On Tue, 2006-04-25 at 17:38 -0400, Roberto C. Sanchez wrote:
> Monique Y. Mudama wrote:
> > On 2006-04-25, Ron Johnson penned:
> >
> >>On Tue, 2006-04-25 at 13:34 -0600, Monique Y. Mudama wrote:
> >>
> >>>Sure, but I could write a program in COBOL and still load passwords
> >>>from a plain text file stored with wide-open permissions, just for
> >>>example.
> >>
> >>That's willfully stupid programming.
> >
> >
> > People do stuff like that all the time. As I said, you can write an
> > insecure program in any language.
> >
>
> I think you are twisting Ron's point. His original point was that some
> languages (like C/C++) make it possible to have hard to detect subtle
> faults that become security problems. Other languages (like COBOL) do
> away with those subtle issues. Essentially, you have to try and be
> determined to write something insecure. I think his discussion focused
> on strings, but it probably extends to other things as well.

Correct. Strings, their generalized older brother arrays, and their
cousin, malloc().

For example, pass an overly-long string into a C program, and you can
smash the stack. Pass that same string into a COBOL program and it
gets truncated at the compile-time field length.

-- 
-----------------------------------------------------------------
Ron Johnson, Jr.
Jefferson, LA USA

"The Socialist who finds his children playing with soldiers is
usually upset, but he is never able to think of a substitute for
the tin soldiers; tin pacifists somehow won't do."
George Orwell, 1940, reviewing /Mein Kampf/
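
Added example, not part of the original thread or written by any of its participants: the contrast described in the message above, with an unchecked C copy next to a C routine that imitates a COBOL MOVE into a fixed-length alphanumeric field (truncate on the right, pad with spaces). FIELD_LEN, unchecked_copy and field_move are hypothetical names chosen for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 8   /* assumed field size, comparable to COBOL PIC X(8) */

/* Unchecked copy: strcpy writes strlen(src)+1 bytes into an 8-byte stack
   buffer, so any input longer than 7 characters overruns buf (undefined
   behaviour). Shown for contrast only; main() never calls it. */
void unchecked_copy(const char *src)
{
    char buf[FIELD_LEN];
    strcpy(buf, src);
    printf("[%s]\n", buf);
}

/* COBOL-style move into a fixed field: copy at most FIELD_LEN bytes,
   pad the remainder with spaces, and never write past the field.
   The field is not NUL-terminated, as in a COBOL record.
   Returns the number of source bytes that were dropped. */
size_t field_move(char field[FIELD_LEN], const char *src)
{
    size_t len = strlen(src);
    size_t n = len < FIELD_LEN ? len : FIELD_LEN;

    memcpy(field, src, n);
    memset(field + n, ' ', FIELD_LEN - n);
    return len - n;
}

int main(void)
{
    /* Constructed sample inputs: short, exact fit, and too long. */
    const char *inputs[] = { "RON", "EXACTLY8", "THIS-STRING-IS-TOO-LONG" };
    char field[FIELD_LEN];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        size_t dropped = field_move(field, inputs[i]);
        /* %.*s bounds the print because the field has no terminator. */
        printf("[%.*s] dropped=%zu\n", FIELD_LEN, field, dropped);
    }
    return 0;
}
```

The return value makes the truncation visible to the caller, which a COBOL MOVE does not do on its own; silent truncation avoids memory corruption but can still change the meaning of the data.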