DJB Announces 44 Security Holes In *nix Software
generationxyu writes "D. J. Bernstein, better known as DJB, has announced the discovery of 44 security holes that were found by students in his course MCS 494: Unix Security Holes this fall at the University of Illinois at Chicago. Vulnerable programs of note include: CUPS, NASM, mpg123, MPlayer, xine-lib, and numerous others. Copies of the notification emails are here. The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software. In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course."
Misleading Title (Score:4, Insightful)
Why? (Score:0, Insightful)
Why is that low? I found 44 security holes to be a rather alarming amount.
Re:Misleading Title (Score:5, Insightful)
Re:Misleading Title (Score:3, Insightful)
Re:Don't just take this lying down, IMO (Score:5, Insightful)
What? (Score:4, Insightful)
Re:Don't just take this lying down, IMO (Score:5, Insightful)
1. This is the first term this class has been taught.
2. Nobody did well with the homework if the entire class of 25 students only found 44 holes.
3. Even those who were among the best students in the class, getting A's on all the exams, only found 2-3 holes.
Therefore the grades should be assigned to fit a bell curve based mainly on test scores and minimizing points earned for the homework.
ah, buffer overflows... (Score:4, Insightful)
I see the two specific items linked to are buffer overflow exploits. Anyone learning to program in C needs to have good buffer discipline beaten into their heads.
It's like wiping your butt after crapping - mandatory basic hygiene. If you can always remember to wipe your butt, you can always remember to watch your buffer lengths.
Most of the class failed? (Score:3, Insightful)
Define "failed." They failed to find holes? Or they failed the course?
I seriously doubt a prof would fail an A average student for not being able to find a hole for an assignment. Extra credit, maybe, but an F? I mean, WTF?
My thoughts. (Score:5, Insightful)
Evidence to support this belief:
1) Giving homework to "go out and find some exploits" doesn't teach you anything and has a very unpredictable "path to completion"; i.e., it's not like there's a "problem" to solve, per se. It's simply a matter of some students having gotten lucky whereas others failed.
2) "After 300 hours of work and an A average on the exams, I expect to fail the course." Either the student is overly pessimistic (which is possible), or the prof has done very little to: (a) boost morale, reassure students, or instil confidence; or, (b) grade students appropriately for the effort that they've put in. I think that the truth always lies somewhere between the extremes.
3) "In a class of 25, 44 security holes seems a bit low." I highly doubt this, but then again, it entirely depends. If you're trying to find a security hole in "telnet" or "finger", I think you'd be outta luck -- the average joe undergrad would be better off picking random numbers to win the lottery than to find holes in software that has been tried, tested, and true for years.
Alternatively, if you just go to http://freshmeat.net and find some little backward project coded by a grade 9 high school student -- well, yeah, I think that an exploit should be pretty straightforward. Which leads me to ask: What the fuck does this assignment actually prove/teach? (See point (1), above.)
Fourth year: bird courses only please (Score:4, Insightful)
It's well known that every college grinds out the poor students in the first two years...if you've made it to fourth year, it's time to ladle up some gravy and bolster your GPA in time for grad school applications, resume bolstering, etc.
So the real moral is that the most intelligent students are the ones avoiding the course altogether. If you want to get an education in unix security holes, go read the OpenBSD mail archives.
What's the deal? (Score:5, Insightful)
10 for each student? I doubt DJB himself could find 10 on his own inside of a semester.
In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course.
I guess the whispers I've been hearing about DJB being a complete asshole are true. It is always nice to have your academic future dictated by such people to your disadvantage, even though you may be a cut above the teacher himself. And in the meantime he will take credit for your work while simultaneously failing you. Thank you, sir, for reminding me why I dropped out of college.
If the majority of the class failed... (Score:5, Insightful)
Re:Don't just take this lying down, IMO (Score:4, Insightful)
No, no, and hell no. As a student, you are a student. Leave your stupid consumer victimization routine in suburbia, where it belongs. Don't try to bring that crap to academia.
Re:Misleading Title (Score:5, Insightful)
I think that most people would agree that if the program can be *easily* removed from the underlying OS, it's not part of the OS itself. Therefore I would not consider notepad.exe part of the OS, however I would consider explorer.exe (even though it is a separate application).
If you don't agree, it's okay, but that's how I think of it.
Re:Misleading Title (Score:3, Insightful)
Re:Don't just take this lying down, IMO (Score:3, Insightful)
Frankly, I think you're jumping the gun here. Ten is a nice round figure and one that suggests that it might have been picked arbitrarily. Perhaps the professor asked for ten but didn't expect any one individual to find more than two or three? Perhaps the professor wasn't as interested in their results as he was their methodologies and definitions of what did and didn't constitute a vulnerability? Perhaps he was using the exercise to reinforce lessons on how to create a secure computing environment?
Chew on that for a while, and while you're doing that think about the fact that you should be looking at university as a learning experience, not merely an acquisition of course credits. Frankly, your post makes you sound like someone who would sue their professor if he so much as considered awarding you less than a pass mark.
Re:Don't just take this lying down, IMO (Score:5, Insightful)
Re:Fourth year: bird courses only please (Score:3, Insightful)
Re:Boohoo (Score:2, Insightful)
Re:Don't just take this lying down, IMO (Score:5, Insightful)
Re:Don't just take this lying down, IMO (Score:4, Insightful)
I actually had a class like that, expected to fail but passed because I actually did a lot of work on the problem and it showed. This may be one of those cases. Remember, research is about trying your best but still failing, actually most of the time.
Re:Don't just take this lying down, IMO (Score:2, Insightful)
I couldn't agree with this post any more.
Let me also say that if this professor feels so high and mighty, let's see this person perform the assignment themself! Something tells me this professor would also fail!
10 previously undiscovered exploits for one person to find is a serious undertaking. Most Security Professionals probably don't find that many per year I would guess.
Sheesh. What an ass.
Re:Don't just take this lying down, IMO (Score:3, Insightful)
Same rules apply for universities, as the army, private industry, etc.
Re:My thoughts. (Score:5, Insightful)
Re:Sounds like Fermi at University of Chicago (Score:1, Insightful)
Strange definition of 'remote exploit' (Score:3, Insightful)
Example: http://www2.uic.edu/~kkubic1/securesoftware/26.tx
Jonathan Rockway, a student in my Fall 2004 UNIX Security Holes course, has discovered a remotely exploitable security hole in NASM. I'm publishing this notice, but all the discovery credits should be assigned to Rockway.
The only way I'd call this a remote exploit would be if someone has written an apache module that takes some assembly code and returns an executable. I don't think that's a very common setup.
Baz
Re:Don't just take this lying down, IMO (Score:5, Insightful)
Frankly, I think you're jumping the gun here...
I didn't jump the gun, I provided a qualified statement. You know, "if he does this then you should do this".
Now, let me provide another statement which may or may not apply to this specific case (since we haven't seen grades yet): Any time an entire class fails, it is on the professor's shoulders. Since we assume that the people in the class are both mentally competent and reasonably intelligent based on the fact that they're in college, and excepting odd situations (a 1 or 2 person class, for instance), a near-100% failure rate can only be one of three things:
1. The professor has created a class which cannot be successfully completed given the time constraints and the level of the students.
2. The professor has completely failed to impart his knowledge to the students.
3. The professor has based the grades on items which do not accurately reflect what was taught in the class.
Implying that a professor who fails all or nearly all of a given class has competently done his/her job is nonsense. It's not "part of the learning experience", it's a professional failure on the part of the professor and needs to be treated as such. In any event, when this sort of extraordinary event occurs, the University itself is responsible for allowing that failure to occur.
Re:Misleading Title (Score:4, Insightful)
or better yet, since it sounds as if this is an assignment due at the end of the semester, dive into some code, write up a few paragraphs on what you *think* is a security flaw, and submit it.
heck, i think the instructor should give credit for explaining 10 good code examples of secure routines.
Re:Don't just take this lying down, IMO (Score:5, Insightful)
That's different, and it's still bad because that reflects poorly on the professor. If you were a university, would you want to hire a professor of astronomy who couldn't teach people the basics (for whatever reason)?
What most of these posts are saying is that this professor did not grade these students on a reasonable test of their skills. It's kind of like a professor of Art History requiring students to discover a previously undiscovered Picasso. Sure, some may exist in people's basements or garage sales, and sometimes a new piece of art from an expired artist shows up on the auction block from an previously unknown collector of rare things, but would you consider it fair to flunk art students who could not find a new Picasso? How would you rate such a find, grade-wise?
Re:It's just an assignment - Did you even go to un (Score:5, Insightful)
Makes sense.
The requirements are to exploit 10 holes in unix software. Nowhere does it say that the unix software must come standard with any distros, and it doesn't say that you can't write it yourself.
Write a simple program with 10 holes in it, point them out, and boom you win.
We are talking about finding vulnerabilities and exploiting them aren't we? I'd get extra credit for finding and exploiting holes the class requirements.
Re:Misleading Title (Score:3, Insightful)
Yes, most people would. And that's why the title says *nix Software rather than *nix OS's. I don't know anybody who defines "software" as meaning "something that is part of an OS". The title isn't misleading at all. In fact, it makes it explicit that we are discussing software for *nix rather than the OS itself.
Re:Fourth year: bird courses only please (Score:3, Insightful)
There is a time for learning for learning's sake - retirement.
That's one way of looking at it, sure. But I think I'll learn for learning's sake my entire life, thank you very much. That way I wouldn't feel my life was a waste of time if I died at 64.
Re:Don't just take this lying down, IMO (Score:3, Insightful)
Re:Don't just take this lying down, IMO (Score:1, Insightful)
It is not okay to fail an entire class if the professor cannot teach worth a damn and demands more than the students could ever possibly learn on their own. Your post implies that all professors are good at their job and have reasonable expectations. I have seen the results of a professor who did actually fail an entire class and, trust me, it was not because the students didn't try. The Professor was INCOMPETENT and was fired on the spot.
The problem is that most professors fall into one of three categories:
1. Those are brilliant in their field, but simply cannot teach.
2. Those that are brilliant in their field but are too concerned with their own personal research and egos to teach.
3. Those that could not make a career in their field of choice and decide to teach instead.
In my experience, it is the exception and not the rule for a professor to be brilliant in their field, able to teach the subject, and actually interested in their students and whether they understand the material. Why don't YOU chew on that before lecturing on the college experience.
Re:Why? (Score:3, Insightful)
I don't. Your average security hole is exploitable under only very limited circumstances -- say, if a program is being run with privileges that the individual invoking it doesn't have.
Holes of that sort are extremely widespread (and part of the reason why marking programs that haven't been audited setuid is generally understood to be bad practice).
Re:Sounds like Fermi at University of Chicago (Score:1, Insightful)
Er, wait now. There are courses where working to your full capacity should not have any bearing on a pass. Sometimes you're being tested to show you have mastered a skill, not that you've shown dedication.
Pretty much any course past the middle of high school, really.
Re:Misleading Title (Score:5, Insightful)
Ahh, this is such stuff that pointless flamewars are made on.
Cheers
Stor
Re:Well, that's surprising (Score:3, Insightful)
Let's say I receive a virus attached to an email, which I open with kmail.
First of all, I've got to save it to disk, mark it as executable, and run it. This alone makes it quite improbable.
Second, the virus has actually to start up, and Linux binaries don't necessarily work on other systems, unless statically linked.
Assuming it's statically linked, Linux systems are rather less standard than Windows ones. How does it send mail? Well, kmail has a dcop interface, but I don't see a function for sending. The virus could compose it of course, but the user would need to click send on it.
Next, it can perhaps try using the server at localhost. If there's one, that is, since normal people probably aren't going to be running one. Reading the user's kmail config would probably work though, as long as the password is there.
So, overall I'd say, yeah, it's possible. But all the obstacles above make it a lot harder to do than on Windows, especially the first one. To make it run you probably would need to find a buffer overrun in a mail client, and that's increasingly uncommon these days.
Re:Most people will pass (Score:1, Insightful)
So guy-I-knew approached Parnas, and asked why.
"Because I don't like you".
Perhaps a nice letter from a lawyer will help... or an academic appeal.
Re:I can see it now... (Score:3, Insightful)
Re:Most people will pass (Score:4, Insightful)
"Because I don't like you".
And that was the end of it.
I wonder why? Disliking someone is NOT a valid reason to assign low grades. Thinking their work is crap is a valid reason. That statement pretty much could have enabled the student to have his grade reevaluated by an outside observer. I would have complained to academic affairs. After all, if the professor already dislikes you, that bridge is already burned.
If the story is true, of course.
Re:Modern education sunken to a new low (Score:4, Insightful)
Re:Don't just take this lying down, IMO (Score:3, Insightful)
"follow the chain of command..."
"the *political* office..."
John Sheridan knew his stuff alright; it sure is one way to start a civil war! (sort of)
Re:Misleading "Exploits" (Was Re:Misleading Title) (Score:5, Insightful)
A video player, say, should be completely immune to bad input. It should not be possible to craft an input file that causes my video player to delete files or anything like that.
There is a very limited class of data (scripts, executables) that need to be "dangerous". Viewing a jpeg, even a jpeg hand-crafted by Dr. Evil, should never have the ability to do anything bad [well, OK, seeing the goatse guy is bad, but you know what I mean].
Re:Don't just take this lying down, IMO (Score:5, Insightful)
Re:Don't just take this lying down, IMO (Score:2, Insightful)
As a teacher, I agree 100% with parent (Score:2, Insightful)
If I cannot get a majority of my students to understand the topics enough to pass my grading criteria, then I have somehow failed to properly instruct them. As an employee of the school, the school has also failed them (I am an agent of the school).
What is the point of taking a class which has a failure rate higher than, say, 50%? Unless this is a live or die case, such as SEAL training, this is completely absurd.
As far as the students being smart enough to take the class... that is why most classes have prerequisites. If each of these students meets all prerequisites, and participates fully and honestly in the class, the failure rate should not be as high as this one appears (90%-ish).
Instructors MUST be held accountable for being successful teachers. If the student does not learn, despite real effort, then the fault lies with the person who had the knowledge, but failed to pass it on.
Re:Good idea? (Score:5, Insightful)
You also know more about IT management, unrealistic goals, undeserved punishment, and PHBs [wikipedia.org] than most professionals now. I don't know whether to rejoice in your hardwon jumpstart on corporate wisdom or mourn the inevitable early onset of cynicism.
Re:Don't just take this lying down, IMO (Score:4, Insightful)
1) Make wildly overstated demands.
2) Watch 1/3 of students abandon class.
3) Hold class
4) Back off on demands and grade fairly.
(Sorry, this is academia. No profit involved.)
Re:You can attract more bees with honey... (Score:1, Insightful)
Have you ever actually worked with qmail? It's rubbish. I administered a qmail system for two years with 60,000 users. It's a pile of absolute rubbish.
#1 DJB doesn't believe there are any bugs in his code. Technically, they may not be. Operationally, however, there are HUGE holes in his code.
#2 qmail accepts all mail first, THEN generates bounce messages internally. What this means is that when someone spams your server from wruiohwrui@yahoo.com to nonexistentaddress@yourserver.com, qmail will say "Yes! Please rape me!" and accept the message. It will then generate the bounce message and spend the next 5 days trying to deliver it to wruiohwrui@yahoo.com.
#3 the qmail queue processes choke up on any amount of moderate to high load, and will use 99% of CPU scanning the queue and not actually getting any work done.
#4 DJB arrogantly states that all servers should be running in GMT time because that makes more sense when trying to figure out logfiles. Hello?! ALL MY USERS ARE IN JAPAN. They don't care about the rest of the world.
#5 The log files are barely readable. It is almost impossible to actually track what happened to a particular delivery.
#6 Want spam/virus scanning? Forget it! You'll have to patch the code!
#7 Want LDAP support? Forget it! You need to patch it!
#8 Want to fix any problem operationally with qmail? FORGET IT! IT NEEDS TO BE PATCHED!
Sorry, I have a lot of pent up hatred for DJB and qmail. Anyone who says he is a good developer needs to actually USE his software in a real environment, in the real world, and they will quickly come to the opinion that
a) DJB is mostly right in his opinions, philosophically
b) DJB is completely ignorant of the realities of running a business.
I have to post this as an anon coward because I'm frightened DJB will slap a lawsuit on me for libel or some such.
Re:Agreed, many profs are abusive (Score:3, Insightful)
And you have never seen a female use tears to play on someones emotions and get their own way?
I was once naive like you.
Re:Good idea? (Score:2, Insightful)
Re:It's just an assignment - Did you even go to un (Score:1, Insightful)
If I was there, I'd have immediately walked straight to my dean's office and dropped the class.
Then I'd have put in a request to audit the class informally
Re:Because bind and kerberos (Score:1, Insightful)
So sure, sendmail does more than qmail. But with the right companion programs and scripts, qmail can do just as much as sendmail while maintaining its airtight security. That's what makes DJB's design so compelling.
How to get your A (Score:2, Insightful)
At least if you flunk, you get to watch the monkey dig through code for the next six months to avoid losing his job.
I bet the math professors don't pull that crap with the next ten prime numbers.
Re:You can attract more bees with honey... (Score:3, Insightful)
Yes. It's not rubbish. Rediffmail is using it on their mail service and they have 25,000,000 users.
Operationally, however, there are HUGE holes in his code.
Your bullet points are numbered, but this one doesn't deserve a number, since it simply says that you have a non-zero number of bullet points.
#2 qmail accepts all mail first, THEN generates bounce messages internally.
Yes, it does. Why tell remote attackers which email addresses are valid and which are not? You're just inviting dictionary attacks. Qmail users never complain about dictionary attacks because they're never subjected to them.
#3 the qmail queue processes choke up on any amount of moderate to high load,
This is the silly qmail syndrome. You can either provision more servers or apply a patch.
#4 DJB arrogantly states that all servers should be running in GMT time because that makes more sense when trying to figure out logfiles. Hello?! ALL MY USERS ARE IN JAPAN. They don't care about the rest of the world.
And you call djb arrogant?
#5 The log files are barely readable. It is almost impossible to actually track what happened to a particular delivery.
Obviously you never discovered qmailanalog.
#6 Want spam/virus scanning? Forget it! You'll have to patch the code!
Well, this one is simply wrong. There are any number of qmail-queue replacements which don't require any patching.
#7 Want LDAP support? Forget it! You need to patch it!
Well, qmail-ldap certainly patches a whole hell of a lot of code, however, it also does boat-loads more than simply supply an ldap interface. Contrary to what you say, I managed to write an LDAP interface for a customer without having to patch qmail. LDAP, on the other hand, is generally a piece of crap, but that's another topic.
#8 Want to fix any problem operationally with qmail? FORGET IT! IT NEEDS TO BE PATCHED!
How else do you fix software? When you were a child did you walk to school uphill both ways?
Sorry, I have a lot of pent up hatred for DJB and qmail. Anyone who says he is a good developer needs to actually USE his software in a real environment, in the real world,
I have, and qmail works just fine for me and my customers.
Re:Misleading "Exploits" (Was Re:Misleading Title) (Score:3, Insightful)
It is not outside the realm of possibility that, for instance, a web server would use various programs to automatically process uploaded images.
Re:Good idea? (Score:5, Insightful)
Welcome to astronomy 101, 60% of your grade will depend on finding 10 new planets in our solar system
"and security than most professionals now,"
I have my doubts.
Re:Students didn't exploit the loophole (Score:3, Insightful)
My personal experience with reporting PHP Nuke bugs is the author just doesn't want to fix them (he appears to expect fixes to come with reports ) and grumbles at you, so I stopped bothering. Why should I fix PHP Nuke? Judging from the code I'd use some other software - I was just checking for other people to see if PHP Nuke was fit for use. My verdict was "not fit for use".
If you can't find anymore in PHP Nuke, just look for other PHP software that requires "track vars" and other insecure options.
The students who fail shouldn't have taken the class at all - if they are checking software that is already likely to have been audited, they obviously lack the necessary way of thinking, and that sort of thing is not DJB's fault.
Re:Misleading Title (Score:2, Insightful)
Re:Varying levels of seriousness... (Score:3, Insightful)
Blanket statements like this (and like "Goto is evil") do nothing to help improve the quality of software as we know it. strcat() is not evil. Using strcat on uncontrolled/unmonitored input on buffers whose memory allocation we are unsure of IS.
I have actually seen code like this in real production software:
#include <stdlib.h>
#include <string.h>

char *xyz(const char *a, const char *b)
{
    char *s;
    s = malloc(strlen(a) + strlen(b) + 1);   /* return value never checked */
    strncpy(s, a, strlen(a));                /* copies a but writes no terminating NUL */
    strncat(s, b, strlen(b));                /* must first scan uninitialised heap bytes for a NUL before appending */
    return s;
}
Not only is this patently wasteful -- the strn* functions unnecessarily checking bounds AND the extra strlen() calls [depending on optimization] -- but it generates buggy code! For the string to be valid, s[strlen(a) + strlen(b)] must "just happen" to be zero.
ACK!
That error is caused by juvenile programmers thinking that "strcat is evil", which in turn suggests that "strncat is good".
This code is correct, AND cheaper;
#include <stdlib.h>
#include <string.h>

char *xyz(const char *a, const char *b)
{
    char *s;
    if (!(s = malloc(strlen(a) + strlen(b) + 1)))   /* buffer sized for both strings plus the NUL */
        return NULL;
    strcpy(s, a);                                   /* copies a including its terminating NUL */
    strcat(s, b);                                   /* appends b; the buffer is known to be large enough */
    return s;
}
of course, being the huge Apache Runtime fan that I am, I would write something like this myself in most "real" cases:
#include <apr_pools.h>
#include <apr_strings.h>

char *xyz(apr_pool_t *pool, const char *a, const char *b)
{
    /* pool-allocated concatenation; the result lives as long as the pool */
    return apr_pstrcat(pool, a, b, NULL);
}
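The strcat discussion above (and the earlier remark about watching buffer lengths) is about two distinct failure modes: an unterminated buffer being handed to a function that scans for the NUL, and a destination buffer that is simply too small. The following is an added example, not code from any poster in this thread; the function names concat_dup, concat_into and the check helpers are my own. It shows a heap version that checks both the length arithmetic and the allocation, and a bounded version into a caller-supplied buffer that always terminates and reports how much space the full result needed, so the caller can detect truncation instead of silently losing data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Heap-allocating concatenation. Returns NULL on allocation failure or if
 * la + lb + 1 would wrap around size_t. Caller frees the result. */
char *concat_dup(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la > SIZE_MAX - 1 - lb)          /* length arithmetic would overflow */
        return NULL;
    char *s = malloc(la + lb + 1);
    if (!s)
        return NULL;
    memcpy(s, a, la);                    /* exact byte count, no NUL scanning */
    memcpy(s + la, b, lb + 1);           /* b plus its terminating NUL */
    return s;
}

/* Bounded concatenation into dst (dstsz bytes). Always NUL-terminates when
 * dstsz > 0. Returns the length the complete result needs (excluding NUL);
 * a return value >= dstsz means the output was truncated. */
size_t concat_into(char *dst, size_t dstsz, const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t need = la + lb;
    if (dstsz == 0)
        return need;
    size_t room = dstsz - 1;             /* reserve one byte for the NUL */
    size_t take_a = la < room ? la : room;
    memcpy(dst, a, take_a);
    room -= take_a;
    size_t take_b = lb < room ? lb : room;
    memcpy(dst + take_a, b, take_b);
    dst[take_a + take_b] = '\0';
    return need;
}

/* Returns 1 if concat_dup(a, b) yields exactly expected. */
int check_concat_dup(const char *a, const char *b, const char *expected)
{
    char *s = concat_dup(a, b);
    if (!s)
        return 0;
    int ok = strcmp(s, expected) == 0;
    free(s);
    return ok;
}

/* Returns 1 if concat_into with a cap-byte buffer (1 <= cap <= 32) yields
 * expected and its truncation report agrees with the real lengths. */
int check_concat_into(size_t cap, const char *a, const char *b, const char *expected)
{
    char buf[32];
    if (cap == 0 || cap > sizeof buf)
        return 0;
    memset(buf, 'X', sizeof buf);        /* garbage, to prove we terminate */
    size_t need = concat_into(buf, cap, a, b);
    int reported_trunc = need >= cap;
    int real_trunc = strlen(a) + strlen(b) >= cap;
    return strcmp(buf, expected) == 0 && reported_trunc == real_trunc;
}

int main(void)
{
    char small[8];                        /* constructed: deliberately too small */
    size_t need = concat_into(small, sizeof small, "hello, ", "world");
    printf("bounded: \"%s\" (needed %zu, have %zu%s)\n", small, need,
           sizeof small, need >= sizeof small ? ", truncated" : "");
    char *full = concat_dup("hello, ", "world");
    if (full) {
        printf("heap: \"%s\"\n", full);
        free(full);
    }
    return 0;
}
```

The point of returning the needed length from concat_into is the same one snprintf makes: a bounded copy that cannot tell the caller it truncated just moves the bug from a memory corruption to a silent data loss.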
Re:Don't just take this lying down, IMO (Score:1, Insightful)
Have you ever taught a class? I taught university level Physics (as a professor, not as a TA) and I can tell you that there are many people who took my Physics for non-Science/Math/Engineering/Comp Sci majors course who got into the class not knowing what Physics was, upon my explaining it to them and offering drop slips, signed in advance, available outside my office, most stayed in the class...
Then one day, a week before the final, two of these people came to my office (separately), one to complain that I had said there was no Math used in the class and had assigned this problem (reworded for brevity): if a thunderstorm is travelling at 15 MPH how long will it take to get to a city 300 miles away? (actually this was a small part of a problem on meteorology). I calmly explained to this individual that as we were in a University, this did not count as math.
The second individual was a young lady not wearing much, I had never seen her before that day, and she surely was wearing no underwear I could detect from my seated position behind my desk... She proceeded to tell me that she needed an A in the course and she would be happy to do anything I liked of a personal and private nature with me that weekend, at my home, to get that A. I suggested she study (really!) and asked why she had never been in class.
So, before you start handing out blanket statements, remember that you are assuming a lot.
Oh, that was out of a class of 64, and the class average was a 72% (we call that a C- where I come from, low passing grade), these were mostly seniors about to graduate.
Re:Varying levels of seriousness... (Score:3, Insightful)
> improve the quality of software as we know it. strcat() is not evil. Using
> strcat on uncontrolled/unmonitored input on buffers whose memory allocation
> we are unsure of IS.
No. The problem here (either way) is not what *functions* the programmer is
using; the problem is what *language* the programmer is using. C was great
in the 1970s, when computers filled whole rooms and needed every instruction
per second that could be squeezed out of them. At the time, more robust
languages (such as lisp) were just too darned slow, and if a feature required
the computer to do a little too much (or waste too much storage), it just
wasn't implemented. Word wrap was an optional _extra_ in word processing
software, because it required the whole line to be (gasp) recopied while the
user waited! C was great because it allowed programs that would otherwise
have to be written in assembly language for efficiency reasons to be more
portable -- and Unix directly benefitted from this, outstripping and leaving
in the dust a number of otherwise better systems (TOPS-20 for example) that
were unfortunately tied to specific hardware. Languages that allocated string
space dynamically and did other things to coddle the programmer, such as
lisp or BASIC, were only good for specific tasks where performance was less
critical. The real VHLLs didn't even exist.
Today, there are still things that need to be written in a low-level language
such as C. Device drivers are an excellent example. The performance and the
efficiency really matter there. The kernel's scheduler is another example.
But these things should be written by experienced programmers who know the
heck what they're doing. (Yeah, I know, it doesn't always work out that way,
and even experienced programmers still make mistakes...) But we still have
every noob and his kid brother trying to write high-level applications in C
for no good reason, and *this* is why we still have buffer overruns -- it's
because we still have fixed-size buffers.
Will better languages eliminate all bugs? No. But they will, eventually,
as they are gradually adopted, eliminate certain whole *classes* of bugs
that have been plaguing us for 30+ years, buffer overruns being one of the
most obvious. Pointer errors are another thing you don't have in VHLLs,
because you don't have unsafe pointers or pointer arithmetic. (You can still
make the mistake of treating a return value that may be undef as if it's
definitely a reference, but the bug that results is easier to track down,
because instead of happily writing bits into an unrelated piece of storage
and possibly smashing something that will haunt you six hundred lines of
code later it immediately complains that you can't use that value as a
reference.) You don't get a fencepost error on the max value of an array
index when you've replaced your legacy C-style for loops with foreach loops
that don't use indices, for example. (Legacy for loops have been deprecated
in Perl for virtually ever now, and in Perl6 they are going away completely;
for will always mean foreach and will always operate on a list. The other
VHLLs that haven't done this already will eventually.)
Your correct, cheaper code is still horribly needlessly long for what it
accomplishes: with the brace style fixed for terseness and the superfluous
blank lines removed, it still comes to seven lines (lines!), just to
concatenate a couple of strings, which shouldn't take seven characters.
And yes, I know it's a contrived example, but it's still illustrative.
Re:Good idea? (Score:4, Insightful)
Well, then perhaps you do deserve to fail. He's the one doing the grading, and he's the person responsible for giving you an assignment where success is based as much on luck as on technical prowess.
He tells you what he means and sticks with it. That's something to respect.
This is called begging the question. Why, exactly, is this something to respect?
"Hey, I'm going to kill you if you don't give me your money."
"Well, I don't have any money."
"Sorry, gotta kill you."
"That's cool. I totally respect that."
Perhaps if you didn't idolize him as much, you might realize the practical consequences of a failing grade for your GPA, and potential employment future. But at least you got to learn from a kick-ass prof, right? Or rather, an ass-kicking prof.
Re:ah, buffer overflows... (Score:2, Insightful)
Many Eyes (Score:2, Insightful)
I don't understand why this is a bad thing. It is the community watching itself and in this case it is the *NIX community watching itself.
I say we need more courses like this.
Re:Good idea? (Score:3, Insightful)
I have to say, it sounds like a stupid requirement. I study social sciences, so an equivalent for me would be like: "Come up with a ten point working plan for peace in the middle east"
Re:Don't just take this lying down, IMO (Score:3, Insightful)