[39877] in Cypherpunks
Re: Another Netscape Bug (and possible security hole)
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Fri Sep 22 08:37:46 1995
To: Ray Cromwell <rjc@clark.net>
Cc: cypherpunks@toad.com
In-Reply-To: Your message of "Fri, 22 Sep 1995 03:15:39 EDT."
<199509220715.DAA27920@clark.net>
Reply-To: perry@piermont.com
Date: Fri, 22 Sep 1995 08:36:01 -0400
From: "Perry E. Metzger" <perry@piermont.com>
Ray Cromwell writes:
> THIS IS A SERIOUS BUG!
[...]
> [I hear Perry in the background groaning and muttering "I told you so"]
Of course I told you so. I knew what I was saying when I mentioned
buffer overflows being a big problem in code written by the NCSA team,
most of whom went over to Netscape When at NCSA, they showed very
little capacity to learn this lesson no matter how many cracks
occured. They always just tried to kludge around the thing instead of
fixing it. When I write security oriented code, I outright ban the use
of certain C library calls.
> These buffer overflow bugs should be taught in every programming
> 101 course along with fencepost errors.
>
> I'm not even sure if I want to write the obligatory program to exploit
> the hack given that some malicious jerk would probably use it
> on his home page to attack people.
The problem is that if you don't produce a (benign) exploit people
aren't going to take it seriously enough.
Perry
