Domain: tue.nl
Stories and comments across the archive that link to tue.nl.
Comments · 138
-
Re:Source submitted
yeah, exactly. unless i can build the thing myself, it's still unsafe.
And even if you can, it may still be unsafe. Who's to say your compilers or hardware are not compromised?
-
Re: This is not news.
A) Read through Ken Thompson’s Reflections on Trusting Trust. No major OS provides the guarantees you’re talking about. If you want those sorts of guarantees, you need to be compiling your OS updates from source using compilers you compiled from source that were themselves compiled using compilers you compiled from source, and so on down the entire toolchain until you’re in binary, and then we’ll need to have a talk about the trust you place in your hardware. If you’re that concerned about attacks against your OS—and there are people who have valid reason to be so—then you’re correct: iOS is not meant for you. But neither is any other OS.
Frankly, if you’re not comfortable taking a company at its word when it publishes white papers detailing their update mechanisms and then publicly stands against the FBI in court when the government demands they add a backdoor, that’s fine, but recognize that you’re more or less suggesting a conspiracy at that point. And if you’re going to suggest a conspiracy at one company, why stop there? I’d question why you’re comfortable taking a different company at its word when you have no better guarantee from them, given that, as the link above should make clear, a hash for a binary posted to git is no guarantee that the binary matches the source posted to git. Again, if you’re in conspiracy theory territory, own it and don’t take anyone at their word. Otherwise, you need to choose a level of trust that’s appropriate to your needs and comfort. If seeing source makes you feel warm and fuzzy, that’s fine, but don’t suggest it provides guarantees it doesn’t.
C) Probably because Apple was actively making efforts to block unsupported hardware up until recently, via the now infamous Error 53. It’s only in the last year or so that Apple eased up and stopped trying to actively block unsupported hardware. So, why’d it happen now? Probably because this is the first major update since they eased up. That’d be my guess.
-
Re:Who do you trust? Really?
Ken Thompson's Reflections on Trusting Trust is well worth a read. Long story short, anyone with access to the hardware/software stack of your machine can compromise its security.
These attacks are not merely theoretical. The key to good security is to make the cost of compromise greater than the value of whatever would be received by doing so. For the average person, their privacy is not worth the effort of surreptitiously installing hardware. However, if you're a Palestinian terrorist... You may just want to have someone else purchase/service your electronic devices, as the Israeli equivalent of the CIA has planted explosives in the cellphones of Palestinians (and successfully carried out assassinations this way.)
... and Palestinians are naturally the default examples of terrorists, because resisting an illegal, brutal foreign military dictatorship is 'terrorism'.
-
Who do you trust? Really?
Ken Thompson's Reflections on Trusting Trust is well worth a read. Long story short, anyone with access to the hardware/software stack of your machine can compromise its security.
These attacks are not merely theoretical. The key to good security is to make the cost of compromise greater than the value of whatever would be received by doing so. For the average person, their privacy is not worth the effort of surreptitiously installing hardware. However, if you're a Palestinian terrorist... You may just want to have someone else purchase/service your electronic devices, as the Israeli equivalent of the CIA has planted explosives in the cellphones of Palestinians (and successfully carried out assassinations this way.)
-
Re:There's only one way to be sure
-
But will they analyze the C compiler?
-
Re:Honestly ...
with a nod to Dennis Ritchie and his paper on trusting compilers
Reflections on Trusting Trust -- Ken Thompson
-
Re:Or, to put it another way...
You can create an interface in C. Just typedef a struct with a bunch of function pointers. People implement the interface by creating an instance of the struct and filling in the function pointers.
It's actually a fairly common pattern. For example there are several described here
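An added example of the pattern described in the comment above (not code from the comment or from any linked page): a struct of function pointers used as an interface, two implementations that fill in instances of it, and generic code that dispatches through the interface without knowing which implementation it holds. The digest interface, the FNV-1a and byte-sum implementations and the name registry are all constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The "interface": a struct whose members are function pointers.
 * Callers only ever talk to a struct digest_iface; they never need to
 * know which implementation is behind it. (Constructed for this example.) */
struct digest_iface {
    const char *name;                                      /* identifier used for lookup */
    uint32_t   (*digest)(const uint8_t *data, size_t len); /* one-shot 32-bit digest */
};

/* Implementation 1: FNV-1a, 32-bit variant. */
uint32_t fnv1a32_digest(const uint8_t *data, size_t len)
{
    uint32_t h = 0x811c9dc5u;               /* FNV offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x01000193u;                   /* FNV prime; arithmetic wraps mod 2^32 */
    }
    return h;
}

/* Implementation 2: a plain byte sum. Deliberately weak; it exists only to
 * show a second implementation sitting behind the same interface. */
uint32_t sum32_digest(const uint8_t *data, size_t len)
{
    uint32_t s = 0;
    for (size_t i = 0; i < len; i++)
        s += data[i];
    return s;
}

/* "Implementing the interface" is just filling in an instance of the struct. */
const struct digest_iface FNV1A = { "fnv1a32", fnv1a32_digest };
const struct digest_iface SUM32 = { "sum32",   sum32_digest   };

/* A small registry so callers can pick an implementation by name at run time. */
static const struct digest_iface *const REGISTRY[] = { &FNV1A, &SUM32 };

const struct digest_iface *find_digest(const char *name)
{
    for (size_t i = 0; i < sizeof REGISTRY / sizeof REGISTRY[0]; i++)
        if (strcmp(REGISTRY[i]->name, name) == 0)
            return REGISTRY[i];
    return NULL;                            /* unknown algorithm: caller must handle it */
}

/* Generic code written against the interface only. Returns 1 on match,
 * 0 on mismatch, -1 if no implementation was supplied. */
int verify_digest(const struct digest_iface *iface,
                  const uint8_t *data, size_t len, uint32_t expected)
{
    if (iface == NULL)
        return -1;
    return iface->digest(data, len) == expected ? 1 : 0;
}

int main(void)
{
    const uint8_t msg[] = "foobar";        /* constructed sample input */
    for (size_t i = 0; i < sizeof REGISTRY / sizeof REGISTRY[0]; i++) {
        const struct digest_iface *d = REGISTRY[i];
        printf("%-8s %08x\n", d->name, d->digest(msg, sizeof msg - 1));
    }
    return 0;
}
```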
-
Re:Cell phones must stop broadcasting MAC addresse
Find me a bank or online retailer that allows financial accounting data to be submitted over insecure connections instead of SSL. I can wait.
It doesn't matter what the bank or retailer gets the data over, it matters what your phone sends it over. All too often people start browsing from an insecure entry point and only later move to a secure part of a site. This allows the MITM to change links or redirects in the insecure part and hence get the user to either enter their authentication details unencrypted or get them to enter them encrypted but to a domain the attacker controls (and therefore has a "legitimate" certificate for).
Plus ssl isn't as secure as people might like to think, for example apparently there were CAs out there who would still sign certs using md5 after md5 collision attacks became feasible allowing attackers to get themselves a cert with CA powers that was trusted by browsers*. There have also been recent attacks on SSL itself, and attacks on the way browsers combine compression with ssl.
-
Trust
I took a graduate-level security class from Alex Halderman (of Internet voting fame) and what I came away with is that security comes down to trust. To take an example, when I walk down the street, I want to stay safe and avoid being run over by a car. If I think that the world is full of crazy drivers, the only way to be safe is to lock myself inside. If I want to function in society, I have to trust that when I walk down the sidewalk that a driver will not veer off the road and hit me.
When you order a computer, you simply trust that it doesn't have a keylogger or "secret knock" CPU code installed at the factory. It's exactly the same with software binaries, of course. In the extreme case, even examining all the source code will not help. You must trust!
-
Re:A very MS centric blog indeed...
The other day, MS's engineering team did an AMA on reddit where they answered the question of screen resolution:
Hey this is Stevie. Screen resolution is one component of perceived detail. The true measure of resolvability of a screen is called Modulation Transfer Function (MTF), not Pixels. MTF is a combination of both contrast and resolution. There are over a dozen subsystems that affect this MTF number. Most folks just focus on one number out of dozens that affect perceived detail. Without good contrast, resolution decreases. Check out the contrast sensitivity of the human eye graph (http://www.telescope-optics.net/images/eye_contrast.PNG) and if you want more see the links below. Basically, as resolution/DPI increases the eye becomes less sensitive. So as a result, the amount of light in a room and the reflections off the screen have a huge effect on the contrast of the display. In fact, a small amount of reflection can greatly reduce contrast and thus the perceived resolution of the display. With the ClearType Display technology we took a 3-pronged approach to maximize that perceived resolution and optimize for battery life, weight, and thickness. First prong, Microsoft has the best pixel rendering technology in the industry (ClearType 1.0 and 2.0). These are exclusive and unique to Windows; it smooths text regardless of pixel count. Second, we designed a custom 10.6” high-contrast wide-angle LCD screen. Lastly we optically bonded the screen with the thinnest optical stack anywhere on the market, something which is more commonly done on phones we are doing on Surface. While this is not official, our current ClearType measurements on the amount of light reflected off the screen are around 5.5%-6.2%; the new iPad has a measurement of 9.9% mirror reflections (see the displaymate link: http://www.displaymate.com/iPad_ShootOut_1.htm). Doing a side by side with the new iPad in a consistently lit room, we have had many people see more detail on Surface RT than on the iPad with more resolution. Some more links to share if you want to know more (http://www.normankoren.com/Tutorials/MTF.html). Also this is a great book to read if you really want to get into it: http://www.amazon.com/Contrast-Sensitivity-Effects-Quality-Monograph/dp/0819434965 or more here http://alexandria.tue.nl/extra2/9901043.pdf
So it seems that Microsoft has data that suggests that, despite the lower resolution, the Surface has greater perceived detail than the iPad. (Although I find it annoying that they've muddied the waters by re-using trademarks: they've repurposed "ClearType Display" as the MS equivalent of Apple's "Retina Display".)
-
Re:Isn't this using human beings like lab animals?
Yeah, they were:
http://www.win.tue.nl/~engels/discovery/death.html is just one list of explorers who died while out and about, explorifying. What's more: that list doesn't include trips specifically intended to settle an unknown landing site (one-way), and, I'm sure, is not all-encompassing. On top of that, none of the exploration ventures I listed are "safe", meaning there were people who looked death straight in the face and said "I'm going anyway." These are the type of people who'd sign up to go to Mars.
You may be arguing that many of these explorers intended to come home, but that really doesn't change much. Even in those cases, explorers knew not all of their men would come home, and the ones who survived wouldn't be back until years after they left, yet they (and their men) went anyway.
Regardless, my point is there are people who will do this willingly, and rather than seeing it as a death sentence, they'll see it as a chance to explore the unknown, facing dangers to break the trail for future explorers. Return trip and long term survival would be nice, but optional.
-
Re:Ockham's razor
Someone with some hefty CPU power broke the MS cert
MD5 was proven to be weak back in 1996, and further exploited in 2004-2008. MD5 collisions have been done in the past using about 18 hours on 200 PS3s (source). Any moderate size botnet (~20,000 machines) could duplicate that computing effort.
I would not be surprised if the US Government had moles in MS
Illegal and explicitly prohibited by numerous. However, they could legally have a working agreement with MS to share and exchange information.
-
Re:Password Plus CAPTCHA helps
You seem to be informed enough that you probably were aware of this, but see:
http://www.win.tue.nl/hashclash/rogue-ca/
Could have been real-world, except that they were white hats. And yes, I know that password hashing is a totally different use case whose utility is based on strength against preimage attack.
-
Re:SHA-1 is fine, but go for SHA-512
In 2008, Stevens, Sotirov et al. proved that you could, in fact, pwn PKI with just a collision. It doesn't take a full preimage. http://www.win.tue.nl/hashclash/rogue-ca/
Remember, usually all you have to do is confuse the SSL client. There's usually little that can be gained by agonizing over the crypto parameters of the legitimate server cert, because the attacker gets to choose the weakest thing that the client will accept.
-
Re:SHA isn't encryption.
Mod parent up.
There are four parts to SSL: Ciphers, Hashes, Randomness, and Public Key Crypto.
Public Key and Hashes are used by the SSL endpoints to validate the identity of the other end. Both ends must agree on a mutual Certificate Authority and the web of trust that extend from it.
Randomness is used to create a session key, shared via Public Key to seed the Cipher used to encrypt the session.
Weaknesses in hashes makes it easier to spoof a trusted site. Weaknesses in Randomness makes it easier to guess the Cipher key (this is the vector I've seen exploited the most). Weaknesses in Public Key makes everything vulnerable - which is why people are worried about Quantum Crypto.
Ciphers include: AES, Camellia, DES, RC4, RC5, Triple DES. Hash Functions include: MD5, MD2, SHA-1, SHA-2. Public Key includes: RSA, DSA, Diffie-Hellman key exchange.
Two things:
- Your note about the CA is not quite correct. The term Web of Trust (as I know it) refers to a PGP-like infrastructure, as opposed to the hierarchical model used by X.509 (which implies CAs). The difference is that trust in a CA always means trust in any key signed by it (and thus also the CAs below it in the hierarchy). For those interested, you can read more on this in these lecture notes from my crypto class.
- I know quantum computers can do fast factorisation (i.e. break the RSA assumption), but can they also break the DDH assumption (Diffie-Hellman, elliptic curve crypto)?
-
It sucks for c.20% of people
The research shows that c. 20% of people suffer ill-effects from 3D media:
I have little binocular vision, so 3D is a bit ho-hum for me. Makes my girlfriend sick within minutes.
As already commented, there are various extremely good reasons why it does this with some people, just like there are good reasons why motion sickness affects some people. They boil down to the fact '3D' is a fake effect (it is NOT 3D) and some people's brains are more sensitive to the fakery.
So, 3D will wither on the tree and die, again. Unless the tech gets better and doesn't alienate (or rather, nauseate) 20% of the audience.
3D is a nice way to charge more money for tickets, and makes screen-cap bootlegs useless. This doesn't stop piracy, but I bet you the delay in availability of 'flat' screen-cap bootlegs and the 3D hoo-ha pushes more people to the cinema, which means more bums on seats and more dollars per seat than an equivalent 2D movie.
It's just a marketing ploy.
-
Re:Incompleteness
Here's a proof short enough to reproduce in a comment. http://www.win.tue.nl/~gwoegi/P-versus-NP/argall.txt
P=NP - An impossible question
A proposed proof of undecidability by Nicholas Argall, 25 March, 2003.
There has been much debate surrounding answers to the question of P=NP. The problem is that we cannot answer the question until we have successfully asked the question. The question is impossible to ask, that is why it will never be answered.
1) A provable answer to the question P=NP requires a complete and consistent formal statement of the question.
Rationale: Hopefully, this is self-evident. It is certainly axiomatic that a formally provable statement be expressed in formal terms. Completion and consistency follow from the requirement to provide a proof that is not subject to challenge.
2) A complete and consistent formal statement of the question must incorporate a complete and consistent formal definition of the sets P and NP.
Rationale: Hopefully, this is also self-evident. (I have left out the requirement to define the equality operator, since it is defined for us by set theory.)
3) A definition based on a potentially undetectable characteristic is incomplete.
Rationale: We cannot accept the definition of the set NP purely in terms of its members having a property (a solution test in polynomial time) that we have no reliable mechanism to detect. Therefore, a complete definition of the set NP must be arrived at via some other means.
4) The only possibility for a complete definition of the set NP is a language.
Rationale: Once we rule out observation of characteristics, our only means towards a definition of the set NP is to formulate a language, a procedure for testing the formal expression of the candidate problem that will accept the problem or reject it.
5) No formal language capable of expressing non-trivial mathematical problems can be consistent and complete.
Rationale: As proven by Gödel.
6) Therefore, no consistent and complete definition of the set NP is possible.
Rationale: If we accept that the set NP can only be rigorously defined via a language, this conclusion follows from the premises above.
7) Therefore, no consistent and complete statement of the problem of P=NP is possible.
Comment: A conclusion which is not only proven in this paper, but supported by the years of argument between mathematicians regarding the relevance of proposed answers to the problem.
8) Therefore, P=NP is undecidable.
Comment: Given our inability to ask, we are unable to answer.
-
Order in finite model
There is one thing which really surprises me: on page 44 (so 47 of the pdf http://www.win.tue.nl/~gwoegi/P-versus-NP/Deolalikar.pdf) he gives a “succ” relation, but he stated before that he does not want any order. And he certainly can obtain an order with the succ relation and the least fixed point. And it is well known that you can compose LFPs to obtain only one LFP, hence if his proof works, it should also work over structures with an order! I do not state that it means that the proof is false, but if this works, it also implies what looks like a really strange corollary in finite model theory, because it would use a kind of locality which does not take care about the order relation. (At least that is what I understand of it, but it may also be because this small part is really close to what was my current research.)
-
better link?
I think this is a more useful link:
* http://www.win.tue.nl/~gwoegi/P-versus-NP.htm
Latest entries (see bottom of page):
* In December 2009, Ari Blinder proved that P is not equal to NP
* In April 2010, Lizhi Du proved that P=NP
* In May 2010, Changlin Wan proved that P=NP
* In June 2010, Carlos Barron-Romero established P=NP
* In July 2010, Mikhail Katkov established P=NP
The paper of this slashdot discussion is presently mentioned at the top of the page.
Stephan
-
Re:Rats!
Luckily 59 scholars have already proved either P=NP or P!=NP: http://www.win.tue.nl/~gwoegi/P-versus-NP.htm In short: kdawson strikes again.
-
Re:Is there a link to the actual preprint / paper?
I agree scribd sucks. You can find a link to the PDF from this page which also collects other proofs of P = NP, as well as proofs of P != NP. Pick whichever you prefer :)
-
Re:Well, shoulders of giants and all
First public proof attempt? I think not.
http://www.win.tue.nl/~gwoegi/P-versus-NP.htm
-
Re:It's a matter of convenience
http://it.slashdot.org/article.pl?sid=08/12/23/0046258&from=rss
Or you could go http://crypto.stanford.edu/ssl-mitm/
and get its cert signed - what you say? it has to be a signing cert?
http://www.win.tue.nl/hashclash/rogue-ca/
sure it might take a little setup.. but again.. if you own the router you own the network..
-
Re:It's as simple as Ninnle!
It's not 3D and it's for Windows, but I always liked this program.
http://w3.win.tue.nl/nl/onderzoek/onderzoek_informatica/visualization/sequoiaview//
I wonder if it will run under Windows 7...
-
Re:Why bother?
Let's try this again... without blown links (Need caffeine in the morning before posting)
http://www.schneier.com/blog/archives/2008/12/forging_ssl_cer.html
http://www.checkpoint.com/defense/advisories/public/2009/cpai-31-Dec.html
http://www.win.tue.nl/hashclash/rogue-ca/
-
Re:Why bother?
Uh... NO.
This alone says a bit.
This is a bit more disturbing.
But the ability to generate a rogue CA cert kind of nukes the claims you just made from orbit- just to be sure.
In short, it's NOT hard to get an SSL cert of that nature- just not as easy as snapping one's fingers.
-
How is this new and where is the real paper?
Is it so hard to give enough information to find the actual publication that has the important details? I'm taking it as a given that the Telegraph can't be bothered to explain -how- this is different from earlier muscle cell cultures, but at least they could give me enough info to find articles that will tell me that. I mean, did these researchers actually publish a real paper in a peer-reviewed journal or did they just bypass that and go straight to the telegraph?
What's new about this?
Muscle cells have apparently been cultured since 1968, although there isn't much about whether or not these cells proliferate in culture. A paper from 1988 claims to have gotten progenitor cells to turn into muscle cells in culture.
This article, still not a paper, from scientific american suggests that at least one Dutch researcher is interested in turning embryonic stem cells into meat. Those cultures don't last very long either according to the article: "Unfortunately, Roelen's cultures only survive a few months before they sputter, failing to reproduce because of genetic problems—their chromosomes become deformed or cells end up with too many copies. His group also works with adult stem cells extracted from skeletal muscle—a direct approach for in vitro meat."
I guess this might be the article in question, Roelen reports isolating a progenitor cell type that can be directed to either increase their numbers or turn into muscle cells. That’s almost a year old though. This article is more likely the one that sparked the telegraph article, the lab discusses factors that affect that culture system.
Post, quoted in the telegraph article, doesn't appear to be too directly involved, his research interests seem more about blood vessels and I couldn’t find any papers from his lab that looked relevant, but I didn’t do an exhaustive search on pubmed.
-
Re:Is this April 1st?
Besides, this has already been done before with the research group that broke SSL certificates that used MD5 http://www.win.tue.nl/hashclash/rogue-ca/
-
Re:Botnet != Supercomputer
-
Re:Okay, so where's the ball lightning?
Yeah well, I have seen ball lighting being produced in a demonstration at my university. The problem is that I can't remember the name of the student who did it (it was a master project, if you can believe it), nor do I know if the results are already published. Besides this article, I didn't find anything else. If you want to know more, contact the professor (Kroesen) of this group: http://www.phys.tue.nl/EPG/ He will know for certain. I am not working for this group, although I know the people there.
-
Re:Linux on PS3?
The guys who created the Rogue Equifax Signing Certificate used 200+ PS3s to help find the MD5 collision.
We had more than 200 PS3s at our disposal, located at the "PlayStation Lab" of Arjen Lenstra's Laboratory for Cryptologic Algorithms at EPFL, Lausanne, Switzerland
http://www.win.tue.nl/hashclash/rogue-ca/
There are tons more you can do with a PS3 than play games.
-
Math Olympiads
One of the best ways of attracting people to learning math is Math Olympiads. It's both competitive and fun. There are a lot of books on the subject; see the big list here: http://olympiads.win.tue.nl/imo/books.html#FirstStepsForMathOlympians
-
Look for DNS/SSL/MITM attacks about now...
The only obvious reason to DDoS a bunch of DNS servers is if you're going to be doing some cache poisoning and mounting a massive MITM attack, and if you're lucky you recently obtained a trusted intermediate CA via an MD5 collision attack on a lousy root CA like RapidSSL.
Has anyone bothered to petition Mozilla to remove all the offending root CAs with the weakness shown in MD5 considered harmful today?
-
Re:It's a plot!
"MD5 considered harmful today Creating a rogue CA certificate" http://www.win.tue.nl/hashclash/rogue-ca/ You're welcome.
-
Re:A Better "Web of Trust"
What about simply creating a better web of trust?
Congratulations!
You Sir have just re-invented CaCert. CaCert is a certification authority which operates by a web-of-trust model: users certify each other after seeing id, and only users having gathered a minimum amount of assurance points can get a certificate.
Unfortunately, CaCert is not trusted by the browsers (such as Mozilla or Konqueror), who seem to be more hung up about expensive audits and pompous root key signing ceremonies.
Other CAs, such as Comodo/CertStar or RapidSSL/GeoTrust, don't seem to have any problems being blessed by browsers though. Thanks to these fly-by-nighters it's still very easy to mount a MITM attack using your open Wifi honeypot, which will be undetectable, unlike this poser here.
-
Re:Alright this Internet is ruined
You're referring to an update of the article dated December 31st. My post above was dated December 30th and was fully correct as of the date of posting.
-
Re:A nice piece of work
It's not that hard to do this attack, but it does take some resources. They used a farm of 200 Playstation 2 machines to attack MD5. This is well within the capabilities of, say, the Russian Business Network.
Actually, they were PlayStation 3 machines. "Luckily it is also very suited for the special SPU cores of the Cell Processor that the Sony PlayStation 3 uses. We had about 200 PS3s at our disposal, located at the 'PlayStation Lab' of Arjen Lenstra at EPFL, Lausanne, Switzerland"
-
Re:The sky is not falling.
You're wrong. Read the attack author's write-up here: http://www.win.tue.nl/hashclash/rogue-ca/ You will see that they absolutely need to get the CA to endorse the data they produce. They come up with two certificates in advance that, under the right conditions, will both validate when one of them is signed via MD5. That means, you cannot take an arbitrary cert on the internet and feasibly come up with an identical cert that is malicious, where the same signature applies.
-
My attempted post from last night.
Mathematica 7 has launched, as noted in Stephen Wolfram's blog post. Among the new features are huge equation typesetting, transcendental roots, and discrete calculus. Looking back at the version 6 discussion, it's perhaps inevitable that comparisons will be made to CAR, CGsuite, GAP, Geogebra, Geometer's Sketchpad, Geometry Expressions, Geonext, LaTeX, Magma, Maple, Matlab, nauty, noneuclid, Pari, Sage, or SeifertView. In other news, the Wolfram Demonstrations project now has over 4000 interactive math demos.
-
OpenTTD
Check out the OpenTTD NoAI branch. The AI for the original Transport Tycoon reacted quite badly to having its cheating turned off, and in OpenTTD generally sucks, even to the point of bankrupting itself sometimes. The NoAI branch is an attempt to make AI that don't cheat, and are incredibly good. An AI can always be made slower or stupider.
There have even been some experiments into building an interconnected rail network instead of sticking to point-to-point lines.
If there is anyone here who thinks they can program a good AI, I recommend you get involved.
-
Re:That's a terrible argument
Apparently it is you who misunderstand what it means to say that "MD5 is broken", as the numbers you gave were for an unbroken hash.
It is possible to generate MD5 collisions in reasonable amounts of time. It is possible to generate different meaningful files which have the same MD5 hash in reasonable amounts of time. It is not currently practical to generate a different file which has the same MD5 hash as another existing file, but that's not what I was suggesting.
Here's what our crusader would do
1) Select an existing child porn file
2) Generate two new files. One is crafted to render pretty much the same as the existing child porn file. The other is crafted to look like something which isn't contraband. Both have the same MD5 hash (different from the existing CP file).
3) Enter the new child porn file, and its MD5, in the child porn database. (or, more subtly, distribute it to known child porn purveyors who are about to be busted, and let someone else enter it in the database)
4) Distribute the non-contraband file via legitimate channels.
5) Go after people who are likely to have the non-contraband file, search computer using MD5 tool, and find evil MD5 (on legit file).
6) Use existence of evil MD5 to get warrant to do a thorough search of the computer
See
http://www.win.tue.nl/hashclash/SoftIntCodeSign/
for an algorithm for creating meaningful files with the same MD5 hash.
-
Re:MD5 is not that broken
We're a lot more advanced than you might think:
http://www.win.tue.nl/hashclash/SoftIntCodeSign/
This generates two programs (actually valid Win32 Executables compiled from source) and modifies them to have the same MD5. So you have "good.exe" and "evil.exe" of your own crafting with identical hashes but VERY different content.
Let's say you use MD5 to implement a "known good" program list in your software firewall/antivirus program, etc. You've just been compromised because now I can distribute a "good" program that a user allows after they have verified its authenticity and then I can generate an "evil" program with the same hash that deletes his hard drive.
MD5 is dead.
-
Re:The real story is more interesting
The prefixes can be different you just need a supercomputer cluster to run the program. The appendages need to be added to both files however which is fine for JPEG -- you can add as much junk as you want at the end and it will be ignored -- but doesn't help with the challenge presented in that we can't modify the original file.
-
Re:A humorous solution
A better solution would be to create a file that has the same checksum but different contents. Name it the same thing (add "fake" to the name) and release it into the wild. Their methods will produce false positives as a result (bad for the person doing this) but it won't stand up in court and therefore make all other cases with evidence discovered from the same methods invalid.
Remember, checksums are not foolproof, they can be forged.
-
Re:Many other measures becides certificates...
Every time a "P2P patch" is detected, Windows calculates the patch's MD5 Hash and sends it to Microsoft.
Yes, that sounds like a great idea.
-
Re:beyond md5
With a Hollywood movie hacker, you mean. It is theoretically possible for this to be done, but researchers have not accomplished it yet. Just last month someone came close, but it required altering the original program to match the new MD5 collision value: Software Integrity Checksum Vulnerability
But I'm sure it would be no problem for your über-hacker or for Chuck Norris.
-
Re:A workaround?
Here's an example with 12. Linked to from TFA even.
-
Re:Nothing new
No, this is different. In the case of the colliding webpages, bit level inspection immediately reveals what's going on: both "good" and "bad" version are included in the webpages, with an if-statement to choose which one to display.
When you inspect these binaries at bit level, they contain only the "good" or the "bad" version, and some random data appended to it to make the MD5 hash of the files collide. This technique thus also works for file formats which don't have control statements such as "if" or "file starts at offset". See also: http://www.win.tue.nl/hashclash/Nostradamus/, scroll down to: "Didn't Daum and Lucks do something like this in 2005?"
Marc Stevens already constructed these "chosen-prefix" collisions for X.509 Certificates, see the HashClash project page. What's new in these results, is that it did not require massively distributed computing efforts, only one Playstation 3 and less than two days of computation. There is no paper available yet as to how he achieved this major optimization, but his MSc thesis gives a clue: see "future work" at the end of section 7.4.
-