Re: Functional programming and security

2014-05-06 Thread Mars0i
On Monday, May 5, 2014 3:20:41 AM UTC-5, Cecil Westerhof wrote: > > > That is why I do not understand that (where I live) they think you can > only be a good programmer if you only program in one language. > If I had to come up with a rule of thumb along this dimension it would be: Any truly ex

Re: Functional programming and security

2014-05-06 Thread Gregg Reynolds
If you want a friend, get a dog. If you want security, get a big mean-looking dog who barks a lot. Sorry, couldn't resist. On Tue, May 6, 2014 at 11:04 AM, Gary Trakhman wrote: > My 'Network Security' Professor once said to the class, 'There is no > security without physical security'. Prote

Re: Functional programming and security

2014-05-06 Thread Gary Trakhman
My 'Network Security' Professor once said to the class, 'There is no security without physical security'. Protecting data from being read in memory means you've already lost. On Tue, May 6, 2014 at 5:19 AM, Luc Prefontaine wrote: > Reading this thread convinced me. > I will not write any infor

Re: Functional programming and security

2014-05-06 Thread Cecil Westerhof
Seriously, when concerns about > security reaches the garbage collector > which operates in live memory, > I wonder why we bother entering > any information in a computer... > On a desktop probably not an issue, but on a server that can run for a very long time and has a lot of more hands touchi

Re: Functional programming and security

2014-05-06 Thread Luc Prefontaine
Reading this thread convinced me. I will not write any information on any support except my brain cells and will not share it to avoid any leaks. I will also forget it immediately so no one can scrub my brain to recover it. Going to erase everything I wrote and learned in the last past 30 years r

Re: Functional programming and security

2014-05-06 Thread Magnus Therning
On Tue, May 6, 2014 at 9:45 AM, Cecil Westerhof wrote: > 2014-05-05 19:48 GMT+02:00 Brian Craft : >> I would never have guessed modularity as a reason to worry about security >> in fp. >> >> I worry about immutability in fp, wrt security. Security requires >> mutability in order to remove sensitiv

Re: Functional programming and security

2014-05-06 Thread Cecil Westerhof
2014-05-05 19:48 GMT+02:00 Brian Craft : > I would never have guessed modularity as a reason to worry about security > in fp. > > I worry about immutability in fp, wrt security. Security requires > mutability in order to remove sensitive data from memory, and from app > history. A FIPS > Would f

Re: Functional programming and security

2014-05-06 Thread Cecil Westerhof
2014-05-05 12:17 GMT+02:00 Magnus Therning : > On Mon, May 5, 2014 at 10:20 AM, Cecil Westerhof > wrote: > > 2014-05-05 8:21 GMT+02:00 Magnus Therning : > > > >> any language" ;) However, choosing language wisely will allow you to > >> concentrate on solving the 'real' problem at hand, and relie

Re: Functional programming and security

2014-05-05 Thread Brian Craft
I would never have guessed modularity as a reason to worry about security in fp. I worry about immutability in fp, wrt security. Security requires mutability in order to remove sensitive data from memory, and from app history. A FIPS review, for example, requires demonstrating where in your co

Re: Functional programming and security

2014-05-05 Thread Magnus Therning
On Mon, May 5, 2014 at 10:20 AM, Cecil Westerhof wrote: > 2014-05-05 8:21 GMT+02:00 Magnus Therning : > >> any language" ;) However, choosing language wisely will allow you to >> concentrate on solving the 'real' problem at hand, and relieve you >> from solving unrelated problems (memory manageme

Re: Functional programming and security

2014-05-05 Thread Gregg Reynolds
On Mon, May 5, 2014 at 5:05 AM, Magnus Therning wrote: > On Mon, May 5, 2014 at 10:09 AM, Cecil Westerhof > wrote: > > 2014-05-04 23:40 GMT+02:00 Magnus Therning : > > > >> On Sun, May 04, 2014 at 09:24:08AM +0200, Cecil Westerhof wrote: > >> > I heard the stand that functional programming made

Re: Functional programming and security

2014-05-05 Thread Cecil Westerhof
2014-05-05 12:05 GMT+02:00 Magnus Therning : > On Mon, May 5, 2014 at 10:09 AM, Cecil Westerhof > wrote: > > 2014-05-04 23:40 GMT+02:00 Magnus Therning : > > > >> On Sun, May 04, 2014 at 09:24:08AM +0200, Cecil Westerhof wrote: > >> > I heard the stand that functional programming made it difficul

Re: Functional programming and security

2014-05-05 Thread Magnus Therning
On Mon, May 5, 2014 at 10:09 AM, Cecil Westerhof wrote: > 2014-05-04 23:40 GMT+02:00 Magnus Therning : > >> On Sun, May 04, 2014 at 09:24:08AM +0200, Cecil Westerhof wrote: >> > I heard the stand that functional programming made it difficult to >> > write secure programs. I do not know enough of f

