[SystemSafety] OpenSSL Bug
Peter Bernard Ladkin
ladkin at rvs.uni-bielefeld.de
Thu Apr 10 20:34:22 CEST 2014
This is a massive security breach. People tell me, the biggest ever.
The only thing which it seems to me reasonable to do is:
* to cross my fingers and hope I'm too small fry;
* to wait for my bank to tell me my credit cards may have been compromised, and replace them;
* to change the passwords I have for a few hundred WWW sites; as well as the - to anyone with access
to more than a couple - obvious pattern with which I generated them.
For want of a bounds check. In a C program.
There are people here who have defended the use of the programming language C. Shame on you. Yes,
there are tools; there are reliable tools to check whether C programs adhere to strong-typing
principles. Etc. AND THEY WERE NOT USED BY PEOPLE WHOM I HAVE UP TO NOW TRUSTED. In other words, you
were lying to us about "good practice" amongst "SW developers" using C.
Isn't it time we passed laws - one in Britain, one in Germany, a European Mandate, one in the US,
one in Canada, one in <insert sensible-country name>, to require the use of reliably-strongly-typed
languages in critical SW? I'm sure Dennis would sign up, were he still to be alive.
Isn't it time we started a serious, when necessary aggressive, campaign against this kind of
software malpractice?
PBL
Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de
More information about the systemsafety
mailing list