Full Disclosure mailing list archives

Re: How T-Mobil's network was compromised


From: Willem Koenings <infsec () gmail com>
Date: Sat, 19 Feb 2005 16:12:29 +0200

On Fri, 18 Feb 2005 16:49:03 -0500, Valdis.Kletnieks () vt edu
<Valdis.Kletnieks () vt edu> wrote:
> On Fri, 18 Feb 2005 16:04:52 EST, bkfsec said:
>
> > Are you aware of any server software that has been so rigorously tested
> > that it has no flaws at all?
> >
> > That would be one hell of a find...
>
> "Testing can reveal the presence of flaws, but not their absence" -- E. Dijkstra

In my belief, this is not completely true. Let's say we are testing
a web application, as this thread already started from one. Let's say
I'm testing an application regarding input sanitizing. Code analysis
is one type of testing. When I do code analysis and look at how user
input is handled, I have these results:

- user input is correctly sanitized and there is no flaw
- user input is not correctly sanitized and there is a flaw

So the above saying is not always completely true. But you can't use
testing to find something you don't know at this exact moment -
unknown flaws.

all the best,

W.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