Re: Functional programming and security

2014-05-05 Thread Cecil Westerhof
2014-05-05 8:21 GMT+02:00 Magnus Therning : > any language" ;) However, choosing language wisely will allow you to > concentrate on solving the 'real' problem at hand, and relieve you > from solving unrelated problems (memory management, dealing with > pointers, etc). It will also simplify reaso

Re: Functional programming and security

2014-05-05 Thread Cecil Westerhof
2014-05-05 5:48 GMT+02:00 Wei Hsu : > Perhaps Cecil is referring to this article, Clojure web security is worse > than you > think, > describing > the immature state of Clojure's web security libraries. I > No, it w

Re: Functional programming and security

2014-05-05 Thread Cecil Westerhof
2014-05-04 23:40 GMT+02:00 Magnus Therning : > On Sun, May 04, 2014 at 09:24:08AM +0200, Cecil Westerhof wrote: > > I heard the stand that functional programming made it difficult to > > write secure programs. I do not know enough of functional > > programming yet to determine the value of a state

Re: Functional programming and security

2014-05-05 Thread Cecil Westerhof
2014-05-04 21:59 GMT+02:00 Adam Saleh : > Well, what does it mean to write secure programs? Citation needed :) > Well, the statement was that for secure programming you needed to program modular. It was hinted that when you program functional you can not program modular. I would not know why, bu

Re: Functional programming and security

2014-05-05 Thread Cecil Westerhof
2014-05-04 17:40 GMT+02:00 Evan Rowley : > Most functional languages have design features that enhance their > security. I'm referring to Clojure, Haskell, and Erlang, but this won't be > limited to those three. As someone who was hired to handle cyber security > needs of a contracting IT company,

Re: Functional programming and security

2014-05-04 Thread Andrew Chambers
I would say the transaction model of datomic would have saved Mt Gox from its problems dealing with atomic transactions, however that's more due to datomic's design and poor design of the Mt Gox system than a clojure specific thing. On Monday, May 5, 2014 6:21:47 PM UTC+12, Magnus Therning wrot

Re: Functional programming and security

2014-05-04 Thread Magnus Therning
On Mon, May 5, 2014 at 12:13 AM, Evan Rowley wrote: > The question we have to ask is: Would use of a (specific?) functional > language prevented these? My opinion: > > Probably not in the case of Mt. Gox because their problems had more to do > with their application design. There is no language t

Re: Functional programming and security

2014-05-04 Thread Wei Hsu
Perhaps Cecil is referring to this article, Clojure web security is worse than you think, describing the immature state of Clojure's web security libraries. I don't think the language itself has much to do with this

Re: Functional programming and security

2014-05-04 Thread Evan Rowley
The most serious security vulnerabilities I've heard about for 2014 are Apple's SSL/TLS/HTTPS vulnerability, the OpenSSL Heartbleed vulnerability, FreeBSD's TCP bug, and of course the Mt. Gox bug that resulted in the company's bankruptcy. The Mt. Gox bug was caused by a flaw in the way they design

Re: Functional programming and security

2014-05-04 Thread Magnus Therning
On Sun, May 04, 2014 at 09:24:08AM +0200, Cecil Westerhof wrote: > I heard the stand that functional programming made it difficult to > write secure programs. I do not know enough of functional > programming yet to determine the value of a statement like this. > What is the take here about it? It

Re: Functional programming and security

2014-05-04 Thread James Reeves
On 4 May 2014 20:59, Adam Saleh wrote: > He thought, that using the language would make it harder to avoid cache > based and timing attacks due to nature of strict/lazy sequences. That's a good point, and one I hadn't considered. However, I can't think of any timing or cache based attack you c

Re: Functional programming and security

2014-05-04 Thread Adam Saleh
Well, what does it mean to write secure programs? Citation needed :) I remember a lengthy discussion with colleague of mine about writing cryptography primitives in Haskell. I suggested, that Haskell's strong typing and syntax well suited for expressing mathematics, combined with good speed makes

Re: Functional programming and security

2014-05-04 Thread Evan Rowley
Most functional languages have design features that enhance their security. I'm referring to Clojure, Haskell, and Erlang, but this won't be limited to those three. As someone who was hired to handle cyber security needs of a contracting IT company, my personal and professional opinion is this: I w

Re: Functional programming and security

2014-05-04 Thread James Reeves
I've never heard anyone express that sentiment before. If anything the opposite is true. A large part of writing secure code is about avoiding errors, so any language feature that helps you write error-free code is good for security. Functional programming eliminates mutable state as a source of e

Functional programming and security

2014-05-04 Thread Cecil Westerhof
I heard the stand that functional programming made it difficult to write secure programs. I do not know enough of functional programming yet to determine the value of a statement like this. What is the take here about it? -- Cecil Westerhof