Hi nummish.. * On 28/08/2008, [at 11:36:23 -0500] nummish [nummish@xxxxxxxx] seemed to say:
Sorry to resurrect a 9 day old thread here... It's an interesting concept, but like all timing based attacks, won't the digits be more susceptible to noise due to possible network latency? Even with two queries, there is still a large volume of requests getting made, and one little bump can invalidate the information you are pulling out.
We bumped into the same problem when we took the ordinal(char) approach. A small hiccup on the line easily makes an A an E The bit by bit approach we use (http://www.sensepost.com/research/squeeza/) makes this problem much easier to deal with.. i.e. we once had an insanely bad connection to a box and upp'ed the delay per bit to 14 seconds.. i.e, 14 secs == 1, 0 == 0. The analyst aged a few years while waiting for the output he needed, but you can be fairly confident of the integrity of the data. (its why squeeza happlily does a transfer of binary files from the server using just timing (and patience)) /mh Ps.. checkout the paper on the same page for snippets of the sql we are using.. --Haroon Meer, SensePost Information Security | http://www.sensepost.com/blog/ PGP: http://www.sensepost.com/pgp/haroon.txt | Tel: +27 83786 6637
Attachment:
pgpOGio1dmT_G.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/