mirror of
https://github.com/not-kennethreitz/convore.json.git
synced 2026-06-17 21:50:58 +00:00
1 line
14 KiB
JSON
[{"user_id": 18972, "stars": [], "topic_id": 12702, "date_created": 1299967899.722558, "message": "Yes. The topic is not really Python specific but he's tying it into some Python examples well.", "group_id": 373, "id": 336957}, {"user_id": 18539, "stars": [], "topic_id": 12702, "date_created": 1299967914.162735, "message": "I'm completely with him on the \"don't have something subject to timing attacks in the first place\" part earlier but I'm not sure that means you should not even be trying to limit how much data attackers get to play with. It sounded kind of like \"attackers are smart, give up\"", "group_id": 373, "id": 336964}, {"user_id": 19788, "stars": [], "topic_id": 12702, "date_created": 1299967284.2484291, "message": "We must all be paying a lot of attention. Good.", "group_id": 373, "id": 336847}, {"user_id": 20039, "stars": [], "topic_id": 12702, "date_created": 1299967366.69876, "message": "Good stuff....wonder if he will talk about doing a low and slow dictionary attack?", "group_id": 373, "id": 336862}, {"user_id": 1175, "stars": [{"date_created": 1299969798.9605801, "user_id": 38}], "topic_id": 12702, "date_created": 1299967314.7468729, "message": "Coda Hale has a good description of this http://codahale.com/a-lesson-in-timing-attacks/", "group_id": 373, "id": 336853}, {"user_id": 20760, "stars": [], "topic_id": 12702, "date_created": 1299967394.9862809, "message": "Were the slides put up prior, by chance?", "group_id": 373, "id": 336865}, {"user_id": 205, "stars": [{"date_created": 1299967854.0886619, "user_id": 20196}, {"date_created": 1299967877.1685259, "user_id": 19788}, {"date_created": 1299967864.066293, "user_id": 20760}], "topic_id": 12702, "date_created": 1299967682.7481289, "message": "Good talk", "group_id": 373, "id": 336914}, {"user_id": 21005, "stars": [], "topic_id": 12702, "date_created": 1299967997.9098079, "message": "@gpshead Yup, that's how I understood it too", "group_id": 373, "id": 336985}, {"user_id": 18539, "stars": [], 
"topic_id": 12702, "date_created": 1299967999.0584791, "message": "You can't use it as an excuse to not fix timing attack vulnerabilities.", "group_id": 373, "id": 336986}, {"user_id": 18972, "stars": [], "topic_id": 12702, "date_created": 1299967981.2604091, "message": "you should take that message as \"don't rely solely on attempting to limit data\"", "group_id": 373, "id": 336980}, {"user_id": 18539, "stars": [], "topic_id": 12702, "date_created": 1299967989.7483411, "message": "Oh, okay, sure.", "group_id": 373, "id": 336981}, {"user_id": 20760, "stars": [], "topic_id": 12702, "date_created": 1299967994.7078879, "message": "When dealing with encryption, any information that you leak is potentially a vector for attack. So keeping your system as black-box as possible is always the best strategy", "group_id": 373, "id": 336984}, {"user_id": 20760, "stars": [{"date_created": 1299968046.5440519, "user_id": 18972}], "topic_id": 12702, "date_created": 1299968033.1457341, "message": "Oh wait, there was a \"not\" in there I missed", "group_id": 373, "id": 336989}, {"user_id": 18539, "stars": [], "topic_id": 12702, "date_created": 1299968145.724086, "message": "@masterbunnyfu Where?", "group_id": 373, "id": 337014}, {"user_id": 18972, "stars": [], "topic_id": 12702, "date_created": 1299968970.1118579, "message": "also verify that % does not have a short circuit that alters the speed for % 1 operations and you'll probably expose secrets of lengths that are not numbers that have single interned instances of the int() object within your VM rather than creating a new one, etc.. the rabbit hole is quite deep when talking about these things in such a high level language as a Python VM.", "group_id": 373, "id": 337143}, {"user_id": 21005, "stars": [], "topic_id": 12702, "date_created": 1299968568.5804241, "message": "@lvh Reminds me of something a college professor once said: \"Don't try writing assembly... 
