When there's only one

...there's only one choice
Everything here is my opinion. I do not speak for your employer.
April 2014
May 2014

2014-04-11 »

Oh good grief.

The most boggling part of XML DTD retrieval for me (which was what was used in this attack, it I understand correctly) is that you don't even need the DTD in order to parse XML.  XML's syntax is so regular that you don't need the schema to get a parse tree.  Nevertheless, XML parsers go off retrieving stuff anyway, just in case.  Some XML parsers don't bother to cache it by default, either, so you're continually reparsing a small local xml file from your disk and it's fetching a giant DTD repeatedly from the web.

And people use this stuff on purpose.  I don't get it.

Why would you follow me on twitter? Use RSS.
apenwarr-on-gmail.com