Path: utzoo!attcan!uunet!husc6!cmcl2!adm!smoke!gwyn
From: gwyn@smoke.BRL.MIL (Doug Gwyn )
Newsgroups: comp.unix.wizards
Subject: Re: Implications of recent virus (Trojan Horse) attack
Message-ID: <8890@smoke.BRL.MIL>
Date: 14 Nov 88 21:54:51 GMT
References: <17519@adm.BRL.MIL>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) )
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 19

In article <17519@adm.BRL.MIL> rbj@nav.icst.nbs.gov (Root Boy Jim) writes:
>I can imagine you crusading against gets() in both the C and POSIX
>standards and I hope you have had success in that area. I would go
>so far as to suggest that everyone remove this routine from libc.a
>and place it in a separate library available only upon special request
>for binary applications only, after filling out numerous forms.

Although I probably voted to remove gets() from the proposed C standard,
I will stand by X3J11's decision to leave it in. As explained in
discussions raging in comp.lang.c (INFO-C), there are safe uses for
gets(), its "problem" is well known, there are several other standard
library routines with similar characteristics, and a lot of existing
code uses it (sometimes safely, sometimes not).

People are focusing on the wrong problem. The Internet virus also
attacked through a hole unrelated to gets(), and I know of at least
three other such holes. The general problem is lack of sufficient
attention to detail in security-related code. You're not going to
solve this by outlawing a sometimes useful tool.
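As an added illustration, not part of Gwyn's post or of the thread, the bounded line reader below shows exactly what gets() lacks: a length argument. It reads at most size-1 bytes, always NUL-terminates, and when a line does not fit it reports that fact and drains the rest of the line, so the next call starts on a fresh line rather than returning the tail of the previous one as if it were new input. The getchar_fn callback, the line_status enum, the two source adapters and the SAMPLE input are my constructions, chosen so the reader can be exercised on an in-memory string as well as on stdin.

```c
#include <stdio.h>
#include <string.h>

/* Result of one bounded line read. */
enum line_status {
    LINE_OK,         /* a complete line was stored (newline stripped) */
    LINE_TRUNCATED,  /* the line did not fit; the excess was discarded */
    LINE_EOF         /* end of input reached before any byte was read */
};

/* Byte source: returns the next byte as 0..255, or EOF (like getc). */
typedef int (*getchar_fn)(void *ctx);

/*
 * Bounded replacement for gets(). Unlike gets(), it takes the buffer
 * size and can never write past buf[size-1].
 */
enum line_status read_line(char *buf, size_t size, getchar_fn next, void *ctx)
{
    size_t n = 0;
    int c;

    if (size == 0)
        return LINE_EOF;            /* nowhere to store anything */
    for (;;) {
        c = next(ctx);
        if (c == EOF) {
            buf[n] = '\0';
            return n == 0 ? LINE_EOF : LINE_OK;   /* last line may lack '\n' */
        }
        if (c == '\n') {
            buf[n] = '\0';
            return LINE_OK;
        }
        if (n + 1 < size) {
            buf[n++] = (char)c;
        } else {
            /* Buffer full: terminate what we have and discard the rest
               of the line so the caller is not fed its tail next time. */
            buf[n] = '\0';
            while ((c = next(ctx)) != EOF && c != '\n')
                ;
            return LINE_TRUNCATED;
        }
    }
}

/* Adapter: read from a FILE*. */
static int file_getc(void *ctx)
{
    return getc((FILE *)ctx);
}

/* Adapter: read from a NUL-terminated string (constructed test input). */
struct strsrc { const char *p; };
static int str_getc(void *ctx)
{
    struct strsrc *s = (struct strsrc *)ctx;
    return *s->p ? (unsigned char)*s->p++ : EOF;
}

/* Constructed sample input: one line longer than an 8-byte buffer,
   one empty line, and a final line with no trailing newline. */
static const char SAMPLE[] = "short\nthis line is far too long\n\nlast";

/* Reads SAMPLE through an 8-byte buffer, recording each line's status
   and text (up to max entries); returns the number of lines seen. */
int scan_sample(enum line_status *statuses, char (*texts)[8], int max)
{
    struct strsrc src = { SAMPLE };
    char buf[8];
    enum line_status st;
    int count = 0;

    while ((st = read_line(buf, sizeof buf, str_getc, &src)) != LINE_EOF) {
        if (count < max) {
            statuses[count] = st;
            strcpy(texts[count], buf);   /* buf is at most 7 chars + NUL */
        }
        count++;
    }
    return count;
}

/* Stand-alone use: echo stdin line by line, flagging truncated lines. */
int main(void)
{
    char buf[64];
    enum line_status st;

    while ((st = read_line(buf, sizeof buf, file_getc, stdin)) != LINE_EOF)
        printf("%s%s\n", st == LINE_TRUNCATED ? "[truncated] " : "", buf);
    return 0;
}
```

The point of returning LINE_TRUNCATED rather than silently clipping is that a caller handling security-relevant input (a password, a command line, a protocol field) can reject the over-long line instead of processing a prefix of it. The same missing-bound characteristic that the post mentions in "several other standard library routines" appears, for instance, in scanf's "%s" conversion used without a field width; the fix there is likewise to supply the bound.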