you're not smarter than the compiler\"", "group_id": 373, "id": 337110}, {"user_id": 18972, "stars": [{"date_created": 1299968741.8264871, "user_id": 20760}], "topic_id": 12702, "date_created": 1299968646.554487, "message": "@bob you can do that without revealing the length (skip the length check) if you index b as b[i % len(b)]", "group_id": 373, "id": 337121}, {"user_id": 20984, "stars": [], "topic_id": 12702, "date_created": 1299968817.7951989, "message": "@lvh introducing randomness without getting context switched?", "group_id": 373, "id": 337138}, {"user_id": 1127, "stars": [], "topic_id": 12702, "date_created": 1299968304.1643829, "message": "Wow, just reading http://codahale.com/a-lesson-in-timing-attacks/ -- feel like I could be missing a good talk", "group_id": 373, "id": 337060}, {"user_id": 18539, "stars": [{"date_created": 1299968532.5586491, "user_id": 20723}, {"date_created": 1299968533.0073271, "user_id": 1175}, {"date_created": 1299968582.078644, "user_id": 20039}, {"date_created": 1299968631.0800669, "user_id": 20760}], "topic_id": 12702, "date_created": 1299968527.213186, "message": "Also an important lesson: stop doing your own crypto stuff, you will get it wrong ;-)", "group_id": 373, "id": 337108}, {"user_id": 20723, "stars": [{"date_created": 1299968256.714268, "user_id": 21005}, {"date_created": 1299968346.2003901, "user_id": 19788}], "topic_id": 12702, "date_created": 1299968233.8482831, "message": "answer: put no-ops in alternate code paths. 
bonus: your code might get featured in the \"coding atrocities\" talk :)", "group_id": 373, "id": 337042}, {"user_id": 18972, "stars": [], "topic_id": 12702, "date_created": 1299968301.2711029, "message": "hehe great q&a", "group_id": 373, "id": 337059}, {"user_id": 1175, "stars": [], "topic_id": 12702, "date_created": 1299968394.1428809, "message": "@zeeg I don't believe there was any information in this talk that's not covered in that article", "group_id": 373, "id": 337077}, {"user_id": 18539, "stars": [], "topic_id": 12702, "date_created": 1299968412.994972, "message": "To whoever just asked that question in the blue tshirt: if you use something like scrypt you're not vulnerable to that either :)", "group_id": 373, "id": 337081}, {"user_id": 20984, "stars": [], "topic_id": 12702, "date_created": 1299968699.098465, "message": "instead of sleeping, can't you just compute unrelated stuff?", "group_id": 373, "id": 337125}, {"user_id": 18972, "stars": [], "topic_id": 12702, "date_created": 1299968756.402705, "message": "what to do for people with products using vulnerable libraries?... this ties into my suggested practice to always build and bundle your dependencies as part of your project rather than assume they are good as an external library. 
shared libraries are overrated.", "group_id": 373, "id": 337132}, {"user_id": 18539, "stars": [], "topic_id": 12702, "date_created": 1299968863.983449, "message": "It makes it more difficult but not impossible -- and most of these samples are assuming you can get pretty silly large sample sizes", "group_id": 373, "id": 337142}, {"user_id": 18972, "stars": [], "topic_id": 12702, "date_created": 1299968231.7038641, "message": "open space on this later", "group_id": 373, "id": 337041}, {"user_id": 1175, "stars": [], "topic_id": 12702, "date_created": 1299968578.383692, "message": "@lvh that's basically all you need to know about security =p", "group_id": 373, "id": 337112}, {"user_id": 20984, "stars": [], "topic_id": 12702, "date_created": 1299969049.272553, "message": "@lvh so the random operations to introduce need to be in the same order of the remaining computation that would be left in the correct case", "group_id": 373, "id": 337148}, {"user_id": 20760, "stars": [], "topic_id": 12702, "date_created": 1299968190.4309139, "message": "I still stand by my statement that you should strive to limit any information leak that you can. 
