[SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)

ljknews ljknews at mac.com
Sat Mar 21 08:11:05 EST 2009


At 11:41 PM -0400 3/20/09, Gary McGraw wrote:

> once long ago I spilt a bottle of wine with dan geer

> we argued for hours about whether a buffer overflow was
> a bug or a flaw.  if you find one in a code pile (say,
> caused by a local variable on the stack and a gets call),
> it is a bug.  Or is it a flaw that the C stack grows in
> an incredibly stupid way?

That reasoning has a bit of not being able to see the forest
for the trees.

The root problem (and I do not care about the terminology)
is that the C programming language promotes the use of
uncounted strings.
-- 
Larry Kilgallen
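The two patterns this exchange turns on, side by side, as an added example that is not part of the original post or thread: the uncounted read into a fixed stack buffer that McGraw calls a bug, and a counted-string type of the kind Kilgallen's reply implies, where the capacity travels with the buffer instead of living in the caller's head. The `cstr` struct, `counted_copy`, and the `try_copy` helper are assumptions introduced here for illustration; the overlong input string is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The bug as quoted: a fixed local buffer filled by an uncounted read.
 * Nothing in the gets() call carries the size of `line`, so any input
 * longer than 15 bytes plus the terminator writes past the array into
 * the rest of the stack frame. Shown only; gets() was removed in C11 and
 * this function is never compiled or called here. */
#if 0
static void uncounted_read(void)
{
    char line[16];
    gets(line);                 /* no length anywhere in this call */
}
#endif

/* Same defect with strcpy(): the destination size is not part of the
 * call, so correctness depends on every caller remembering it. */
static void uncounted_copy(char *dst, const char *src)
{
    strcpy(dst, src);           /* writes strlen(src)+1 bytes regardless */
}

/* A counted string (hypothetical type for this example): the capacity is
 * stored with the data, so a copy routine cannot be handed the buffer
 * without also being handed its bound. Invariant: len < cap and
 * data[len] == '\0'. */
typedef struct {
    char  *data;                /* backing storage, cap bytes */
    size_t cap;                 /* bytes available in data */
    size_t len;                 /* bytes in use */
} cstr;

/* Copy src into dst, never writing past dst->cap. Returns 1 if the whole
 * string fit, 0 if it had to be truncated. Truncation is reported rather
 * than silently ignored so the caller can treat it as an error. */
static int counted_copy(cstr *dst, const char *src)
{
    size_t n = strlen(src);
    int fit = n < dst->cap;
    if (!fit)
        n = dst->cap - 1;       /* leave room for the terminator */
    memcpy(dst->data, src, n);
    dst->data[n] = '\0';
    dst->len = n;
    return fit;
}

/* Scratch buffer and wrapper so the behaviour can be checked from a test:
 * copies src into a 16-byte buffer and reports whether it fit. */
static char scratch[16];

static int try_copy(const char *src)
{
    cstr s = { scratch, sizeof scratch, 0 };
    return counted_copy(&s, src);
}

int main(void)
{
    /* Constructed input: longer than the 16-byte buffer. */
    const char *attacker = "this line is longer than fifteen characters";
    char safe_dst[64];

    /* Fine here only because safe_dst happens to be large enough; the
     * call itself gives no guarantee of that. */
    uncounted_copy(safe_dst, attacker);

    int fit = try_copy(attacker);
    printf("fit=%d stored=\"%s\" len=%zu\n", fit, scratch, strlen(scratch));
    return 0;
}
```

The point of the counted form is not that truncation is always the right policy (sometimes rejecting the input outright is better), but that the length check cannot be omitted by accident: the only way to copy into a `cstr` is through a routine that knows its capacity.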
