I love the smell of

in the morning
Everything here is my opinion. I do not speak for your employer.

2014-04-11 »

Oh good grief.

The most boggling part of XML DTD retrieval for me (which was what was used in this attack, if I understand correctly) is that you don't even need the DTD in order to parse XML. XML's syntax is so regular that you don't need the schema to get a parse tree. Nevertheless, XML parsers go off retrieving stuff anyway, just in case. Some XML parsers don't bother to cache it by default, either, so you're continually reparsing a small local XML file from your disk and it's fetching a giant DTD repeatedly from the web.

And people use this stuff on purpose.  I don't get it.
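To make the point above concrete, here is an added example (not code from this post) using Python's standard `xml.sax`: the same document yields the same parse tree whether or not the parser is allowed to go looking for the DTD, and a resolver hook shows exactly what it would have fetched. The DTD URL, the sample document, and the names `PathCollector`, `DenyingResolver` and `parse_sample` are assumptions made up for the illustration.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed sample: a tiny local document whose DOCTYPE names a remote DTD.
DTD_URL = "http://dtd.example.invalid/note.dtd"  # placeholder, never contacted
SAMPLE = (
    '<?xml version="1.0"?>\n'
    f'<!DOCTYPE note SYSTEM "{DTD_URL}">\n'
    "<note><to>ops</to><body>hello</body></note>\n"
).encode()

class PathCollector(ContentHandler):
    """Records the element structure as slash-separated paths."""

    def __init__(self):
        super().__init__()
        self.stack, self.paths = [], []

    def startElement(self, name, attrs):
        self.stack.append(name)
        self.paths.append("/".join(self.stack))

    def endElement(self, name):
        self.stack.pop()

class DenyingResolver(EntityResolver):
    """Logs each external fetch the parser asks for and hands back nothing."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        empty = InputSource(systemId)
        empty.setByteStream(io.BytesIO(b""))  # empty stand-in: no network I/O
        return empty

def parse_sample(data, allow_external):
    """Return (element paths, external fetches requested) for one parse."""
    handler, resolver = PathCollector(), DenyingResolver()
    reader = xml.sax.make_parser()
    # False is the hardened setting: the parser never asks for the DTD at all.
    reader.setFeature(feature_external_ges, allow_external)
    reader.setContentHandler(handler)
    reader.setEntityResolver(resolver)
    reader.parse(io.BytesIO(data))
    return handler.paths, resolver.requested
```

With `allow_external=True` the resolver is asked for the DTD on every parse of the file, which is the repeated fetch described above; logging `requested` in a real service is a cheap way to spot documents that trigger it.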

I'm CEO at Tailscale, where we make network problems disappear.

apenwarr on gmail.com