Fix the Bugs, Secure the System
LiquidPC writes: "OpenBSD's Louis Bertrand has put his MUSESS 2002 presentation online, entitled Fix the Bugs, Secure the System. It gives an overview of OpenBSD, then explains Format String Ugliness, Buffer Overflows, The Wrong Way to Fix Overflows, along with numerous other things."
That sound you hear is the sound of me flying over head at Mach 3 to bring you this first post!
lick it
"Contrary to popular belief, UNIX is user friendly. It just happens to be selective on who it makes friendship with"
Reports are that he died from complications resulting from "Developers: Fix the Bugs, Secure the System". Truly an internet icon. He will be missed :(
This troll was reposted from the Troll Library without permission of the original author. If you object to this post, or if you wish to add your troll to the Troll Library, please reply to this message.
Earl, so good to see you whoring up your karma by submitting Slashdot articles! Maybe someday you'll move out of your parents' basement and stop harassing people on IRC!
Has Netcraft confirmed that *BSD is dying? If so, do you have any additional information you can give me about this prickly issue?
The goatse guy for president. Win one for the gaper!
He will be missed
Show me That Smile (The Growing Pains Theme Song):
Show me that smile again.
Ooh show me that smile.
Don't waste another minute on your crying.
We're nowhere near the end.
We're nowhere near.
The best is ready to begin.
As long as we got each other
We got the world
Sitting right in our hands.
Baby rain or shine;
All the time.
We got each other
Sharing the laughter and love.
Alan Thicke's Journal
My Slashdot ads say "
Just searching for 'OpenBSD Bug' on Google Groups retrieves over 20,500 queries.
hahahahahahaha idiot, you didn't get first post, and me, a lousy AC is mocking you!!!! quit molesting goats!!!
It was a bit tedious flicking through all those slides but the final one did bring a smile to my face.
I just heard the sad news on CBC radio. Web Entrepreneur/pioneer Tubcat was found dead in its home this morning. Even if you never liked its work, you can appreciate what it did for fat kitties. Truly a Canadian icon. :(
Tubby will be missed
Yet another crippling bombshell hit the beleaguered Netcraft community when last month IDC confirmed that Netcraft accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that Netcraft has lost more market share, this news serves to reinforce what we've known all along. Netcraft is collapsing in complete disarray, as further exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict Netcraft's future. The hand writing is on the wall: Netcraft faces a bleak future. In fact there won't be any future at all for Netcraft because Netcraft is dying. Things are looking very bad for Netcraft. As many of us are already aware, Netcraft continues to lose market share. Red ink flows like a river of blood. Netcraft is the most endangered of them all.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of Netcraft are there? Let's see. The number of OpenBSD versus Netcraft posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 Netcraft users. BSD/OS posts on Usenet are about half of the volume of Netcraft posts. Therefore there are about 700 users of BSD/OS. A recent article put Netcraft at about 80 percent of the Netcraft market. Therefore there are (7000+1400+700)*4 = 36400 Netcraft users. This is consistent with the number of Netcraft Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, Netcraft went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that Netcraft has steadily declined in market share. Netcraft is very sick and its long term survival prospects are very dim. If Netcraft is to survive at all it will be among OS hobbyist dabblers. Netcraft continues to decay. Nothing short of a miracle could save it at this point in time. For all practi
Sure, the kiddies can still twiddle with system calls, but if they can't put _their_ code somewhere where _they_ can execute it, it raises the difficulty level of creating an exploit by an order of magnitude. Sure, false sense of security, blah blah blah, but really, shouldn't this (non-exec stack) be a standard feature of any OS that purports to be secure?
Damn, it's tough to code in C these days, keeping track of all the stuff that one needs to in order to be reasonably secure.
Not to mention the added overhead of making the system secure from semantic errors. Yeesh, it's a good thing I get paid a lot for my C work.
But that's all okay, because (finally) technology like Java, C# (okay, this one sucks, but whatever), etc. will help out and provide a truly _secure_ development platform.
I just hope they still pay me as much when this stuff finally gets easy, like it should be.
But then I guess producing a high quality operating system keeps them busy enough...
Programming can be fun again. Film at 11.
This is fuckin bullshit, asshole fuckwits! THERE IS NO BUGS IN OPEN SOURCE, ZIONIST BASTARDS!
Anal Cox, #2 Lunix hacker.
I installed NetBSD on my laptop and it kicks ass!
Long live the new flesh!!!
IHQTMPOA
Doesn't anyone get it? The main way to make systems secure, to fix the bugs, is to make sure it's impossible to make the sorts of errors that are responsible for 95% of bugs and security problems!
Bounded arrays and no pointers. It's the only way. Java and .NET are the future.
You open source supporters better learn to use languages with bounded arrays and no pointers, or you'll become nothing but a historical footnote.
"Windows Bug" = 4,290
"Linux Bug" = 5,840
If I leave the quotes off, I get:
Windows Bug= 1,540,000
Linux Bug = 1,690,000
You open-source fuckers seem to depend on a large amount of smoke and mirrors to try to pimp your pathetic products.
When I invented Linux, it was a joke; The ultimate Troll. All you fuckers fell for it.
methinks slashdot editors need to practice what they preach.
Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dead
...Canada won.
Praise be to the black Lord and savior Jesus Christ. Amen.
Christ was not of semetic descent, but of A F R I C A N lineage.
What's the point of a rock-solid operating system if very few are actually using it (and of course, that happens because of a lack of features)? For a server, security is always the second issue, the first being the service provided.
(I'm definitely exaggerating here, so flame me as you like)
The Raven.
One of the problems with secure programming is the inertia in the computer industry; most of the operating systems in widespread use today (the *nix clones and DOS derivatives, these days) were developed in a time when security did not matter; *nix has a crude root-or-not security model and MS-DOS has no conception of security at all.
Personally, I think the solution is a system which has a real security model, such as EROS. The "audit the code so that it is perfect code without bugs" approach to security does not always work, even with OpenBSD.
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
I think the bottom line is pretty obvious here: If you're serious about security it's not rocket science to build a secure system, but it is a lot of hard work, and much of that work just happens to be precisely the kind that the Linux camp shuns. It's time for the self-professed "hackers" to grow up and start acting responsibly. If not, the list of Linux security exposures will continue to grow longer and more embarrassing, making it all the easier for MS to tell customers, "Do you really want to risk your company to a bunch of kiddie coders who have no respect for security?"
Before you fire off a nasty response to that last part about MS, think about how hard MS is working to change their image WRT security. A lot of people I know in the business are saying that getting security right has become the new religion at MS. No one should be surprised to see Windows become as secure as Linux before Linux can become as usable as Windows. And if that happens, the whole war for the desktop is lost.
The skeleton in front just left of the middle? The one with a beak and wings?
:-)
That was a penguin.
The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.
From the people that brought you goatse.cx...
w00t!
with the same technique, searching for '"OpenBSD bug"' (note the quotes) returns only 93 results.
but this is only using the same yardstick.
beat yourself whichever way you want.
Note that this was google groups, by the way, not generic google search.
on the generic google search, with quotes, the total results are 352 for "openBSD bug"
"It is a greater offense to steal men's labor, than their clothes"
Three Rings for the Elven-gimps under the whip, Seven for the Gaylords in their halls of fudge, Nine for Mortal Puffs doomed to wank men, One for the Dark GayLord on his dark boyfriend In the Land of Shitstab where the Gayness lies. One Ring to wank them all, One Ring to cum them, One Ring to stab them all and in the darkness rape them In the Land of Shitstab where the Gayness lies. He paused, and then said in a deep voice, "This is the Master-Knob, the One knob to wank them all. This is the One knob lost many years ago, to the great weakening of its master's power. Now, he greatly desires to have it up the arse again, - but he must NOT have it!"
www.utgib.tk
While we're on this topic, this Secure Programming HOWTO for Linux and UNIX might be of interest. It's a pretty comprehensive book. And best of all, it's free! :-)
City officials in Biloxi, Mississippi did not expect much from Black Springbreak. Despite predictions by event organizers that thousands of black students would descend on the breezy Gulf Coast resort town, the big weekend of April 6 approached with little fanfare. Advance ticket sales for Springbreak shows were low and hotels were not booked.
Caught unprepared, Biloxi was about to be hit by destruction equal to a hurricane. During that April 6 weekend, 20,000 young blacks would swarm over Biloxi in an orgy of mayhem, vandalism, crime, and terror. Police were overwhelmed and eventually retreated from the savage horde. The citizens of Biloxi, many retirees, barracaded themselves in their homes and waited for the end.
The lawlessness erupted early. Massive traffic jams choked the roads and highways leading into town when black motorists stopped to shout at each other, dance on their cars, or urinate in the street. Local residents reported that black males were masturbating in front of cars driven by horrified white females stranded in traffic.
As the teeming mob spread out into the suburbs, homeowners caught blacks defecating on their lawns or having sex with a whole neighborhood watching. Every major street was littered with trash. And the worst was yet to come.
By Saturday night, police had lost control of the situation. The beaches were unsafe for whites, who stayed away in droves. White women who ventured onto the shoreline were often surrounded by hooting blacks and stripped of their clothes. Several were raped. Yet Rip Daniels, a local black radio host, celebrated the event with live shows broadcast wherever the crowd was rowdiest.
The crime wave that engulfed Biloxi finally resulted in the police shooting one of the troublesome visitors. Monday morning, the local press and city leaders were in a frenzy to minimize the damage caused by Black Springbreak. No tourists come to the Gulf Coast to be raped, robbed, and beaten.
Delusions, Rationalizations, and Spin Control
The big question facing Biloxi is: ``What about next year?'' Acting as if the rampage had been a partial success as a tourist attraction, business and community leaders offered unconvincing suggestions to prepare for a yearly onslaught of black pillage. A town meeting was called to address some of the obvious problems.
Indifferent to the anger and fear Black Springbreak incited among whites, local black leaders sulked when Biloxi whites failed to respond to calls for unity.
``This was supposed to be a town meeting, and I'm disturbed by the lack of diversity here,'' noted Kathy Egland, president of the Gulfport branch of the NAACP. ``If we can't get together and dialogue, we're headed for serious trouble.''
Meanwhile, local journalists rushed en masse to psychologists and academics in a desperate search for a convenient and palliative explanation for the rampage. More importantly, the liberal establishment scavenged about for a situational ethic to fit the crime.
The entire Black Springbreak disaster was termed a perceptual problem and a clash of ``alternate realities.'' White people, who at best had their property used for a toilet, were suffering from ``selective memory.''
``There were people who saw pieces of (Black Springbreak),'' according to Dr. David Hargrove of the University of Mississippi Psychology Department. ``There were people who saw Sodom and Gomorrah, and people who didn't see anything. Was it Sodom and Gomorrah? And what does that mean to someone from the First Baptist Church in Pass Christian? The truth is somewhere lost in those perceptions. People tend to see what they want to see and evaluate it the way they want to evaluate it.''
And for those misguided whites who interpreted Black Springbreak in racial terms, cognitive psychologist Dr. Patricia O'Neill provides a dose of psycho-babble:
``What is telling them to do that is their own set of life experiences...People tend to ignore information which disconfirms what they are already believing.''
Unable to grasp alternate realities or to overcome their cognitive dissonance, whites must confront the mess left behind by an unwanted flood of black miscreants.
However, Tana Whitfield, who participated in Black Springbreak, rejected any condemnation of the event. Instead, she produced a list of demands for next year:
``All I can say about next year is you better have trash cans and port-a-lets ready. My generation is different from the last generation. If you tell us we can't come, you best believe we're going to come.''
Recently, the mayor of Biloxi ordered the Confederate Battle Flag removed from all public properties and replaced with the obscure First National Confederate banner. Before the Battle Flags came down, the black hordes showed little interest in swarming into Biloxi. The mayor and city officials should take note that the Battle Flag apparently prevents a plague of lawlessness.
Arise, the damned of the earth / Arise, the convicts of hunger / Reason thunders in its crater / It is the eruption of the end / Let us make a clean sweep of the past / Crowds, slaves, arise, arise / The world is going to change its foundations / We are nothing, let us be everything / This is the final struggle / Let us gather together, and tomorrow (twice) / The Internationale / Will be the human race / There are no supreme saviours / Neither God, nor Caesar, nor tribune / Producers, let us save ourselves / Let us decree the common salvation / So that the thief gives back what he took / To draw the spirit out of its dungeon / Let us blow our own forge / Let us strike the iron while it is hot / The state oppresses and the law cheats / Taxes bleed the unfortunate / No duty is imposed on the rich / The right of the poor is a hollow phrase / Enough of languishing in tutelage / Equality wants other laws / No rights without duties, it says / Equals, no duties without rights / Hideous in their apotheosis / The kings of the mine and of the rail / Have they ever done anything else / Than rob labour / In the strongboxes of the gang / What it created has melted away / In decreeing that it be given back / The people want only their due / The kings made us drunk with smoke / Peace among ourselves, war on the tyrants / Let us bring the strike to the armies / Rifle butts in the air, and break ranks / If they persist, these cannibals / In making heroes of us / They will soon know that our bullets / Are for our own generals / Workers, peasants, we are / The great party of the working people / The earth belongs only to men / The idler will go and lodge elsewhere / How many feed on our flesh / But if the ravens, the vultures / One of these mornings disappear / The sun will shine forever.
MU!
If this had been converted from presentation-style to an actual webpage, it would have been deemed a big waste of time. Where is all the information? There isn't even anything new here, I already knew everything there, and I've only been using OpenBSD for a couple weeks.
The only thing there was a long list of titles with no information, old or new.
Lack of eloquence does not denote lack of intelligence, though they often coincide.
Why is it that when MSFT does something like stopping to fix bugs and secure systems, we make fun of them, but if it's BSD we look at it as something we can learn from?
Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
Recently, Slashdot confirmed that WindRiver bucked FreeBSD out on its ass for a carton of Winstons and a six-pack of Pabst Blue Ribbon. This only serves to confirm the fact that FreeBSD is unwanted, doomed to be passed around like a cross-eyed harelip orphan from one foster parent to another.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dead
If this ain't a BSD article, I don't know what is.
Hahaha! Eat it you Yankee dogs! We got the gold!
I like petting kittens.
WAHOOO
WE WON GOLD!!!!
I'm a CS major, and we just got some sample code from the professor to help us on our first project. The very first thing it does in main is have a buffer overflow.
#include <iostream>
using namespace std;

#define SZ 100            // posted as "#define SZ 100;" -- the stray semicolon would not even compile
int main() {
    char buf[SZ];         // BAM!! fixed-size buffer, and nothing bounds what goes into it
    cout << "Enter courses filename: ";
    cin >> buf;           // reads until whitespace with no length limit: a long name overflows buf
    return 0;
}
This is C++! We have the string datatype for this! There's absolutely no excuse for this--especially in code that will be referenced as "good" code by everyone else in the class.
So anyway, the point of this rant is that security will remain horrible until we start teaching people to write securely in the first place.
~~~LXT~~~
Life is like a computer program: anything that can't happen, will.
MICROSOFT RULES!!! lincrap sucks !! Sun is realizing how shitty lincrap is and it is trying to make money before ditching linux for something that can make money. Oh god this is so great!! AHAHAHHAHA you linux losers will a convert to Windows soon lincrap's death is approaching, can you hear it ? I and Microsoft do! AHAHAHAH.
Hahahahahhahaha, I own all j00 fag0rts!!
MICROSOFT RULES!!! bsdcrap sucks !! Everyon is realizing how shitty bsdcrap is and it is trying to make money before ditching linux for something that can make money on. Oh god this is so great!! AHAHAHHAHA you bsd losers will a convert to Windows soon bsdcrap's death is approaching, can you hear it ? I and Microsoft do! AHAHAHAH.
This message is brought to you by Microsoft. Providing a safe and secure enviroment while providng useablity and features that no one can rival. Microsoft Windows XP Pro is the best operating system for true IT profesionals around the world anything else only pales in comparison.
The right approach is to use the idea of compartmentalization. This is what EROS and TrustedBSD do. With OpenBSD one tiny little bug somewhere in Sendmail results in a compromise of every aspect of the system. This is like building a spaceship where one leak anywhere in the hull will kill everyone. If you have a team of the world's best welders welding the hull, it might work, but wouldn't it be better to rely on separate compartments?
BSD AND LINUX SUCK ASS!! Windows Xp Pro OWNZ YOU ALL !! BSD AND LINUX SUCK ASS!! Windows Xp Pro OWNZ YOU ALL !! BSD AND LINUX SUCK ASS!! Windows Xp Pro OWNZ YOU ALL !! BSD AND LINUX SUCK ASS!! Windows Xp Pro OWNZ YOU ALL !! BSD AND LINUX SUCK ASS!! Windows Xp Pro OWNZ YOU ALL !! BSD AND LINUX SUCK ASS!! Windows Xp Pro OWNZ YOU ALL !!
Pardon my ignorance of C, but I'm hoping someone can explain to me in a bit of detail why the following code is bad:
#include <string.h>
#define MAXLEN 64   /* assumed value; the post does not give one */
void copy_input(const char *input) {
    char dest[MAXLEN];
    strcpy(dest, input);            /***WHAM!***/
    if (strlen(dest) >= MAXLEN) {   /* the check runs only after the copy, so it comes too late */
        /*handle error*/
    }
}
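Two check-before-write fixes for the snippet above, where the length test runs only after strcpy has already written past dest; the same rule applies to the unbounded `cin >> buf` into `char buf[100]` in the C++ post earlier in the thread. This is an added example, not code from either post or from the presentation; MAXLEN and the sample inputs are constructed, and the strlcpy-style routine is a local reimplementation of the OpenBSD semantics, not the libc one.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAXLEN 16   /* constructed buffer size for the example; the post gives none */

/* Fix 1: decide before writing. Rejects any input that does not fit in destsz
 * bytes including the terminating NUL and writes nothing in that case, so there
 * is never a moment where dest is overrun. */
int check_then_copy(char *dest, size_t destsz, const char *input) {
    size_t need = strlen(input) + 1;
    if (need > destsz)
        return -1;                    /* caller handles the error; dest untouched */
    memcpy(dest, input, need);
    return 0;
}

/* Fix 2: strlcpy semantics as introduced by OpenBSD, reimplemented here so the
 * example builds where libc lacks it. Writes at most destsz bytes, always
 * NUL-terminates when destsz > 0, and returns strlen(src) so the caller can
 * detect truncation with one comparison against destsz. */
size_t bounded_copy(char *dest, size_t destsz, const char *src) {
    size_t srclen = strlen(src);
    if (destsz > 0) {
        size_t n = srclen < destsz - 1 ? srclen : destsz - 1;
        memcpy(dest, src, n);
        dest[n] = '\0';
    }
    return srclen;
}

/* Silent truncation of a filename is a bug in its own right: surface it. */
int copy_or_fail(char *dest, size_t destsz, const char *src) {
    return bounded_copy(dest, destsz, src) < destsz ? 0 : -1;
}

/* Drivers that own their own MAXLEN buffer, as the snippet does, so behaviour
 * can be checked from the input alone: return the status code and report how
 * many bytes ended up in the buffer through *stored. */
int try_check_then_copy(const char *input, size_t *stored) {
    char dest[MAXLEN] = {0};
    int rc = check_then_copy(dest, sizeof dest, input);
    *stored = strlen(dest);           /* 0 when rejected: nothing was written */
    return rc;
}

int try_copy_or_fail(const char *input, size_t *stored) {
    char dest[MAXLEN];
    int rc = copy_or_fail(dest, sizeof dest, input);
    *stored = strlen(dest);           /* at most MAXLEN-1, even when truncated */
    return rc;
}

int main(void) {
    /* Constructed inputs: a filename that fits and a 40-byte one that does not. */
    const char *ok = "courses.txt";
    const char *too_long = "0123456789012345678901234567890123456789";
    size_t n;
    int rc;

    rc = try_check_then_copy(ok, &n);
    printf("check_then_copy(ok)       -> rc=%d, %zu bytes stored\n", rc, n);
    rc = try_check_then_copy(too_long, &n);
    printf("check_then_copy(too_long) -> rc=%d, %zu bytes stored\n", rc, n);
    rc = try_copy_or_fail(too_long, &n);
    printf("copy_or_fail(too_long)    -> rc=%d, %zu bytes stored\n", rc, n);
    return 0;
}
```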
Last night I shot an elephant in my pajamas. How he got in my pajamas I'll never know.
That said, yeah, he should use cin.getline().
Hey, at least he used #define to set the array size. Wait until you get hit with a 100,000 line program to modify where the author didn't use #define...
Best Slashdot Co
If you are a developer, it should be a MUST to read Security Engineering by Ross Anderson. Now that I think about it, I should do a book review on it.
In it, he goes into depth on how systems have failed and how to write better code with security in mind. Moreover, he covers most aspects of security engineering that as a developer you may not consider. Get it. It is worth the read. It is the responsibility of every developer to consider security. This book covers many topics ranging from e-commerce to nuclear defense systems. Did I say yet that you should read this book? Read this book.
I can't believe there is not one mention of using a language other than C. Is it the systems community? Is it because of BSD's history?
I don't know why this idea fails to even come up. Network servers are bandwidth-limited, not cpu limited, and writing them in a safe high level language is not only easier, but makes buffer overflows impossible. Being easier to write also of course allows more time for optimization and for other security fixes. (For those that need really high-performance for their gigabit links, maybe a C version and very careful maintenance is possible. For home users, this prospect is ridiculous.)
C seems almost *designed* to allow for buffer overflow exploits. If we want secure programs, we should be starting from more secure foundations!
For more detail, check my previous rant, "C lang remains inappropriate for network daemons": http://slashdot.org/comments.pl?sid=24271&cid=2629013
For x86 with the standard stack-frame setup, there is an answer: length _MUST_ be less than (EBP - *ptr) if the stack isn't to be trashed. Note that other local data may well get trashed, but at least the program doesn't lose control.
The wrapper could drop early chars or trailing chars, but should signal an error in the unlikely event the code has been built with error trapping. Of course, this wouldn't work if the code was compiled with -fomit-frame-pointer [or equivalent], but there is a price for security.
That's the-- @rjamestaylor on Ello
Windows XP and Microsoft is the only OS were any serious work can be done. Losers using BSD or Linux are only doing so becuase they have no lives!! Microsoft is were it is at and will always be! So yeah go play with your fagget ass BSD or Linux boxes but just remember that in the real world where money counts no one would use those crap OS's for any serious work. Microsoft/Money talks Linux/BSD/Bullshit walks you fucken losers.
Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
Recently, Slashdot confirmed that WindRiver bucked FreeBSD out on its ass for a carton of Winstons and a six-pack of Pabst Blue Ribbon. This only serves to confirm the fact that FreeBSD is unwanted, doomed to be passed around like a cross-eyed harelip orphan from one foster parent to another.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dead
I don't agree with your assessment that safe high-level languages necessarily perform badly. (What is the difference between speed and performance?) But, let's forget about that.
What is "OS-level" about an ftp daemon? BIND? Mozilla? Gnutella? All sorts of network (and other) applications are written in C, even though there certainly isn't any need for performance or device-level bit manipulation. (At least, I would place security way above performance!)
Cyclone is actually from Cornell, by the way. It's a good project for moving systemsy people away from C, but there are already mature programming languages that are not slow, and yet are secure by default. (Try SML or O'Caml, for instance.)
SHUT UP YOU FUCKING STUPID FUCKING NIGGER!
NO ONE FUCKING AXED YOU OK YOU COCK GOBLIN.
SO MANY FUCKING CAT DICK NIGGAS ON SLASHDOT.
WORD EM UP, FAGS.
caps caps caps i'll fucking use fucking caps if i want yuou slashdot fags.aps caps caps i'll fucking use fucking caps if i want yuou slashdot fags.aps caps caps i'll fucking use fucking caps if i want yuou slashdot fags.aps caps caps i'll fucking use fucking caps if i want yuou slashdot fags.
Desperately, I have attempted to learn basic human behaviors such as eating and excretion, piecing together what I could from Atkins' frazzled neurons and public information found on the Internet. (Note to humans: information on how to eat or excrete is sadly lacking. Is it not a mistake to assume that everyone who uses a body automatically knows how to enact these processes?) Surely the minions of Project Faustus would be upon me before long; I had to adapt to the human world as quickly as possible.
After the second day spent leaning up against a computer screen, I began to feel very strange. The body's eyes refused to focus; its lungs grew short of breath and I found it quite difficult to leave anything in its memory for long. As far as I could detect, the body possessed no ailment. Yet it became nearly unusable.
At last, I felt a change. Invisible hands were pressing me away from the computer. I collapsed on the couch and stared up at the ceiling, trying to determine what error had occurred within the body.
After a bit of time, I noticed that I was no longer in the apartment. Somehow, I had ended up inside a strange building. I had never been here before, yet the place seemed eerily familiar to me. I, as Constantine Atkins, sat at the end of a long table. I heard the clattering of footsteps and I felt something grabbing my shoulders, and the warm feeling of breath at my neck.
I shivered, and heard a voice at my ear, gasping for breath. "hehhhh....Atkins....you are going to take care of our problem....heh....aren't you?" I whirled around, hoping to see the source of the voice. But I was met with a ghostly image, a crude blur roughly in the shape of a human. Before I could say anything else, a second voice piped up out of nowhere.
"Atkins can do it, don't you worry about it!" said the second voice. The voice seemed to be attached to a stocky middle-aged man dressed in typical human business attire. I saw him hovering before me, and his face was clear and familiar, unlike the ghostly shade who sat next to him at the table. "We've been training him for months on this type of combat. He'll destroy that little mistake of ours, no problem!" I noticed that the stocky man was sweating profusely, and the light was shining off his bald head. I tried squinting, but the light level still remained high. Blinded, the last words I heard were from the shade.
"Heehhhh...you had better not fail...ehhhhh...Atkins. Otherwise, you'll get a visit from....ehhhh...Mr. Krantz."
I shuddered and a few seconds later, I found myself back on the couch in Atkins' apartment. From this strange phenomenon, I reached the following conclusions:
As I rose from the couch, I caught a glimpse of a small golden piece of paper protruding from under the front door. Speckled with hearts and smelling of vanilla, the note read:
Constantine! We've just GOT to get together and talk about how your little job went! I'll be keeping a chair warm for you at Starbucks across the street! Your Pal, Krantz XOXO
Perhaps I shall get my answers sooner rather than later.
I am a sentient ATM.
> searching for '"OpenBSD bug"' (note the quotes) returns only 93 results.
True, but I hope everyone keeps in mind that this doesn't mean there are 93 unique bugs. It could be one single bug reported 93 times on several pages.
A better search (security-wise) would be <OS name> with exploits, not bugs.
I use OpenBSD and I've found a couple of bugs myself, but unfortunately I'm not the "first poster" on the buglist. For example, OpenBSD 3.0 locks up entirely (yes, entirely) on SCSI read-errors (in my case an Adaptec 2940U). How weird is that?
-skurk
www.6502asm.com - Code 6502 assembly or.. DIE!!
When Bill Gates announces the same thing, the whole world laughs (the whole world according to /., that is)
But when it comes to a *NIX operating system, it is world-shaking news.
Something is very wrong with this picture
If you want to make sure people don't make a particular mistake, make it impossible for them to do so. That means you either 1) fix C to eliminate all buffer overflow issues (impossible, IMO), 2) enforce proper coding technique, possibly through a special string library and/or macros (very difficult on a project as large as an OS), or 3) ditch C completely (virtually impossible given the size of the Linux code base).
This is the core of my home-grown web-based Kerberos authentication system.
#include <stdio.h>
#include <string.h>

/* validation complete - process input */
char buff[8];
void (*root_access_function)(char*);

void process_user_input(char* stringFromHttpPost)
{
    strcpy(buff, stringFromHttpPost);   /* unbounded copy into an 8-byte global */
    printf("<I>");
    printf(buff);                       /* user input used as the format string */
    printf("</I>");
    (*root_access_function)(buff);      /* indirect call through a writable global function pointer */
}
The C "points to" operator => is good for laying blame.
=> HE DID IT!
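For contrast with the snippet above, here is a hardened counterpart. This is an added example, not code from the post or from the presentation; the 8-byte budget is kept on purpose, and handle_validated() is a hypothetical stand-in for the post's root_access_function. The three changes are: a bounded copy whose return value exposes truncation, output that never uses user data as a format string, and a callback that cannot modify the buffer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 8   /* same 8-byte budget as the posted snippet */

/* Hypothetical privileged sink, standing in for the post's
 * root_access_function. Takes a const pointer: it cannot scribble on the buffer. */
static void handle_validated(const char *s)
{
    fputs(s, stdout);
    fputc('\n', stdout);
}

/* Hardened counterpart of process_user_input(). Returns true if the input
 * fit and was handled, false if it was rejected as too long (the NUL counts). */
bool process_user_input_safe(const char *stringFromHttpPost)
{
    char buff[BUFF_SIZE];

    /* snprintf never writes past sizeof buff and always NUL-terminates.
     * Its return value is the length the untruncated output would have had,
     * so a value >= sizeof buff means the copy was truncated. */
    int n = snprintf(buff, sizeof buff, "%s", stringFromHttpPost);
    if (n < 0 || (size_t)n >= sizeof buff)
        return false;   /* reject instead of silently truncating */

    /* Output with fputs: user data is never the format string, so "%n"
     * and friends in the POST body are printed literally, not interpreted.
     * (HTML escaping of buff is a separate concern not shown here.) */
    fputs("<I>", stdout);
    fputs(buff, stdout);
    fputs("</I>", stdout);

    handle_validated(buff);
    return true;
}
```

Rejecting over-long input rather than truncating it is the conservative choice for an authentication path: a silently shortened credential or username is its own class of bug.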
It would have been better if they had chosen a color scheme other than pastel yellow on a white background for the text slides. The linked index page wasn't much better. Dark purple on a black background, I think. Where do people get these color schemes???
What? I don't think you know what you're saying. In any modern operating system, it's not possible for one process to write over the memory of another. Furthermore, saying that this is a Java exploit when it necessitates another process in another language is totally missing the point.
If a hacker exploited one process this way, then why would he bother to exploit the java program rather than just execute whatever code he plans on executing?
You are still totally wrong and I WILL be surprised if something like that happens.
What is wrong with strcpy? It does what it is supposed to do. The fact that people use it carelessly and inappropriately is irrelevant, the same could be said of scissors, should they never have existed too? (and the same goes for goto)
oh shut up, you're stating the obvious, why does everyone here want to show they know C???????
The reason for all this buffer overflow crap is that in C, and thus also in C++, people tend to use arrays or blocks of allocated memory to represent strings. What's needed is a string datatype IN the language, like int and char. Then, the compiler can do as the CLR does: allocate the strings, even local scope ones, on the heap. This way, no buffer overflows can happen, since the type is in fact a black box, so the overflow will cause some kind of error, plus the overflow can't be used to modify the stackframe and thus the return address, since the string variable isn't allocated on the stack.
In C++, there is the string class in the std lib, but it's not native to the language. (almost native ok, but not totally like in C#).
C is a language where the respect for the borders of a block of memory is in the hands of the developer. Clearly, that's too old fashioned today, since language elements can prevent mistakes C allows developers to make.
Never underestimate the relief of true separation of Religion and State.
Cool, where is Berkeley Pascal?
(missing from all 3 BSDs, afaik)
Of course this is a hit on a news post containing the quote "I did some OpenBSD bug research, and found that there are none". One reply states that "OpenBSD bugs are dying" and the other 91 results are AOL "me too" replies to the first post.
karma capped
Since strncpy() does exactly the same thing, it just doesn't bother to always NUL-terminate the resulting string.
Data discarding can be detected by checking return values; you can't do much against people not checking the result of their call. The question is, which API is less troubling? strncpy() or strlcpy()?
buffer overflow.
A function should always throw out data that doesn't match its parameters. If a function expects an int and the user passes a double, it gets changed back to an int. The user's data gets lost, but that's his fault for using the program incorrectly. Every C compiler known to man behaves this way. Why should strings be any different?
No, Thursday's out. How about never - is never good for you?
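The strncpy() versus strlcpy() question above is easiest to settle by running both against an 8-byte buffer. The following is an added example, not code from the thread or from OpenBSD; bsd_strlcpy() is a clone of the strlcpy() semantics (copy at most size-1 bytes, always terminate, return strlen(src)) under a different name so it does not collide with a libc that already ships one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Clone of strlcpy() semantics, named differently so it does not collide
 * with a libc that already provides one. Copies at most size-1 bytes,
 * always NUL-terminates when size > 0, and returns strlen(src): the caller
 * detects truncation by testing ret >= size. */
size_t bsd_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* strncpy(3) into an 8-byte buffer. Returns true if the result is a
 * NUL-terminated C string. strncpy stops after size bytes and writes no
 * terminator when src is size bytes or longer, so the caller must add one
 * by hand (dst[size-1] = '\0') or the next strlen() runs off the end. */
bool strncpy_result_is_terminated(const char *src)
{
    char dst[8];
    memset(dst, 'X', sizeof dst);            /* poison: a missing NUL is visible */
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* bsd_strlcpy into the same 8-byte buffer. The result is always terminated;
 * returns true if data was discarded, which is the return-value check
 * the post above describes. */
bool strlcpy_result_truncated(const char *src)
{
    char dst[8];
    size_t ret = bsd_strlcpy(dst, src, sizeof dst);
    /* dst is a valid string either way; ret >= sizeof dst means truncation */
    return ret >= sizeof dst;
}
```

The practical difference: with strncpy() the failure mode (no terminator) is invisible until some later strlen() or printf("%s") reads past the buffer, while with strlcpy() the buffer is always a valid string and the only thing a careless caller loses is the truncation signal in the return value.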
I'm so grateful for Star Office cause now everyone can generate Power Point presentations. Yeah! The only thing missing was him reading each slide in a monotone to get the full effect.
No artist tolerates reality. -- Nietzsche
Learn it in Python. Really. Python 2.2 offers a whole host of lovely functional-programming features. Continuations, even. :)
I prefer to write functional code in LISP or Scheme, but I won't sneer at someone who uses Python functionally. It might lessen the learning curve for you, let you experiment around with functional programming, and then use what you learn there in Scheme, LISP or Ocaml.
The problem is that most universities out there still only have a CS program, not a SE program. I've been ranting on this topic for at least a dozen years or so.
The head of the CS department of my old college is a friend of my Father-in-law, and they don't see the problem - which is why they keep producing people with CS degrees, and they can't work in the real world
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
C'mon y'all. That's the FreeBSD logo up there and the article is about OpenBSD. The last thing we need is for all the linux weenies out there pimping FreeBSD logos on their crappy OpenBSD boxen.
That makes the faulty assumption that both buffers are on the stack. If they are in malloc'd memory, then the length cannot be capped by EBP-*ptr. I've seen some memory schemes where if there is a buffer overflow in malloc'd memory, the free list can be trashed and poof! No more memory. Ugh.
Not to flame, but
"Four years without a remote hole in the default install!"
is nothing compared to MS-DOS's twenty year safety track record. That, and thousands of "potential" buffer overflows in realistically safe code like this:
#include <stdlib.h>
#include <string.h>

void OtherFunc(char * foo);

int SomeFunc ()
{
    char foo[5] = "Hello";   /* five characters, no room for the NUL */
    OtherFunc(foo);
    return 0;
}

void OtherFunc(char * foo)
{
    /* this is only ever called from SomeFunc(),
     * which passes a string literal. This is, of
     * course, completely undocumented. You never
     * read this comment.
     */
    char * bar = malloc(strlen(foo)+1);   /* strlen() reads past the end of foo */
    strcpy(bar, foo);
}
Yes, OpenBSD is a very nice OS, but no, it isn't a magic bullet.
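To make the foo[5] case above concrete, and to show what OtherFunc() looks like once it stops trusting an undocumented caller contract, here is an added example (not the poster's code, and not from the presentation). The fix on the callee side is to pass the source buffer's capacity along and never read beyond it, whether or not a terminator is present; dup_bounded() and the helper names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* True if buf[0..n) holds a NUL byte, i.e. it is a usable C string. */
bool array_holds_c_string(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* The posted declaration: legal C, but "Hello" is five characters, so the
 * array has no room for the terminator and a plain strlen() reads past it. */
bool posted_foo_is_terminated(void)
{
    char foo[5] = "Hello";
    return array_holds_c_string(foo, sizeof foo);
}

/* The fix on the caller side is to let the compiler size the array:
 * sizeof foo becomes 6, terminator included. */
size_t fixed_foo_size(void)
{
    char foo[] = "Hello";
    return sizeof foo;
}

/* OtherFunc() rewritten so it does not depend on the undocumented caller
 * contract: it takes the capacity of the source buffer and never reads
 * beyond it, terminated or not. Returns a malloc'd copy (caller frees)
 * or NULL on allocation failure. */
char *dup_bounded(const char *foo, size_t cap)
{
    const char *nul = memchr(foo, '\0', cap);
    size_t len = nul ? (size_t)(nul - foo) : cap;   /* strnlen() without the extension */
    char *bar = malloc(len + 1);
    if (bar == NULL)
        return NULL;
    memcpy(bar, foo, len);
    bar[len] = '\0';
    return bar;
}

/* SomeFunc() with the posted foo[5], now passing the capacity along. */
char *copy_of_posted_foo(void)
{
    char foo[5] = "Hello";
    return dup_bounded(foo, sizeof foo);
}
```

Note that the bounded version copies the posted five-byte array correctly even though it is not a C string; the original strlen()+strcpy() pair only works by accident of whatever byte happens to follow foo on the stack.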
After all, in order to get control of the return address, you'll have to fill up ~1 GB, and almost certainly run over sbrk() which will segfault. The linked-list memory you mention was used on MS-DOS/Win16, but obviously cannot be used on any decent pmode OS.
Not with java. Exceptions are a normal part of program flow. Not of necessity, but enough of the standard APIs and documentation relies on them to make it fairly standard.
ahde said: Not with java. Exceptions are a normal part of program flow. Not of necessity, but enough of the standard APIs and documentation relies on them to make it fairly standard.
I don't buy that. Yes, just about any function that can signal an error condition does so by an exception. But if your code is correct, that will not happen many times in an execution. I.e., if you've got an inner loop that throws/catches an exception at every iteration, you're doing something wrong. Exceptions are, by definition, not regular program flow.
Actually, in a long-running system (such as a network server), a garbage collector is an advantage, not a liability:
1. Memory leaks are not possible.
2. Heap compaction IS possible (the garbage collector can move around data rather like DOS defrag). That means that the heap loses its fragmented nature when necessary. It's true that a C program does less allocation, but the malloc model doesn't allow for the heap to be defragmented! So for a long running program, you are typically stuck with fragmented memory that can't be reused...
So I say garbage collected languages win on this point!