(keitai-l) Re: Java running into trouble on cell phones?

From: Curt Sampson <cjs_at_cynic.net>
Date: 09/06/02
Message-ID: <Pine.NEB.4.44.0209061842540.818-100000@angelic.cynic.net>
On Thu, 5 Sep 2002, James Santagata wrote:

> As far as buffer overflows are concerned, they are not the
> only exploit that can be made nor necessarily the
> most important.

You still have to avoid them. Generally you spend a lot of money
on this and still often fail completely to eliminate them. That's
just the nature of C.

And yes, a Java program can allow exploits beyond this, just as a
C program can allow exploits beyond this. But it's much easier to
write Java without security problems than it is to write C without
security problems.

> Here are some 126 known Java exploits from CERT.

Ha ha! I've seen more than 126 exploits due to buffer overflow in
C code in just the last week. Try counting the number of those on
the CERT web site.

All your points are true, but that still doesn't change the fact that
the vast majority of security holes due to bugs in code in systems over
the past few years have been buffer overflows. And a *lot* of money has
been spent on patching systems because of this. That's all.

Anyway, I shan't reply further as this appears to be getting quite
off topic for the list.

cjs
-- 
Curt Sampson  <cjs_at_cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
Received on Fri Sep 6 12:53:55 2002