FooBat Member since:
2016-09-08

It's not computers that are broken. It's developers. In my experience, the majority of modern-day developers are morons. It does not help that security is usually not even a concern in their minds when writing an application.

Reply Score: 4

RE: It's developers
by Sidux on Wed 5th Apr 2017 09:06 UTC in reply to "It's developers"
Sidux Member since:
2015-03-10

It's not only developers here.
They usually are the last decision point when changes are required by the client.
There are many sketches out there that try to outline this, and some of them do it quite well.

Reply Score: 2

RE: It's developers
by dekernel on Wed 5th Apr 2017 14:48 UTC in reply to "It's developers"
dekernel Member since:
2005-07-07

Developers are only half of the problem. The other half are the people putting together the functional requirements for a project. They are the ones that don't address the additional time needed to account for security in the development and testing. If security is not addressed up-front, I can guarantee it won't be at the end.

The final player in this game is society. What happens when a big-ass breach happens? The overwhelming majority of people go "meh" and move on. If there is massive accountability placed on the organization that is breached, then someday, security will be addressed.

Reply Score: 2

RE: It's developers
by JLF65 on Wed 5th Apr 2017 14:52 UTC in reply to "It's developers"
JLF65 Member since:
2005-07-06

It's that the pointy-haired bosses of the world don't want to spend money on talent. They don't understand programming, and don't appreciate the work that good coding is, so they hire whomever is cheapest, often from another country. They'll even complain that there aren't enough programmers when what they mean is there aren't enough programmers willing to work for half minimum wage while living ten to an apartment meant for two.

When I can get a job (and boy have I had to slash how much I ask for), I CRINGE at the code I get from previous workers. It's like they had the local Jr High computer class working for them as a school project or something. It's THAT BAD! It isn't even that these other programmers don't know about security, it's that they don't care - they aren't paid enough to care.

Reply Score: 5

RE[2]: It's developers
by Alfman on Wed 5th Apr 2017 15:59 UTC in reply to "RE: It's developers"
Alfman Member since:
2011-01-28

JLF65,

It's that the pointy-haired bosses of the world don't want to spend money on talent. They don't understand programming, and don't appreciate the work that good coding is, so they hire whomever is cheapest, often from another country. They'll even complain that there aren't enough programmers when what they mean is there aren't enough programmers willing to work for half minimum wage while living ten to an apartment meant for two.


osnews won't let me upvote this, so +1 here.

I upvoted FooBat as well, but it's only half the story. Most employers have themselves to blame as well. By far and large, they don't allocate resources to security, they don't reward anything other than hacking something together as quickly as possible and pushing it out. Security is just something they care about when vulnerabilities are made public.

There's many times I've brought up security concerns and they're usually more upset over repair costs than happy we fixed vulnerabilities. It's sad, but that's the economic reality for admins and software developers.


When I can get a job (and boy have I had to slash how much I ask for), I CRINGE at the code I get from previous workers. It's like they had the local Jr High computer class working for them as a school project or something. It's THAT BAD! It isn't even that these other programmers don't know about security, it's that they don't care - they aren't paid enough to care.


+1 again.

I'm seeing the same thing. I'm regularly losing work to much cheaper typically offshore workers. It's very hard to offer great security when the market has decided that it prefers cheaper labor.

One of my clients offshored the development of a Magento website, that's something I could have done, but whatever. They can only work with Ubuntu, so I install the latest 16.4 LTS, but now they say they can only support PHP5, which is no longer being maintained in the latest distributions. I raise this issue and point out that Magento has support for PHP7, but they respond that their code only works with an older unsupported version of Magento that only works on PHP5 and Ubuntu 14.4. I suggest that they need to keep their code up to date with the current version of Magento, but it turns out their developer is not even a real programmer, all that he can do is plug in templates and patches that someone else wrote for them that they are unable to maintain.

Now I'm extremely peeved at this because it means this unmaintained website code from who knows where is going to fall in my lap and I'm either going to have to fix it/replace it myself or just leave it running past EOL. I may not be paid to do the former and I hate being the sysadmin responsible for the latter. It sucks all around that this team is doing an awful job, landing a lot of work due to low rates displacing people like us, and someone else is going to suffer the repercussions of their bad work.

Reply Score: 4

RE[3]: It's developers
by JLF65 on Wed 5th Apr 2017 17:26 UTC in reply to "RE[2]: It's developers"
JLF65 Member since:
2005-07-06

I'd up-vote your post, but I already posted, so can't vote anymore. Anywho, great points, all. I feel for you. Working on someone else's code can be a frustrating, hair-pulling task. In a few cases, I've simply rewritten the code rather than try to maintain/patch the old code. Getting someone to work on someone else's code is even more of a task. Like in your case, they may not have anyone capable of working on it anymore. Good luck on them actually hiring someone capable. That's one of the biggest hurdles involved with sub-contracting out work - you can't count on them having/hiring capable people. :/

Reply Score: 2

RE[2]: It's developers
by whartung on Thu 6th Apr 2017 18:57 UTC in reply to "RE: It's developers"
whartung Member since:
2005-07-06

It's that the pointy-haired bosses of the world don't want to spend money on talent. They don't understand programming, and don't appreciate the work that good coding is, so they hire whomever is cheapest, often from another country. They'll even complain that there aren't enough programmers when what they mean is there aren't enough programmers willing to work for half minimum wage while living ten to an apartment meant for two.


There aren't enough programmers. That's why crappy developers get paid as much as they do. That's why crappy programmers can get work at all. If there were enough programmers, companies could afford to be more selective in their hiring, rejecting bad programmers.

When I can get a job (and boy have I had to slash how much I ask for), I CRINGE at the code I get from previous workers. It's like they had the local Jr High computer class working for them as a school project or something. It's THAT BAD! It isn't even that these other programmers don't know about security, it's that they don't care - they aren't paid enough to care.


That whole "aren't paid enough to care" is a character/value quality, and it's the companies not holding them to account. When you signed up, you agreed to do the task at hand, not do the task at hand in a crappy way. It's not like they're fixed rate, "done by Thursday" developers that under bid and over promised. These are staff developers. The whole "I don't get paid enough to care" is BS. You knew the job coming in, whether it's fast food, or programming. In fast food, you clean the bathrooms.

Since there is a shortage of programmers, bad actors retain employment.

Part of this, of course, is that the management is simply unqualified to judge the quality of the work that they have hired to be done. They can nod their head at the pretty screens and hope the reports balance. Beyond that, it's sausage makings. They don't see the long term technical debt that may have been piled up in their system. But, also, most of the time, they end up never paying off that technical debt. It's cheaper to get a new system made, buy one off the shelf, etc. as the market matures.

So, developers get away with murder. Worse is better.

Finally, there was some study I recall where they basically determined that when it came to data breaches and other security things, it was simply cheaper to "deal with it" after the fact than to be proactive and prevent it in the future. This does not bode well for the industry as a whole.

Reply Score: 2

RE[3]: It's developers
by oiaohm on Thu 6th Apr 2017 21:05 UTC in reply to "RE[2]: It's developers"
oiaohm Member since:
2009-05-30

"It's that the pointy-haired bosses of the world don't want to spend money on talent. They don't understand programming, and don't appreciate the work that good coding is, so they hire whomever is cheapest, often from another country. They'll even complain that there aren't enough programmers when what they mean is there aren't enough programmers willing to work for half minimum wage while living ten to an apartment meant for two.


There aren't enough programmers. That's why crappy developers get paid as much as they do. That's why crappy programmers can get work at all. If there were enough programmers, companies could afford to be more selective in their hiring, rejecting bad programmers.
"

This is an excuse and wrong. People making good audit tools don't work at minimum wage. You are talking at least a BA in mathematics with a high understanding of probability as a required staff member. Also some of those who design memory models and other things key to auditing are not programmers. They have BA-PHD in applied mathematics or are professional document writers who normally also have a BA.

At this point the alarm bells should start ringing. It's not a lack of programmers in a lot of cases. No matter how good a programmer you have, if they don't understand how they should be coding stuff they will make errors. Documentation is key for programmers to understand how they should be doing stuff. So if you employ no documentation writers, your code quality goes down.

Your audit tools need someone with applied mathematics to work out if you have covered every possibility. Again, if your company doesn't employ one of those, you pretty much again have programmers batting in the dark without the information to produce good results. So again you could have perfectly skilled programmers producing bad code.

So investing in more programmers alone will basically never fix this problem.

Mathematically secure is a term for a reason. It's proved by a large amount of maths that is not in the final product.

Reply Score: 2

RE[3]: It's developers
by Alfman on Thu 6th Apr 2017 22:01 UTC in reply to "RE[2]: It's developers"
Alfman Member since:
2011-01-28

whartung,

That whole "aren't paid enough to care" is a character/value quality, and it's the companies not holding them to account. When you signed up, you agreed to do the task at hand, not do the task at hand in a crappy way.



I think JLF65 would agree that it's not so much that we don't care. Honestly many of us working in the industry do care very much and we're just as disappointed as you too. It's not that we're lazy or unwilling or anything like that, but it's not a corporate priority for all of the other reasons you mention.

The biggest complaint I have with regards to security problems in the industry is simply not allocating enough resources for it. A project might very well have zero resources allocated to it until after a compromise takes place. This is one of those topics where all companies will say "yes security is extremely important to us" because they're ashamed to say anything else, but when it comes to dollars and cents almost all of them are guilty of shortchanging it.

In other words, I hear you loud and clear, now go find a way to demand better security from the companies such that they'll actually invest in it up front!



Another point I'd like to address is that just because we're in tech doesn't mean we're all quite as well off or in demand as it seems you are implying. Believe it or not the IT industry faces a lot of layoffs where many senior people with years of experience get tossed to the curb because the companies either can't afford to pay them or would rather replace them with someone cheaper via "restructuring".

Microsoft laid off thousands of US workers while planning to hire more in India:
http://www.businessinsider.com/microsofts-layoffs-are-not-yet-done-...
http://tech.firstpost.com/news-analysis/microsoft-set-to-build-beng...


IBM has been doing this on a continuous basis for a while, laying off thousands of highly paid senior workers while simultaneously bringing on thousands of new employees.
http://www.bizjournals.com/triangle/news/2017/03/30/ibm-confirms-rt...
http://www.businessinsider.com/ibm-added-and-lost-70000-people-2016...



I learned a lot about enterprise databases working with this company, they decided last year to lay off the whole staff in favor of cheaper temporary workers. Employees could apply for their old jobs at lower pay or take severance.
http://www.computerworld.com/article/3059256/it-careers/rejecting-e...


Understand that I'm not trying to complain here, but rather use these examples to maybe convince you that it's not simply a matter of companies not being able to find skilled workers. There's also a problem with companies actively flushing their experienced workforce in exchange for less experienced staff for lower wages.

I posted this not long ago, maybe you'll find it interesting?
http://www.cbsnews.com/videos/youre-fired/

Reply Score: 2

RE[4]: It's developers
by whartung on Fri 7th Apr 2017 00:37 UTC in reply to "RE[3]: It's developers"
whartung Member since:
2005-07-06


The biggest complaint I have with regards to security problems in the industry is simply not allocating enough resources for it. A project might very well have zero resources allocated to it until after a compromise takes place. This is one of those topics where all companies will say "yes security is extremely important to us" because they're ashamed to say anything else, but when it comes to dollars and cents almost all of them are guilty of shortchanging it.

In other words, I hear you loud and clear, now go find a way to demand better security from the companies such that they'll actually invest in it up front!


It's clear from either a regulatory and/or market force factor, at this point, that security is not worth it to the company. They're willing to risk the compromises. Dumping your infrastructure and deferring it to faceless 3rd parties in "the Cloud" is, demonstrably, "worth it", as more and more folks organically are doing it. Security, not so much.

I think it's, while not trivial, relatively straightforward to pass a modern external 3rd party pen test. I've been through a couple of those, and they never wanted to see the source code. Instead, they black boxed it, asked if we hashed our passwords, "Here's the URL, go to it", and script kiddied their way to an analysis and report.

Another point I'd like to address is that just because we're in tech doesn't mean we're all quite as well off or in demand as it seems you are implying. Believe it or not the IT industry faces a lot of layoffs where many senior people with years of experience get tossed to the curb because the companies either can't afford to pay them or would rather replace them with someone cheaper via "restructuring".

Microsoft laid off thousands of US workers while planning to hire more in India:
http://www.businessinsider.com/microsofts-layoffs-are-not-yet-done-...
http://tech.firstpost.com/news-analysis/microsoft-set-to-build-beng...


IBM has been doing this on a continuous basis for a while, laying off thousands of highly paid senior workers while simultaneously bringing on thousands of new employees.
http://www.bizjournals.com/triangle/news/2017/03/30/ibm-confirms-rt...
http://www.businessinsider.com/ibm-added-and-lost-70000-people-2016...



I learned a lot about enterprise databases working with this company, they decided last year to lay off the whole staff in favor of cheaper temporary workers. Employees could apply for their old jobs at lower pay or take severance.
http://www.computerworld.com/article/3059256/it-careers/rejecting-e...


Absolutely. It was bad enough when jobs are out sourced and off shored. It's even worse when instead of moving the work out, they're bringing the workers in.

But I don't know if there's a glut of developers in the market. I don't know why an imported person would take less money than someone already here. They have the same expenses, they have to live where everyone else does. Housing here in So Cal is awful, not as bad as the bay area, but awful. Perhaps they're willing to earn less since they don't need to sock away as much for their retirement, since they don't plan to stay. Perhaps they're willing to live in cheaper conditions (several room mates, etc.). Perhaps they view a short term (few years) sacrifice in living standard (our living standards) worth the net gain they receive, even at a lower nominal rate. Simply, when you have 2 people living in the same area, why is one willing to work for so much less than the other in the same market.

The "hue and cry" for more developers, to the point that they're shipping them in, suggests that we simply don't have enough. That the natural labor market forces haven't driven the costs down to where they equalize with the "low cost contracts" that are paid to the foreign providers. Thus the calls for market protection (fewer visas, etc.) I'm trying to avoid politics, and I'm not Laissez-faire.

And I certainly don't agree with what's happening in this sector surrounding this.

But, that said, are folks refusing positions because they're paying too low? And if they are, then what are they doing instead? If the labor rate would net higher if the foreign importation ceased, that suggests that there is a rise in demand compared to supply ("not enough programmers").

I believe that there really is not enough programmers. I believe that programming is not "for everyone", that "everyone can code" as Tim Cook says. I think there is a difference between copying and pasting PHP and website templates and "programming". At the same time, I am a great advocate for end user programming, for tools that lower the barrier to entry, and, heck, the fact that someone can "be successful" by cutting and pasting PHP and website templates, truly, that's a good thing. We don't need computers to be in the hands of the elite to be useful. How many EEs are cringing at the who knows what contraptions folks are wiring together with little more knowledge than where the red and green wires go using things like Arduino et al. But if Sally gets her electric clothing costume with streaming, synchronized lights through a bit of solder, some "shields", and cut and pasted code -- that's a great thing.

On the other hand, much of programming is becoming a blue collar enterprise. High level drag and drop, wiring together stuff you didn't write. The Arduino of programming. No real understanding, just cut and paste the internet in some new order to get your application. But that's still "wizardry" enough to get by for many applications. And, for many, that "worse is better", is good enough. Why should they pay premium rates? The internet is what Home Depot is to home improvement projects. Peter Principle as far as you can, and finally break down and hire an expert to deal with the last mile when you've found yourself over your head.

We are an unlicensed, uncertified bunch. I'm fundamentally against the idea of formalizing that, as I think it would destroy the market, or be completely useless. The industry is still not mature enough. Don't make me liable for whatever Microsoft decided to shove down the Internet some Tuesday night. As developers, we simply don't have a leg to stand on. We use all this stuff, but we can't trust any of it. When there is documentation, it's wrong or incomplete. And we're supposed to share the same responsibility for a web site that a civil engineer is for a building. Not hardly.

So, the consumers -- they get pot luck. Developer du jour creating constructs the end user can't judge beyond the pretty pictures they show on the screen. No wonder they're willing to take anyone they can find.

Reply Score: 2

RE[5]: It's developers
by Alfman on Fri 7th Apr 2017 08:53 UTC in reply to "RE[4]: It's developers"
Alfman Member since:
2011-01-28

whartung,

But I don't know if there's a glut of developers in the market. I don't know why an imported person would take less money than someone already here. They have the same expenses, they have to live where everyone else does. Housing here in So Cal is awful, not as bad as the bay area, but awful.


Ah yes, So Cal and bay area...that could explain it. Everyone from there has a distinctly different impression of the market than I see. I think you are right about the costs, they are so high that it creates a shortage of employees willing to move themselves and families there. When I hear about the costs in that area it's clear I would need a huge raise to be able to afford to raise my family there.

Incidentally I've never really understood why companies choose to move to areas with such high costs of living. It encourages commuter hell as employees try to live as far away as they can to afford cheaper housing yet still manage to drive to their job. It's awfully inefficient. I guess it's trendy, but to me it would make a lot more sense to open a company around a university or someplace where there's a continuous supply of new candidates eager to begin work and would prefer not to relocate.

Simply, when you have 2 people living in the same area, why is one willing to work for so much less than the other in the same market.



I think the key is their visas, while they're technically working alongside us, they're not competing in the same market as us. It creates an interesting dynamic. With a legally fixed number of H1B visas, the demand for H1B here in the US is much higher than the supply, but paying more has ZERO effect on a company's chances in the lottery, so there's no incentive to increase pay. Overseas however, there are millions of workers actually competing to get an H1B spot, the supply of candidates far exceeds the fixed demand for them, and so this suggests a downward pressure on H1B wages.

Also temporary visa workers know they're going back home where the money will be worth a lot more. The H1B visa is sponsored by the company, which as I understand it means they're not free to leave their job without losing the visa and having to reapply to the lottery system again next year.




I believe that there really is not enough programmers. I believe that programming is not "for everyone", that "everyone can code" as Tim Cook says. I think there is a difference between copying and pasting PHP and website templates and "programming". At the same time, I am a great advocate for end user programming,
...
On the other hand, much of programming is becoming a blue collar enterprise.
...
We are an unlicensed, uncertified bunch. I'm fundamentally against the idea of formalizing that, as I think it would destroy the market, or be completely useless. The industry is still not mature enough. Don't make me liable for whatever Microsoft decided to shove down the Internet some Tuesday night. As developers, we simply don't have a leg to stand on.
...


You bring up a lot of good points. My response: chuckle it off and nod in agreement.

Edited 2017-04-07 09:08 UTC

Reply Score: 2

Good and bad article
by avgalen on Wed 5th Apr 2017 07:45 UTC
avgalen Member since:
2010-09-23

First of all, I call bullshit on this story. It sounds like nothing more than a typical "I hacked the pentagon when I was young, but I won't tell you how and there is 0 proof".

Once upon a time, a friend of mine accidentally took over thousands of computers. He had found a vulnerability in a piece of software and started playing with it. In the process, he figured out how to get total administration access over a network. He put it in a script, and ran it to see what would happen, then went to bed for about four hours. Next morning on the way to work he checked on it, and discovered he was now lord and master of about 50,000 computers. After nearly vomiting in fear he killed the whole thing and deleted all the files associated with it. In the end he said he threw the hard drive into a bonfire. I can't tell you who he is because he doesn't want to go to Federal prison, which is what could have happened if he'd told anyone that could do anything about the bug he'd found.


...but I read the article anyway and especially in the beginning it has some good information and analysis. Surely worth reading.

...and then the last part of the article (a few paragraphs into "People, as well, are broken") is clearly getting less coherent and out of the expertise of the writer.

Reply Score: 3

Liar
by terra on Wed 5th Apr 2017 09:57 UTC
terra Member since:
2012-11-01

Seriously.... "Accidentally"? No, he created a script and left it running. How could it be accidental? It could only be intentional.

Reply Score: 1

Had my laptop taken away at hospital...
by xristos on Wed 5th Apr 2017 11:14 UTC
xristos Member since:
2014-04-25

... because I logged on to their WiFi and discovered PCs with patient and doctor records that were sharing everything!

I was in the emergency room waiting to see a doctor and bored out of my mind. I took my laptop out and looked for free wifi to surf the web, when I discovered that the only (and public) wifi there also had PCs with these private files on them.

I told a nurse about it and she solved the problem by simply taking my laptop away :|

Reply Score: 2

JLF65 Member since:
2005-07-06

Thus solving the problem once and for all.

But...

ONCE AND FOR ALL!


Yeah, that's part of the problem - the people in charge don't want to pay to SOLVE the problem, they expect the current workers to cover the symptoms as part of their current job. The nurse can't solve the problem, but she can take away your laptop.

Reply Score: 3

Comment by kurkosdr
by kurkosdr on Wed 5th Apr 2017 11:24 UTC
kurkosdr Member since:
2011-04-11

Since we are proposing things for other people to read, there is a book called the "unix haters handbook" (Google it, it is offered by the publisher for free).

Among other things, it prophesied how C's insistence on the lowest common denominator, emphasis on speed over security, and worse-is-better would result in disasters in the future, and how C++ was the COBOL of the 2000s.

The book is written in a very fun and easy-to-read manner (yet amazingly technically correct) and if you haven't read it yet, do so.

This is what I tell to people who preach Desktop Linux: Your OS is a non-sandboxed, written-in-C piece of garbage that allows apps to inherit all the user's permissions (instead of restricting permissions on a per-app basis). You are just lucky nobody wants to hack you, because if they wanted, they'd probably shellshock their way towards you. Most Linux people keep their servers running unrestarted for years (the uptimes!), so their main memory is full of loaded vulnerable code (even if the binary has been replaced on disk, the old version remains loaded in memory until a restart).

Android is good enough (assuming you have the latest version like my Nexus has), and Fuchsia will be better. Google has an interest in security. They don't want hackers to steal user private data that axiomatically belong to the Google Adbot.

Edited 2017-04-05 11:28 UTC

Reply Score: 2

RE: Comment by kurkosdr
by osvil on Wed 5th Apr 2017 15:25 UTC in reply to "Comment by kurkosdr"
osvil Member since:
2012-10-25

Sorry, but the COBOL of the 2000s is not C++, it is Java.

And I doubt the problem is "C", nor any language for that matter. The problem is "deep stacks" of libraries. In fact, in the article it points to that very same problem.

The problem is a developer working on something (s)he doesn't fully understand often relying on libraries that are built on top of libraries on top of libraries. Many of them developed as well by people that didn't fully know what they were doing, linking them using tools they don't fully understand.

I am pretty sure there are many people (I've seen plenty of them) releasing software written in C++, linking against a plethora of libraries, not even knowing how the linker works. When I think about this the first book of Foundation comes to mind. The empire collapsing because people forgot how technology actually worked and all machinery being operated following some kind of ritual.

I am pretty sure there will be work for "software archeologists" in the near future, which will just "dig" into layers of "old code" to retrieve useful information. Well... maybe it already exists in the form of security experts.

Reply Score: 3

RE[2]: Comment by kurkosdr
by Alfman on Wed 5th Apr 2017 16:19 UTC in reply to "RE: Comment by kurkosdr"
Alfman Member since:
2011-01-28

osvil,

And I doubt the problem is "C", nor any language for that matter. The problem is "deep stacks" of libraries. In fact, in the article it points to that very same problem.

The problem is a developer working on something (s)he doesn't fully understand often relying on libraries that are built on top of libraries on top of libraries. Many of them developed as well by people that didn't fully know what they were doing, linking them using tools they don't fully understand.



I think the most severe classes of faults are due to unsafe languages like C. Even someone proficient in security will make mistakes. IMHO choosing a safe language is step #1 for safe software.

I find your perspective on libraries interesting. Building layers of high level abstractions is often touted as one of the great enablers for modern software.

Clearly libraries enable some programmers to write programs that they wouldn't otherwise be able to write, which is ostensibly good, but the flip side of that is that programmers are writing programs they may not fully understand, which is ostensibly bad.

Of course there are other criticisms too, like the inefficiencies that are often the result of too many layers.


Do you think there's a solution?

Reply Score: 2

RE[3]: Comment by kurkosdr
by JLF65 on Wed 5th Apr 2017 17:34 UTC in reply to "RE[2]: Comment by kurkosdr"
JLF65 Member since:
2005-07-06

The most severe faults are not due to the language, but due to the programmer either not understanding where security comes from, or not caring. There are very few languages written with security in mind, and there are also compilers for other languages that vastly improve the security of the language being compiled. It all comes down to the programmer understanding AND caring enough to make a secure program/library/driver. I can take the least secure language you can find and make a 100% secure program. I can also take the most secure language you can find and make a 0% secure program. Piss off your programmers and just see what they're capable of! ;)

Reply Score: 3

RE[4]: Comment by kurkosdr
by Alfman on Wed 5th Apr 2017 18:35 UTC in reply to "RE[3]: Comment by kurkosdr"
Alfman Member since:
2011-01-28

JLF65,

"The most severe faults are not due to the language, but due to the programmer either not understanding where security comes from, or not caring. There are very few languages written with security in mind, and there are also compilers for other languages that vastly improve the security of the language being compiled. It all comes down to the programmer understanding AND caring enough to make a secure program/library/driver. I can take the least secure language you can find and make a 100% secure program. I can also take the most secure language you can find and make a 0% secure program. Piss off your programmers and just see what they're capable of!"


I agree, there's no doubt that skill and experience come into play. However my comment was aiming more at the fact that even skilled engineers make bad assumptions from time to time and it's not necessarily due to inexperience, just that over time our ability to track all assumptions in our head can be impaired by the sheer volume of code.

Obviously we can still produce bugs in a managed language, but IMHO memory corruption is the most insidious and common kind of bug with unsafe languages. This is where safe languages can help us all produce more secure code. I concede that whether we like safe languages or not is a different matter ;)

Edited 2017-04-05 18:37 UTC

Reply Score: 2

RE[5]: Comment by kurkosdr
by Alfman on Wed 5th Apr 2017 21:31 UTC in reply to "RE[4]: Comment by kurkosdr"
Alfman Member since:
2011-01-28

Another example would be parameterized SQL interfaces versus generating full SQL statements by concatenating strings programmatically. While there's nothing wrong with concatenating properly escaped values, as you can imagine I see a lot of horrible PHP code that concatenates values without escaping, thereby making them vulnerable to SQL injection. ;)

This goes to what you said: despite PHP having safe memory management, there's a lot of terrible programming practices anyways. Encouraging the consistent use of parameterized functions should curtail this somewhat, but then there's always something else, like cross-site-scripting. Or using predictable tokens to identify a session, or...

We need a do-what-I-mean-not-what-I-say programming language ;)

Realistically though if such a language existed it would only serve to lower the bar again and businesses would hire even less competent programmers, haha.

Edited 2017-04-05 21:33 UTC

Reply Score: 2
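
The contrast drawn in the comment above, concatenated SQL versus a parameterized interface, as an added example that is not part of the original thread. It uses Python's sqlite3 module instead of PHP so that it runs self-contained; the table, the sample rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-token"), ("bob", "b-token"), ("o'brien", "c-token")],
    )
    return db

def lookup_concatenated(db, name):
    # Unsafe: the value is pasted into the statement text without escaping,
    # so the database parses whatever the caller supplied as SQL.
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    # Safe: the statement text is fixed and the value is bound separately,
    # so it can only ever be compared as data.
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def compare(name):
    """Run both lookups on a fresh database; return (unsafe, safe) results."""
    db = make_db()
    try:
        unsafe = lookup_concatenated(db, name)
    except sqlite3.OperationalError as exc:
        # A legitimate name containing an apostrophe already breaks the query.
        unsafe = "error: %s" % exc
    safe = lookup_parameterized(db, name)
    db.close()
    return unsafe, safe

if __name__ == "__main__":
    # Constructed inputs: a plain name, a legitimate name with an apostrophe,
    # and a value that rewrites the WHERE clause when concatenated.
    for value in ["alice", "o'brien", "nobody' OR '1'='1"]:
        unsafe, safe = compare(value)
        print(repr(value))
        print("  concatenated :", unsafe)
        print("  parameterized:", safe)
```

The apostrophe case is the one to watch for in code review and logs: a syntax error on ordinary user input is often the first visible sign that a query is being built by concatenation.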

RE[6]: Comment by kurkosdr
by kwan_e on Wed 5th Apr 2017 23:21 UTC in reply to "RE[5]: Comment by kurkosdr"
kwan_e Member since:
2007-02-18

"We need a do-what-I-mean-not-what-I-say programming language ;)

Realistically though if such a language existed it would only serve to lower the bar again and businesses would hire even less competent programmers, haha."


So you're saying Rust will breed incompetency. *walks away, whistling nonchalantly*

Reply Score: 2

RE[7]: Comment by kurkosdr
by Alfman on Thu 6th Apr 2017 01:49 UTC in reply to "RE[6]: Comment by kurkosdr"
Alfman Member since:
2011-01-28

kwan_e,

"We need a do-what-I-mean-not-what-I-say programming language ;)

Realistically though if such a language existed it would only serve to lower the bar again and businesses would hire even less competent programmers, haha.


So you're saying Rust will breed incompetency. *walks away, whistling nonchalantly*"


To suggest that Rust is this language is a backhanded compliment to Rust you know ;)

I guess if you want to analyze the cost/benefits from this perspective you have to ask yourself if the improvements caused by safer and easier languages are sufficient to overcome the lowered competency of programmers who may begin to use them.


I think PHP replacing the more difficult Perl is a good historical example of this. PHP made web programming more accessible to less competent programmers, but they would go on to produce the world's most notoriously insecure code. ;) So are we better off for having PHP? That's a very intriguing question I don't have an answer for.

Reply Score: 2

RE: Comment by kurkosdr
by Bill Shooter of Bul on Wed 5th Apr 2017 16:53 UTC in reply to "Comment by kurkosdr"
Bill Shooter of Bul Member since:
2006-07-14

https://fuchsia.googlesource.com/magenta/+/master/kernel/app/app.c

Fuchsia is also written in C.

Google also has security issues. Magic security does not rain down on us from the Gods sitting on their perch in Mountain View.

Reply Score: 3

OMG - this text is a waste of time!
by kovacm on Wed 5th Apr 2017 14:07 UTC
kovacm
Member since:
2010-12-16

If you want a good talk/read on the subject, please watch Alan Kay
- Is it really "Complex"? Or did we just make it "Complicated"?

https://www.youtube.com/watch?v=ubaX1Smg6pY

Reply Score: 2

JLF65 Member since:
2005-07-06

+100!!! I can't tell you how often I've seen code where I can replace an entire MODULE with two or three lines of code. I suspect they were paid by the line... ;)

A program I was working on just a couple months ago, I replaced five files of code with three short functions. It's easier to read, easier to maintain, and much faster. Being far shorter means it's easier to check for security - I'd have hated to vet the old code for security... or even proper operation! Which might be the real reason it was so complicated - it's a corollary to the old quote from "Real Programmers": Real Programmers never comment - if it was hard to write, it should be hard to read, and even harder to modify.

Reply Score: 2

allanregistos Member since:
2011-02-10

"+100!!! I can't tell you how often I've seen code where I can replace an entire MODULE with two or three lines of code. I suspect they were paid by the line... ;)

A program I was working on just a couple months ago, I replaced five files of code with three short functions. It's easier to read, easier to maintain, and much faster. Being far shorter means it's easier to check for security - I'd have hated to vet the old code for security... or even proper operation! Which might be the real reason it was so complicated - it's a corollary to the old quote from "Real Programmers": Real Programmers never comment - if it was hard to write, it should be hard to read, and even harder to modify."


That is why, in my opinion, it is more important to have more "files" than more "lines" in your software project. Functions should be separated logically from each other and called from the main program when necessary. Is this what we are doing, or were some programmers just too lazy to create a library of functions, adding functions without knowing that doing so makes things more complicated during code review or debugging?

Reply Score: 2

JLF65 Member since:
2005-07-06

You got that right. Programmers sometimes feel the overwhelming need to put EVERYTHING in a single file. I've worked on projects that were one file with more than a megabyte of code in it! That's just nuts!

I should probably remark on why multiple smaller files are good: it's a form of commenting coupled to the hierarchical structure of functions. The file names tell you what a function or set of functions is related to, and the hierarchy the files follow tells how they relate to the rest of the project. The smaller the file, the more specific a comment the name becomes.

Edited 2017-04-06 14:41 UTC

Reply Score: 2

Let us start using this
by allanregistos on Thu 6th Apr 2017 00:15 UTC
allanregistos
Member since:
2011-02-10

Qubes OS.
https://www.qubes-os.org/

Is this a solution?

Reply Score: 2