On Tue, 12 Nov 2019, Norman Wilson wrote:
> I think I recall an explicit statement somewhere from an interview with
> Robert that the worm was inspired partly by Shockwave Rider.
Yes, I noticed the similarity too.
> I confess my immediate reaction to the worm was uncontrollable laughter.
> I was out of town when it happened, so I first heard it from a newspaper
> article (and wasn't caught up in fighting it or I'd have laughed a lot
> less, of course); and it seemed to me hilarious when I read that Robert
> was behind it. He had interned with 1127 for a few summers while I was
> there, so I knew him as very bright but often a bit careless about
> details; that seemed an exact match for the worm.
That was the trouble; had he bothered to test it on a private network (as
if a true professional would even consider carrying out such an act)[*] he
would've noticed that his probability calculations were arse-backwards,
and so it spread much faster than it "should" have.
> My longer-term reaction was to completely drop my sloppy old habit
> (common in those days not just in my code but in that of many others) of
> ignoring possible buffer overflows. I find it mind-boggling that people
> still make that mistake; it has been literal decades since the lesson
> was rubbed in our community's collective noses. I am very disappointed
> that programming education seems not to care enough about this sort of
> thing, even today.
Yep. Don't use fixed-length buffers unless you *know* that they will
not overflow (i.e. the data is under your control), and don't trust
user input (especially if the reader is an interpreter with the
possibility of spawning a shell); there are of course others.
This is what you get when people call themselves programmers because
they once took a course in programming or read a book; that's like
calling yourself a doctor because you took a first-aid course...
One of my favourite examples is "Barbie the Computer Engineer" (grep the
net for it, but warning: the title contains a naughty word).
Oh, OK; here's a sanitised URL:
http://www.gizmodo.com.au/2014/11/barbie-fks-it-up-again/
Yes, that really is the URL; I've just tested it (but contents may offend
some viewers; you have been warned).
[*] And for those who slagged me off for calling him an idiot, try this quick
quiz: on a scale from utter moron to sheer genius, what do you call
someone who deliberately releases untested software designed to compromise
machines that are not under his administrative control in order to make
some sort of a point? I don't know about other countries, but try that in
Australia and you'd be seriously out of pocket and/or doing porridge.
-- Dave (BSc, majoring in Computer Science and Mathematics)
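An added example (mine, not code from this thread) of the fixed-length-buffer rule above: the unbounded copy shape that only the sender's cooperation keeps safe, beside a bounded line reader for untrusted input that refuses overlong lines instead of overflowing or silently truncating. The in-memory input is constructed for the demo.

```c
#include <stddef.h>
#include <string.h>

enum line_status { LINE_OK, LINE_TOO_LONG, LINE_EOF };

/* The sloppy shape: relies on src fitting in dst.  Fine only when src is
 * under your own control; on user input an overlong src writes past dst. */
void copy_trusted(char dst[16], const char *src) { strcpy(dst, src); }

/* Hardened reader: copies one line from an in-memory "stream" (*cursor, a
 * constructed stand-in for a socket or stdin) into dst[dstsz].  Never writes
 * past dstsz, always NUL-terminates, and reports an overlong line instead
 * of silently truncating it. */
enum line_status read_line(const char **cursor, char *dst, size_t dstsz)
{
    const char *p = *cursor;
    size_t n = 0;

    if (dstsz == 0)
        return LINE_TOO_LONG;
    dst[0] = '\0';
    if (*p == '\0')
        return LINE_EOF;
    while (*p != '\0' && *p != '\n' && n < dstsz - 1)
        dst[n++] = *p++;
    dst[n] = '\0';
    if (*p == '\n' || *p == '\0') {              /* whole line fitted */
        *cursor = (*p == '\n') ? p + 1 : p;
        return LINE_OK;
    }
    /* Did not fit: drain the rest of the line so the next call starts on a
     * fresh line (fgets() would hand the tail back as "new" input) and return
     * an empty buffer so nobody acts on a half-read value. */
    while (*p != '\0' && *p != '\n')
        p++;
    *cursor = (*p == '\n') ? p + 1 : p;
    dst[0] = '\0';
    return LINE_TOO_LONG;
}

/* Constructed sample input: a short line, one too long for 8 bytes, a short line. */
int demo_ok(void)
{
    const char *in = "hello\nthis line is far too long for the buffer\nok\n";
    char buf[8];
    if (read_line(&in, buf, sizeof buf) != LINE_OK || strcmp(buf, "hello")) return 0;
    if (read_line(&in, buf, sizeof buf) != LINE_TOO_LONG || buf[0] != '\0') return 0;
    if (read_line(&in, buf, sizeof buf) != LINE_OK || strcmp(buf, "ok")) return 0;
    return read_line(&in, buf, sizeof buf) == LINE_EOF;
}
```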