Vast majority of the cybersecurity community: “an absolute ton of exploits come from memory safety issues with C/C++, we should move to memory safe languages like Rust to greatly reduce security risk and make everyone safer”
You: “Ehh Rust has a couple features, but it’s totally not worth switching from my precious precious C”
Not quite, had I done something more broad than sure. But I reference a specific group of people whose job it is to provide security guidance on such matters. The ones who are out there fighting the good fight, RE’ing malware and busting down botnets among many security things
But I’m sure you are similarly credentialed as the SMEs in the cybersecurity field right?
Nah. If you’d been leaning on specific statements of any given expert — of which it is of course possible to find plenty that might in such casual rhetoric be used to support whichever conclusion you like — that would’ve been argumentum ad verecundiam, an appeal to authority. Instead you cited an imagined “vast majority” to exaggerate the universality of your opinion.
P.S. Whilst I’m indulging my argumentative side perhaps it is also worth pointing out that you totally mischaracterized my own statements and motivation. I am not primarily a C programmer, and I’ve been happy to use Rust myself when the opportunity arises. I have no personal stake in this particular fight.
Ah I see your default is to sprinkle in a bit of argumentum ad logicam and add a dash of straw man at the end
Your statement comes across as the migration from C/C++ is more of an upgrade for new features and increased “ease of use” rather than an urgent security issue when it definitely is. It’s more than just a case of a couple of experts and some articles, you’ve got multiple governmental and NGOs like The NSA, The Whitehouse, CISA, DARPA all calling for the migration away from C/C++ to memory safe languages
“DARPA, the Defense Department’s (DOD) R&D agency, will lean on emerging AI capabilities in a new program to deal with the costly and time-consuming challenge of rewriting C and C++ code to Rust in a move designed to meet the push for federal agencies and private organizations to adopt memory-safe programming languages.”
"CISA, in conjunction with the National Security Agency (NSA), FBI, and the cyber security authorities of Australia, Canada, the United Kingdom, and New Zealand, said its call for better memory safety follows from its Secure By Design recommendations – endorsed by all of these cyber authorities.
“With this guidance, the authoring agencies urge senior executives at every software manufacturer to reduce customer risk by prioritizing design and development practices that implement MSLs [memory safe languages],” the report argues."
~
"CISA suggests that developers look to C#, Go, Java, Python, Rust, and Swift for memory safe code.
“The most promising path towards eliminating memory safety vulnerabilities is for software manufacturers to find ways to standardize on memory safe programming languages, and to migrate security critical software components to a memory safe programming language for existing codebases,” the CISA paper concludes."
But no one is talking about that that is doesn’t need to be Rust. There are alternatives that can do as much if not more with the type system & safety while being as low-level as C without some of Rust’s restrictions.
Vast majority of the cybersecurity community: “an absolute ton of exploits come from memory safety issues with C/C++, we should move to memory safe languages like Rust to greatly reduce security risk and make everyone safer”
You: “Ehh Rust has a couple features, but it’s totally not worth switching from my precious precious C”
Turns out there is a name for that. I had to look it up. Never seen such a striking example before.
Not quite, had I done something more broad than sure. But I reference a specific group of people whose job it is to provide security guidance on such matters. The ones who are out there fighting the good fight, RE’ing malware and busting down botnets among many security things
But I’m sure you are similarly credentialed as the SMEs in the cybersecurity field right?
Nah. If you’d been leaning on specific statements of any given expert — of which it is of course possible to find plenty that might in such casual rhetoric be used to support whichever conclusion you like — that would’ve been argumentum ad verecundiam, an appeal to authority. Instead you cited an imagined “vast majority” to exaggerate the universality of your opinion.
P.S. Whilst I’m indulging my argumentative side perhaps it is also worth pointing out that you totally mischaracterized my own statements and motivation. I am not primarily a C programmer, and I’ve been happy to use Rust myself when the opportunity arises. I have no personal stake in this particular fight.
Ah I see your default is to sprinkle in a bit of argumentum ad logicam and add a dash of straw man at the end
Your statement comes across as the migration from C/C++ is more of an upgrade for new features and increased “ease of use” rather than an urgent security issue when it definitely is. It’s more than just a case of a couple of experts and some articles, you’ve got multiple governmental and NGOs like The NSA, The Whitehouse, CISA, DARPA all calling for the migration away from C/C++ to memory safe languages
https://devops.com/darpa-turns-to-ai-to-help-turn-c-and-c-code-into-rust/
“DARPA, the Defense Department’s (DOD) R&D agency, will lean on emerging AI capabilities in a new program to deal with the costly and time-consuming challenge of rewriting C and C++ code to Rust in a move designed to meet the push for federal agencies and private organizations to adopt memory-safe programming languages.”
https://www.theregister.com/2023/12/07/memory_correction_five_eyes/
"CISA, in conjunction with the National Security Agency (NSA), FBI, and the cyber security authorities of Australia, Canada, the United Kingdom, and New Zealand, said its call for better memory safety follows from its Secure By Design recommendations – endorsed by all of these cyber authorities.
“With this guidance, the authoring agencies urge senior executives at every software manufacturer to reduce customer risk by prioritizing design and development practices that implement MSLs [memory safe languages],” the report argues."
~
"CISA suggests that developers look to C#, Go, Java, Python, Rust, and Swift for memory safe code.
“The most promising path towards eliminating memory safety vulnerabilities is for software manufacturers to find ways to standardize on memory safe programming languages, and to migrate security critical software components to a memory safe programming language for existing codebases,” the CISA paper concludes."
But no one is talking about that that is doesn’t need to be Rust. There are alternatives that can do as much if not more with the type system & safety while being as low-level as C without some of Rust’s restrictions.