An attack on paypal
Bill Frantz
frantz at pwpconsult.com
Wed Jun 11 19:14:21 PDT 2003
At 11:01 AM -0700 6/11/03, Major Variola (ret) wrote:
>At 03:39 PM 6/10/03 -0700, Bill Frantz wrote:
>>IMHO, the problem is that the C language is just too error prone to be used
>>for most software. In "Thirty Years Later: Lessons from the Multics
>>Security Evaluation", Paul A. Karger and Roger R. Schell
>><www.acsac.org/2002/papers/classic-multics.pdf> credit the use of PL/I for
>>the lack of buffer overruns in Multics. However, in the Unix/Linux/PC/Mac
>>world, a successor language has not yet appeared.
>
>What about Java? Apart from implementation bugs, its secure by design.
Java is certainly an improvement for buffer overruns. (The last estimate I
heard was that 1/3 of the penetrations were due to buffer overruns.) Java
is still semi-interpreted, so it is probably too slow for some
applications. However Java is being used for server-side scripting with
web servers, where the safety of the language is a definite advantage.
Of course, when you cover one hole, people move on to others. Server-side
Java is susceptible to SQL injection attacks for example.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | Due process for all | Periwinkle -- Consulting
(408)356-8506 | used to be the | 16345 Englewood Ave.
frantz at pwpconsult.com | American way. | Los Gatos, CA 95032, USA
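The point about server-side Java and SQL injection, as an added example that is not part of the original post: a memory-safe language does nothing about a query whose structure depends on user input. The JDBC URL, the H2 in-memory driver on the classpath, and the `users` table are assumptions made for this demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginQueryDemo {
    // Assumption: an in-memory JDBC database (H2 driver on the classpath).
    private static final String JDBC_URL = "jdbc:h2:mem:demo";

    // Vulnerable pattern: user input is spliced into the SQL text, so the
    // input can change the query's structure. Java's bounds checks do not help.
    static int countConcatenated(Connection c, String user) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + user + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Hardened pattern: the SQL text is fixed and the driver binds the input
    // as a value, so a quote inside it is data, never syntax.
    static int countParameterized(Connection c, String user) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT COUNT(*) FROM users WHERE name = ?")) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(JDBC_URL);
             Statement st = c.createStatement()) {
            st.execute("CREATE TABLE users (name VARCHAR(64))");
            st.execute("INSERT INTO users VALUES ('alice'), ('O''Brien')"); // constructed rows
            String name = "O'Brien"; // constructed input: a legitimate name with a quote
            // Bound parameter: the quote is part of the value, one row matches.
            System.out.println("parameterized: " + countParameterized(c, name));
            // Concatenation: the quote ends the literal and the rest is parsed as
            // SQL, which is exactly the property an injection attack relies on.
            try {
                System.out.println("concatenated: " + countConcatenated(c, name));
            } catch (SQLException e) {
                System.out.println("concatenated: query broken by input: " + e.getMessage());
            }
        }
    }
}
```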