From smcg@cs.hw.ac.uk Mon Jul 17 12:49:31 1989
From: smcg@cs.hw.ac.uk (Stephen McGowan)
Subject: Re: Beer - it's no joke!



			--------------------------------------
			BUGS.         DON'T LIVE IN IGNORANCE.
			--------------------------------------


-------------------------------------------------------------------------------
1.  Why Are You Being Sent This Message?
-------------------------------------------------------------------------------

This message is being sent to every software house in the country. It is about
BUGS. And everyone needs to know the facts. It explains what BUGS are, how they
spread, how serious the threat may be, and how they can be avoided.
Because it has to deal with matters of software and hardware, you may find
some of the information disturbing. But please make sure that everyone who
needs this advice reads this message. The more people who know about BUGS the
less likely they are to spread.

So, if you employ programmers, think carefully about what they need to know.
Whether or not you approve, many programmers do write programs, and some may
experiment with assembler.

Even if you think your programmer's don't act in this way, they will still need
advice because they may have friends who encourage them to.


-------------------------------------------------------------------------------
2.  Why Should You Be Concerned About BUGS?
-------------------------------------------------------------------------------

Any computer user can suffer from BUGS, depending on their behaviour. It is
not just a hacker's problem. There is no cure and they can cause crashes. By
the time you have read this, probably 3000 computers will have crashed in this
country. It is believed that a further 400,000 carry BUGS. This number is
rising and will continue to rise unless we all take precautions.

-------------------------------------------------------------------------------
3.  What Are BUGS?
-------------------------------------------------------------------------------

BUGS are caused by logical errors. These can attack a program's validation
routines which normally help fight off bad input and corruption. And if this
happens then programs can develop BUGS. They become unreliable and crash from
errors that cannot be detected.


-------------------------------------------------------------------------------
4.   How Do Programs Become Infected?
-------------------------------------------------------------------------------

Because errors can be present in specifications and designs, this means that
for most programmers the only danger comes through using a faulty design. This
applies to both top-down and bottom-up design. (It is believed that other forms
of design are also risky, such as SSADM, particularly if specifications are
taken at face value.)

So the errors can be passed from design to design, design to program, and back
again from program to design. For those who use assembler there is an added
risk from sharing software interrupts or device printers on a time-sharing
basis. Furthermore, sub-tasks spawned from infected programs have a high risk
of inheriting BUGS.

-------------------------------------------------------------------------------
5.   How Can You Protect Yourself From BUGS?
-------------------------------------------------------------------------------

(a)  Most programs which have errors don't even show it. They may look and
behave completely normally. So you cannot tell which ones are infected and
which ones are not. To protect yourself, follow these simple guidelines;

(i) The more programs you write, particularly assembler programs, the more
chance you have of encountering one which is infected. It is safest to stick
to one program.

			FEWER PROGRAMS, LESS RISK

(ii) Unless you are sure of a program, always use a debugger. This will
reduce the risk of encountering BUGS.

			USE DEBUGGERS FOR SAFER PROGRAMMING.

(iii) It is always best to use a source-level debugger. Low-level debuggers
can reduce this protection. Ask your team-leader for advice. Anyone who uses
assembler programs should not use software interrupts. If you do, never share
interrupts (or device handlers, floppies, etc) as you could be introducing
BUGS directly into your program.

			DON'T USE SOFTWARE INTERRUPTS. NEVER SHARE.


-------------------------------------------------------------------------------
6.   What Should You Do If You Think Your Program Has Been Infected?
-------------------------------------------------------------------------------

If you think your program has been infected, go to your course leader for 
advice about having a test. Or go directly to your personal tutor for private
and confidential advice and a test if you wish. If your program does have 
errors, they'll let you know and give you help and support.


-------------------------------------------------------------------------------
7.   What About The Resident Software?
-------------------------------------------------------------------------------

It is not safe to use comms packages, Armstrad applications or on-line
dictionaries unless you know they are bug free and have been rigorously 
tested. Nor is it safe to share a routine or include a file in a program
which has been infected.

-------------------------------------------------------------------------------
8.   What Can't You Get BUGS From?
-------------------------------------------------------------------------------

The government's clear advice for the software industry is that you CANNOT
get BUGS from normal use of an infected program. Neither can you get them
>from reading listings. Nor is there any record of a program becoming infected
through sharing comments. There is no danger in sharing floppies or micro-
drives. Nor can anyone become infected through using network drives or line
printers.

When integrating software, standard precautions should be taken to protect
programmers, users and applications. Exporting routines are safe: all the
declarations are used only once. All routines used for library builds should
be thoroughly checked.

-------------------------------------------------------------------------------
9.   How Safe Is It In Other Countries?
-------------------------------------------------------------------------------

BUGS exist throughout the world and throughout the computer industry. In
certain companies a large number of programs are believed to have BUGS. So it
is even more essential to follow the advice given in this message, particularly
if you should visit another company. Otherwise, if you do some work on an
unfamiliar program, you may inadvertantly affect your regular work when you
return.

Furthermore, in some companies, public routines are not checked for BUGS. In
those places where errors are widespread you should not, if you can possibly
avoid it, use routines from a contract programmer.

In certain start-up companies, routines may not be properly debugged. If you
can, avoid using interrupt repairs or patches. If you are in any doubt about
these points then discuss them with your course leader.


-------------------------------------------------------------------------------
10.   Do You Need More Information?
-------------------------------------------------------------------------------

The true picture about BUGS is that, at the moment, relatively few programs
are infected with proper full-blown BUGS. Those most at risk are assembler
programs which have common code with other assembler programs, programs
which share software interrupts, and users of these programs.

But BUGS is spreading. And as it does, so the risk of sharing an infected
routine also increases.

Ultimately, defence against BUGS depends on us all taking responsibility for
our own logical and programming actions.

