If you’re a computer scientist and you’ve not read this seminal work, you owe it to yourself to do so. (Un)fortunately, it’s become hard to find platforms on which the attack can be reproduced in the form described, but it’s a transformative experience when you do.
Mastery of the buffer overflow attack - not just understanding it conceptually, but actually being able to execute it - is like developing a terrible superpower. You start to understand the problem of security in an entirely different way. @aleph_one’s paper made that accessible.
Anyway, @aleph_one’s paper, and an exercise based on it, is assignment #1 in every security course I teach.
@aleph_one Ah, I neglected to include a link: phrack.org/issues/49/14.h…
Also, the timeline is notable. The Morris Worm (the first large scale buffer overflow exploit) was 1988. Smashing the Stack was 1996 and was directly usable. And here in 2021, most major OSs now ship with mitigations, but vulnerable C code is still alive and well.
Buffer overflows have had an amazingly and depressingly long tail. We knew about them well before 1988, and they can still be used to exploit real systems.
Compare this with, say, our response to Y2K. That problem was identified, there was a large but manageable and orderly effort to examine systems and eradicate it, and by 2000, it was no longer a threat. All the while, buffer overflows remained unpatched and exploited.
Part of it likely had to do with the fact that Y2K was very easy to explain, even to nonprogrammers. But you can’t really internalize the reality that buffer overflows are more than a hypothetical threat until you implement one. That’s why @aleph_one’s paper was important.
(Y2K, for you young folks, was the “Year 2000 Problem”. Many programs built in the 20th century used a two character data structure to represent years, which would be fine if the world were going to end in 1999. But if you need to compare dates from different centuries, yikes).
Y2K was a consequence of unfortunate timing in computer history coupled with a lack of imagination. Computers were invented mid century. Two digit years were unambiguous for the recent past and immediate future for most purposes. And no one thought software lasted decades.
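As an added illustration, not part of the thread and not code from Aleph One's paper, here is the C pattern the thread calls "alive and well": a fixed-size stack buffer filled by an unbounded strcpy(), beside the bounded form that checks the length before copying. The function names, the 16-byte buffer size and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed for the example: a small fixed-size stack buffer. */
#define GREETING_BUF 16

/* The defect the thread describes: strcpy() writes as many bytes as the
 * source holds, with no regard for the destination's size. Kept only to
 * show the pattern; it is called below with input that fits. */
int greet_unbounded(const char *name)
{
    char buf[GREETING_BUF];
    strcpy(buf, name);              /* BUG: no bound on the copy */
    printf("hello, %s\n", buf);
    return 0;
}

/* Hardened form: reject input that does not fit (terminator included),
 * then copy exactly the checked length. Returns 0 on success, -1 if the
 * input was rejected. */
int greet_bounded(const char *name)
{
    char buf[GREETING_BUF];
    size_t len = strlen(name);
    if (len >= sizeof buf) {
        return -1;                  /* would overflow buf */
    }
    memcpy(buf, name, len + 1);     /* len bytes plus the NUL terminator */
    printf("hello, %s\n", buf);
    return 0;
}

/* The length check on its own, so callers can validate before copying. */
int fits_in_buffer(const char *s, size_t bufsize)
{
    return strlen(s) < bufsize;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that does not. */
    const char *short_name = "alice";
    const char *long_name = "this name is far longer than sixteen bytes";

    greet_unbounded(short_name);    /* safe only because the input fits */
    printf("bounded(short) = %d\n", greet_bounded(short_name));
    printf("bounded(long)  = %d\n", greet_bounded(long_name));
    return 0;
}
```

The bounded version rejects oversized input instead of silently truncating, which keeps the failure visible to the caller; the unbounded version is the one a compiler's fortification or a stack canary would have to catch at run time.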