[SystemSafety] OpenSSL Bug
Martyn Thomas
martyn at thomas-associates.co.uk
Thu Apr 10 20:50:04 CEST 2014
I agree. The processes used here don't pass the basic test to be called
software engineering, but then almost no software development does.
What to do about it?
Martyn
On 10/04/2014 19:34, Peter Bernard Ladkin wrote:
> This is a massive security breach. People tell me, the biggest ever.
>
> The only thing which it seems to me reasonable to do is:
> * to cross my fingers and hope I'm too small fry;
> * to wait for my bank to tell me my credit cards may have been compromised, and replace them;
> * to change the passwords I have for a few hundred WWW sites; as well as the - to anyone with access
> to more than a couple - obvious pattern with which I generated them.
>
> For want of a bounds check. In a C program.
>
> There are people here who have defended the use of the programming language C. Shame on you. Yes,
> there are tools; there are reliable tools to check whether C programs adhere to strong-typing
> principles. Etc. AND THEY WERE NOT USED BY PEOPLE WHOM I HAVE UP TO NOW TRUSTED. In other words, you
> were lying to us about "good practice" amongst "SW developers" using C.
>
> Isn't it time we passed laws - one in Britain, one in Germany, a European Mandate, one in the US,
> one in Canada, one in <insert sensible-country name>, to require the use of reliably-strongly-typed
> languages in critical SW? I'm sure Dennis would sign up, were he still to be alive.
>
> Isn't it time we started a serious, when necessary aggressive, campaign against this kind of
> software malpractice?
>
> PBL
>
> Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
> Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de
>
>
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
>
More information about the systemsafety
mailing list