In the case of timing attacks, that means making the timing of your response not dependent on the input in any way, obviously.", "group_id": 373, "id": 337032}, {"user_id": 20760, "stars": [], "topic_id": 12702, "date_created": 1299968221.174433, "message": "@lvh \"that means you should not even be trying to limit how much data attackers get to play with\"", "group_id": 373, "id": 337037}, {"user_id": 20760, "stars": [], "topic_id": 12702, "date_created": 1299968440.9146769, "message": "@gpshead I want to star that many times", "group_id": 373, "id": 337090}, {"user_id": 18539, "stars": [], "topic_id": 12702, "date_created": 1299968720.8679271, "message": "@dnozay What's the difference?", "group_id": 373, "id": 337129}, {"user_id": 20760, "stars": [], "topic_id": 12702, "date_created": 1299968236.5422521, "message": "I missed the \"not\" in \"not even try\"", "group_id": 373, "id": 337043}, {"user_id": 20785, "stars": [{"date_created": 1299968283.079246, "user_id": 20742}], "topic_id": 12702, "date_created": 1299968274.649497, "message": "No more secrets", "group_id": 373, "id": 337050}, {"user_id": 222, "stars": [{"date_created": 1299968433.5992489, "user_id": 19788}, {"date_created": 1299969921.218828, "user_id": 38}], "topic_id": 12702, "date_created": 1299968367.0456109, "message": "def constant_time_str_not_equals(a, b):\n    \"\"\"Returns a != b in constant time (except when the string isn't even\n    the correct length).\n\n    The reason for doing this is that it might be possible to gain knowledge\n    about the expected value by measuring the time it takes to do the\n    comparison as a side channel attack.\n\n    * http://en.wikipedia.org/wiki/Timing_attack\n\n    \"\"\"\n    if len(a) != len(b):\n        return True\n    x = 0\n    for i in xrange(len(a)):\n        x |= ord(a[i]) ^ ord(b[i])\n    return x != 0\n", "group_id": 373, "id": 337072}, {"user_id": 21005, "stars": [], "topic_id": 12702, "date_created": 1299968442.813966, "message": "sleep is for the weak", "group_id": 373, "id": 337093}, 
{"user_id": 18539, "stars": [], "topic_id": 12702, "date_created": 1299968692.3039651, "message": "What's the context of doing string comparison", "group_id": 373, "id": 337123}, {"user_id": 21005, "stars": [{"date_created": 1299968792.7793319, "user_id": 18972}, {"date_created": 1299969269.3835721, "user_id": 14865}], "topic_id": 12702, "date_created": 1299968757.907203, "message": "Good talk!", "group_id": 373, "id": 337133}, {"user_id": 18539, "stars": [], "topic_id": 12702, "date_created": 1299968782.9272809, "message": "At least with the library the library can be fixed", "group_id": 373, "id": 337136}, {"user_id": 20760, "stars": [], "topic_id": 12702, "date_created": 1299968246.230988, "message": "lol", "group_id": 373, "id": 337046}, {"user_id": 20785, "stars": [], "topic_id": 12702, "date_created": 1299968280.353538, "message": "great talk", "group_id": 373, "id": 337053}, {"user_id": 20760, "stars": [], "topic_id": 12702, "date_created": 1299968748.7341039, "message": "@gpshead Better than my suggestion", "group_id": 373, "id": 337131}, {"user_id": 18539, "stars": [], "topic_id": 12702, "date_created": 1299968314.576571, "message": "@masterbunnyfu Right. I'm still somewhat critical of my own reasoning there since \"it can't hurt\" is often completely wrong in crypto :)", "group_id": 373, "id": 337062}, {"user_id": 21005, "stars": [], "topic_id": 12702, "date_created": 1299968340.1214759, "message": "Ahh yes... I was wondering if he was going to get around to a solution for the problem he setup at the beginning :)", "group_id": 373, "id": 337066}, {"user_id": 20760, "stars": [], "topic_id": 12702, "date_created": 1299968619.5438361, "message": "@bob Wouldn't it be better to loop for the max len of the two strings? 
