TFA says Ruby 1.9.x isn't vulnerable because its hash function is randomized