Upgrade ethereal please. . .

John Richard Moser nigelenki at comcast.net
Tue Mar 15 14:16:17 CST 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Nathan R. Valentine wrote:
>>It's not like this is amazing that it's in ethereal; it's just ironic
>>that a security tool has a huge security hole, and of course any
>>security hole should be a priority fix (Gentoo policy I believe mandates
> 
> 
> Though it isn't surprising if you think about it. One of the hardest
> things to do absolutely correctly with C-family languages is low-level
> parsing of byte fields/strings

It's not really hard, it's just easy to mess up.  C is easy to code in;
it's a lot easier to write code when you actually know what it's doing,
because that way you know exactly what you're doing.   C and Objective-C
are my languages of choice simply due to ease of use.  Assembly is
pretty nice too, but I don't know all the mnemonics, it's non-portable,
etc; if I knew what all the commands were I could deal with that pretty
well.  Of course, slightly misuse the logic and you create a fucking bad
set of code. . .


> and yet this is the language that most of
> the sniffer tools use. Not that I don't understand their choice of
> development language. Just pointing out that it is a Catch-22 of sorts.
> Choose another language and lose some speed and developer know-how;
> choose language that requires direct management of memory and make it
> easier for developer to make errors that result in dramatic security
> problems. 
> 
> You see the same kinds of issues with tcpdump, snort, and other
> low-level security tools that are written in languages that allow direct
> memory mangling. 
> 
> 

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

    Creative brains are a valuable, limited resource. They shouldn't be
    wasted on re-inventing the wheel when there are so many fascinating
    new problems waiting out there.
                                                 -- Eric Steven Raymond
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCN0KQhDd4aOud5P8RAvUWAKCRTLf6bOruatk4aMzqkr7PRuRuvwCgisZS
sSF/FAXLFGNNYrptQgTVbJ4=
=NG31
-----END PGP SIGNATURE-----

More information about the ubuntu-devel mailing list