> -----Original Message-----
> From: Goetz Babin-Ebell [mailto:babin-ebell (at) trustcenter (dot) de [email concealed]]
> Sent: Monday, November 10, 2003 11:25 AM
>
> But wrongly rejecting good input has no security implications.
> But wrongly accepting bad input has.

Coding to satisfy only security implications, in a vacuum separated from the
rest of the world, all the security bugs in the world can be fixed simply by
removing all the features.

Wrongly rejecting good input has a very strong implication - your program
fails to do what it is tasked with. You can call that a security
implication, in that security's task is not just to prevent access by the
unwashed, but also to allow, provide and facilitate access to those that are
approved.

If all we are doing is trying to prevent unauthorised access, then all we
have to do is turn off, unplug, and shred, our computers. There - security
made easy.

Alun.
~~~~
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place | alun (at) texis (dot) com. [email concealed]
Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.

[ reply ]