Re: Public disclosure of discovered vulnerabilities

From: Eric Cordian (emc_at_artifact.psychedelic.net)
Date: 05/18/05 

Date: 17 May 2005 23:08:45 GMT

In sci.crypt Juuso Hukkanen <juuso_1848@tele3d.net> wrote:

> Or maybe it is K & R's fault. Maybe we could still send them a bill
> for causing about half of the computer vulnerabilities found in recent
> years. Tools are bad, not implementers.

There's some truth to this comment. I've often pondered how much buggy
software could have been avoided if PL/I had been the Unix implementation
language instead of C.

C flies at the right height above the hardware to make the sum of the
effort of porting the OS and the compiler a minimum, permitting fast Unix
proliferation onto new architectures. However, the type of sentinel and
pointer based programming it encourages is the very antithesis of what you
want in easily debugged provably correct code.

Disclosure of vulnerabilities is a mixed bag. If someone does a
constructive proof tomorrow that "Factoring is in P," should they post it
to Usenet, and bring security and electronic commerce to its knees?

Probably not. 

-- 
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"