[WEB SECURITY] Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
- From: silky <michaelslists@xxxxxxxxx>
- Subject: [WEB SECURITY] Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
- Date: Wed, 16 Jul 2008 20:07:35 +1000
On Wed, Jul 16, 2008 at 8:02 PM, Martin O'Neal
<martin.oneal@xxxxxxxxxxxx> wrote:
>
> > this is fairly stupid.
>
> LOL; more stupid than vacuous name calling, or less?

I'd say it's on par with it :)

> > what financial institutions are
> > using floating point and not decimal
> > variables to represent their money?
> > very few i'd guess. it hardly needs
> > to be said that anyone using FP
> > variables to do financial maths
> > should be shot.
>
> LOL2; unfortunately you have guessed wrong. Do not pass go. Do not
> collect ukp200. We see this kind of thing all the time in financial
> applications.

Well then you see some terribly-written financial apps. The ones I
worked on are not like this.

> > your last recommendation for c# is
> > wrong. == is fine for numbers. your
> > test above even proves it!
>
> Er, obviously you have become confused due to the ambiguity of the bit
> where it says "This type of caching does not exist in C# as can be seen
> from the equivalent code example".

Yes I did; but it doesn't change the fact that your comments under
"Testing" in that section (page 16) are still not applicable to c#.
Nor is the "Recommendation" about ==. As I said.

> Thanks for the constructive criticism though.

You're welcome. I hope your future releases are improved because of it :)

> Martin...
--
silky
http://www.themonkeynet.com/
http://lets.coozi.com.au/