[comp.lang.forth] Computer

ZMLEB@SCFVM.BITNET (Lee Brotzman) (11/17/88)

   This message was recently downloaded from GEnie, the General Electric
Network Information Exchange:


Message 2         Thu Nov 03, 1988
D.RUFFER                     at 21:22 EST

This is more in the random rumor category, since I only have this
second hand, but I'll put it up here to see if anyone else can
substantiate it.

Was anyone watching either the Today Show on NBC or Good Morning
America on ABC between 7:30 and 8:30 earlier this week (probably
Monday)?  Let me explain why.  My parents caught someone on those talk
segments that was talking about the Computerized Voting Booths.
Apparently, he was saying that because they were written in Forth they
could be tampered with, because Forth is an unsecure language.

WOW, do we need to make a rebuttal to that, and I hear one is being
worked on right now.  I know most of us programmer types rarely see
that time of the morning, much less turn on the TV to watch one of
those talk segments, but did anyone else hear about the show?

Inquiring modems want to know.   DaR

------------------------

   On the surface, this is just another example of poor journalism about
computers and programming (newspaper articles about the recent Internet
virus have shown just how little your average reporter knows about the
area of computers, networking, and programming).

   I'm posting this to try to raise another topic of discussion.
Is there such a thing as a "secure" programming language, or can only
programs themselves be thought of as secure?  What techniques can be used
to write secure programs in any language, especially Forth?

   In regards to the voting booth example given above, I find it difficult
to believe that a single voter fiddling around in the booth could rig an
election.  The greater threat is bribery or some other human frailty in
the central data processing facility that tabulates the votes.  Then again
there have been several examples cited of people "outsmarting" bank automated
teller machines.  The principles might be the same.

   The reason I ask is because this is a topic that interests me.  I'm
studying network communications in the Masters program at Johns Hopkins
University, and security is a subject of heightened interest at the moment.

-- Lee Brotzman (FIGI-L Moderator)
-- BITNET:  ZMLEB@SCFVM   Internet: zmleb@scfvm.gsfc.nasa.gov
-- If my employer knew what I was doing, I'd be fired on the spot, so Shhhh!

karl@ficc.uu.net (karl lehenbauer #) (11/18/88)

In article <8811171507.AA08404@jade.berkeley.edu>, ZMLEB@SCFVM.BITNET (Lee Brotzman) writes:
> Apparently, he was saying that because they were written in Forth they
> could be tampered with, because Forth is an unsecure language.
> 
> WOW, do we need to make a rebuttal to that, and I hear one is being
> worked on right now.  ...

I hope your rebuttal is going to say no computer language is secure, not that
Forth is secure.
-- 
-- +1 713 274 5184, uunet!ficc!karl
-- Ferranti International Controls, 12808 W. Airport Blvd., Sugar Land, TX 77478

carroll@s.cs.uiuc.edu (11/19/88)

Program security is only very weakly correlated with the language, and
very strongly correlated with the skill of the programmer. There are
also a large number of other factors which are important, such as
what the machine is, who can use it, what OS is on it, etc. Just like
other algorithms, the question of security in a program transcends the
question of language, just as do good style, modular programming, and
user-friendliness.

Alan M. Carroll          "How many danger signs did you ignore?
carroll@s.cs.uiuc.edu     How many times had you heard it all before?" - AP&EW
CS Grad / U of Ill @ Urbana    ...{ucbvax,pur-ee,convex}!s.cs.uiuc.edu!carroll

orr@cs.glasgow.ac.uk (Fraser Orr) (11/21/88)

In article <8811171507.AA08404@jade.berkeley.edu> ZMLEB@SCFVM.BITNET (Lee Brotzman) writes:
>   I'm posting this to try to raise another topic of discussion.
>Is there such a thing as a "secure" programming language, or can only
>programs themselves be thought of as secure?  What techniques can be used
>to write secure programs in any language, especially Forth?

I don't see what you're talking about.  Surely "computer security" has
little to do with programming language issues?  Is this not a network,
and/or operating system issue only?

I would be interested to see anyone produce a compiler that refused to
compile malicious code...  :^> Maybe you could have a flag "-N num" that
allowed you to compile code of differing levels of nastiness, you have
to be super user to set level 1 and you have to have $USER set to
"Ronald Reagan" to compile code set to level 2?  :^>

Of course if you're talking about internal security, might I mention
type checking .... (evaporates in a flamefest :^> )

>   In regards to the voting booth example given above, I find it difficult
>to believe that a single voter fiddling around in the booth could rig an
>election.  

I've never been in a voting booth.  Do they have RS232 ports so that you
can plug in your portable computer, hack into the network, and fix the
vote?  How very accommodating of them !  :^>

>   The reason I ask is because this is a topic that interests me.  I'm
>studying network communications in the Masters program at Johns Hopkins
>University, and security is a subject of heightened interest at the moment.

Apologies for the sarcasm, I think this could be an interesting discussion,
just move it to the correct newsgroup (or limit the discussion to program
language issues)

Regards,
	Fraser Orr

cs374124@umbc3.UMD.EDU (Clark "Crash" Culligan) (11/22/88)

In article <8811171507.AA08404@jade.berkeley.edu> ZMLEB@SCFVM.BITNET (Lee Brotzman) writes:
>
>Was anyone watching either the Today Show on NBC or Good Morning
>America on ABC between 7:30 and 8:30 earlier this week (probably
>Monday)?  Let me explain why.  My parents caught someone on those talk
>segments that was talking about the Computerized Voting Booths.
>Apparently, he was saying that because they were written in Forth they
>could be tampered with, because Forth is an unsecure language.

   (stuff from the middle deleted)

>   I'm posting this to try to raise another topic of discussion.
>Is there such a thing as a "secure" programming language, or can only
>programs themselves be thought of as secure?  What techniques can be used
>to write secure programs in any language, especially Forth?

   Language "security" I think has something to do with the
error-trapping and/or memory protection of a program being executed. A
"secure" language will trap errors that will trash variable memory, tear
through program memory, etc.
   In that regard, Forth is unsecure. Then again, Forth is MEANT to be a
wide-open, fully changeable language. Rarely have I seen a FORTH program
not dip into program memory to change pointers to other words around.
Why, the very act of changing the value of a variable involves taking
the memory location and writing a new value to it.
   Forth is not a language for idiots, because Forth has no tolerance
for idiocy.

   On the other hand, the security THEY'RE talking about is
tamperability. How tamper-proof a program is depends on how it's
written. A Forth system could be very secure, for instance, if you use
specially coded words (so they couldn't be perniciously executed without
a special book), and the stack space should be reduced to make any
on-the-spot changes impossible without involving a stack-heap collision.
I'm not studying Forth officially (it's more of a hobby), but that's the
way I'd start write-protecting the language.

   On the third hand, we're talking about voting booths here. That means
we're talking about officials, probably government officials, and THAT
means government officials working with Forth. Stick to Cobol, guys.
Leave the Forth programming to the experts...

                                              -David Wood
                                              -Lowly Student, UMBC

===================================================================
= "Did YOU water your grandmother today?" = Strangeness On Demand =
===================================================================
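
The point in the last post about error trapping, that a plain Forth store writes wherever the address arithmetic lands, shown as an added example that is not part of the original thread. It assumes a standard Forth with the Exception word set (CATCH/THROW); TALLY, SEALED, RAW+! and SAFE+! are hypothetical names and the data layout is constructed for illustration.

```forth
\ Added illustration; all names and the data layout are constructed.
\ Four tally cells followed directly by one flag cell in data space.
CREATE TALLY  4 CELLS ALLOT
HERE 1 CELLS ALLOT CONSTANT SEALED       \ address of the cell after TALLY

: SLOT   ( i -- addr )  CELLS TALLY + ;  \ unchecked address arithmetic
: INIT   ( -- )         TALLY 4 CELLS ERASE  -1 SEALED ! ;

\ Unchecked: +! trusts the address, so index 4 updates SEALED instead.
: RAW+!  ( n i -- )     SLOT +! ;

\ Checked: reject indexes outside 0..3 before memory is touched.
\ -9 is the standard THROW code for "invalid memory address".
: SAFE+! ( n i -- )
  DUP 0 4 WITHIN 0= IF  -9 THROW  THEN
  SLOT +! ;

\ Run both stores against the same out-of-range index.
: DEMO ( -- )
  INIT  1 4 RAW+!
  CR ." SEALED after unchecked store: " SEALED @ .
  INIT  1 4 ['] SAFE+! CATCH
  CR ." SAFE+! throw code: " .  2DROP     \ CATCH leaves the two args' slots
  CR ." SEALED after checked store: " SEALED @ . ;

DEMO
```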