How can you have blind-/boolean based SQL injection without any false positives? I would at least expect some level of false positives for these methods as they generally imply causation from correlation.
Yes, the word Free is also highlighted in bold on the homepage, while False-Positive isn't. I assumed it was a free service for a good 5 seconds. If that was intentional or not, I can't tell.
Using these four values, we can actually calculate the likelihood of a given event.
However, to have high specificity (low false positives) you must lower sensitivity (false negatives). So what you are doing is reducing a type 1 error in exchange for an increase of a type 2 error. Sensitivity is related to ability to identify positive results!
This particularly disastrous in security, since we can determine likelihood from good statistics; and use this in our risk management 'risk = impact * likelihood.'
9 comments
[ 3.6 ms ] story [ 29.6 ms ] threadBut, copy writing is art and science. Keep the fluff away from HN skeptics, and you should be fine. :-)
* True positive = correctly identified
* False positive = incorrectly identified
* True negative = correctly rejected
* False negative = incorrectly rejected
Using these four values, we can actually calculate the likelihood of a given event.
However, to have high specificity (low false positives) you must lower sensitivity (false negatives). So what you are doing is reducing a type 1 error in exchange for an increase of a type 2 error. Sensitivity is related to ability to identify positive results!
This particularly disastrous in security, since we can determine likelihood from good statistics; and use this in our risk management 'risk = impact * likelihood.'