Maximum PC

All times are UTC - 8 hours




 Post subject: Tom Halfhill's "NX: No Excuse for Poor Security"
PostPosted: Sun Sep 19, 2004 12:00 pm 
Team Member Top 100

Joined: Fri Sep 17, 2004 5:35 pm
Posts: 1176
"...Programmers deserve blame for writing crappy code and for ignoring software tools that guard against buffer overflows. The leading programming languages for commercial software development (C and C++) deserve blame because they lack the safety of modern languages like Java and C#."

This article was on the new NX bit in x86 processors, and how it will help protect your computer from viruses and trojan horses.

--------------------

The problem is not 'crappy code' by programmers. The problem is malicious code, by virus writers and crackers. Do not blame the programming languages C and C++ for the malicious code made by idiots.

Bounds checking should really be unnecessary for any commercial (i.e. experienced) programmer, really. Plus, with C++, std::vectors are quite safe, and the STL is quite popular.

Also, many, if not most, trojan horses and viruses (what this article was about -- protecting against malicious code!) are written in assembly, not in C or C++.

Why bash C/C++ and their programmers? The languages aren't making bad code, the crackers are!

That's my opinion, anyway, and I would like to hear yours.


Post subject:
PostPosted: Sun Sep 19, 2004 10:44 pm
Team Member

Joined: Sun Aug 29, 2004 5:28 pm
Posts: 487
Location: Inside A Computer
I agree with you man. That column left a strange taste in my mouth too. Shifting the blame from the criminals to the victims again. What we need are programs written by legitimate programmers put in the hands of legitimate consumers that can track down the source of these malicious bits of code and return the favor in spades. For instance, if a web site or program you get from a site tosses spyware or some other malicious stuff on your machine, this program would find out where it came from and rather than just remove the bad bit of data, seek out the source and I dunno, trash it all to heck and back. Something violent. Something destructive. Find the author's home address and send some anthrax to him or something. :) But dang, don't blame legitimate programmers or languages that have been being used for some time now with success because of a group of jerks.


Post subject:
PostPosted: Mon Sep 20, 2004 1:13 am
Boy in Black

Joined: Thu Jun 24, 2004 1:40 pm
Posts: 24339
Location: South of heaven
What are the stats on how many viri are made and released every day? Something extremely high I'm sure. Just the sheer manpower involved in getting these numbers of bad code out is hard to say they're all intended to harm. Saying that, viri aren't all man made. In fact, from my past dealing and edumacation with them, the majority was buggy code. Even trying to hash out a VBcode in Excel can go seriously south.

Looking at my old notes, I see this pop up a lot on how to "prevent making viri" on about every other page. "nothing more than a C/C++, BASIC, or Pascal proggy, either intentional or not...and wild or in the zoo." On the side bar, I have "Java, when scripted with care can be less open to this"

Sure, there's now a majority of these programs that have the pure intention of doing harm (from the "brain", Michelangelo, BO, and the Love Bug), but all of these are taking advantage of something in order to work. It's something left open, or a line of code not really thought out. Thus, they make patches to fix these.

So...I still blame the programmers for writing this, but it's not 100% on them, so don't get me wrong. It's just the way of life. You make something, then someone points out the flaws in it with a bug. Hackers do this on websites, and the hackers become "bad" right away, even though some just want to say "hey, here's a hole to fix". Same thing with coders IMO. (The concept virus and Laroux were written just to show that you COULD write bad code for macros, which then spawned Melissa). And even M$ is rumored to make viri in the early 80's (to wipe out disk-copying programs when copy-protected floppies were all the rage). But in complicated codes, you just can't know it's perfect until it's let out of its cage as there's too much time and resources involved in doing so. Remember Microsoft revealing its new OS that crashed on stage?? Yup...not perfect code IMO.

I don't think Mr. Halfhill was aiming a gun at 99% of the programmers out there as coding has become very clean, in sorts. But whose fault is it for ALLOWING a bug to be written? Someone has to be blamed first, and I'd put it on the programmer. Otherwise, we wouldn't have been so open to DoS attacks a few years ago. In debates over the chicken or the egg, I'll always pick the chicken...

And, as always...that's my opinion too.


Post subject:
PostPosted: Tue Sep 21, 2004 4:52 am
Team Member

Joined: Sun Aug 29, 2004 5:28 pm
Posts: 487
Location: Inside A Computer
Sure a program can have bugs, but unintentional viruses? I don't see that happening. If a program is written and run and it works fine, that's usually the end of it. It takes someone with malicious intent to exploit a bug to make it dangerous. So the blame is really on that person, not the guy who wrote the useful bit of code that just happened to have an exploitable hole in it. That's the problem with a lot of folks these days, they like to blame the victim. If I walked out my front door and didn't lock it, that doesn't mean that if someone walks in and steals all my stuff that I'm the one in the wrong, the criminal is still the criminal and still 100% in the wrong. I should not and do not have to lock my door in order to be in the right. Neither should code have to be 100% flawless and without holes for the programmer NOT to be responsible for the acts of malicious exploits.

As for the chicken and the egg, wrong again I'm afraid. At least if you believe in evolution. If you believe in creation then it's still a 50/50 proposition but the proof of evolution is a little stronger and easier to back up. In which case, a creature that was close to being but not a chicken would lay an egg, the egg would have the genetic mutation to be a chicken, hence the egg came first.

I also always see the glass as totally full... (Half with liquid and half with atmosphere). In a vacuum it would just shatter.


Post subject:
PostPosted: Tue Sep 21, 2004 6:25 am
I'd rather be modding!

Joined: Fri Jun 25, 2004 3:47 pm
Posts: 3731
Location: Las Vegas
Not that I agree completely with the article, but you guys aren't seeing some things.

If you walk out your front door and leave it unlocked and you get robbed - that's one thing. But, if you lock your door only to find out that every tom, dick and harry has the key to it and then you get robbed - it's another.

There is no way for folks to program against every scenario - but some are obvious.

There are unintentional virii, but I doubt there are a ton of them.

I think one of the problems MS is seeing is that it took sales more seriously than security with XP. I think that attitude is changing, but really, they should not have had it in the first place.

As we move into an era where people are trying more and more to screw up other people's systems, programmers (and more importantly - program designers) need to be more careful how they do things.

You guys think Tom is blaming the victim? Keep in mind the real victim is the end user. Programmers make locks - people depend on them. Jerks break into places. If the lock was weak or nonexistent, the programming side is to blame. That doesn't mean they are responsible for losses - just that they dropped the ball. Sometimes there is nothing they could have done - sometimes it's obvious. Having a security standard in place is wise - but not an excuse to not consider security during programming.

Manta's 2 pennies


Post subject:
PostPosted: Wed Sep 22, 2004 4:31 am
Team Member

Joined: Sun Aug 29, 2004 5:28 pm
Posts: 487
Location: Inside A Computer
Certainly programmers need to consider security, no doubt about it. But the point is that whether they do or not, it isn't their fault if someone does something malicious. The blame still belongs squarely on the shoulders of the person who did the damage and not the programmer who overlooked a bit of security. Whether or not there is "no excuse for not writing secure code" there is still no way that it's the fault of the programmer that some jerk broke into a system. It's still shifting the blame from the guilty party to the innocent one.


Post subject: That giant sucking sound is...
PostPosted: Thu Sep 23, 2004 9:47 am
8086

Joined: Thu Sep 23, 2004 9:18 am
Posts: 3
...Tom "Dan Rather" Halfhill's credibility going down the commode.

Tom is now the Dan Rather of the hardware world. Prior to this I liked his column; no longer.

How can Tom possibly blame the languages themselves for poor/ignorant coders? He says that they lack the safety of modern languages like Java and C#. A VM isn't the holy bastion of safety he seems to believe it to be.
To assume it is, is just asinine.

Argh! :x

Tom, did you research _any_ of this before you posted? My God, man!


Post subject:
PostPosted: Fri Sep 24, 2004 7:56 am
Smithfield

Joined: Thu Jul 22, 2004 2:17 pm
Posts: 5315
Location: northwest BC
It doesn't matter what language you write code in, it is all vulnerable to malice.

People who write code for a company are usually under pressure to get it out, fast. I'm sure an often heard phrase in such places is "We'll de-bug later." Just take a look at Microsoft and their lame OS's over the years.

Fully robust and malice-proof code is damn near impossible. The more you want your code to be flexible and un-hackable, the longer it is going to take to write and debug.

You can't blame the programmers when they operate under such conditions. Who you blame are the 'suits' - the accountants and lawyers who don't write code themselves and have zero interest. All these clowns see are the potential profits, so they really hammer the programmers to get it out quick and dirty, no doubt threatening them with loss of job or benefits if they won't co-operate.


Post subject: Re: That giant sucking sound is...
PostPosted: Fri Sep 24, 2004 9:08 am
I'd rather be modding!

Joined: Fri Jun 25, 2004 3:47 pm
Posts: 3731
Location: Las Vegas
gpwolfe wrote:
...Tom "Dan Rather" Halfhill's credibility going down the commode.

Tom is now the Dan Rather of the hardware world. Prior to this I liked his column; no longer.

How can Tom possibly blame the languages themselves for poor/ignorant coders? He says that they lack the safety of modern languages like Java and C#. A VM isn't the holy bastion of safety he seems to believe it to be.
To assume it is, is just asinine.

Argh! :x

Tom, did you research _any_ of this before you posted? My God, man!


Welcome to the MPC Forum. You might want your first few posts to be of a more positive note.


Hello all,

Here is my take.

I don't generally like Halfhill's stuff, but really - you guys are going overboard. If you get crappy, insecure software, who is to blame?

The folks that program it.

I don't agree with pimping C# over C++ - it's not really a right comparison and the tools needed in C++ are there if a programmer wishes to use them. They may not be inherent - but C# has enough other issues I don't like to have me nix it off my "learn" list. Like I said, I never really like Tom's stuff, so it doesn't surprise me that I disagree.

However, he is right about a few things. NX is like a wall around your house. But it is not an excuse to leave the front door open. In fact, contrary to Tom's belief - I don't think you need it. That is, provided you (the end user) practice proper security with tools that were hopefully programmed properly. If they contain crappy code - it's the programmer's fault. It doesn't matter to me if the project boss was an ***hat. The programmer created the code. They made it.

This is all before an actual attack happens. It isn't the programmer's fault I get attacked (hypothetically) - it's the attacker's. However, there is some blame to be spread if the attack is a success. Often, "holes" can be seen ahead of time and should be. Halfhill's opinion is his own. Many agree with it. You guys don't. Yet, I have to say that the reasoning I hear in this thread is not nearly as sound as Halfhill's.

And that's coming from someone who generally avoids reading his stuff.

It's amazing that many programmers feel shafted when it comes to getting credit for their work - and yet don't want to take responsibility for it either.

Manta


Post subject:
PostPosted: Sat Sep 25, 2004 11:07 pm
Boy in Black

Joined: Thu Jun 24, 2004 1:40 pm
Posts: 24339
Location: South of heaven
I can't believe that you took a theoretical phrase of chicken and the egg, and turned it into a religious side. And I also can't believe that one took a single sentence of my post and based a total rebuke on it based solely on a note from 12 years ago... It's a "setting" for a post. Not the entire idea.

I think I see what happens. I can see that the bigger picture isn't even a consideration worth investigating. Someone says "work harder!" and the worker calls for a strike. Bah.

And it's libel to say he called programmers poor and/or ignorant. Nowhere does he say such things. He states the problem, if it's not just read through and you pick out what you do or don't like. "Early procs...had memory protection that could prevent these attacks. But programmers didn't like the restrictions, so the x86 chips made the protection unnecessary." They removed a protection because programmers didn't like coding for it. That says very clearly the truth what not just programmers, but every industrial complex does - Make decisions that, while seem like no harm, actually someday turn foul.

For years, cars (our hardware) didn't have seat belts (our protection) mandated. Sure, some had them, but until the law stated they must be in all vehicles...people didn't have the option to wear them. Today, this sounds like a very "crappy" management as it's just easier to not include them. Safety regs called for the car makers to "work harder" and just put them in for pete's sake.

But the very first paragraph was his pure intention. This should have been a silent inclusion. Why, if I saw a home with a "we now lock our doors" sign on the front door, then I'll skip that and start checking the windows. "Thanks! Saved me some time folks". It's just not something that you need to run around and brag about. So, it keeps buffer overflows from occurring...Good! That should have been in there and supported 20 years ago instead of fixing it now.

So instead of trying to turn the tables and blame hackers for breaking into software, use this article in your programming career; and any career for that matter! Next time you're pressed for a deadline of a budget...or just plain hate doing something, watch and you'll see things being left out or overlooked. Five years from now, it just may turn up in a discussion in a periodical.


Post subject:
PostPosted: Sat Sep 25, 2004 11:20 pm
Team Member

Joined: Sun Aug 29, 2004 5:28 pm
Posts: 487
Location: Inside A Computer
Whoa Nelly there Chum... Who said anything about hackers? Hackers don't go around causing the kinds of problems that have been discussed here. That's a whole other group of people. As someone who's proud to be considered a hacker and have been for many many moons, I don't take kindly to the ignorant assumption that hackers are bad guys who run around trying to destroy things. We don't, that's a media mind twist.

And yes, I took the chicken and the egg thing and ran with it for chuckles. I didn't however turn it into a "religious" side. Religion had nothing to do with it. Creationism isn't a religion and neither is Evolutionism. They're just different points of view. End of that, it was meant as a HUMOROUS aside, not a religious side.

Your analogy of seat belts is a bit weak. When a person has to resort to using analogies all the time it's a sign that their argument isn't very strong to begin with. Say what you mean and if it's true it'll hold up just fine. The occasional analogy is perfectly acceptable but so far you've used two too many here. The fact is, we're discussing the validity of placing blame for the exploiting of potential (not realized) security risks in software on the programmers. And the programmers take the stance that it isn't their fault if someone maliciously abuses the code, if used as directed it will work just fine. The opposite argument, if I may make my own analogy here, is like the woman who sued McDonalds because she spilled coffee on herself in her car. So McDonalds had to go around printing up warnings to inform morons that "coffee is hot". This is both a waste of time and money. Oh and it's also kind of insulting to those of us with more than two brain cells to rub together.

So with all you've said I still don't see how any BLAME can be placed on programmers here. I can see how they could be considered to be doing a better job if they made sure all possible security holes were fixed up. But I can also see that meaning that we'll be waiting until the cows come home for any software to be released.


Post subject: RE: Chumly
PostPosted: Sun Sep 26, 2004 1:30 am
8086

Joined: Thu Sep 23, 2004 9:18 am
Posts: 3
Chumly wrote, among other things:

"And it's libel to say he called programmers poor and/or ignorant. Nowhere does he say such things."

WTFO!? I don't understand why you need to go nonlinear here.

Perhaps I should elaborate, though I thought it pretty clear at the time.

A simple example of what I mean:

If a programmer uses strcpy() vs. strncpy() the buffer overrun potential he/she is opening his/her code to is true and real. Two possibilities exist, the programmer is just poor, as in not very good as in careless, or ignorant, as in doesn't know any better. Ignorant coders are going to be careless just because they don't know any better.

Tom used the word "sloppy". What does sloppy mean to you? Can you say, careless? That's probably the most common first thought. In any case what I said is most assuredly not libel. I dare say that it'd stand up to most logical/reasonable people in a debate.

Based on that screed you last posted I'd say you are not a logical/reasonable person. Though that could just be a mistaken first impression on my part?
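
The strcpy() vs. strncpy() point in the post above, as an added example that is not part of the original post: strncpy() bounds the write, but it leaves the destination without a NUL terminator when the source fills the buffer, so the later read overruns instead. The helper name copy_bounded, the 8-byte buffer and the input strings are assumptions constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define DST_SIZE 8  /* constructed buffer size for the demonstration */

/* Returns 1 if buf[0..size-1] contains a NUL terminator, otherwise 0. */
static int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/*
 * strcpy(dst, src) writes strlen(src) + 1 bytes no matter how small dst is.
 * strncpy(dst, src, size) never writes more than `size` bytes, but when
 * strlen(src) >= size it writes no NUL, so a later strlen() or "%s" on dst
 * reads past the end of the buffer.
 * Returns 1 if strncpy left dst unterminated, 0 otherwise.
 */
static int strncpy_leaves_unterminated(const char *src)
{
    char dst[DST_SIZE];

    memset(dst, 'X', sizeof dst);      /* make a missing NUL visible */
    strncpy(dst, src, sizeof dst);
    return !is_terminated(dst, sizeof dst);
}

/*
 * copy_bounded() is a hypothetical helper, not a standard library function.
 * It never writes more than dst_size bytes, always NUL-terminates, and
 * reports truncation so the caller can reject the input.
 * Returns 0 if src fit, 1 if it was truncated, -1 on unusable arguments.
 */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);           /* includes the terminator */
    return 0;
}

int main(void)
{
    /* Constructed inputs: shorter than, equal to, and longer than dst. */
    const char *inputs[] = { "short", "AAAAAAAA", "AAAAAAAAAAAAAAAA" };
    char dst[DST_SIZE];
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = copy_bounded(dst, sizeof dst, inputs[i]);
        printf("src len %2zu: strncpy unterminated=%d, copy_bounded rc=%d, dst=\"%s\"\n",
               strlen(inputs[i]), strncpy_leaves_unterminated(inputs[i]), rc, dst);
    }
    return 0;
}
```
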


Post subject:
PostPosted: Sun Sep 26, 2004 6:15 am
I'd rather be modding!

Joined: Fri Jun 25, 2004 3:47 pm
Posts: 3731
Location: Las Vegas
The Insane Modder wrote:

So with all you've said I still don't see how any BLAME can be placed on programmers here. I can see how they could be considered to be doing a better job if they made sure all possible security holes were fixed up. But I can also see that meaning that we'll be waiting until the cows come home for any software to be released.



Modder, Chumly and GPwolfe - this is not the LL ;)
Keep the burners low

For the record Modder, most of us here know that "hacker" means "programmer" - we have just fallen into the fad that everyone else has in using the term to describe mal-coders (it's easier to type than "black-hat hacker")

Here is how I "blame" the programmers - wait - let me digress -

We should really divide "blame" and "responsibility" up.

The programmer is responsible.

If you get attacked or not, is not relevant. If the code is sloppy - it's sloppy. Who is responsible for the code? Because you guys ignored me before, I will break it down.
    The end user has nothing to do with the code - so it's not them.
    The mal-coder never even attacked the system (yet) - so it's not them.
    Hmmm......who is left? - Oh yeah - the programmer!!


It doesn't matter why the code is sloppy. Maybe it was a bad boss? But the boss didn't write the code. I suppose you could blame the company. That's fair - they take all the credit for the product, so they should take all the responsibility for it. Yet, the actual person is the programmer.

That doesn't mean the programmer should take the blame for all attacks - perfectly good code can still be vulnerable in ways that could not be foreseen. Halfhill was just saying that security needs to remain a software issue no matter how many hardware walls are put up. Like I said, building a wall around the house is no excuse to leave the front door open.

As far as the chicken and egg - Modder, since you weren't a commport member I must warn you that even jokes with a religious slide to them don't play well in this forum - for some reason it causes all kinds of trouble.

But since you opened the door in this thread :)

Creationism - Chicken came first
Evolution - Chicken came first.

The evolution reason is that we don't speciate animals except in the adult form. Before you can find and name the chicken egg, you need to find and name the chicken. There are a few exceptions (like the giant squid which was named even though it hasn't been seen), the chicken is not one.

So it doesn't matter if you go to church or not - the chicken came first. Now if you want to debate it in a more biologic sense, the answer would be "amino-acid" - which always comes first.

Hmmm....what else can I ramble on about.....

Oh yeah - in order to prevent sloppy code, certain security issues must be made public. Programming is not the military. You can't put a hardware wall in place and not tell folks about it. And you can't "privilege" information either. That would mean small companies and individuals couldn't program - and that's wrong. Further, mal-coders have ways of getting info without "permission", so you simply can't do it. Believe me, large Companies would love to see this - it thins the competition - but it's wrong.

Hmmm.........well - that's it for me.

TTYL

Manta


Post subject: Re: RE: Chumly
PostPosted: Sun Sep 26, 2004 6:19 am
I'd rather be modding!

Joined: Fri Jun 25, 2004 3:47 pm
Posts: 3731
Location: Las Vegas
gpwolfe wrote:
Based on that screed you last posted I'd say you are not a logical/reasonable person. Though that could just be a mistaken first impression on my part?


It is.

Play nice.

Sometimes ignorant is an insult - sometimes it's a statement of an innocent condition. Sometimes it's both.

Best to avoid the word, methinks.

Manta


Post subject: Re: Tom Halfhill's "NX: No Excuse for Poor Security"
PostPosted: Sun Sep 26, 2004 6:28 am
Bitchin' Fast 3D Z8000

Joined: Sat Jun 26, 2004 3:44 pm
Posts: 513
Location: Vancouver Island
Kybo_Ren wrote:
"...Programmers deserve blame for writing crappy code and for ignoring software tools that guard against buffer overflows. The leading programming languages for commercial software development (C and C++) deserve blame because they lack the safety of modern languages like Java and C#."

This article was on the new NX bit in x86 processors, and how it will help protect your computer from viruses and trojan horses.

--------------------

The problem is not 'crappy code' by programmers. The problem is malicious code, by virus writers and crackers. Do not blame the programming languages C and C++ for the malicious code made by idiots.

Bounds checking should really be unnecessary for any commercial (i.e. experienced) programmer, really. Plus, with C++, std::vectors are quite safe, and the STL is quite popular.

Also, many, if not most, trojan horses and viruses (what this article was about -- protecting against malicious code!) are written in assembly, not in C or C++.

Why bash C/C++ and their programmers? The languages aren't making bad code, the crackers are!

That's my opinion, anyway, and I would like to hear yours.


You make two fatal assumptions.

1. That malicious code is intentional, and
2. That all programmers are "experienced."

While Java and C# are safe...relatively...you can still blow your leg off. And they still require you to have some forethought. You can blow buffers just as easily in Java and C# as you can C/C++...in fact, for the uninitiated it's very easy.


Post subject:
PostPosted: Sun Sep 26, 2004 7:03 pm
Team Member

Joined: Sun Aug 29, 2004 5:28 pm
Posts: 487
Location: Inside A Computer
In this instance I am only referring to exploited code, not to code that was written poorly. Of course if code is written poorly and does not function according to specs then the programmer is responsible for that. But if the code is maliciously exploited by a 3rd party and something happens, that's not in any way the responsibility of the programmer. To use your own analogy as a vehicle for this, if someone dies in a car accident because they didn't wear their seatbelt, is it the seatbelt manufacturer's fault? That's what's being said here, that if code CAN be exploited by a mal then it's the fault of the programmer, it isn't. Should the publisher of the software in question require that their software be more secure? Probably in most cases they should. Should they share some of the responsibility for the failure of the software should it come under attack? I'm not so sure if I think they should. I think we should put the blame where it belongs, on the persons who are actively trying to cause problems. We need to develop new sets of laws and punishment to cover these crimes. Currently we have very little for this. We throw hackers in jail for doing no damage and pay money to jerks who put spyware on our computers in order to get it off, this is just wrong.


Post subject:
PostPosted: Sun Sep 26, 2004 8:51 pm
Bitchin' Fast 3D Z8000

Joined: Sat Jun 26, 2004 3:44 pm
Posts: 513
Location: Vancouver Island
Look at this code... it's written in C# and is a very basic iteration loop...one will create a buffer overflow the other won't and is indicative of the abuse that can be done when people become too arrogant in the safety of their code, or don't understand how to use the tools available to them.

Code:
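using System;

public class bungya
{
    public static void Main()
    {
        int count;
        int[] hooger = new int[10];   // valid indexes are 0 through 9
        // Off by one: the loop also runs for count == 10, one past the end.
        for (count = 0; count <= 10; count += 1)
        {
            hooger[count] = count;
            Console.WriteLine(count);
        }
    }
}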


This is indicative of C and C++ style of programming. STL notwithstanding.

That piece of code creates an Array (hooger) and gives it a size of 10 positions... 0-9. The for count then populates the array with whatever is the current count. The problem is, however that it will create an array overflow because the loop is trying to add one more element that does not exist. Sometimes it's easy to forget arrays are Zero based.

The .NET run-time compiler would catch this, but sometimes it doesn't or you can have it override errors like this. Regardless, the program would still crash, even with exception handling.

A more appropriate, and compliant, piece of code should look like this:

Code:
using System;

public class bungya
{
    public static void Main()
    {
        int count;
        int[] hooger = new int[10];
        // Stop at the last valid index, hooger.Length - 1.
        for (count = 0; count <= hooger.Length - 1; count += 1)
        {
            hooger[count] = count;
            Console.WriteLine(count);
        }
    }
}


One simple change, in the end step of the For loop assigns the end value as the length of the Array minus 1 (it will still add a position at the extent of the bounds). Thus it will not only stop the loop at the last value of the array, it will also not populate the array past that iteration. It is also specification compliant as well.

A company has a responsibility to be smart when it initially spits out code. If it's not it could be held liable. Microsoft understood that at some point someone was going to successfully sue for damages due to the insecurity of their software, but the legal department came up with the alternative, "Our damages could be the difference between hundreds of millions and billions if we take a proactive step..." and they did that by sending their developers on month long "security code practice" courses.

While I agree 100% that those who are responsible for exploiting the code should take the majority of the blame, the developers need to be smart and take a proactive stance.

The only developers that I do not think should be fundamentally culpable are open source developers who can have their code modified outside of their control. But even then, the GPL should not be a get out of jail free card, either.


Post subject:
PostPosted: Tue Sep 28, 2004 9:28 pm
Team Member

Joined: Sun Aug 29, 2004 5:28 pm
Posts: 487
Location: Inside A Computer
Everything made sense until the end there. The GPL should not be a get out of jail free card? Sorry, if I release code in open source format and someone else screws with it and it becomes unstable you're saying that I should share some of the blame for that? You're joking, right?


Post subject:
PostPosted: Tue Sep 28, 2004 9:37 pm
Bitchin' Fast 3D Z8000

Joined: Sat Jun 26, 2004 3:44 pm
Posts: 513
Location: Vancouver Island
The Insane Modder wrote:
Everything made sense until the end there. The GPL should not be a get out of jail free card? Sorry, if I release code in open source format and someone else screws with it and it becomes unstable you're saying that I should share some of the blame for that? You're joking, right?


No I'm not. There is nowhere in the GPL that says those that distribute their software under it are immune from prosecution or responsibility. If you take my statement into account with the rest, you will see that I believe the person with LEAST amount of culpability is the GPL programmer. So, if you use a little bit of common sense you will see the meaning of my post:

The GPL is not a get out of jail free card, nor should it be. If you write secure, good code without the intention of someone exploiting it, then you should be saved from reprisal. However, if you write code with the intention someone will create a monster out of it, or it's a specific utility which can be abused...then yes I believe you should be held responsible at some level.

The fact remains if you act in good faith, your original code will stand. There will already be a copy of it. If someone modifies it against your wishes and makes it malicious...then you have a get out of jail free card because you can show distinct changes.

If you use common sense and act in good faith, you can't go wrong. But it's very important to understand that what you do, or start, or contribute to you could become liable for.


Post subject:
PostPosted: Tue Sep 28, 2004 9:50 pm
Bitchin' Fast 3D Z8000

Joined: Sat Jun 26, 2004 3:44 pm
Posts: 513
Location: Vancouver Island
If you would like an example of what I am talking about, look at the kid from Switzerland that released I believe it was the Slammer virus. He took an existing piece of code (which I believe was inert, or he had an odd version), modified for his purpose and released it on the world.

By his own admission his intentions were NOT malicious...but they ended up being so. They still have to find the programmer of the original virus...but they nailed this kid by proxy...even though he never created it, and was using it under the GPL.

Sure...that's a virus...but it illustrates the responsibility that exists in everyday life. We are responsible for our actions, and ours only. The attitude in the software industry has been, "It's too expensive to get it right." And they'd be true...but wait, someday, someone is gonna sue or something will happen that was never meant to happen and you'll hear whining and bitching.

