Re: [Chicken-hackers] On Hash Collisions (28C3)

From: Alan Post
Subject: Re: [Chicken-hackers] On Hash Collisions (28C3)
Date: Sun, 1 Jan 2012 10:57:33 -0700

On Sun, Jan 01, 2012 at 04:36:41PM +0100, Peter Bex wrote:
> On Sun, Jan 01, 2012 at 10:29:18AM -0500, John Cowan wrote:
> > Peter Bex scripsit:
> > 
> > > Yes, and doing it in *every* *freaking* program.  Including
> > > third-party libraries written long ago or by people assuming a sane
> > > srfi-69 implementation (or more likely, not having thought about it).
> > 
> > Not at all.  Only fixing programs that are exposed to potentially
> > malicious data, like HTTP request parameters.
> New attack vectors are discovered all the time.  It's hard to predict in
> advance how someone is going to be able to abuse any given program.
> Again, it's better to fix it at the root (the library) than in each
> application.

The OpenBSD team made that same assumption: they don't know what
the attack vector is, so they'll fix insecure patterns.  I think
by this point they've proven that interesting attack vectors do
emerge and that you can benefit from proactively addressing them.

.i ma'a lo bradi cu penmi gi'e du
