Python

Bengt Richter bokr at oz.net
Mon Dec 30 12:22:14 EST 2002


On Sun, 29 Dec 2002 21:15:27 -0600, Skip Montanaro <skip at pobox.com> wrote:

>
>    Erik> But his question was really about learning programming in the
>    Erik> context of being an IT security expert.  In that context, beyond
>    Erik> basic programming concepts, I don't think Python will be of much
>    Erik> specific help.  Consider the number of buffer overrun exploits
>    Erik> that exist in Python programs :-).
>
>(I realize you were referring to Python code itself.  Still...)
>
>The Python C code is more readable than most, so he should have an easier
>time finding all those that exist in the C runtime. :-) It never ceases to
>amaze me how many security alerts are due to buffer overrun exploits.  I
>keep thinking, "Shouldn't they have found all of the buffer overruns in
>Sendmail and MSIE by now?"  Damn hard task to track down.

This general problem has been going on a long time.

<rant>
Which makes me wonder how much CPU designers think about supporting safer programming
in general, when they don't have, e.g., deep pocketed clients interested in DRM.
(Likewise, they could support RT programming a lot better IMO). (I mean in mainstream
CPU chips. Embedded specialized chips are another story, where I'm sure there is much variety).
Of course backwards compatibility is a big thing, but still.

Seems like there is no one assessing the cost of less-than-robust software/CPU infrastructure,
and saying we'd like to pay an extra buck a chip for designers to spend some overtime on this.
Instead we all pay in person-hours dealing with the consequences of Sendmail and MSIE exploits
etc. which might not have been so easy in another universe, and it adds up to a lot more than
a buck a CPU chip (which would pay for a number of designer-years of work).

No one cares, because the ones that pay have no representation, and mean nothing individually.
Maybe small businesses and others who lose real money on lost time ought to organize to have
a more effective voice in the design of the products they use.
</rant>

Well, at least in the design of free software, we do have a voice ;-)

Regards,
Bengt Richter
