Hacker News new | ask | show | jobs
by scoutt 2673 days ago
A system crash is a bug. Period. In many cases it could lead to Denial of Service. An insulin pump can stop working.

I remember when C# came out almost 20 years ago. People said "I can forget about managing memory so I can focus on the logic". Programs kept crashing, memory problems were still there.

The article goes with "...remove the burden of memory safety from our shoulders, allowing us to focus on logical correctness and soundness instead...". More or less the same, and admitting that said problems won't go away.

But here we are, it's 2019 and we're still using C/C++ as if nothing happened.
1 comments
empath75 2673 days ago
A crash is a bug but not a security problem.
link
scoutt 2673 days ago
Such affirmation requires that a crash will never produce a security problem. But for example...

"Families are LOCKED OUT of or INSIDE their homes as Yale 'smart' security app crashes leaving dozens stranded"

https://www.dailymail.co.uk/news/article-6268379/People-lock...

"Households up and down the UK were unable to lock or unlock their doors"

An unlocked door it's a security problem too...

link
empath75 2673 days ago
That's still a bug. I feel like you're being intentionally obtuse about what's considered to be a security problem in code. Nobody ever suggested that rust code can never crash or have bugs. It's just about memory safety, which obviously has nothing to do with door locks.
link
scoutt 2673 days ago
Sorry if I gave that impression. It was not my intention.

> A crash is a bug but not a security problem.

I think that all bugs, the ones that produces crashes and security bugs should be all treated equally. A bug is a bug, whenever it has security implications or not.

To me, the article gives the impression that a system crash is not a security problem, because a Rust program will "terminate in a controlled fashion, preventing any illegal access". But one for example, can fingerprint a system by forcing it to crash.

And of course, nobody expects that Rust will prevent bugs from happening, but at the same time I don't get why the fixation of setting a difference between security bugs and bugs.

"security problems are just bugs" - Linus Torvalds. (http://lkml.iu.edu/hypermail/linux/kernel/1711.2/01701.html)

edit: Linus reference.

link
empath75 2672 days ago
Security problems are bugs but not all bugs are security problems.
link