> Unfortunately, at this point, this research does not include actual code that we can use to reproduce the claims or the effectiveness and accuracy of the described side-channel attack.
Why not stream a bunch of extra whitespace after the JSON object, instead of introducing garbage into the JSON object that now has to be decoded and appears in debug logs, etc
Also saves some CPU cycles, less to encode/decode. Once you get that last '}' you know you're at the end.
> Once we got word of this research work and how exploiting the technique could potentially impact our AI products, we did what we always do in situations like this: we assembled a team of systems engineers, security engineers, and product managers and started discussing risk mitigation strategies and next steps. We also had a call with the researchers, who kindly attended, presented their conclusions, and answered questions from our teams.
Talk about making a mountain out of an ant-hill.
At work today I 'got word' of a bug in a meeting consisting of our top engineers. We discussed the issue extensively and were promptly able to devise a solution that was delivered to our products shortly after via our cloud-based code management system.
Otherwise, the missing semi-colon didn't cause too much issue and the every day stand-up meeting went well.
I'm guessing they want to avoid characters being removed by systems in the stack between the one generating the object and the one transferring bits over network. Could be more robust if everything (response and p) is re-forwarded through API Gateway or any API Orchestration logic.
As you pointed out, whitespace probably is technically superior, adding a useless field might be more convenient in their current stack and can help clients securing their own systems.
So this is just a marketing op-ed?