At 9:19 AM -0400 7/8/03, Barry Warsaw wrote:
The data we use:
- the str() of the output of random.random()
- the str() of the server's current time
- the str() of the content
and we concatenate these three strings together before hashing them.
I'm not sitting in front of the source code for
At 4:39 PM -0400 7/10/03, Barry Warsaw wrote:
On Thu, 2003-07-10 at 15:35, Paul Hoffman / IMC wrote:
- Can random.random() run out of randomness? That is, if you bombard
the machine with requests that call random.random(), will it start
sending out predictable responses?
Any pseudo random
On Thu, 2003-07-10 at 15:35, Paul Hoffman / IMC wrote:
- Can random.random() run out of randomness? That is, if you bombard
the machine with requests that call random.random(), will it start
sending out predictable responses?
Any pseudo random number generator can, right? Python 2.2's RNG
On Thu, 2003-07-10 at 15:54, Chuq Von Rospach wrote:
My worry, of course, is that the e-mail community has had a tendency to
see mail-back validation as the solution to many problems (and it is,
just not as globally as some might hope) --- but I don't think the
community has ever stopped
On Tue, 2003-07-08 at 17:53, Barry Warsaw wrote:
On Tue, 2003-07-08 at 11:00, Nigel Metheringham wrote:
One thing that could be considered to protect ourselves against such
attacks if there was a way of reducing the complexity to reasonable
levels, would be to drop pending subscription
On Tue, 2003-07-08 at 01:49, Chuq Von Rospach wrote:
So I'm worried that someone's figured out how to circumvent Yahoo's
confirmation process. I wanted to bring this up with Yahoo, but they
evidently weren't interested.
Okay, so /that/ sucks.
(and the reason I'm posting this to
On Tue, 2003-07-08 at 13:36, Barry Warsaw wrote:
I'd think that because three of the UserDesc components come directly
from the subscribee, it would be very difficult to guess the UserDesc
repr, /aside/ from the difficulty of guessing the random float and
timestamp.
Since it looks like the
On Tue, 2003-07-08 at 15:32, Barry Warsaw wrote:
[Removing list-managers from the recipients]
You took off mailman-developers too... I've put that one back. :-)
On Tue, 2003-07-08 at 08:54, Nigel Metheringham wrote:
Since it looks like the attacker in this case generated an initial
On Tue, 2003-07-08 at 11:00, Nigel Metheringham wrote:
One thing that could be considered to protect ourselves against such
attacks if there was a way of reducing the complexity to reasonable
levels, would be to drop pending subscription requests after a couple
(think of an appropriate
Well, I was promised more than once that Yahoo security was going to
contact me, and nobody ever did. Oh well.
Here's the issue: it looks to me like someone's figured out Yahoo's
confirmation protocol.
First, we got (edited for brevity):
From: Yahoo! Groups