Re: M$ attack on Common Sense

From: Jean-David Beyer
Date: 09/13/03

Date: Sat, 13 Sep 2003 16:22:09 -0400 wrote:

> IMHO, it's the *_kind_* of problems that make Windows insecure that is
> disturbing - it's a craftsmanship issue.
> Look at all the buffer overrun problems that have been patched in
> Microsoft products since January, (many large shops have an
> organization that is dedicated to patching Microsoft products.)
> Even a simple SW QA process would have found the buffer
> overruns - using a mechanical procedure, no less. For example,
> compiling with the equivalent of
> and having QA run a
> regression suite would have saved Microsoft, their customers, and the
> rest of the Internet a lot of grief over the last few months.
> There are more elegant solutions to the buffer overrun problem, (like
> used in OpenBSD,) but compiling with memory management QA libraries
> is a minimal standard in most commercial software shops.

Well, if they wrote in C++ or any other run-time environment where the
string is a datatype, it would be impossible to overrun a string, which
is the usual overrun in my experience when there is some input over which
you have no control (the Internet, a user, or a program working on behalf
of a user). C++ users using the C++ Standard Library have such a datatype
available, and it would be a simple matter to do something similar for
other datatypes, even objects.

   .~.  Jean-David Beyer           Registered Linux User 85642.
   /V\                             Registered Machine    73926.
  /( )\ Shrewsbury, New Jersey
  ^^-^^ 4:15pm up 23 days, 1:41, 2 users, load average: 2.29, 2.22, 2.11
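
Added example, not part of the original post or thread: the two ways of holding externally supplied text that the messages above contrast, a fixed-size C buffer that needs an explicit length check and a `std::string` that sizes itself, plus the difference between checked `at()` and unchecked `operator[]`. The function names and the 40-byte sample input are constructed for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <stdexcept>
#include <string>

// Constructed sample: stands in for input from the network or a user.
std::string sample_input() { return std::string(40, 'A'); }

// C-style handling: the destination has a fixed size, so the code must
// check the length itself. An unchecked strcpy(dst, src) would write past
// dst for long input. Returns false and stores "" when src does not fit.
bool copy_fixed(char *dst, std::size_t dst_size, const char *src) {
    if (dst_size == 0) return false;
    std::size_t n = std::strlen(src);
    if (n >= dst_size) {          // no room for the bytes plus the NUL
        dst[0] = '\0';
        return false;
    }
    std::memcpy(dst, src, n + 1); // n + 1 copies the terminating NUL too
    return true;
}

// std::string handling: the object owns its storage and grows to fit,
// so there is no destination size for the caller to get wrong.
std::size_t copy_string(const char *src) {
    std::string s(src);
    return s.size();
}

// Indexed access: at() checks the index and throws std::out_of_range;
// operator[] performs no check. Returns true when at() rejected index i.
bool at_rejects(const std::string &s, std::size_t i) {
    try {
        (void)s.at(i);
        return false;             // index was in range
    } catch (const std::out_of_range &) {
        return true;              // out-of-range access was refused
    }
}

int main() {
    char buf[16];
    bool fit = copy_fixed(buf, sizeof buf, sample_input().c_str());
    std::size_t len = copy_string(sample_input().c_str());
    bool rejected = at_rejects(sample_input(), 64);
    return (!fit && len == 40 && rejected) ? 0 : 1;
}
```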