What to do about open source vulnerabilities? Move fast, says Linux Foundation expert

Re: Reasons

is that users don't monitor or patch vulnerabilities assiduously.

I agree but there are a couple of reason why, apart from the obvious, lazy, can't be arsed, reasons.

1) It's a PITA. I remember decades ago teaching a class to support engineers for a very popular business OS and one of the students had previously worked on SW for the switches of cellular phone networks. "What to you mean I can't patch a library in a running application without downtime - we've been doing that sort of thing for years..."

2) SW houses keep changing shit. You load an update to get a security fix and find that all the features of the app you're using have moved, been changed, removed or otherwise broken. Please keep the two kinds of updates apart, if it ain't broken don't fix it, then people might be more inclined to fix the bits that are broken.

Re: The problem with testing

Also, it requires a completely different mindset than writing code and the associated unit tests.

Not only is it hard to switch to the "attacker" mindset when writing tests for security critical code, in my experience many programmers are incapable of doing that, especially for code they written.

Re: The problem with testing

> Is that very, very few testers are formally trained mathematicians.

We tried a mathematical approach, with formal proofs to verify software.

Given that didn't work, we now adopt a scientific approach, which is to write tests as a body of evidence that can't ever prove the hypothesis "the software works", but can instantly disprove it.

Re: an Initial Solution for Flash Crash Testing ..... Greater IntelAIgent Gaming

Secret messages can be compromised only if a matching set of table, key, and message falls into enemy hands in a relevant time frame. Kerckhoffs viewed tactical messages as only having a few hours of relevance. Systems are not necessarily compromised, because their components (i.e. alphanumeric character tables and keys) can be easily changed. ..... https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

Relevance is therefore Relative and wholly dependent upon Progress and Success in a Great Future Mood ..... of Almighty Immaculate Being and Virtual Rendering in Physical Phorms ...... Alter Egos of Id

Such are the Realms Beta Testing Presently ...... honouring the "happy path" method which is very good at excluding all other paths that may compete and seek to propose and impose unhappy future routes. Although why ever anything would travel that direction is something which might even bamboozle a Freudian or Jungian to conclude madness with lashings of badness to exhaust in insane notions and motions the right current diagnosis and persistent accurate enough prognosis for now. In any other time can that both change and be changed to something/anything else.

Thanks for the chance to practise what is shared and spoken of there, Claptrap314. Every time in Pursuit of Heavenly Excellence, a Win Win with Never Lose Fail Safe Guides.

Re: The problem with testing

Couldn't agree more

Jnr devs learn to hate me when i send there "pass suite" back to them saying 3/4 of the tests are missing.

Classic missing tests include:

-verifying that correct exceptions are thrown

-testing with malformed data

-Testing the negative path, i.e. test fails predictably and its failure can be considered a pass

-Integration tests masquerading as unit tests (thats a whole different kettle of fish)

While code coverage can give you a false sense of thoroughness all thats telling you is how many lines of code are not covered by the tests, NOT how many paths through the code have been tested, and often i find that a lot of tests are testing language features not logic to get coverage higher

Usually leads to a lot of grumbling until a few months later and onto the next project a maintenance task gets assigned and the value of the missing tests gets demonstrated...

Re: "the protection mechanism must not depend on attacker ignorance"

I missed a word, sorry, I meant to say "19th century".

A clear case of PBC (Posting Before Coffee).

Re: "the protection mechanism must not depend on attacker ignorance"

Fred, is there any possible defence against live applications of remote virtual reprogramming with roots and sources au fait in practice with deployment/employment/enjoyment of results entertaining Shannon's maxim. ‽ .

The posit here being .... No. None.

And possibly something entertained by El Regers contributing thoughts to this thread, too.

That would be an AWEsome Ministry with AIMODified Code Altering Behaviour Resulting.

EMPowered to Proceed and Process Progress in Exploration and Exploitation of Interesting Autonomous IntelAIgent Chain Reaction Cycles/Churns of Creative IT ACTivity ......... NEUKlearer HyperRadioProACTive IT Energy Live BetaTesting Immaculate Virtual Circuits ....... Connected to Dream Central Intelligence Commands and Controls.

And that's only to begin with ....... who knows what else there be connected and connecting live through there and those? :-)

Re: I found a good way to test a program

Rule #1 of programming: The user is your attacker.

Those names are entered by the administration, and are non-editable by the teachers.

Problem #1 solved. Next?

Not Always

If an application developer uses pcre to check the input for being correct(read: secure), that is proper engineering.

If the pcre developers use C and have bugs in their code, that says something about the pcre devs.

Non C OS Kernels

As the C fans will claim that all OS kernels must use C, here is a small list to prove otherwise:

https://en.m.wikipedia.org/wiki/ICL_2900_Series

https://en.wikipedia.org/wiki/Burroughs_large_systems

https://en.wikipedia.org/wiki/Singularity_(operating_system)

https://en.wikipedia.org/wiki/HP_Multi-Programming_Executive

Re: Stop Using C and C++

You have some sort of study to back that 70% claim? May I see the methodology?

You cannot fix stupid or lazy, and writing code that actually meets an interesting spec is hard.

I certainly agree that sloppy programming like while (a++ = b++) {} should have never seen the light of day, the problem is not the language. It was stdlib, which promulgated a dangerous data type into an unsuspecting world. Culture is everything, and claiming, "the world would be so much better if we just changed tools" is the province of daydreamers & dictators.

Re: More Good Habits

I agree that the whole, "be generous in what you accept and strict in what you admit" was a dangerous rubric from the get-go, and certainly undefensible by the time that m$ was rampaging across the industry.

I have often stated that the lack of trivial overflow detecting is a major wart with K&R. Not irreparable, however.