Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: How T-Mobil's network was compromised

From: Frank Knobbe <frank () knobbe us>
Date: Sat, 19 Feb 2005 10:14:31 -0600
On Sat, 2005-02-19 at 16:12 +0200, Willem Koenings wrote:

- user input is correctly sanitized and there is no flaw
- use input is not correctly sanitized and there is a flaw


I've seen cases where user input is correctly sanitized, but there was a
flaw.

If you tested your whole parameter set and don't find a flaw, it doesn't
mean that none exists. There could be a flaw that you haven't found with
your set of tests. That's what the quote is eluding to. You can say for
sure that there is a flaw, but you can not say for sure that there is
not one. You can't test for the absence.


So above saying is not always completly true. But you can't use
testing to find something you don't know at this exact moment -
unknown flaws.


Well, that's exactly the point of the quote :)


Cheers,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: