1 Sep
2017
1 Sep
'17
5:47 p.m.
On 9/1/2017 10:48 AM, William Cheswick wrote:
early Internet.
I had to chuckle at the above.
This was back in the day when I could telnet into almost any TOPS-20
system using user account ANONYMOUS and a password of FTP (or something
similar depending on the system). It wasn't more than a few minutes
before I found an unprotected file somewhere that could be altered and
lay in wait for someone to run it. TOPS-10 systems were even easier. VMS
wasn't a big deal either. Even the UNIX systems at the time were never
really secure.
I was the ARPANET's and early Internet's worst nightmare. TELENET was an
even better source of stuff to look at. Thankfully, I was not malicious
nor profit-driven.
I still posit that C in the hands of the right people is not prone to
buffer overflows any more than some library issue in C++ or higher
languages.
Higher languages that put up safeguards are only as good as the
programmers who write the compiler/interpreter. Because deep down, the
libraries themselves, or the kernel itself is written in something
without hand-guards to keep you from cutting your fingers off. It's all
machine code in the end with, for example, no limits on pointers except
those that are constructed by more programmers or the memory protections
built into the processor (i.e. DEP).
In other words, by using a "safe" language you are just putting your
security in the hands of other people who may or may not be as concerned
as you are about it.
You can only put a certain amount of bubble-wrap around a razor blade.
In the end, there's still a razor blade under all those layers.