marco

blog

Menu:

• home
• publications
• projects
• blog

Twitter accept bug

May 12, 2010

If the Twitter accept bug of a couple of days ago really was caused by in-band signaling (and there seems to be few, if any, other reasonable explanations for it), then one has to wonder if we will ever learn from past history.

In-band signaling (mixing control and data on the same communication channel) is famous for being hard to get right and to have caused quite a few security fails in a lot of different domains. Just to list a few well-known cases:

• telephone systems had blue-boxing;
• the C library had format string attacks, essentially because the format argument of printf and the likes mixes data and control;
• Matt Blaze and others found that in-band signaling allows one to evade the presumably secure wiretapping systems used by US law enforcement agencies.

I'll close with the mandatory reference to Bell's corollary:

Those who cannot remember the past are condemned to repeat it 
          -- George Santayana
Possibly with a handicap 
          -- Bell

Posted by marco in bug
0 comments