[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <en54o0t10kengf1d209bmbbthlhp5d2i4o@4ax.com>
Date: Fri, 29 Oct 2004 11:45:32 +0100
From: Chris Paget <ivegotta@...bom.co.uk>
To: Michael Wojcik <Michael.Wojcik@...rofocus.com>
Cc: bugtraq@...urityfocus.com, Valdis.Kletnieks@...edu
Subject: Re: Update: Web browsers - a mini-farce (MSIE gives in)
On Wed, 27 Oct 2004 06:32:07 -0700, you wrote:
<snip>
>I write comms code - client- and server-side middleware. I wouldn't dream
>of implementing a protocol with code that didn't sanity-check the data it
>gets off the wire.
What's your point? That you don't believe IE has any sanity checks?
More likely, this bug lies IN one of the sanity checks.
No system is 100% secure. Fact. Every single software system on the
planet, at least anything complex enough to justify the name "system",
DOES HAVE security flaws. They may not be easy to find, but they're
there. Anyone who believes otherwise either has access to technology
FAR in advance of the rest of us here on earth, or is a fool.
As proof of this, how about releasing some of *your* code? You
believe that it is possible to write code that is completely secure,
ie completely free of all security holes, both known and unknown, by
strictly adhering to and enforcing every single aspect of the protocol
it is designed to handle. I say that's not true - and I challenge you
to prove me otherwise.
Doesn't have to be a full application; a network protocol handler will
be sufficient; doesn't even need to be from a commercial app. Just
enough to demonstrate that you *are* telling the truth - either your
code will stand up, in which case most developers can learn a few
things by using your code as an example, or a flaw will be found to
prove the case that 100% security can never be acheived, regardless of
how well you believe you have validated your input.
How about it? Prove your case?
Chris
--
Chris Paget
ivegotta@...bom.co.uk
Powered by blists - more mailing lists