Feeds

Today's bugs have BRANDS? Be still my bleeding heart [logo]

Code-slinger Verity reviews the rash of groovy-named open-source security vulns

Build a business case: developing custom apps

The Flensing of C

The Heartbleed fiasco and its antecedents have cast doubt on the famous golden ratio of eyeball to bug that open source allegedly offers.

Perhaps because I find cryptographic code deeply dull, I have always been sceptical of this claim. It seems to me that the only folks properly motivated to pore over the inner details of SSL are those naughtily looking for a vulnerabilities. Everybody else just mutters 'looks ok to me' and carries on squeezing their blackheads.

But now that I have myself invested nearly quarter of an hour of personal eyeball time with this supposedly well-inspected code, I have come to a different conclusion. No bug is shallow if it lives in a bug-camouflaging environment. It really is time that C was abandoned as the automatic choice for this work. Its use just sets up these failures.

OpenBSD is essaying a grand rewrite of OpenSSL called LibreSSL. They say their first task is to 'flense' the code. If this were to include using C++ to get a teensy bit of type safety, and stopping the antediluvian practice of depending on goto statements for resource protection, then I would overlook the ghastly verb flense in the expectation that our electronic secrets could enjoy a little more privacy in their cloudy nests. ®

The essential guide to IT transformation

More from The Register

next story
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Why has the web gone to hell? Market chaos and HUMAN NATURE
Tim Berners-Lee isn't happy, but we should be
Linux turns 23 and Linus Torvalds celebrates as only he can
No, not with swearing, but by controlling the release cycle
China hopes home-grown OS will oust Microsoft
Doesn't much like Apple or Google, either
Apple promises to lift Curse of the Drained iPhone 5 Battery
Have you tried turning it off and...? Never mind, here's a replacement
Sin COS to tan Windows? Chinese operating system to debut in autumn – report
Development alliance working on desktop, mobe software
Eat up Martha! Microsoft slings handwriting recog into OneNote on Android
Freehand input on non-Windows kit for the first time
Linux kernel devs made to finger their dongles before contributing code
Two-factor auth enabled for Kernel.org repositories
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Scale data protection with your virtual environment
To scale at the rate of virtualization growth, data protection solutions need to adopt new capabilities and simplify current features.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?