This is quickly becoming off topic, but I'll bite ;D.

On Wed, Dec 8, 2010 at 10:52 PM, Gabriel Hurley <gab...@gmail.com> wrote:

> You wanna hand over your paycheck now, or later? :-)
>
> I know someone with a functional white-hat timing attack script sitting on
> their laptop. They've been honing the statistical analysis to get the number
> of data points needed down to a less noticeable size, but the technique can
> already be successfully applied.
>

Pics or it didn't happen.

If you can show me a viable timing attack, over the Internet, under
reasonable real-world circumstances, and caused by something as negligible
as a single string comparison, I will give you my paycheck. And I will eat my
laptop.


> To your latter point, you can run a timing attack as slowly as you like,
> and a lot of sites have very poor monitoring for things like 404s. A month
> or more of patient low-level attacking to gain access to a prime target is
> well worth it.
>

The longer you draw out the attack the less consistent the results. Code
changes, hardware changes, data set sizes change, passwords change, BGP
routes change, peering agreements change, phases of the moon change, etc.

If you can tune your web app to the point where response time variance is
small enough to notice a couple dozen CPU cycles of variance, and can
maintain that sort of consistency over an extended period of time, either
you're not doing anything interesting, you're running a Commodore 32, or
you're my new hero.


> The point being that we all ought to take timing attacks seriously. They're
> not nearly as unrealistic as people think.
>

Sure, broadly speaking they're an attack vector. In this particular scenario
it's silly wankery by smart people who put up with the same sort of silly
wankery from me sometimes. So whatever.

<3,

Mike

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-develop...@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.
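Added example, not part of this thread or of Django's code: the early-exit comparison the thread argues about, beside the accumulate-every-byte form that Django's `constant_time_compare` and the stdlib's `hmac.compare_digest` use. The "bytes examined" counter is constructed instrumentation so the dependence on the mismatch position is visible without a stopwatch; the sample secrets are made up.

```python
import hmac


def naive_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison, the shape a plain `==` usually has.
    Returns (equal, bytes_examined). Work stops at the first mismatch, so
    how long it runs depends on how much of the prefix the guess gets right.
    That position-dependent cost is the signal a timing attack tries to read."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """OR together the XOR of every byte pair and decide at the end.
    Same approach as Django's constant_time_compare; the work done no longer
    depends on where the inputs diverge. In production use hmac.compare_digest,
    which is implemented in C so the interpreter adds no data-dependent cost."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def work_profile(compare, secret: bytes) -> list[int]:
    """Bytes examined for a guess that matches the first k bytes of `secret`
    and then differs, for k = 0 .. len(secret)-1. A leaky compare returns a
    ramp [1, 2, 3, ...]; a constant-time compare returns a flat line."""
    profile = []
    for k in range(len(secret)):
        # Correct prefix, one flipped byte, then zero padding (constructed guess).
        guess = secret[:k] + bytes([secret[k] ^ 0xFF]) + bytes(len(secret) - k - 1)
        profile.append(compare(guess, secret)[1])
    return profile


def stdlib_equal(a: bytes, b: bytes) -> bool:
    """The comparison you should actually ship for tokens, MACs and passwords hashes."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    secret = b"tok3n-constructed"
    print("naive        :", work_profile(naive_compare, secret))
    print("constant-time:", work_profile(constant_time_compare, secret))
```

A leak like the ramp above is what `constant_time_compare` removes; whether the resulting handful of cycles survives Internet jitter is the point the thread disputes, and the mitigation costs nothing either way.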