[pro] Heartbleed?

Alexander Schreiber als at thangorodrim.de
Tue Apr 29 07:18:12 UTC 2014


On Mon, Apr 28, 2014 at 09:23:03PM -0500, William Lederer wrote:
> Regarding why programmers don't write libraries in common lisp (ignoring
> what seems to be a screaming terror of the parenthetical, functional world)
> is that cryptography must be fast, and it must not leak timing information.
> 
> A final word here--I spend my days auditing and pen testing programs
> written in managed languages: C# and Java. None of the errors that bring
> down systems and lead to breaches in these languages result from bounds
> checking or buffer overflow issues. None of them are subject to the same
> kinds of flaws C exposes as evidenced by heartbleed. Nonetheless, there are
> vulnerabilities.
> 
> And I am sure that all remember the vulnerability exposed in Ycombinator
> which is written in Lisp. Simply writing your stuff in Lisp is not enough.

And that is a point that bears repeating: Whatever programming language
you end up using, it will not magically protect you from all errors or
mistakes. Depending on its design and other details, it might protect you
from _some_ classes of errors (such as shooting yourself in the foot with
pointers), but no matter what language, there _will_ still be plenty of
beartraps patiently waiting for the unwary. Heck, even something as heavily
discipline-and-bondage as SPARK ADA leaves opportunities to screw up
big time - just get your design assumptions wrong and you can be toast.

Kind regard,
          Alex.
-- 
"Opportunity is missed by most people because it is dressed in overalls and
 looks like work."                                      -- Thomas A. Edison




More information about the pro mailing list