[thelist] Need help with a simple regex (Monday annoyance)

Ken Schaefer Ken at adOpenStatic.com
Mon Apr 4 23:55:17 CDT 2005


: -----Original Message-----
: From: thelist-bounces-ken=adopenstatic.com at lists.evolt.org
: [mailto:thelist-bounces-ken=adopenstatic.com at lists.evolt.org] On Behalf Of
: Joshua Olson
: Subject: RE: [thelist] Need help with a simple regex (Monday annoyance)
: 
: > Unfortunately, none of us (AFAIK) are experts on this. If
: > people like Michael
: > Howard (author of Writing Secure Code [1]) and David
: > Litchfield (NGSS - he's
: > discovered how many vulnerabilities in various pieces of
: > software? [2]) say
: > it's possible, then I take their word for it (especially over
: > people here who
: > say "they can't get it to work" - no offence intended, but I
: > think the former
: > two know a lot more about what they are talking about).
: 
: Respectfully, I'd love to see an example of the character encoding
: injection attack.  Any chance you could dig one up? 
: Smart people theorizing about things isn't enough to make 
: me worried.  This kinda reminds me of the dark matter problem 
: in astrophysics... most of the smart minds say it MUST exist,
: but nobody can find it.  I'm sure this nut is a bit easier 
: to crack, though, or prove.  So, let's prove it...  
: then will I get onboard and be an evangel, too.

Why don't you ask them directly, rather than asking me? I'm a systems
engineer, not a code security guru.

Frankly, your attitude sounds to me just like those people who say "SQL
Injection - prove it. Cross site scripting, prove it. Session hijacking -
prove it". And for every example you give, they write up a little code
snippet to nullify it. The problem is that they don't follow accepted best
practise for writing robust, secure code in the first place. And they're not
interested in learning any general principles about what good code is, and
what bad code is. They need to be dragged, kicking and screaming, into
writing more secure code.

Now, I know you're a lot more savvy and intelligent (based on your
contributions to this list). But if you want information on more advanced
topics, my personal opinion is that you need to consult experts and consult
them in the forums they hang out, rather than relying on me to find
something. And if I can't find something, or prove it through an example I
come up with, then assume that it isn't possible. I mean, I can't prove the
existence of subatomic particles either - that doesn't mean they don't
exist. That's probably the best way forward IMHO.

Cheers
Ken

--
www.adOpenStatic.com/cs/blogs/ken/
