At 4:39 PM -0400 7/10/03, Barry Warsaw wrote:
> On Thu, 2003-07-10 at 15:35, Paul Hoffman / IMC wrote:
> > - Can random.random() run out of randomness? That is, if you bombard
> > the machine with requests that call random.random(), will it start
> > sending out predictable responses?
> Any pseudo random numbe
At 9:19 AM -0400 7/8/03, Barry Warsaw wrote:
The data we use:
- the str() of the output of random.random()
- the str() of the server's current time
- the str() of the "content"
and we concatenate these three strings together before hashing them.
I'm not sitting in front of the source code for Mail
On Thu, 2003-07-10 at 15:54, Chuq Von Rospach wrote:
> My worry, of course, is that the e-mail community has had a tendency to
> see mail-back validation as the solution to many problems (and it is,
> just not as globally as some might hope) --- but I don't think the
> community has ever stoppe
On Thu, 2003-07-10 at 15:35, Paul Hoffman / IMC wrote:
> - Can random.random() run out of randomness? That is, if you bombard
> the machine with requests that call random.random(), will it start
> sending out predictable responses?
Any pseudo random number generator can, right? Python 2.2's RNG
On Thursday, July 10, 2003, at 12:35 PM, Paul Hoffman / IMC wrote:
> (Of course, watching the outgoing mail would make this attack easier
> too. :-) )
of course, if they're sniffing packets or otherwise intercepting
content, the only thing that'll stop it is a phone call... carrier
pigeon, maybe
On Tue, 2003-07-08 at 17:53, Barry Warsaw wrote:
> On Tue, 2003-07-08 at 11:00, Nigel Metheringham wrote:
>
> > One thing that could be considered to protect ourselves against such
> > attacks if there was a way of reducing the complexity to reasonable
> > levels, would be to drop pending subscrip
On Tue, 2003-07-08 at 11:00, Nigel Metheringham wrote:
> One thing that could be considered to protect ourselves against such
> attacks if there was a way of reducing the complexity to reasonable
> levels, would be to drop pending subscription requests after a couple
> (think of an appropriate num
On Tue, 2003-07-08 at 11:00, Nigel Metheringham wrote:
> One thing that could be considered to protect ourselves against such
> attacks if there was a way of reducing the complexity to reasonable
> levels, would be to drop pending subscription requests after a couple
> (think of an appropriate num
On Tue, 2003-07-08 at 15:32, Barry Warsaw wrote:
> [Removing list-managers from the recipients]
You took off mailman-developers too... I've put that one back. :-)
>
> On Tue, 2003-07-08 at 08:54, Nigel Metheringham wrote:
> > Since it looks like the attacker in this case generated an initial
> >
On Tue, 2003-07-08 at 13:36, Barry Warsaw wrote:
> I'd think that because three of the UserDesc components come directly
> from the subscribee, it would be very difficult to guess the UserDesc
> repr, /aside/ from the difficulty of guessing the random float and
> timestamp.
Since it looks like th
On Tue, 2003-07-08 at 01:49, Chuq Von Rospach wrote:
> So I'm worried that someone's figured out how to circumvent yahoo's
> confirmation process. I wanted to bring this up with Yahoo, but they
> evidently weren't interested.
Okay, so /that/ sucks.
> (and the reason I'm posting this to mailm
well, I was promised more than once that yahoo security was going to
contact me, and nobody ever did. Oh well.
here's the issue: it looks to me like someone's figured out Yahoo's
confirmation protocol.
First, we got (edited for brevity):
From: Yahoo! Groups
Date: Mon Jun 23, 2003 1:13:36
12 matches