Newsgroups: comp.lang.ada
Subject: Heartbleed
From: csampson@inetworld.net (Charles H. Sampson)
Date: Thu, 10 Apr 2014 19:39:18 -0700
Message-ID: <1ljwj8f.1wqbhvuabsdw1N%csampson@inetworld.net>

According to Wikipedia, the Heartbleed bug in OpenSSL is caused by two errors: Lack of bounds checking and failure to verify that the heartbeat request was valid. Whom does one express one's indignation to?

The insistence of many in our "profession" on using C and its descendants is the reason I qualify the word "profession" when writing about software developers. Acting on a message without validating it is equally incomprehensible to me. The former is a "profession"-wide problem. For the latter, someone needs a severe rebuke on his next performance review, at the least.

It so happens that for the last project I worked on, I was responsible for TCP/IP communication. Every incoming message was fully validated, including validating all components of the message body. The only response to an invalid message was a negative acknowledgement to the sender. It never occurred to me to do it any other way. Haven't the problems associated with acting on invalid input of any sort been known for decades?

Charlie

--
Nobody in this country got rich on his own. You built a factory--good. But you moved your goods on roads we all paid for. You hired workers we all paid to educate. So keep a big hunk of the money from your factory. But take a hunk and pay it forward. Elizabeth Warren (paraphrased)
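
The two checks the post names, written out as an added example that is not part of the original post and is not OpenSSL's code: a heartbeat request is validated against the number of bytes that actually arrived before any reply is built. The record layout follows RFC 6520; the `hb_*` names and status codes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat record layout (RFC 6520):
 * type(1) | payload_length(2, big-endian) | payload | padding(>= 16). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3u
#define HB_MIN_PAD  16u

typedef enum { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE,
               HB_LENGTH_MISMATCH, HB_NO_SPACE } hb_status;

/* Validate a received record of rec_len bytes. On HB_OK, *payload points
 * into rec and *payload_len is proven to lie inside the received bytes. */
hb_status hb_validate(const uint8_t *rec, size_t rec_len,
                      const uint8_t **payload, size_t *payload_len)
{
    if (rec == NULL || rec_len < HB_HEADER + HB_MIN_PAD)
        return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST)
        return HB_BAD_TYPE;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check: the sender's claimed length must fit in what
     * actually arrived, leaving room for the mandatory padding. */
    if (claimed > rec_len - HB_HEADER - HB_MIN_PAD)
        return HB_LENGTH_MISMATCH;
    *payload = rec + HB_HEADER;
    *payload_len = claimed;
    return HB_OK;
}

/* Build the response only from validated bytes. Returns the number of
 * bytes written to out, or 0 with *st set when the request is rejected. */
size_t hb_respond(const uint8_t *rec, size_t rec_len,
                  uint8_t *out, size_t out_cap, hb_status *st)
{
    const uint8_t *payload;
    size_t n;
    *st = hb_validate(rec, rec_len, &payload, &n);
    if (*st != HB_OK)
        return 0;
    size_t total = HB_HEADER + n + HB_MIN_PAD;
    if (out_cap < total) { *st = HB_NO_SPACE; return 0; }
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n & 0xff);
    memcpy(out + HB_HEADER, payload, n);
    /* RFC 6520 padding is random; zeros keep this example deterministic. */
    memset(out + HB_HEADER + n, 0, HB_MIN_PAD);
    return total;
}
```

What the caller does with a non-OK status is a protocol decision: the project described in the post answered with a negative acknowledgement, while RFC 6520 specifies discarding the message silently.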