Leserreporter: Wer schöne Verschwörungslinks für mich hat: ab an felix-bloginput (at) fefe.de!
[zurück][ältere Posting][neuere Posting] Freitag, 13 April 2007 | Blog: 9 | No: 8583
David LeBlanc schreibt in seinem Blog, wie bei MS Office Security funktioniert. Sie benutzen Klassen, die das Programm halt abstürzen lassen, wenn sie detektieren, daß sie gerade geownt werden. Hier ist mein Kommentar dazu:
[zurück]
[ältere Posting][neuere Posting]
[zurück][ältere Posting][neuere Posting] Freitag, 13 April 2007 | Blog: 9 | No: 8583
500 for a piece of software that does not even really try to be secure but just applies some ass covering filter?
David LeBlanc schreibt in seinem Blog, wie bei MS Office Security funktioniert
I disagree. Saying you can either crash or get owned is a false dilemma.
Crashing instead of getting owned does not help the customer, because he can still lose his data. He won't get a worm (unless you missed some other wormable issue), but still, that's just reducing the severity from "critical" to "moderate". It's still a bug. The customer still wants it fixed. The only one who has an actual advantage of this is you, because you only have to answer for a DoS, not a worm.
So my point of view is: crashing if you detect an error is a cop out, an ass covering mechanism big companies like to use, because it's easier to crash than to implement error handling.
Similar issue: using try/except to catch AVs and then pop up a window saying "uh, that Word file smelled funny". That is not error handling, that is ass covering.
Security is never simple. Security is work. Yes, you will actually have to do something to make your code more secure. Just adding a try/except or SafeInt band-aid does not make the product more secure, it's just ass covering. Why am I paying $500 for a piece of software that does not even really try to be secure but just applies some ass covering filter?
I'm not just ranting about Windows here, btw. Linux has limited the size_t arguments to read() and write() to below 2 gigs, because some crappy kernel code might use signed ints for lengths, and then it would blow up. O RLY? That's not security, that's just ass covering. And coming from the GNU people who used to distinguish their software from other Unix software by removing arbitrary limits.
This attitude is pervasive in the software industry, and I hate it. Also because you will do the work twice. First you will apply a band-aid, then someone will find a way around your band-aid, or someone will notice that a crash during trying to save a document can destroy data and is just as bad for the customer, and you will have to fix it again, this time for real.
Twiter-Ticker
Fefes Latest Youtube Video Links
Der Betrieb der KraftZeitung kostet Geld. Da wir auch weiterhin unabhängig, überparteilich und ohne kommerzieller Werbung für Sie da sein wollen, sind wir auf Ihre Spende angewiesen. Vielen Dank.
