On 6 June 2012 10:11, Dag Sverre Seljebotn <d.s.seljeb...@astro.uio.no> wrote: > > > Stefan Behnel <stefan...@behnel.de> wrote: > >>mark florisson, 05.06.2012 22:33: >>> It doesn't even necessarily have to be about running user code, a >>user >>> could craft data input which causes such a situation. For instance, >>> let's say we have a just-in-time specializer which specializes a >>> function for the runtime input types, and the types depend on the >>user >>> input. For instance, if we write a web application we can post arrays >>> to described by a custom dtype, which draws pictures in some weird >>way >>> for us. We can get it to specialize pretty much any array type, so >>> that gives us a good opportunity to find collisions. >> >>Yes, and the bad thing is that a very high probability of having no >>collisions even in combination with the need for a huge amount of brute >>force work to find one is not enough. An attacker (or otherwise >>interested >>user) may just be lucky, and given how low in the application stack >>this >>will be used, such a bit of luck may have massive consequences. > > Following that line of argument, I guess you keep your money in a mattress > then? Our modern world is built around the assumption that people don't get > *that* lucky. > > (I agree though that 64 bits is not enough for the security usecase! I'm just > saying that 160 or 256 bits would be.) > > Dag >
I think we're arguing different things. You agree to the security problem, but Stefan was still emphasizing his old point. >> >>Stefan >>_______________________________________________ >>cython-devel mailing list >>cython-devel@python.org >>http://mail.python.org/mailman/listinfo/cython-devel > > -- > Sent from my Android phone with K-9 Mail. Please excuse my brevity. > _______________________________________________ > cython-devel mailing list > cython-devel@python.org > http://mail.python.org/mailman/listinfo/cython-devel _______________________________________________ cython-devel mailing list cython-devel@python.org http://mail.python.org/mailman/listinfo/cython-devel
