Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
colinthomson1 at o2.co.uk
Thu Aug 5 01:59:55 BST 2010
Roland Perry wrote:
> It seems to be worse than that... why are these products so susceptible
> to vulnerabilities? For example, one that used to occur over and over
> again was "buffer overflow". Surely there must be programming (or memory
> management) techniques that could eliminate them entirely?
There are indeed appropriate techniques, but these techniques involve either or both of using hardware which supports memory management (as implemented by old-fashioned mainframe providers and some old-fashioned mini-computer providers) and programming in languages whose operational semantics requires bound checking and separation of code and data. Systems using the technologies developed in the late 1960s and the 1970s by companies such as Burroughs, ICL, and even CTL could not have suffered from most of the vulnerabilities that we see today.
However, all this sound practise was thrown away - following the "cheaper is better, regardless of safety and security, and theoretical soundness is undesirable because it costs more" philosophy which was illustrated by the invention of insecure (and indeed un-securable) languages like C, operating systems like Unix, and hardware that was designed to support only these minimal cost languages and operating systems. Even worse, the people who led this appalling rush towards unsoundness became (and still are) revered idols of the IT industry. Over time the situation became worse - C++ was invented but the inventors chose to keep all the insecurity built into C, the MS Windows operating system was created when total disregard for security had become the norm with what one might expect to be the result, and many more idiocies were perpetrated. The result is a bunch of excessively vulnerable software, which mostly can't rely on any useful security support from the underlying hardware, that we have to live with today.
More information about the ukcrypto