Linked by Thom Holwerda on Wed 1st Apr 2009 13:48 UTC
Bugs & Viruses
We're well and deep into April 1 now, and if you were to believe some of the reports and hype on the internet, we should've all been paying in bottle caps right about now. As any sane person already saw coming, the Windows worm Conficker didn't do anything. It just kind of sat there, patiently mocking all those who did not update their machines properly.
Thread beginning with comment 356302
RE[5]: April Fools
by PlatformAgnostic on Wed 1st Apr 2009 18:40 UTC in reply to "RE[4]: April Fools"

What makes you think NASA writes bug-free code? They just test their code, have some redundancy in their systems, and don't have to put up with malicious users.

Score: 4

RE[6]: April Fools
by sbergman27 on Wed 1st Apr 2009 19:14 in reply to "RE[5]: April Fools"

What makes you think NASA writes bug-free code?

I've been following NASA lately. There's some really exciting stuff going on. For example, the Kepler mission is going to give us a remarkably reliable statistical map of "Earth-like" planets in their stars' "habitable zones" in just 3 or 4 years. But... as Thom asserts... it's not bug-free code[1]:

My assertion is that software projects, including those at Microsoft (and yeah, Mozilla), have come to expect that we won't roast them for being careless. (Hell, we heap praise upon Mozilla for being careless... after they release the fix.) And the more lax we become in our insistence upon quality, the more lax they will become in their development and release practices.

I used to despise DJ Bernstein and his attitudes. These days I'm not so sure.

[1] It is, however, well thought out and resilient.

Edited 2009-04-01 19:24 UTC

Score: 3

RE[7]: April Fools
by PlatformAgnostic on Thu 2nd Apr 2009 01:38 in reply to "RE[6]: April Fools"

Some of it is not just carelessness. Security bugs usually arise when people have subtle misconceptions about the contracts of the functions they call (or the functions are misspecified). You really can't get anything done if you spend all of your time reading every callgraph down to its leaves.

Microsoft (particularly the Windows team) tries its hardest to catch all of these security defects by banning certain unsafe standards, by encoding the contracts in a static annotation language that is checked by machine before code is allowed into the main branches, and by fuzzing and heavily reviewing parsers, protocols, and externally-facing code. It's still possible to miss something, however.

I wish DJB luck in 'putting the security industry out of business.' I'm afraid though that to truly do that, we'd need to ensure that all network-facing software is written by a small cadre of uber-programmers, reviewed by another set of uber-programmers, and fuzzed/tested extensively. Even if you can get Linux and Windows written by those kinds of people, you still need to deal with the third-party and LOB applications of the world who don't have the same incentives and resources.

Reply Parent Score: 2
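
An added illustration of the "subtle misconceptions about the contracts of the functions they call" point in the comment above; it is not part of the thread and not code from any project mentioned in it. It assumes `strncpy` as the misunderstood function, and the helper names and the 8-byte buffer are hypothetical, constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Caller's mistaken belief: "strncpy always NUL-terminates dst".
 * Real contract: if strlen(src) >= n, no terminator is written. */
static void copy_name_naive(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
}

/* Contract made explicit: on return dst is always a terminated string.
 * Returns 0 on success, -1 if src is missing or does not fit. */
static int copy_name_checked(char *dst, size_t n, const char *src)
{
    if (dst == NULL || n == 0) return -1;
    dst[0] = '\0';
    if (src == NULL || strlen(src) >= n) return -1; /* reject, don't truncate */
    memcpy(dst, src, strlen(src) + 1);              /* copies the terminator */
    return 0;
}

/* Bounded check: looks for a terminator without reading past buf. */
static int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* 1 if the naive copy leaves the buffer unterminated for this input. */
int naive_leaves_unterminated(const char *input)
{
    char buf[8];                      /* constructed demo buffer size */
    memset(buf, 'X', sizeof buf);     /* simulate stale stack contents */
    copy_name_naive(buf, sizeof buf, input);
    return !is_terminated(buf, sizeof buf);
}

/* Status from the checked copy, or -2 if its guarantee were violated. */
int checked_status(const char *input)
{
    char buf[8];                      /* constructed demo buffer size */
    memset(buf, 'X', sizeof buf);
    int rc = copy_name_checked(buf, sizeof buf, input);
    return is_terminated(buf, sizeof buf) ? rc : -2;
}

int main(void)
{
    printf("naive unterminated: %d, checked: %d\n", naive_leaves_unterminated("exactly8"), checked_status("exactly8"));
    return 0;
}
```

The input that exactly fills the buffer is the boundary case: the naive wrapper returns normally with no terminator in place, while the checked wrapper reports the failure to its caller.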