lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 22 Feb 2006 09:27:05 +1100
From: "Craig Wright" <cwright@...syd.com.au>
To: "Ansgar -59cobalt- Wiechers" <bugtraq@...netcobalt.net>,
	<bugtraq@...urityfocus.com>
Subject: RE: Vulnerabilites in new laws on computer hacking




In response to:

"How would you detect such a vulnerability without actually hacking the
system? Is one supposed to not notice these things? Will that really
make them go away?"

White Box and black box testing used in combination. These are not pen.
tests contrary to the belief of many people. An implementation test is
defined as a commission fault test. This requires full disclosure to be
effective. This is a common and known engineering principle.

Unfortunately many people who state that they are engineers are in fact
not engineers - engineering is a profession and requires certain
memberships in professional societies, qualifications etc. There may or
not be legislative support for this dependant on the country you happen
to be in - but this is another discussion.

A quality assurance rather than quality control argument is being held
without most of the people on the "we should be allowed to do what we
want side" understanding this. The argument of learning on systems that
you have no right to explore is flawed as you can not by definition
complete either a white box or black box test without being given the
rights. If you do not understand this point than it is time to engage in
further learning and education.

Regards
Craig S Wright

"White box testing is concerned only with testing the software product,
it cannot guarantee that the complete specification has been
implemented. Black box testing is concerned only with testing the
specification, it cannot guarantee that all parts of the implementation
have been tested. Thus black box testing is testing against the
specification and will discover faults of omission, indicating that part
of the specification has not been fulfilled. White box testing is
testing against the implementation and will discover faults of
commission, indicating that part of the implementation is faulty. In
order to fully test a software product both black and white box testing
are required."

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