Both cases run into the problem of one string being shorter than the other (IndexError)", "group_id": 373, "id": 337117}, {"user_id": 20760, "stars": [], "topic_id": 12702, "date_created": 1299968763.014019, "message": "Definitely", "group_id": 373, "id": 337134}, {"user_id": 222, "stars": [], "topic_id": 12702, "date_created": 1299970069.249716, "message": "but yeah you could probably come up with a version that runs in constant time for strings with mismatching length, but that complexity is not worth it since you should be comparing hashes most of the time anyway", "group_id": 373, "id": 337238}, {"user_id": 20760, "stars": [], "topic_id": 12702, "date_created": 1299968384.539906, "message": "For the current question, the reason a random sleep won't work is because the random sleep can be removed via statistical analysis.", "group_id": 373, "id": 337075}, {"user_id": 1127, "stars": [], "topic_id": 12702, "date_created": 1299968422.9099331, "message": "@mwhooker I love eye opening things, and this is totally new to me :)", "group_id": 373, "id": 337084}, {"user_id": 20984, "stars": [], "topic_id": 12702, "date_created": 1299969090.2400639, "message": "cryptography - fail fast is bad", "group_id": 373, "id": 337149}, {"user_id": 18972, "stars": [{"date_created": 1299968432.0113871, "user_id": 20760}, {"date_created": 1299968451.691489, "user_id": 18539}, {"date_created": 1299968527.4961841, "user_id": 20723}, {"date_created": 1299968534.5801251, "user_id": 1175}, {"date_created": 1299968645.289407, "user_id": 20984}], "topic_id": 12702, "date_created": 1299968424.3070929, "message": "never sleep", "group_id": 373, "id": 337085}, {"user_id": 222, "stars": [], "topic_id": 12702, "date_created": 1299970199.0353839, "message": "I'm kinda surprised he didn't mention that when the question was asked", "group_id": 373, "id": 337253}, {"user_id": 20760, "stars": [], "topic_id": 12702, "date_created": 1299968509.75295, "message": "Sleep in code is bad enough. 
I saw someone put a sleep in a test. ;_;", "group_id": 373, "id": 337103}, {"user_id": 18539, "stars": [], "topic_id": 12702, "date_created": 1299968795.0003891, "message": "As opposed to an internal thing that will only be figured out when it's too late", "group_id": 373, "id": 337137}, {"user_id": 18539, "stars": [], "topic_id": 12702, "date_created": 1299968839.6159041, "message": "But introducing randomness *generally* can be filtered out quite well", "group_id": 373, "id": 337140}, {"user_id": 222, "stars": [], "topic_id": 12702, "date_created": 1299969922.5316119, "message": "@masterbunnyfu in all of our use cases for that function, we are comparing hashes, so length is not important (even if the input is a password and is some other length to begin with)", "group_id": 373, "id": 337223}, {"user_id": 1175, "stars": [], "topic_id": 12702, "date_created": 1299972117.411031, "message": "@bob that's actually still an issue. Read my link above, or talk to the speaker about it", "group_id": 373, "id": 337560}, {"user_id": 222, "stars": [], "topic_id": 12702, "date_created": 1299977582.1087, "message": "@mwhooker no, not in Python. read carefully.", "group_id": 373, "id": 337943}]