You'd be surprised how many services are "internet" facing even though they should never be... not even basic security considered. Recently had an incident where an RDP connection was possible to a server holding / running financial data for multiple companies... not even a FW or anything in between... scary sometimes
Who the f*** is General Failure, and why is he reading my harddisk?
I'm not surprised.
But you have to understand that in 1994, almost everyone was vulnerable.
It's relative.
Check out my IoT graphics library here:
https://honeythecodewitch.com/gfx
And my IoT UI/User Experience library here:
https://honeythecodewitch.com/uix
I would say that you have a category error here. One must divide the security breaches into unauthorized access, and authorized access to perform unauthorized actions. The first encompasses all "hacking" attempts (buffer overruns, SQL injection, etc. etc.), while the second encompasses the "inside jobs".
Secure languages are an attempt to mitigate "hacking". Proper procedures are one way to mitigate "inside jobs" and designing them is at least as difficult as designing a secure language.
C++ already has the necessary mechanisms for producing robust code - unique_ptr<>, shared_ptr<>, string, vector, etc. The problem IMO is the legacy code ported from C, and new code that uses ordinary pointers and buffers in a misguided attempt at optimization.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
Quote: C++ already has the necessary mechanisms for producing robust code - unique_ptr<>, shared_ptr<>, string, vector, etc. The problem IMO is the legacy code ported from C, and new code that uses ordinary pointers and buffers in a misguided attempt at optimization.
The problem is also code written before C++11, when those pointers became available. It won't get retrofitted unless it has problems attributable to pointers, which it typically won't given the time it's had to soak. For new code, I think failing to use the things you mentioned is less a case of misguided optimization and more one of ignorance on the part of those who never progressed beyond the pure C way of doing things.
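The two posts above contrast C-style code ported into C++ with the C++11 mechanisms (unique_ptr, string, vector). The following is an added example written for this thread, not code from either poster: the same record handled first in the C-style shape (fixed char buffer, raw array, manual release), with the length check that such code usually lacks, and then with the standard-library types that carry ownership and bounds in the type itself. All names (LegacyRecord, Record, legacy_init, make_record) and the sample data are invented for the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <memory>
#include <numeric>
#include <string>
#include <utility>
#include <vector>

// --- The C-style shape the posts describe: a fixed buffer plus a raw,
// separately allocated array whose ownership is not expressed in the type. ---
struct LegacyRecord {
    char name[16];   // every writer must remember the 15-character limit
    int* values;     // who frees this?  Nothing in the type says.
    int  count;
};

// Fill a LegacyRecord without overrunning `name`.  The strlen() check is exactly
// the line that hand-rolled C code tends to omit; without it strcpy() writes
// past the 16 bytes.  Returns false and leaves *rec untouched on any bad input.
bool legacy_init(LegacyRecord* rec, const char* name, const int* vals, int n) {
    if (rec == nullptr || name == nullptr || n < 0) return false;
    if (n > 0 && vals == nullptr) return false;
    if (std::strlen(name) >= sizeof rec->name) return false;   // no room for the NUL
    std::strcpy(rec->name, name);
    rec->values = new int[static_cast<std::size_t>(n)];
    if (n > 0) std::memcpy(rec->values, vals, sizeof(int) * static_cast<std::size_t>(n));
    rec->count = n;
    return true;
}

// The matching release.  The caller must call it exactly once: forgetting it
// leaks, calling it twice is a double free, and nothing enforces either.
void legacy_free(LegacyRecord* rec) {
    delete[] rec->values;
    rec->values = nullptr;
    rec->count = 0;
}

// --- The same data using the C++11 mechanisms the posts name.  std::string
// grows to fit, std::vector owns and bounds its storage, and std::unique_ptr
// states who owns the Record.  No length arithmetic, no manual free. ---
struct Record {
    std::string name;
    std::vector<int> values;
};

std::unique_ptr<Record> make_record(std::string name, std::vector<int> values) {
    std::unique_ptr<Record> rec(new Record{std::move(name), std::move(values)});
    return rec;   // ownership moves to the caller; the destructor frees everything
}

long sum_values(const Record& rec) {
    return std::accumulate(rec.values.begin(), rec.values.end(), 0L);
}

int main() {
    const int vals[3] = {1, 2, 3};                       // constructed sample data
    LegacyRecord legacy;
    bool ok = legacy_init(&legacy, "this-name-is-definitely-too-long", vals, 3);
    std::printf("legacy_init with a 32-char name: %s\n", ok ? "accepted" : "rejected");
    if (ok) legacy_free(&legacy);

    std::unique_ptr<Record> rec = make_record("this-name-is-definitely-too-long", {1, 2, 3});
    std::printf("modern record: name length %zu, sum %ld\n", rec->name.size(), sum_values(*rec));
    return 0;
}
```

The point of the comparison is not that the legacy version cannot be written safely (it can, with the check shown) but that every caller has to repeat that discipline, whereas with the standard types the same 32-character name simply fits and nothing has to be freed by hand.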
Without pointers, programming languages are pointless.
"In testa che avete, Signor di Ceprano?"
-- Rigoletto
CPallini wrote: Without pointers, programming languages are pointless pointerless. FTFY
Cheers,
Mike Fidler
"I intend to live forever - so far, so good." Steven Wright
"I almost had a psychic girlfriend but she left me before we met." Also Steven Wright
"I'm addicted to placebos. I could quit, but it wouldn't matter." Steven Wright yet again.
"In testa che avete, Signor di Ceprano?"
-- Rigoletto
It's just too easy to make a serious mistake even if you do know what you are doing and are extremely good at it. Meanwhile, the penalty for near any such failure is near inevitably RCE or privilege elevation with both basically throwing the doors wide open for the barbarians at the gates.
It's also "just how things are done", using pointers and pointer arithmetic. Maybe you can make a performance argument in a very few cases. (Why are they pythoning all the ML stuff instead of C++?) Mostly though, we aren't seeing superior products as a result, but inferior ones, not in terms of performance, but security. And it's just not worth it anymore to use these unless you just don't have a choice. The situations where that holds true are shrinking fast. They'll be gone inside a decade when I think it will be totally reasonable to expect something like a .NET-on-chip and other similar such inroading into embedded development.
If you're looking at technical issues leading to security issues, then null-terminated buffers are the number one problem, followed by use after free and then reading uninitialized buffers.
If you're looking at all sources of security issues, people are by far the number one cause of security incidents.
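The post above ranks null-terminated buffers, use after free and uninitialised reads as the top technical causes. As an added example (not the poster's code), here is a small "key=value" parser written so that none of the three can occur: the caller's length is the only bound, the result is returned by value so no pointer into the input survives the call, and every result field has a defined initial value even on the failure path. The function name parse_kv, the struct KeyValue and the sample bytes are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Parse result.  Every member has a default initialiser, so even when parsing
// fails the caller gets defined values back (no read of an uninitialised field).
struct KeyValue {
    bool ok = false;
    std::string key;
    std::string value;
};

// Parse "key=value" out of a buffer that may NOT be NUL-terminated: bytes that
// came off a socket, or a fixed-width field filled with strncpy().  The caller's
// length is the only bound honoured; strlen()/strchr() are never called on buf.
KeyValue parse_kv(const char* buf, std::size_t len) {
    KeyValue kv;                                    // kv.ok == false until proven otherwise
    if (buf == nullptr) return kv;

    // Bounded scan for an early terminator: stop at the first NUL *or* at len,
    // whichever comes first.  strlen() would keep going past len.
    std::size_t n = 0;
    while (n < len && buf[n] != '\0') ++n;

    // Bounded search for the separator, again never looking past n.
    std::size_t eq = 0;
    while (eq < n && buf[eq] != '=') ++eq;
    if (eq == 0 || eq == n) return kv;              // empty key, or no '=' at all

    // Explicit-length copies: exactly the bytes we bounded, copied into strings
    // that own their storage.  Returning by value means no pointer into buf
    // survives the call, so a caller cannot use the result after buf is freed.
    kv.key.assign(buf, eq);
    kv.value.assign(buf + eq + 1, n - eq - 1);
    kv.ok = true;
    return kv;
}

int main() {
    // Constructed sample: ten bytes with no terminating NUL anywhere.
    const char raw[10] = {'u', 's', 'e', 'r', '=', 'b', 'o', 'b', 'X', 'X'};
    KeyValue kv = parse_kv(raw, 8);                 // the caller passes the real length, 8
    std::printf("ok=%d key=%s value=%s\n", kv.ok, kv.key.c_str(), kv.value.c_str());
    return kv.ok ? 0 : 1;
}
```

The two while loops are the whole discipline: a C-string routine would have walked past the eight bytes looking for a NUL that is not there, while here the length supplied by the caller is checked before every byte is read.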
Here is a different view:
Ever since programming began, defeating compiler-enforced type safety became an obsession of many programmers. And IMO pointers were their main tool as it gave the programming arena a natural layer-of-indirection. Be that as it may, thankfully, there is a great movement in C++ from programming with pointers, pointer semantics, to value semantics. With that, C++ "is like a different language" paraphrasing Bjarne. Value semantic programming gets really difficult, but that laudable goal is the re-assertion of compiler-enforced type safety without man-in-the-middle pointers. And compiler-enforced type safety was the original goal of C++ which Bjarne has single-handedly urged the C++ maintainers to adhere to over the years. IMO this will separate the programming sheep (get it done fast) from the goats in the future.
Just saying.
Sticking to software development, pointers are obviously not a problem, bad programmers are a problem (cretins disguised as geniuses often are a very big problem). Bad management (forcing people to cut corners) is also to blame. And sometimes there are royal mess-ups in initial design.
Of course the golden rule of any organization is to blame anyone and anything for your mess, but not admit your own fault, and pointers are a bit like quantum superposition, everyone heard of it, few understand it, so it is a perfect scapegoat.
It depends on what they are pointing to …(?)
I had just switched companies. I was about a year and a half out of school with pretty solid C skills. A senior programmer at the new company who was new to C asked me to review a C module he was implementing.
All of the code looked pretty solid. The module used a fairly large struct for tracking its data. Every method in the module accepted a pointer to the struct type or else used a global pointer (too long ago).
After reviewing the code, I asked him “Where is the memory allocated to actually hold the struct data?”. Huh?
We added a global variable declaration of his struct type and initialized the global pointer with its address and everything worked fine.
My tenets when dealing with pointers:
1. When declaring the pointer, the * is part of the type.
   int* justAPlainOldVariableOfTypeIntPointer;
   int** justAPlainOldVariableOfTypeIntPointerPointer;
2. A pointer is a leash.
3. A pointer is NOT the dog! (or cat, but who leashes their cat? It is undignified.)
4. When writing or reading code with the dereference operator *, say “dereference” out loud.
4a. Understand the difference between * as declaration, * as dereference unary operator and * as multiplication binary operator, or do not try to use them! Same for the addressOf & operator (as well as the assignment operator, comparison operator, etc.).
5. The compiler enforces type safety. Let it do its job! Unless you are dealing directly with hardware or doing low level memory tricks, you should not need to recast something.
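The story above (a module whose global pointer was never pointed at any storage) and the tenets that follow it, as an added example rather than the poster's code: a small tracking module with the fix the post describes (a real object declared, the global pointer initialised with its address), functions that take the struct pointer explicitly and check it, a bounded append, and one statement that uses all three meanings of `*`. The struct layout, the function names (tracker_reset, tracker_record, tracker_scale, tracker_sum, tracker_global) and the sample values are invented for the example.

```cpp
#include <cstddef>
#include <cstdio>

// The module's tracking struct from the story (contents are hypothetical).
struct TrackerState {
    int samples[8];
    int count;
};

// What the reviewed module had, in effect: a pointer and nothing for it to
// point at.  Every function dereferenced g_state, so the first call wrote
// through a null (or garbage) pointer.  Kept as a comment, not compiled:
//     TrackerState* g_state;

// The fix from the post: declare the object (the dog) and point the leash at
// it.  Reading the declaration: the '*' is part of the type, so g_state is
// "a TrackerState pointer", and g_storage is the actual TrackerState.
static TrackerState g_storage = {};           // = {} zero-fills: no uninitialised reads
static TrackerState* g_state = &g_storage;    // addressOf g_storage

const std::size_t kMaxSamples = sizeof g_storage.samples / sizeof g_storage.samples[0];

// Each function takes the pointer explicitly, as every method in the module did.
// Read `st->count` as "dereference st, member count".
void tracker_reset(TrackerState* st) {
    if (st == nullptr) return;
    st->count = 0;
    for (std::size_t i = 0; i < kMaxSamples; ++i) st->samples[i] = 0;
}

// Bounded append; refuses rather than writing past the array.
bool tracker_record(TrackerState* st, int value) {
    if (st == nullptr) return false;
    if (st->count < 0 || static_cast<std::size_t>(st->count) >= kMaxSamples) return false;
    st->samples[st->count] = value;
    ++st->count;
    return true;
}

// Tenet 4a in one statement: `*p = *p * factor` reads "dereference p, assign
// dereference p multiplied by factor".  The declaration `int* p` is the third
// meaning of '*' (part of the type) in the same function.
void tracker_scale(TrackerState* st, int factor) {
    if (st == nullptr) return;
    for (int* p = st->samples; p != st->samples + st->count; ++p) *p = *p * factor;
}

long tracker_sum(const TrackerState* st) {
    if (st == nullptr) return 0;
    long total = 0;
    for (int i = 0; i < st->count; ++i) total += st->samples[i];
    return total;
}

// The module's global-pointer entry point.  It is usable only because g_state
// was initialised above; the original bug was exactly this pointer being null.
TrackerState* tracker_global() { return g_state; }

int main() {
    tracker_reset(tracker_global());
    for (int v = 1; v <= 3; ++v) tracker_record(tracker_global(), v);   // constructed sample values
    tracker_scale(tracker_global(), 2);
    std::printf("count=%d sum=%ld\n", tracker_global()->count, tracker_sum(tracker_global()));
    return 0;
}
```

Note that no cast appears anywhere (tenet 5): the compiler checks every pointer type, and the only conversion is the explicit static_cast of a count to size_t for the bounds comparison.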
I was writing a lounge entry and the front door got slammed on me.
I tried getting to CP from two different networks so I'm pretty sure it weren't just me.
Ya'all saw that too, right?
I took a snapshot of it.
Here's what I saw and it was instant.
I guess them hamsters is angry.
Wow, not even the stylized 404 error page. Something really choked. I didn't see anything, FWIW
Check out my IoT graphics library here:
https://honeythecodewitch.com/gfx
And my IoT UI/User Experience library here:
https://honeythecodewitch.com/uix
When did you see that ?
In a closed society where everybody's guilty, the only crime is getting caught. In a world of thieves, the only final sin is stupidity. - Hunter S Thompson - RIP
I believe it was around 5:45pm Eastern Standard Time on Thursday, June 13.
I tried to ping the site and couldn't get anything -- and it was such a huge disconnect that I thought it looked like a DNS issue.
I remoted to my work computer -- in a geographically different location (another city from me) and on an entirely different ISP -- and I got the same error from the browser: 404.
I saw that. I guess a 404 is just enough to tell Down Detector and other such sites that "something" is coming back, so they all claimed it was up...
That's interesting, because for me it was instantaneous and quite harsh: I mean I couldn't even ping codeproject.com at that time. It was literally like someone slammed the door on me.
I tried from an entirely different network and got the same thing.
Glad someone else confirmed seeing it too.
Oh it was instantaneous, nothing spent any time trying to resolve anything and then timing out. The 404 response was pretty much immediate.
I'd be curious to read any post-mortem Chris would be willing to share.
Here's an additionally interesting thing: Today my work's ISP is having major issues.
Can't even ping our web site at this time.
Here at home and other coworkers spread throughout cities are working fine but none of us can get to our work machines via RDP and our company is virtually cut off from the Internet.
I pinged our web site and got: Temporary failure in name resolution.
Oh, and we can't get to our company Outlook, but we can all still chat via MS Teams.
Woke at 04:00, shower, coffee, toast, emails.
Then the ironing to get out of the way before dropping the car off for a service and have new brake disks fitted all round - I've got 20 mins before Timbo is due to pick me up, so I'll do a quick supermarket run to get mouthwash (since I opened the last new bottle just before bed last night) and a few odds and ends.
Walk out of the supermarket and the phone goes - Rich needs a favour. Sure, what do you need? "Can you drive me to A&E, I think I've broken my foot." Ah. No car - have you still got Gill's car key (his wife went on holiday in sunny climes yesterday)? Yes. OK, I'll be home ASAP and get you off down there. Ring Timbo to see if I can hurry him up, and the first thing he says is "Can you do me a favour?"
His neighbour (a drug addict) has had a stroke, so his (psycho) wife is down at the local A&E with him, and he's babysitting the two girls* but Timbo's wife is due at physiotherapy at 11, could I take her? Explain the car problem, the Rich problem but say I'll do what I can. Finally he turns up and I get home, grab Rich, he grabs his fishing gear so he can tie some flies while he's waiting to be seen because he's going on a three day fishing trip tomorrow, I suggest his phone and charger and off we go - to a further away hospital than the addict because his wife's daughter is a doctor and they have a shorter waiting list.
Surprisingly quickly "how to drive a manual" comes back to me - it's been nearly two years since I switched to auto - and I drop him off, get back home to look after their dogs just in time to swap to Timbo's car and load up Eryl for her physio and off we go. I wait outside, listening to an audiobook and then take her home. As I'm reversing into their drive (which is a complicated job in an unfamiliar car) the phone rings - it's Rich who has been processed, could I collect him? Swap back to Gill's Fiat (a willing little hybrid, but the second slowest car I've ever driven and with the build quality you expect from Italian cars) and drive back to the hospital to collect Rich who has indeed broken his foot and has a large boot on which means he can't go fishing tomorrow. He's not a happy bunny.
Finally get home and the cat is furious because it's been eight hours since he ate his breakfast and I should know better than that ...
And one of my jobs today was to set up a new set of cat food for him as he's a picky little toad and I have to feed him different meat / manufacturer for each meal or he goes off them and will never eat them again. So I've got to do that before I can feed him which isn't his idea at all.
Busy day. And it's not over yet.
* And Timbo's as good with kids as Josef Fritzl but that's their problem**
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
Quote: Rich, he grabs his fishing gear so he can tie some flies while he's waiting to be seen because he's going on a three day fishing trip tomorrow I like this guy!
Quote: has indeed broken his foot and has a large boot on which means he can't go fishing tomorrow. He's not a happy bunny. Bummer.
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikin's uncle
I'm worn out from just reading about your movements of the day.
I’ve given up trying to be calm. However, I am open to feeling slightly less agitated.
I’m begging you for the benefit of everyone, don’t be STUPID.
Wow, that is a busy day. You've done more in less than a day than I've accomplished all week. I've been diligently working to refine my talents in the art of procrastination lately. The more I practice, the better I get.
There's no procrastination technique that is too petty for me to engage in. There's a moth that's been flying around my living room for several days now. I sprayed it with bug spray several times, and it just keeps flying around. Sometimes I sit and watch it flutter about the room. I have my television on and it's streaming CBS News. I'm not watching it because I'm more interested in watching the moth.
Anyway, don't overdo it. Be sure to take time out for yourself, too.
OriginalGriff wrote: Woke at 04:00
Well there's your problem right there!
But OTOH, I suspect if you got up later, you'd just get less time to get the same amount done...
But seriously, as I was reading through, I thought I was gonna need a diagram.